Add expansion of environment variables in requirement files #3728
Conversation
roadsideseb
force-pushed
the
add_expanding_env_vars
branch
from
5f8114a to
6c09626
Compare
|
Has this been implemented? |
tests/unit/test_req_file.py
Outdated
| assert reqs[0].link.url == expected_url | ||
|
|
||
| def test_expand_missing_env_variables(self, tmpdir, finder): | ||
| req_url = ('https://${NON_EXISTING_VARIABLE}:$WRONG_FORMAT@' |
There was a problem hiding this comment.
While the test is still reasonably accurate, isn't this supposed to be https://${WRONG_FORMAT}:$NON_EXISTING_VARIABLE@ instead?
|
Would love to see this feature merged. May I ask if there are any plans of doing this anytime soon? |
|
This is a wonderful feature! Any update when it will be merged? |
|
also this seems to be a less complete implementation of https://docs.python.org/2/library/os.path.html#os.path.expandvars |
|
@RonnyPfannschmidt yeah, I'm not sure I understand the reasoning for that, but it was done in response to a comment from @pfmoore last year:
Isn't |
|
@jediorange: Yes, but |
|
@benoit-pierre I see that, but just personally fail to understand how that is a bad thing. The use case for environment variables in requirements files is for using private repos or obscuring other things. This means that they are used for private or proprietary projects, not mainstream things that are going to be downloaded by everyone. If someone really wants to use Windows style variables for a personal/proprietary project (breaking things for any other OS), why not let them? I would consider it expected behavior. |
As @jediorange and @benoit-pierre pointed out, the history on this is that the original PR was implemented using
Above + this custom logic is straightforward enough. |
If we can prevent someone from breaking stuff by mistake (or ignorance) without handicapping their ability to do something (here - expand variables in req-files), I'd say that we should. :) |
@pradyunsg I would argue that more people would be confused by having to adhere to a very specific style of environment variables, rather than using the same styles they can anywhere else (in shell scripts, Procfiles, etc). To be clear: While I don't see the purpose of making it limited to only |
|
@jediorange
I mean, yeah, it's possible. The nice thing about being strict initially is we could expand this behaviour (word-play not intended) later if it actually confuses/annoys too much. :)
Roger that! |
|
One outstanding issue from the discussion in the original PR is that this needs documentation - both to note that the requirements file format allows variable expansion, and to describe the permissible form. The key review comment from the previous discussion was #3514 (comment). Other than that @xavfernandez was lukewarm on the idea, as am I. None of the other @pypa/pip-committers has commented yet. If @elbaschid wants to take this PR forward by adding docs and fixing up the requested changes, or if someone else wants to take it over, then I'm OK to merge this. But I'd like someone with an actual need for the feature to complete the work. |
|
I recently figured out a way to achieve this without changes to So doing something like Hope this helps. |
pradyunsg
added
the
resolution: deferred till PR
|
Hello! I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the |
pradyunsg
removed
the
resolution: deferred till PR
If @elbaschid or anyone else wants to take this forward, this is one thing that needs to be fixed. |
roadsideseb
force-pushed
the
add_expanding_env_vars
branch
from
6c09626 to
a75ef04
Compare
roadsideseb
force-pushed
the
add_expanding_env_vars
branch
2 times, most recently
from
2e1df66 to
bfeb0f7
Compare
|
@pradyunsg I've rebased and added the NEWS file as requested. Seems like the failed test are the same as in I'm thinking about adding a section in docs/reference/pip_install.rst below "VCS Support". Does that sound like a reasonable place? |
|
VCS support is probably not the right place. You want to do it at the location where there's discussion on/description of the requirement file format. I think that would in pip install reference but yeah, whereever it is, I think that's the right place. |
roadsideseb
force-pushed
the
add_expanding_env_vars
branch
from
4bb2465 to
70b4dd8
Compare
|
I'm happy to make the 🎨 changes...I fully understand your picky-ness 😃 . I've also updated the docs according to your suggestions. I hope that makes more sense now and is concise enough. Let me know if you need any other changes made. |
roadsideseb
force-pushed
the
add_expanding_env_vars
branch
from
70b4dd8 to
4496268
Compare
roadsideseb
force-pushed
the
add_expanding_env_vars
branch
from
4496268 to
4a040c3
Compare
|
@pradyunsg I realized the test on appveyor were still failing so I rebased the latest working master and that fixed it. All seems to be green on that front now. Let me know if you need me to make any changes before this can be merged. |
|
Thanks for working on this PR! This feature is badly needed in corporate environments where you have to install dependencies from private repositories with auth. This Issue is probably related to this PR. |
|
What's the status of this PR? Our company would love seeing this available in pip as it would solve tons of headaches. |
|
We also need this feature for security. Any change this could be merged soon? |
|
I concur. We use travis-ci and this feature would make our process much cleaner and more secure with our private pypi repo. |
|
Thanks for approvals, we would be grateful if a collaborator merges this in. Thanks. |
|
Given that none of the @pypa/pip-committers are opposed (or in favour) of this and, that there's multiple people asking for this and the PR is complete, I'm okay with merging this. I should state that this increases the complexity of the format that is already defined on an as-implemented basis, which I don't like but again, I won't oppose this for that reason. |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
lock
bot
added
the
auto-locked
I really like pip and have been using it for quite some time. One scenario that I've come across several times that doesn't seem to be covered is installing from private git (or other) repos without having to store private API keys or other authentication artifacts in the requirements file.
In a 12-factor fashion, I've started thinking about how pip could support private repos by keeping secrets in environment variables. And it turned out that supporting the expansion of environment variables is pretty trivial. Adding a line like this in a requirement file:
https://$GITHUB_TOKEN:[email protected]/user/repo/archive/master.zip
can easily be expanded to by extracting the actual API key from the $GITHUB_TOKEN variable using os.path.expandvars, turning it into:
https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:[email protected]/user/repo/archive/master.zip
I'm not sure if there are any caveats with this implementation around cross-platform support, security or whatever else. But I think this would be a great feature to add to pip and would love to know how to improve on this PR to get it added.
I'm also aware that the tests could be improved since they are not really testing if this actually work. However, mocking the environment for this specific test is not really straight forward. I'd appreciate any input on how this can be tested properly.
This was automatically migrated from #3514 to reparent it to the
masterbranch. Please see original pull request for any previous discussion.Original Submitter: @elbaschid
This change is