-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Too permissive with substitution using $ENV_VAR
instead of ${ENV_VAR}
#545
Comments
Hmm, I wonder if the token or password contain some characters, e.g. $ or @, which are being parsed improperly? (Although GitLab generates sane tokens in my experience.) I did a quick test by setting up a new deploy token and uploading a package. The following command works correctly for me: pip install my_private_package@https://deploy_token_user:[email protected]/api/v4/projects/12345/packages/pypi/files/b1...ce/my_private_package-2.2.1.post1.dev16%2Bg6dab24f.d20231108-py3-none-any.whl If I remove I'm intrigued that you have a space character between |
Oh dear, I left the ***** instead of token when trying manual pip install command 🤦♂️ Token is sane, and it works when I remove it. But conda-lock install still fails, and yes, I have spaces for all pip packages. Here is a full output of the install command:
|
@psarka, could you try replacing |
Assuming my hypothesis is correct, I think it's a bug that conda-lock silently enables environment variable substitution without braces |
$ENV_VAR
instead of ${ENV_VAR}
Sorry for lag, got distracted yesterday. Yes, it works! 🎉 Thank you @maresb ❤️ |
Checklist
What happened?
This is not exact repro, as I don't know how to set it up. But approximately, this is the
environment.yml
file:Command
conda-lock
works fine, and produces approximatelly this kind of entry in theconda-lock.yml
file:However, this then fails to install with
conda-lock install
. The key part of the stack trace looks like this:I tried to run
pip install my_private_package@ https://__token__:****@gitlab.com/api/v4/projects/12345/packages/pypi/files/71..45/my_private_package-1.0-py3-none-any.whl#sha256=71..45
manually, and indeed it opens an input prompt for a user, even though it is specified as__token__
in the urlConda Info
Conda Config
No response
Conda list
No response
Additional Context
(top) psarka@hdsvm0007:~/yfp-pipelines$ conda-lock --version
conda-lock, version 2.4.2
The text was updated successfully, but these errors were encountered: