Skip to content

Commit

Permalink
Use Dependabot to manage Poetry dependency
Browse files Browse the repository at this point in the history
This project uses Poetry to manage the Python package dependencies.

The pipx tool is used in the GitHub Actions workflows to install Poetry in an isolated environment.

Previously, the pipx commands used in the workflows caused the latest version of Poetry to be installed. This
uncontrolled versioning approach might result in breakage of the project infrastructure at any time.

The obvious solution would be to specify the Poetry version in the pipx command (e.g. `pipx install poetry==1.6.1`). The
problem with that approach is that there is no mechanism for automating the update process, making it likely that the
project infrastructure would use increasingly outdated Poetry versions over time.

The project already uses the Dependabot service for automation of controlled updates of the Python package dependencies,
but previously was not used to update the Poetry dependency. This is accomplished by adding the Poetry dependency to the dependency configuration file.

Dependabot recognizes two forms of dependency data in the pyproject.toml file used to define the Python package dependencies:

- Poetry
- PEP 621

Since Poetry can't be used to manage itself, the obvious approach would be to define the Poetry dependency in a PEP 621
field in the file. However, this is not possible because if Dependabot finds Poetry data in pyproject.toml, it ignores
the PEP 621 fields. So it is necessary to define the Poetry dependency in the Poetry fields of the file. A special
dependencies group is created for this purpose and that group is excluded in the `poetry install` commands.

Unfortunately pipx doesn't support using dependency configuration files so it is necessary to generate the dependency
argument in the pipx command by parsing the project.toml file.
  • Loading branch information
per1234 committed Oct 18, 2023
1 parent 13225dc commit 587e2d5
Show file tree
Hide file tree
Showing 6 changed files with 1,183 additions and 6 deletions.
16 changes: 14 additions & 2 deletions .github/workflows/check-poetry-task.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,13 @@ jobs:
run: |
pipx install \
--python "$(which python)" \
poetry
"poetry==$( \
yq \
--input-format toml \
--output-format yaml \
'.tool.poetry.group.pipx.dependencies.poetry' \
< pyproject.toml
)"
- name: Install Go
uses: actions/setup-go@v4
Expand Down Expand Up @@ -101,7 +107,13 @@ jobs:
run: |
pipx install \
--python "$(which python)" \
poetry
"poetry==$( \
yq \
--input-format toml \
--output-format yaml \
'.tool.poetry.group.pipx.dependencies.poetry' \
< pyproject.toml
)"
- name: Install Go
uses: actions/setup-go@v4
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/check-yaml-task.yml
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,13 @@ jobs:
run: |
pipx install \
--python "$(which python)" \
poetry
"poetry==$( \
yq \
--input-format toml \
--output-format yaml \
'.tool.poetry.group.pipx.dependencies.poetry' \
< pyproject.toml
)"
- name: Install Go
uses: actions/setup-go@v4
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/spell-check-task.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,13 @@ jobs:
run: |
pipx install \
--python "$(which python)" \
poetry
"poetry==$( \
yq \
--input-format toml \
--output-format yaml \
'.tool.poetry.group.pipx.dependencies.poetry' \
< pyproject.toml
)"
- name: Install Go
uses: actions/setup-go@v4
Expand Down
6 changes: 5 additions & 1 deletion Taskfile.yml
Original file line number Diff line number Diff line change
Expand Up @@ -404,7 +404,11 @@ tasks:
poetry:install-deps:
desc: Install dependencies managed by Poetry
cmds:
- poetry install --no-root
- |
poetry \
install \
--no-root \
--without pipx
poetry:validate:
desc: Validate pyproject.toml
Expand Down
Loading

0 comments on commit 587e2d5

Please sign in to comment.