pdm export support env variables in credentials

[Drachenfels]

Is your feature request related to a problem? Please describe.

Pipelines sometimes work with generated requirements.txt as backward compatibility, if one uses a different index like this:

[[tool.pdm.source]]
url = "https://${PDM_USERNAME}:${PDM_PASSWORD}@path/to/custom/pypi/package/simple/"
verify_ssl = true
name = "pypi"

and PDM_USERNAME (example: john) / PDM_PASSWORD (example: password123) is set,

and runs pdm export like this:

pdm export --prod -o requirements.txt --without-hashes

the resulting requirements file will have a username and password in plaintext:

# This file is @generated by PDM.
# Please do not edit it manually.

zipp==3.15.0
--index-url https://john:password123@path/to/custom/pypi/package/simple/

Describe the solution you'd like

PIP allows to use env variables that are expanded at runtime: https://pip.pypa.io/en/stable/reference/requirements-file-format/#using-environment-variables

My proposal would be to add a switch --no-env-expansion (please suggest a better name) that will generate an export file but with an env notation that pip likes, example:

# This file is @generated by PDM.
# Please do not edit it manually.

zipp==3.15.0
--index-url https://${PDM_USERNAME}:${PDM_PASSWORD}@path/to/custom/pypi/package/simple/

[Drachenfels]

Hi @frostming

I wonder what was the resolution of this issue, if I read the commit correctly, you consider it was actually a bug and from now on by default, we are going to have env vars in requirements. Am I correct?

[frostming]

Yes, I think preserving the env vars make more sense. And the variable substitution is also supported by pip.

It may be a little breaking change but I think people writing variables in their source settings can expect it.

[berislavlopac]

Wouldn't it make sense to keep a runtime option to force the variable expansion?

[berislavlopac]

@frostming you said:

And the variable substitution is also supported by pip.

Can you point out this in any documentation? As far as I can tell, pypa/pip#4789 is still open... 🤔

[frostming]

@berislavlopac You are confusing two different requirements. pip has always supported using environment variables in requirementst.txt(since 10.0): https://pip.pypa.io/en/stable/reference/requirements-file-format/#using-environment-variables

While the issue you linked to is asking for env expansion in pip.conf. This issue also talks about the requirements.txt exported by PDM.

[berislavlopac]

Thank you @frostming. How about this question?

Wouldn't it make sense to keep a runtime option to force the variable expansion?