build: update poetry to latest version (#393)
Poetry is the workflow management tool used for this project and forms
the root of all other actions taken when working with this repository.
It is also used to manage dependencies and therefore should be treated
very carefully, with updates to newer versions taken deliberately.

This PR updates `poetry` to the latest version of v1.8.1 to account for
the [changes introduced](https://python-poetry.org/history) in both
v1.8.0 and v1.8.1, with these actions taken:

* Bump all instances of `poetry` to the new version
  * Installs in workflows
  * pre-commit hook revision
  * Dockerfiles
* Update the lockfile with the new version of `poetry`

None of the changes or new features in these new versions required any
updates to the use of `poetry` in this project. Interestingly, a change
to "Upgrade the warning about an inconsistent lockfile to an error"
([#8737](python-poetry/poetry#8737)) still does
not address the lockfile injection attack outlined in the ["Bad Beat
Poetry"](https://blog.phylum.io/bad-beat-poetry/) blog post. Therefore,
it is still recommended to check and refresh the lockfile every time
before using it to install an environment:

```sh
poetry check --lock
poetry lock --no-update --no-cache
poetry install ...
```

A review of the latest `poetry-core` release
([v1.9.0](https://github.com/python-poetry/poetry-core/releases/tag/1.9.0))
did not prove that an upgrade to that version in the `phylum-ci` project
is needed at this time.
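The three-command sequence the commit message recommends, turned into a guard script. This is an added example, not code from the phylum-ci project: it first confirms the installed poetry matches the 1.8.1 pin used throughout this commit, then validates and regenerates the lockfile, and refuses to install if the regenerated lockfile differs from the committed one, which is the signal a hand-edited or injected lockfile would give. It assumes a POSIX shell, `sha256sum` or `shasum` on PATH, and `poetry` on PATH when invoked with `--run`.

```shell
#!/bin/sh
# refresh_lock.sh (added example): enforce the pinned poetry version, validate
# the lockfile, regenerate it from pyproject.toml without upgrading anything,
# and stop before `poetry install` if the committed lockfile did not survive
# regeneration unchanged.
set -eu

# Expected version; defaults to the pin this commit sets everywhere.
EXPECTED_POETRY_VERSION="${EXPECTED_POETRY_VERSION:-1.8.1}"

# Extract "1.8.1" from poetry's banner, e.g. "Poetry (version 1.8.1)".
# Prints nothing for banners in another shape, so the caller fails closed.
parse_poetry_version() {
    printf '%s\n' "$1" | sed -n 's/^Poetry (version \([0-9][0-9.]*\)).*$/\1/p'
}

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only when both files have byte-identical content.
lockfile_unchanged() {
    [ "$(file_digest "$1")" = "$(file_digest "$2")" ]
}

refresh_lock() {
    installed="$(parse_poetry_version "$(poetry --version)")"
    if [ "$installed" != "$EXPECTED_POETRY_VERSION" ]; then
        echo "poetry '$installed' installed, expected $EXPECTED_POETRY_VERSION" >&2
        return 1
    fi
    cp poetry.lock poetry.lock.committed
    poetry check --lock                  # pyproject.toml / poetry.lock consistency
    poetry lock --no-update --no-cache   # re-derive the lockfile from pyproject.toml
    if ! lockfile_unchanged poetry.lock.committed poetry.lock; then
        echo "poetry.lock changed after refresh; inspect the diff before installing" >&2
        diff -u poetry.lock.committed poetry.lock || true
        rm -f poetry.lock.committed
        return 1
    fi
    rm -f poetry.lock.committed
    poetry install   # add the project's usual install flags here
}

# Only run the full sequence when invoked as `sh refresh_lock.sh --run`.
if [ "${1:-}" = "--run" ]; then refresh_lock; fi
```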
maxrake committed Feb 26, 2024
1 parent 55f22c8 commit 09136bc
Showing 8 changed files with 10 additions and 10 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/auto_updates.yml
@@ -35,7 +35,7 @@ jobs:
git_commit_gpgsign: true

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: poetry config virtualenvs.in-project true
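Review bot: the `pipx install poetry==1.8.1` line is the same literal pin this commit also edits in preview.yml, release.yml, test.yml (three times), the pre-commit `rev` and both Dockerfiles, nine places in all, so the next bump has nine chances to miss one. A single source for the workflows, such as a workflow-level `env: POETRY_VERSION: "1.8.1"` consumed as `pipx install poetry==${{ env.POETRY_VERSION }}`, would cut that down and make a drifted copy impossible within one file.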
2 changes: 1 addition & 1 deletion .github/workflows/preview.yml
@@ -37,7 +37,7 @@ jobs:
fetch-depth: 0

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: |
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
@@ -65,7 +65,7 @@ jobs:
git_tag_gpgsign: true

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: |
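Review bot: this is the workflow with `git_tag_gpgsign: true` in its context, i.e. the one that cuts signed releases, and the hunk ends exactly where the `Configure poetry` block starts, so it is not visible whether the `poetry check --lock` / `poetry lock --no-update --no-cache` sequence the commit message recommends runs before `poetry install` here. Worth confirming for this workflow in particular, since the message itself notes that 1.8.x still does not stop the lockfile injection it links to.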
6 changes: 3 additions & 3 deletions .github/workflows/test.yml
@@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: poetry config virtualenvs.in-project true
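Review bot: the context line pins `actions/checkout` to a full commit SHA with a `# v4.1.1` comment, while the changed line pins poetry by PyPI version string only, so nothing verifies the downloaded artifact beyond trusting the index. If the repository wants the same assurance for its build tool that it already applies to actions, installing poetry from a hash-pinned requirements file (`pip install --require-hashes -r ...`) instead of a bare `pipx install` would give it; otherwise a short comment recording that version pinning is judged sufficient would stop the question recurring at each bump.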
@@ -70,7 +70,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: poetry config virtualenvs.in-project true
@@ -112,7 +112,7 @@ jobs:

- name: Install poetry
if: ${{ matrix.build == 'wheel' }}
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
if: ${{ matrix.build == 'wheel' }}
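Review bot: both the install and the configure step are guarded by `if: ${{ matrix.build == 'wheel' }}`, so the non-wheel matrix entries run with no poetry installed at all. That is fine only if those entries never invoke poetry later in the job, which the hunk does not show; a stray `poetry` call there fails with a missing-command error rather than a version mismatch, which is easy to overlook when reviewing a version bump. Confirming that path once in the PR would settle it.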
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -52,7 +52,7 @@ repos:
# https://python-poetry.org/docs/pre-commit-hooks/#why-does-pre-commit-autoupdate-not-update-to-the-latest-version
# NOTE: This `rev` should be manually updated whenever `poetry` is updated. The `rev` can be found by checking out
# the `poetry` repository and running the command: `git show-ref --tags <tag_name>`
rev: 7696e93872a965261ea154b5e423c44e8317fd38 # frozen: 1.7.1
rev: 3de374c01c9a0c927abd419813a47746c45afb11 # frozen: 1.8.1
hooks:
- id: poetry-check
args: [--lock]
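Review bot: the new `rev` is a bare commit SHA whose `# frozen: 1.8.1` comment is not enforced by anything, so the procedure in the comment above it (`git show-ref --tags <tag_name>`) is the only check that the SHA really is the 1.8.1 tag; recording in the PR that `git show-ref --tags 1.8.1` in the poetry repository returned `3de374c01c9a0c927abd419813a47746c45afb11` would let a reviewer verify it without repeating the checkout. Also note that the `poetry-check` hook with `args: [--lock]` covers only the first of the three commands the commit message recommends: it validates the lockfile but does not refresh it.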
2 changes: 1 addition & 1 deletion Dockerfile
@@ -84,7 +84,7 @@ ENV PHYLUM_VENV="/opt/venv"
ENV PHYLUM_VENV_PIP="${PHYLUM_VENV}/bin/pip"
ENV PIP_NO_COMPILE=1
ENV PIP_DISABLE_PIP_VERSION_CHECK=1
ENV POETRY_VERSION="1.7.1"
ENV POETRY_VERSION="1.8.1"

WORKDIR ${APP_PATH}

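Review bot: `POETRY_VERSION` is declared with `ENV`, so it persists into every later layer and into the final image unless a later stage drops it, which is not visible in this hunk. If the value only feeds the install step, a build-time `ARG POETRY_VERSION=1.8.1` keeps it out of the runtime environment, and since Dockerfile.slim below carries the identical change, a shared default for that `ARG` would also remove one of the duplicated pins this commit has to keep in step.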
2 changes: 1 addition & 1 deletion Dockerfile.slim
@@ -92,7 +92,7 @@ ENV PHYLUM_VENV="/opt/venv"
ENV PHYLUM_VENV_PIP="${PHYLUM_VENV}/bin/pip"
ENV PIP_NO_COMPILE=1
ENV PIP_DISABLE_PIP_VERSION_CHECK=1
ENV POETRY_VERSION="1.7.1"
ENV POETRY_VERSION="1.8.1"

WORKDIR ${APP_PATH}

2 changes: 1 addition & 1 deletion poetry.lock
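Review bot: the lockfile hunk is collapsed on this page, so the only evidence is "1 addition & 1 deletion". That is consistent with `poetry lock --no-update` rewriting just the `@generated by Poetry ...` header line and touching no package entry, hash or `content-hash`, but the reviewer should expand the hunk and confirm exactly that, since any other changed line would mean the commit does more than bump the tool version.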

