Skip to content

Commit

Permalink
build: update poetry to latest version (#393)
Browse files Browse the repository at this point in the history
Poetry is the workflow management tool used for this project and forms
the root of all other actions taken when working with this repository.
It is also used to manage dependencies and therefore should be treated
very carefully, with updates to newer versions taken deliberately.

This PR updates `poetry` to the latest version of v1.8.1 to account for
the [changes introduced](https://python-poetry.org/history) in both
v1.8.0 and v1.8.1, with these actions taken:

* Bump all instances of `poetry` to the new version
  * Installs in workflows
  * pre-commit hook revision
  * Dockerfiles
* Update the lockfile with the new version of `poetry`

None of the changes or new features in these new versions required any
updates to the use of `poetry` in this project. Interestingly, a change
to "Upgrade the warning about an inconsistent lockfile to an error"
([#8737](python-poetry/poetry#8737)) still does
not address the lockfile injection attack outlined in the ["Bad Beat
Poetry"](https://blog.phylum.io/bad-beat-poetry/) blog post. Therefore,
it is still recommended to check and refresh the lockfile every time
before using it to install an environment:

```
poetry check --lock
poetry lock --no-update --no-cache
poetry install ...
```

A review of the latest `poetry-core` release
([v1.9.0](https://github.com/python-poetry/poetry-core/releases/tag/1.9.0))
did not prove that an upgrade to that version in the `phylum-ci` project
is needed at this time.
  • Loading branch information
maxrake authored Feb 26, 2024
1 parent 55f22c8 commit 09136bc
Show file tree
Hide file tree
Showing 8 changed files with 10 additions and 10 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/auto_updates.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:
git_commit_gpgsign: true

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: poetry config virtualenvs.in-project true
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/preview.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:
fetch-depth: 0

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ jobs:
git_tag_gpgsign: true

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: |
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: poetry config virtualenvs.in-project true
Expand Down Expand Up @@ -70,7 +70,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install poetry
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
run: poetry config virtualenvs.in-project true
Expand Down Expand Up @@ -112,7 +112,7 @@ jobs:

- name: Install poetry
if: ${{ matrix.build == 'wheel' }}
run: pipx install poetry==1.7.1
run: pipx install poetry==1.8.1

- name: Configure poetry
if: ${{ matrix.build == 'wheel' }}
Expand Down
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ repos:
# https://python-poetry.org/docs/pre-commit-hooks/#why-does-pre-commit-autoupdate-not-update-to-the-latest-version
# NOTE: This `rev` should be manually updated whenever `poetry` is updated. The `rev` can be found by checking out
# the `poetry` repository and running the command: `git show-ref --tags <tag_name>`
rev: 7696e93872a965261ea154b5e423c44e8317fd38 # frozen: 1.7.1
rev: 3de374c01c9a0c927abd419813a47746c45afb11 # frozen: 1.8.1
hooks:
- id: poetry-check
args: [--lock]
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ ENV PHYLUM_VENV="/opt/venv"
ENV PHYLUM_VENV_PIP="${PHYLUM_VENV}/bin/pip"
ENV PIP_NO_COMPILE=1
ENV PIP_DISABLE_PIP_VERSION_CHECK=1
ENV POETRY_VERSION="1.7.1"
ENV POETRY_VERSION="1.8.1"

WORKDIR ${APP_PATH}

Expand Down
2 changes: 1 addition & 1 deletion Dockerfile.slim
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ ENV PHYLUM_VENV="/opt/venv"
ENV PHYLUM_VENV_PIP="${PHYLUM_VENV}/bin/pip"
ENV PIP_NO_COMPILE=1
ENV PIP_DISABLE_PIP_VERSION_CHECK=1
ENV POETRY_VERSION="1.7.1"
ENV POETRY_VERSION="1.8.1"

WORKDIR ${APP_PATH}

Expand Down
2 changes: 1 addition & 1 deletion poetry.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 09136bc

Please sign in to comment.