From 61c2a04ca593e17c567817acf39548f49bfbe1db Mon Sep 17 00:00:00 2001 From: Charles Coggins Date: Mon, 26 Feb 2024 13:06:52 -0600 Subject: [PATCH] build: update `poetry` to latest version Poetry is the workflow management tool used for this project and forms the root of all other actions taken when working with this repository. It is also used to manage dependencies and therefore should be treated very carefully, with updates to newer versions taken deliberately. This PR updates `poetry` to the latest version of v1.8.1 to account for the [changes introduced](https://python-poetry.org/history) in both v1.8.0 and v1.8.1, with these actions taken: * Bump all instances of `poetry` to the new version * Installs in workflows * pre-commit hook revision * Dockerfiles * Update the lockfile with the new version of `poetry` None of the changes or new features in these new versions required any updates to the use of `poetry` in this project. Interestingly, a change to "Upgrade the warning about an inconsistent lockfile to an error" ([#8737](https://github.com/python-poetry/poetry/pull/8737)) still does not address the lockfile injection attack outlined in the ["Bad Beat Poetry"](https://blog.phylum.io/bad-beat-poetry/) blog post. Therefore, it is still recommended to check and refresh the lockfile every time before using it to install an environment: ``` poetry check --lock poetry lock --no-update --no-cache poetry install ... ``` A review of the latest `poetry-core` release ([v1.9.0](https://github.com/python-poetry/poetry-core/releases/tag/1.9.0)) did not prove that an upgrade to that version in the `phylum-ci` project is needed at this time. --- .github/workflows/auto_updates.yml | 2 +- .github/workflows/preview.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 6 +++--- .pre-commit-config.yaml | 2 +- Dockerfile | 2 +- Dockerfile.slim | 2 +- poetry.lock | 2 +- 8 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/.github/workflows/auto_updates.yml b/.github/workflows/auto_updates.yml
index c6141b70..2508336c 100644
--- a/.github/workflows/auto_updates.yml
+++ b/.github/workflows/auto_updates.yml
@@ -35,7 +35,7 @@ jobs:
 git_commit_gpgsign: true
 
 - name: Install poetry
- run: pipx install poetry==1.7.1
+ run: pipx install poetry==1.8.1
 
 - name: Configure poetry
 run: poetry config virtualenvs.in-project true
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index a5263be0..bb060c61 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -37,7 +37,7 @@ jobs:
 fetch-depth: 0
 
 - name: Install poetry
- run: pipx install poetry==1.7.1
+ run: pipx install poetry==1.8.1
 
 - name: Configure poetry
 run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dbe1c90b..deb62fa3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -65,7 +65,7 @@ jobs:
 git_tag_gpgsign: true
 
 - name: Install poetry
- run: pipx install poetry==1.7.1
+ run: pipx install poetry==1.8.1
 
 - name: Configure poetry
 run: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 53e203cd..b7a42ba3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -27,7 +27,7 @@ jobs:
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
 - name: Install poetry
- run: pipx install poetry==1.7.1
+ run: pipx install poetry==1.8.1
 
 - name: Configure poetry
 run: poetry config virtualenvs.in-project true
@@ -70,7 +70,7 @@ jobs:
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
 - name: Install poetry
- run: pipx install poetry==1.7.1
+ run: pipx install poetry==1.8.1
 
 - name: Configure poetry
 run: poetry config virtualenvs.in-project true
@@ -112,7 +112,7 @@ jobs:
 
 - name: Install poetry
 if: ${{ matrix.build == 'wheel' }}
- run: pipx install poetry==1.7.1
+ run: pipx install poetry==1.8.1
 
 - name: Configure poetry
 if: ${{ matrix.build == 'wheel' }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9bf2822c..5a17bbdf 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -52,7 +52,7 @@ repos:
 # https://python-poetry.org/docs/pre-commit-hooks/#why-does-pre-commit-autoupdate-not-update-to-the-latest-version
 # NOTE: This `rev` should be manually updated whenever `poetry` is updated. The `rev` can be found by checking out
 # the `poetry` repository and running the command: `git show-ref --tags `
- rev: 7696e93872a965261ea154b5e423c44e8317fd38 # frozen: 1.7.1
+ rev: 3de374c01c9a0c927abd419813a47746c45afb11 # frozen: 1.8.1
 hooks:
 - id: poetry-check
 args: [--lock]
diff --git a/Dockerfile b/Dockerfile
index af3e827a..d2d126e1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -84,7 +84,7 @@ ENV PHYLUM_VENV="/opt/venv"
 ENV PHYLUM_VENV_PIP="${PHYLUM_VENV}/bin/pip"
 ENV PIP_NO_COMPILE=1
 ENV PIP_DISABLE_PIP_VERSION_CHECK=1
-ENV POETRY_VERSION="1.7.1"
+ENV POETRY_VERSION="1.8.1"
 
 WORKDIR ${APP_PATH}
 
diff --git a/Dockerfile.slim b/Dockerfile.slim
index 9f751d35..f21bb55f 100644
--- a/Dockerfile.slim
+++ b/Dockerfile.slim
@@ -92,7 +92,7 @@ ENV PHYLUM_VENV="/opt/venv"
 ENV PHYLUM_VENV_PIP="${PHYLUM_VENV}/bin/pip"
 ENV PIP_NO_COMPILE=1
 ENV PIP_DISABLE_PIP_VERSION_CHECK=1
-ENV POETRY_VERSION="1.7.1"
+ENV POETRY_VERSION="1.8.1"
 
 WORKDIR ${APP_PATH}
 
diff --git a/poetry.lock b/poetry.lock
index d1ee23c7..42212ca3 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.1 and should not be changed by hand.
 
 [[package]]
 name = "annotated-types"