Unexpected dependency on requests

[wichert]

For various reasons I had to switch to a new custom runner for GitHub actions, and this broke actions-rust-language/audit:

Cache restored from key: cargo-audit-v0.20.0
Run import audit
Traceback (most recent call last):
  File "/runner/_work/_temp/192418c1-d8d4-4dc8-b912-a20d707d5c75.py", line 1, in <module>
    import audit
  File "/runner/_work/_actions/actions-rust-lang/audit/v1/audit.py", line 8, in <module>
    import requests
ModuleNotFoundError: No module named 'requests'

would it be possible to use urllib so that there are no extra dependencies needed? Alternatively documenting this requirement, or vendoring requests (or do this with urllib3, since it has no other dependencies) are also options.

[jonasbb]

Hi, thanks for the reports. Yes, there is definitely a documentation gap and the requirements could be listed better.

All the actions in https://github.com/actions-rust-lang target the GitHub runners. Mainly, because that is the only environment available to test them. I happily accept PRs to improve the situation here.

Regarding the specific dependency: urllib is not a suitable replacement. Switching to urllib3 would be fine, but that is not part of the Python distribution either. Vendoring is too complicated.
Another solution would be to add a check and install step if dependencies are missing, e.g., perform a python3 -m pip install --user requests or similar.

[jonasbb]

I added some information about the dependencies to the readme
https://github.com/actions-rust-lang/audit/blob/main/README.md#dependencies

[wichert]

@jonasbb can you explain why urllib is not a suitable replacement? I'ld be happy to try to submit a PR to use that, so there are no external dependencies.

[jonasbb]

urllib is quite low-level and does not offer the same features as requests. The added usability (e.g., encoding) and features (e.g., connection pooling) of requests are quite wanted.