Manage dependencies with PDM #250
Conversation
| jobs: | ||
| post_create_environment: | ||
| - pip install pdm | ||
| - pdm export --format requirements --prod --group doc --output requirements-doc.txt --no-hashes |
There was a problem hiding this comment.
If you have a non-PyPI dependency (like a dependency on a git repo), pip install -r requirements.doc will error out:
ERROR: Can't verify hashes for these requirements because we don't have a way to hash version control repositories:
b2sdk@ git+https://github.com/vbaltrusaitis-reef/b2-sdk-python@ac1e1355f1aaac10a398618214021cc7ecb6a1eb from git+https://github.com/vbaltrusaitis-reef/b2-sdk-python@ac1e1355f1aaac10a398618214021cc7ecb6a1eb (from -r requirements-doc.txt (line 21))
To be fair, non-PyPI dependencies shouldn't get into master (and definitely definitely not release), so this is only a convenience for testing. But for this use-case this seems pretty harmless, I'm now on the fence if I should remove --no-hashes.
There was a problem hiding this comment.
don't think it matters much - this is run on readthedocs side afterall and only for docs generation;
so the worst case (i.e. someone hacked pypi depdency) our docs get defaced - but at that point it would very cheap price to pay for knowing one of our dependencies were hacked :D
Dockerfile.template
Outdated
| ENV PDM_BUILD_SCM_VERSION=${version} | ||
| RUN --mount=type=bind,source=./b2,target=/b2/b2 \ | ||
| --mount=type=bind,source=./pyproject.toml,target=/b2/pyproject.toml \ | ||
| --mount=type=bind,source=./pdm.lock,target=/b2/pdm.lock \ |
There was a problem hiding this comment.
at first I was wondering why not use wheel/tar, but it does make sense to use lock indeed 👍
There was a problem hiding this comment.
Yeah, lock is half the point. I did consider (and try out) a wheel+requirements approach: install dependencies using exported requirement file (pdm export --no-self [...]) and then install a b2 wheel on top of that with --no-deps . This would get rid of pdm within the container, less files to copy, it's nice. But in this case, I feel like I should definitely export requirements with hashes (see comment about the --no-hashes flag in readthedocs config). However, this would fail the docker build when you have b2sdk from git as a dependency. And that makes for an unpleasant development experience in case you're trying out unreleased b2sdk features, you want to make a draft PR that uses them and see if all tests pass.
This was a bit of a dilemma, I feel that exported requirements + wheel is nicer in many ways.
There was a problem hiding this comment.
multi-layered dockerfilerfile is the way to go long term, not necessary now
How big image is after this change? our last b2 image was 170MB, so unless this one is much bigger (>250MB) then I feel we can easily try doing it later down the line.
When using requirements.txt I tried doing multilayer, but other than it being more error prone, the image size didn't differ much at all.
There was a problem hiding this comment.
I checked the image size and yes, it increased by a lot after these changes, to 300Mb. So I implemented a multi-stage build and now it's 146M.
pyproject.toml
Outdated
| dependencies = [ | ||
| "argcomplete>=2,<4", | ||
| "arrow>=1.0.2,<2.0.0", | ||
| "b2sdk @ git+https://github.com/vbaltrusaitis-reef/b2-sdk-python", |
There was a problem hiding this comment.
this for sure has to be b2sdk>=1.29.0,<2 like it was before
we cannot have pip install b2 users install stuff from git after this PR
There was a problem hiding this comment.
Yes, absolutely. I'll change this before merging and submit for a review once b2sdk SyntaxWarning problem is fixed.
nox -s make_release_commit would detect this dependency and complain. That's, unfortunately, not the same as preventing this from reaching master, but it's something.
Co-authored-by: Maciej Urbański <[email protected]>
|
In the last few commits:
Requesting re-review @mjurbanski-reef |
Dockerfile.template
Outdated
| # due https://github.com/moby/moby/issues/47021 we cannot have /root/.cache leftover as it causes random errors in CI | ||
| RUN --mount=type=bind,source=${tar_path}/${tar_name},target=/tmp/${tar_name} \ | ||
| pip install --no-cache-dir /tmp/${tar_name}[full] && rm -rf /root/.cache | ||
| ENV PYTHONPATH=/b2/pkgs |
There was a problem hiding this comment.
/opt/b2 will be slightly better IMO as per https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s13.html , but do as you will
changelog.d/+pdm.infrastructure.md
Outdated
| @@ -0,0 +1 @@ | |||
| Use pdm for building, testing and managing dependencies. | |||
There was a problem hiding this comment.
I think seeing at issue reported in other repo it is worth mentioning here that tests and other superfluous files have been removed from sdist tarball.
This is a draft PR for two reasons:
noxso they can adjust for their internal tests.Changes:
b2.pyproject.toml/pdm.lockanyways before release.pdm add b2sdk @ git+https://github.com/Backblaze/b2-sdk-pythonwhile developing a feature together with sdk.