action: use a venv to prevent PEP 668 errors #145

Merged
merged 4 commits into from
Jul 4, 2024

@woodruffw (Member) commented Jul 3, 2024

WIP.

Closes #144.

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw self-assigned this Jul 3, 2024
woodruffw added 2 commits July 3, 2024 09:11
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw marked this pull request as ready for review July 3, 2024 13:21
@woodruffw (Member, Author) commented:

This is good to go. To summarize:

We now isolate this action's Python dependencies inside of a virtual environment, rather than using either the distribution or configured Python's user packages site. This makes us both compatible with PEP 668 (the source of the error) and avoids the (slim) likelihood of conflict with other steps running in the same job.

(Plumbing everything through this new venv is a minor adventure, since Windows and *nix venvs have slightly different directory layouts. But the selftests confirm that the specialization for both works.)
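The isolation described in the comment above, as an added example that is not part of the original PR or the action's own code: it checks for the PEP 668 marker, builds a venv that ignores system site-packages, and resolves the interpreter path for both the Windows and *nix layouts. All function names here are hypothetical.

```python
import os
import subprocess
import sysconfig
import tempfile
import venv
from pathlib import Path


def is_externally_managed() -> bool:
    """PEP 668: an EXTERNALLY-MANAGED file in the stdlib directory makes pip
    refuse installs into this interpreter unless it runs inside a venv."""
    return (Path(sysconfig.get_path("stdlib")) / "EXTERNALLY-MANAGED").is_file()


def venv_python(env_dir: Path, os_name: str = os.name) -> Path:
    """Interpreter inside a venv: Scripts/python.exe on Windows, bin/python elsewhere."""
    if os_name == "nt":
        return env_dir / "Scripts" / "python.exe"
    return env_dir / "bin" / "python"


def create_isolated_env(env_dir: Path, with_pip: bool = True) -> Path:
    """Create a venv that cannot see system or user site-packages."""
    builder = venv.EnvBuilder(
        system_site_packages=False, clear=True, with_pip=with_pip,
        symlinks=(os.name != "nt"),  # same default as `python -m venv`
    )
    builder.create(env_dir)
    python = venv_python(env_dir)
    if not python.exists():
        raise FileNotFoundError(f"venv interpreter missing: {python}")
    return python


def runs_inside_venv(python: Path) -> bool:
    """Ask the interpreter itself: in a venv, sys.prefix differs from sys.base_prefix."""
    probe = "import sys; print(sys.prefix != sys.base_prefix)"
    out = subprocess.run([str(python), "-c", probe], check=True, capture_output=True, text=True)
    return out.stdout.strip() == "True"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        py = create_isolated_env(Path(tmp) / "env")
        print("base interpreter externally managed:", is_externally_managed())
        print("venv interpreter:", py, "| isolated:", runs_inside_venv(py))
        # Dependencies would then be installed with: <py> -m pip install -r requirements.txt
```
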

This has been true for a while.

Signed-off-by: William Woodruff <william@trailofbits.com>
@jku (Member) left a comment

Wow, this looks surprisingly complicated to deal with. I don't have a better suggestion, so let's go with that.

@jku jku merged commit 1ddeb82 into main Jul 4, 2024
33 checks passed
@jku jku deleted the ww/pep-668 branch July 4, 2024 12:04
DK96-OS added a commit to DK96-OS/gh-action-sigstore-python that referenced this pull request Dec 3, 2024
(sigstore#134):
* schedule-selftest: reduce nagging
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#140):
* requirements: sigstore ~3.0
* selftest: update filenames
* action: update another path
* action: remove deprecated settings
* README: remove old docs
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#145):
* action: use a venv to prevent PEP 668 errors
* action: use sys.executable
* fight with Windows
* setup: minimum Python is 3.8 (This has been true for a while)
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#142):
* action: flip `release-signing-artifacts`
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#146):
* action: remove old output settings
* selftest: remove old test ref
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

Cleanup workflows (sigstore#148):
* Workflows: remove default input arg from action call
* workflows: Remove unnecessary selftest

release-signing-artifacts defaults to "true" so the removed test now
duplicates the previous test.

We could try testing the release-signing-artifacts == "false" but that's
a bit trickier since it could only be done in a release event...

* workflows: Drop recently removed job from needs-list
---------
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Prep 3.0.0 (sigstore#143):
---------
Signed-off-by: William Woodruff <william@trailofbits.com>

(sigstore#152):
* build(deps): bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 in the actions group
---------
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

(sigstore#154):
* Fix remaining reference to 2.1.1 in README
---------
Signed-off-by: Stefanie Molin <24376333+stefmolin@users.noreply.github.com>

(sigstore#151):
* Enable debugging also if ACTIONS_STEP_DEBUG==true
---------
Co-authored-by: rindeal <dev.rindeal@gmail.com>
Co-authored-by: William Woodruff <william@trailofbits.com>

Upgrade Dependencies:
* Update requirements.txt - upgrade sigstore 3.1, upgrade requests 2.32
---------
Signed-off-by: DK96-OS <69859316+DK96-OS@users.noreply.github.com>
Development

Successfully merging this pull request may close these issues.

Action fails on ubuntu-24.04 with "This environment is externally managed"