WIP: Migrate dependency management to poetry

Switch dependency management to use poetry, which is much nicer than
pip-tools. This is largely based off of
<freedomofpress/securedrop-proxy#122> and
applies the same changes to the Makefile and CI.

The main difference is that we install PyQt5 via system packages, so the
two versions we specifically need are listed in pyproject.toml and vary
on the Python versions shipped with bullseye and bookworm.

We also don't actually need the pathlib2 dependency any more because
our Python version is high enough, so it's dropped now that poetry
is smart enough to detect it!

.circleci/config.yml

@@ -1,11 +1,30 @@
 ---
 common-steps:
+  - &install_poetry
+    run:
+      name: Install Poetry
+      command: |
+        set -e
+        source /etc/os-release
+        if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
+            # Install Poetry via PyPI
+            apt-get update && apt-get install --yes --no-install-recommends python3-pip
+            pip install poetry==1.6.1
+        elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
+            # Install Poetry via system package
+            apt-get update && apt-get install --yes --no-install-recommends python3-poetry
+        else
+            echo "Unsupported Debian version: $VERSION_CODENAME"
+            exit 1
+        fi
+
   - &install_testing_dependencies
     run:
       name: Install testing dependencies
       command: |
         set -e
         apt update && apt install -y git gnupg libarchive13 libmagic1 libqt5x11extras5 make python3-tk python3-dev gnupg python3-venv sqlite3 xvfb
+        poetry install --no-ansi
 
   - &configure_locales
     run:
@@ -21,90 +40,57 @@ common-steps:
     run:
       name: Install build dependencies
       command: |
-        set -e
         apt update && apt install -y git make sudo
 
   - &run_unit_tests
     run:
       name: Install requirements and run unit tests
       command: |
-        set -e
-        export VERSION_CODENAME=$(~/project/scripts/codename)
-        make venv
-        source .venv/bin/activate
         export PYTHONPATH=$PYTHONPATH:.  # so alembic can get to Base metadata
         make test-random
 
   - &run_integration_tests
     run:
       name: Install requirements and run integration tests
       command: |
-        set -e
-        export VERSION_CODENAME=$(~/project/scripts/codename)
-        make venv
-        source .venv/bin/activate
         export PYTHONPATH=$PYTHONPATH:.  # so alembic can get to Base metadata
         make test-integration
 
   - &run_functional_tests
     run:
       name: Install requirements and run functional tests
       command: |
-        set -e
-        export VERSION_CODENAME=$(~/project/scripts/codename)
-        make venv
-        source .venv/bin/activate
         export PYTHONPATH=$PYTHONPATH:.  # so alembic can get to Base metadata
         make test-functional
 
   - &run_lint
     run:
       name: Run lint, type checking, code formatting
       command: |
-        set -e
-        export VERSION_CODENAME=$(~/project/scripts/codename)
-        make venv
-        source .venv/bin/activate
         make check-black check-isort lint mypy
 
   - &check_security
     run:
       name: Run static analysis on source code to find security issues
       command: |
-        set -e
-        export VERSION_CODENAME=$(~/project/scripts/codename)
-        make venv
-        source .venv/bin/activate
         make semgrep bandit
 
   - &check_source_strings
     run:
       name: Check that source strings are updated
       command: |
-        set -e
-        export VERSION_CODENAME=$(~/project/scripts/codename)
-        make venv
-        source .venv/bin/activate
         make check-strings
 
   - &check_mo_repro
     run:
       name: Check that translation machine objects are reproducible
       command: |
-        set -e
-        export VERSION_CODENAME=$(~/project/scripts/codename)
-        make venv
-        source .venv/bin/activate
         make verify-mo
 
   - &check_python_dependencies_for_vulnerabilities
     run:
       name: Check Python dependencies for known vulnerabilities
       command: |
-        set -e
-        export VERSION_CODENAME=$(~/project/scripts/codename)
-        make venv
-        source .venv/bin/activate
         make safety
 
   - &install_packaging_dependencies
@@ -115,10 +101,11 @@ common-steps:
         mkdir ~/packaging && cd ~/packaging
         # local builds may not have an ssh url, so || true
         git config --global --unset url.ssh://[email protected] || true
-        git clone https://github.com/freedomofpress/securedrop-builder.git
+        git clone https://github.com/freedomofpress/securedrop-builder.git -b poetry-fix-casing
         cd securedrop-builder
         apt-get update && apt-get install -y sudo make
         make install-deps
+        source .venv/bin/activate
         PKG_DIR=~/project make requirements
 
   - &check_packaging_requirements
@@ -129,17 +116,6 @@ common-steps:
         # Fail if unstaged changes exist that are not comments (after `make requirements` in the previous run step).
         git diff --ignore-matching-lines=# --exit-code
 
-  - &check_testing_requirements
-    run:
-      name: Ensure that the same Python requirements are used for development/testing and production.
-      command: |
-        set -e
-        export VERSION_CODENAME=$(~/project/scripts/codename)
-        make venv
-        source .venv/bin/activate
-        make requirements
-        git diff --exit-code requirements/dev-${VERSION_CODENAME}-requirements.txt
-
   - &build_debian_package
     run:
       name: Build debian package
@@ -149,6 +125,7 @@ common-steps:
         cd ~/packaging/securedrop-builder
         export PKG_VERSION=1000.0
         export PKG_PATH=~/project/
+        source .venv/bin/activate
         make securedrop-client
 
 version: 2.1
@@ -171,9 +148,10 @@ jobs:
     parameters: *parameters
     docker: *docker
     steps:
+      - *install_poetry
+      - checkout
       - *install_testing_dependencies
       - *configure_locales
-      - checkout
       - *run_unit_tests
       - store_test_results:
           path: test-results
@@ -182,60 +160,58 @@ jobs:
     parameters: *parameters
     docker: *docker
     steps:
-      - *install_testing_dependencies
+      - *install_poetry
       - checkout
+      - *install_testing_dependencies
       - *run_integration_tests
 
   functional-test:
     parameters: *parameters
     docker: *docker
     steps:
-      - *install_testing_dependencies
+      - *install_poetry
       - checkout
+      - *install_testing_dependencies
       - *run_functional_tests
 
   lint:
     parameters: *parameters
     docker: *docker
     steps:
-      - *install_testing_dependencies
+      - *install_poetry
       - checkout
+      - *install_testing_dependencies
       - *run_lint
 
   check-security:
     parameters: *parameters
     docker: *docker
     steps:
-      - *install_testing_dependencies
+      - *install_poetry
       - checkout
+      - *install_testing_dependencies
       - *check_security
 
   check-python-security:
     parameters: *parameters
     docker: *docker
     steps:
-      - *install_testing_dependencies
+      - *install_poetry
       - checkout
+      - *install_testing_dependencies
       - *check_python_dependencies_for_vulnerabilities
 
 
   check-internationalization:
     parameters: *parameters
     docker: *docker
     steps:
-      - *install_testing_dependencies
+      - *install_poetry
       - checkout
+      - *install_testing_dependencies
       - *check_source_strings
       - *check_mo_repro
 
-  check-testing-requirements:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - *install_testing_dependencies
-      - checkout
-      - *check_testing_requirements
-
 workflows:
   securedrop_client_ci:
     jobs: &jobs
@@ -251,8 +227,6 @@ workflows:
           matrix: *matrix
       - lint:
           matrix: *matrix
-      - check-testing-requirements:
-          matrix: *matrix
       - check-security:
           matrix: *matrix
       - check-python-security: