Switch dependency management to Poetry

freedomofpress · Sep 26, 2023 · 3b73f6f · 3b73f6f
1 parent 82392a4
commit 3b73f6f
Show file tree

Hide file tree

Showing 10 changed files with 1,099 additions and 661 deletions.
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -4,7 +4,6 @@ include securedrop_proxy/VERSION
 include changelog.md
 include config-example.yaml
 include qubes/securedrop.Proxy
-include requirements/build-requirements.txt
-include requirements/requirements.txt
+include build-requirements.txt
 include securedrop_proxy/*.py
 include setup.py
diff --git a/Makefile b/Makefile
@@ -3,83 +3,62 @@
 .PHONY: all
 all: help
 
-.PHONY: venv
-venv:
-	python3 -m venv .venv ## Provision a Python 3 virtualenv for **development**
-	.venv/bin/pip install --upgrade pip wheel
-	.venv/bin/pip install --require-hashes -r "requirements/dev-requirements.txt"
-
 .PHONY: bandit
 bandit: ## Run bandit with medium level excluding test-related folders
-	pip install --upgrade pip && \
-		pip install --upgrade bandit!=1.6.0 && \
-	bandit -ll --recursive securedrop_proxy
+	@echo "Installing latest version of Bandit in virtual environment…"
+	@poetry update bandit
+	@echo "Running bandit security checks…"
+	@poetry run bandit -ll --recursive securedrop_proxy
 
 .PHONY: safety
 safety: ## Runs `safety check` to check python dependencies for vulnerabilities
-	pip install --upgrade safety && \
-		for req_file in `find . -type f -name '*requirements.txt'`; do \
-			echo "Checking file $$req_file" \
-			&& safety check --full-report -r $$req_file \
-			&& echo -e '\n' \
-			|| exit 1; \
-		done
+	@echo "Installing latest version of safety in virtual environment…"
+	@poetry update safety
+	@echo "Running safety against requirements files in this repository…"
+	for req_file in `find . -type f -name '*requirements.txt'`; do \
+		echo "Checking file $$req_file" \
+		&& poetry run safety check --full-report -r $$req_file \
+		&& echo -e '\n' \
+		|| exit 1; \
+	done
 
 .PHONY: lint
 lint: check-isort check-black mypy ## Run isort, black and flake8 and mypy
-	@flake8 securedrop_proxy tests
+	@poetry run flake8 securedrop_proxy tests
 
 .PHONY: mypy
 mypy: ## Run mypy static type checker
-	@mypy --ignore-missing-imports securedrop_proxy
+	@poetry run mypy --ignore-missing-imports securedrop_proxy
 
 .PHONY: black
 black: ## Run black for file formatting
-	@black securedrop_proxy tests
+	@echo "Running black (may result in changes in your working directory)…"
+	@poetry run black securedrop_proxy tests
 
 .PHONY: check-black
 check-black: ## Check Python source code formatting with black
-	@black --check --diff securedrop_proxy tests
+	@echo "Running black formatting check…"
+	@poetry run black --check --diff securedrop_proxy tests
 
 .PHONY: isort
 isort: ## Run isort for file formatting
-	@isort securedrop_proxy/*.py tests/*.py
+	@echo "Running isort (may result in changes in your working directory)…"
+	@poetry run isort securedrop_proxy/*.py tests/*.py
 
 .PHONY: check-isort
 check-isort: ## Check isort for file formatting
-	@isort --check-only --diff securedrop_proxy/*.py tests/*.py
-
-.PHONY: sync-requirements
-sync-requirements:  ## Update dev-requirements.txt to pin to the same versions of prod dependencies
-	rm -r requirements/dev-requirements.txt && cp requirements/requirements.txt requirements/dev-requirements.txt
-	pip-compile --allow-unsafe --generate-hashes --output-file requirements/dev-requirements.txt requirements/requirements.in requirements/dev-requirements.in
-
-.PHONY: requirements
-requirements:  ## Update *requirements.txt files if pinned versions do not comply with the dependency specifications in *requirements.in
-	pip-compile --generate-hashes --output-file requirements/requirements.txt requirements/requirements.in
-	$(MAKE) sync-requirements
-
-.PHONY: update-dependency
-update-dependency:  ## Add or upgrade a package to the latest version that complies with the dependency specifications in requirements.in
-	pip-compile --generate-hashes --upgrade-package $(PACKAGE) --output-file requirements/requirements.txt requirements/requirements.in
-	$(MAKE) sync-requirements
-
-.PHONY: update-dev-only-dependencies
-update-dev-only-dependencies:  ## Update dev-requirements.txt to pin to the latest versions of dev-only dependencies that comply with the dependency specifications in dev-requirements.in
-	$(MAKE) sync-requirements
-	@while read line; do \
-		pip-compile --allow-unsafe --generate-hashes --upgrade-package $file --output-file requirements/dev-requirements.txt requirements/requirements.in requirements/dev-requirements.in; \
-	done < 'requirements/dev-requirements.in'
+	@echo "Running isort module ordering check…"
+	@poetry run isort --check-only --diff securedrop_proxy/*.py tests/*.py
 
 .PHONY: test
 test: clean .coverage ## Runs tests with coverage
 
 .coverage:
-	@coverage run --source securedrop_proxy -m unittest
+	@poetry run coverage run --source securedrop_proxy -m unittest
 
 .PHONY: browse-coverage
 browse-coverage: .coverage ## Generates and opens HTML coverage report
-	@coverage html
+	@poetry run coverage html
 	@xdg-open htmlcov/index.html 2>/dev/null || open htmlcov/index.html 2>/dev/null
 
 .PHONY: check

diff --git a/README.md b/README.md
@@ -29,27 +29,40 @@ https://github.com/freedomofpress/securedrop-workstation/issues/107.
 
 #### Quick Start
 
-To try the proxy script, create a virtual environment and install the
-requirements. In the root of the project directory, run
+1. [Install Poetry](https://python-poetry.org/docs/#installing-with-the-official-installer)
+2. Run `make test` to verify the installation
 
-```
-make venv
-source .venv/bin/activate
-make test
-```
+#### Managing Dependencies
 
-#### Update Dependencies
+We use Poetry to manage dependencies for this project.
 
-If you're adding or updating a dependency, you need to:
+### Development dependencies
 
-1. Modify either `dev-requirements.in` and `requirements.in` (depending on whether it is prod or dev only) and then run `make update-pip-dependencies`. This will generate `dev-requirements.txt` and `requirements.txt`.
+You can add development dependencies via  `poetry add <name> --group dev`.
+Make sure you commit changes to the lockfile along with changes to `pyproject.toml`.
 
-2. For building a debian package from this project, we use the requirements in
-`build-requirements.txt` which uses our pip mirror, i.e. the hashes in that file point to
-wheels on our pip mirror. A maintainer will need to add
-the updated dependency to our pip mirror (you can request this in the PR).
+To update the dependency to the latest version within the specified
+version constraints, simply run `poetry update <name>` and commit the resutling
+changes.
 
-3. Once the pip mirror is updated, you should checkout the [securedrop-debian-packaging repo](https://github.com/freedomofpress/securedrop-debian-packaging) and run `make requirements`. Commit the `build-requirements.txt` that results and add it to your PR.
+To update to a new major version (e.g., from 1.0.0 to 2.0.0), you will typically have to
+update `pyproject.toml`.
+
+### Production dependencies
+
+To add a production dependency, use `poetry add <name>`, and to update it,
+use `poetry update <name>`.
+
+For our production Debian packages, we use locally built wheels instead of
+downloading wheels from PyPI.
+
+This means that whenever you add or update a production dependency, you also
+have to build and commit a new wheel according to the process described in the
+[securedrop-builder](https://github.com/freedomofpress/securedrop-builder)
+repository.
+
+This will result in an updated `build-requirements.txt` file you can add to your
+PR in this repository.
 
 ## Making a Release
 

diff --git a/requirements/build-requirements.txt → build-requirements.txt b/requirements/build-requirements.txt → build-requirements.txt