Poetry fails in CI/CD with ERROR: In --require-hashes mode, all requirements must have their versions pinned

See original GitHub issue
  • I am on the latest Poetry version.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

Issue

My builds were working fine locally and remotely. Here is an example of the first 12 or so lines…

2020-11-28T13:25:00.7733264Z ##[group]Run nox
2020-11-28T13:25:00.7733666Z nox
2020-11-28T13:25:00.7772013Z shell: /bin/bash -e {0}
2020-11-28T13:25:00.7772325Z env:
2020-11-28T13:25:00.7772772Z   pythonLocation: /opt/hostedtoolcache/Python/3.8.6/x64
2020-11-28T13:25:00.7773219Z ##[endgroup]
2020-11-28T13:25:00.8815564Z nox > Running session lint-3.9
2020-11-28T13:25:00.8867576Z nox > Session lint-3.9 skipped: Python interpreter 3.9 not found.
2020-11-28T13:25:00.8869448Z nox > Running session lint-3.8
2020-11-28T13:25:00.8870400Z nox > Creating virtual environment (virtualenv) using python3.8 in .nox/lint-3-8
2020-11-28T13:25:01.6319387Z nox > poetry export --dev --format=requirements.txt --output=/tmp/tmp2554a7nu
2020-11-28T13:25:04.4828117Z nox > pip install --constraint=/tmp/tmp2554a7nu flake8 flake8-black flake8-bugbear flake8-import-order
2020-11-28T13:25:11.0176722Z nox > flake8 src tests noxfile.py

I added a package with poetry add cfn-flip

My builds still work locally but fail in GitHub Actions:

2020-12-10T12:32:26.6270480Z ##[group]Run nox
2020-12-10T12:32:26.6270955Z nox
2020-12-10T12:32:26.6313567Z shell: /bin/bash -e {0}
2020-12-10T12:32:26.6313932Z env:
2020-12-10T12:32:26.6314480Z   pythonLocation: /opt/hostedtoolcache/Python/3.8.6/x64
2020-12-10T12:32:26.6315036Z ##[endgroup]
2020-12-10T12:32:26.7301178Z nox > Running session lint-3.9
2020-12-10T12:32:26.7352891Z nox > Session lint-3.9 skipped: Python interpreter 3.9 not found.
2020-12-10T12:32:26.7354096Z nox > Running session lint-3.8
2020-12-10T12:32:26.7357585Z nox > Creating virtual environment (virtualenv) using python3.8 in .nox/lint-3-8
2020-12-10T12:32:27.5320470Z nox > poetry export --dev --format=requirements.txt --output=/tmp/tmp2k2e6e06
2020-12-10T12:32:30.7810961Z nox > pip install --constraint=/tmp/tmp2k2e6e06 flake8 flake8-black flake8-bugbear flake8-import-order
2020-12-10T12:32:32.4291735Z nox > Command pip install --constraint=/tmp/tmp2k2e6e06 flake8 flake8-black flake8-bugbear flake8-import-order failed with exit code 1:
2020-12-10T12:32:32.4293643Z Collecting flake8
2020-12-10T12:32:32.4300409Z ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
2020-12-10T12:32:32.4303405Z     flake8 from https://files.pythonhosted.org/packages/d4/ca/3971802ee6251da1abead1a22831d7f4743781e2f743bd266bdd2f46c19b/flake8-3.8.4-py2.py3-none-any.whl#sha256=749dbbd6bfd0cf1318af27bf97a14e28e5ff548ef8e5b1566ccfb25a11e7c839

Since my builds still worked locally I thought it might be an issue with PyPI, so I waited a day, but they are still failing. Up above I have linked my PR so you should be able to see the changes to the toml and the lock file. I’m very unsure what to try next except maybe deleting the lock file and having poetry recreate it again.

Locally and in the CI/CD I’m running the same Nox and Poetry versions. I think this might be related to python-poetry/poetry-plugin-export#38 and possibly python-poetry/poetry-plugin-export#145 since both of those are about poetry export.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 3
  • Comments: 31 (8 by maintainers)

Top GitHub Comments

42 reactions
shadycuz commented, Dec 14, 2020

I feel good enough about closing this now. The issue is with the change to how pip handles the constraints flag. pip maintainers have confirmed it’s not a bug but a design choice based on the new pip resolver.

Workarounds:

  • For Hypermodern Python users, pass this flag in your poetry export command: --without-hashes
  • Stop passing in packages with pinned hashes using the pip --constraint flag.
  • If you are using pip directly, then pin it to a version before 20.3: python -m pip install --upgrade pip==20.2.4
  • If you are using something else like virtualenv that depends on pip, make sure you pin it: python -m pip install --upgrade virtualenv==20.0.26. Or use an env var: VIRTUALENV_PIP=20.2.4

15 reactions
jaron-l commented, Nov 18, 2021

I feel good enough about closing this now. The issue is with the change to how pip handles the constraints flag. pip maintainers have confirmed it’s not a bug but a design choice based on the new pip resolver.

Workarounds:

  • For Hypermodern python users pass this flag in your poetry export command --without-hashes,

Perhaps a better solution to disabling hashes would be to disable the pip resolver. It doesn’t make sense to me that pip’s resolver would struggle with this when poetry has already done the dependency resolution. That’s what is exported to the requirements file. To do this in CI, do something like the following:

pip install --no-deps -r requirements.txt

This can be useful in some cases where you are using a combination of internal packages and PyPI packages and want to maintain the hashes for security reasons.
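
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original issue and is not pip's or Poetry's own code. It is a simplified model of the rule in the error message: once any requirement carries a --hash, every requirement must be pinned with == and hashed, so it lists the entries that would be refused. The cfn-flip version, the placeholder digest and the function names are assumptions.

```python
import re

# Constructed sample shaped like `poetry export --format=requirements.txt` output.
# The flake8 digest is the one in the CI log above; the cfn-flip version and
# digest are placeholders, not real values.
PLACEHOLDER = "sha256:" + "0" * 64
EXPORT_WITH_HASHES = (
    'cfn-flip==1.2.3; python_version >= "3.6" \\\n'
    f"    --hash={PLACEHOLDER}\n"
    "flake8==3.8.4 \\\n"
    "    --hash=sha256:749dbbd6bfd0cf1318af27bf97a14e28e5ff548ef8e5b1566ccfb25a11e7c839\n"
)
EXPORT_WITHOUT_HASHES = 'cfn-flip==1.2.3; python_version >= "3.6"\nflake8==3.8.4\n'

# Name, optional extras, then an exact == pin with no wildcard.
PINNED = re.compile(r"^[A-Za-z0-9._-]+(\[[^\]]*\])?\s*==\s*[^\s;,*]+$")


def parse_requirements(text):
    """Return (spec, hashes) pairs, one per logical line (continuations joined)."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split(" #")[0].strip()
        if not line or line[0] in "#-":      # comments and option lines
            continue
        hashes = re.findall(r"--hash[= ](\S+)", line)
        spec = re.sub(r"\s*--hash[= ]\S+", "", line).split(";")[0].strip()
        entries.append((spec, hashes))
    return entries


def hash_mode_problems(file_text, cli_requirements=()):
    """List what hash-checking mode would refuse (simplified model)."""
    entries = parse_requirements(file_text)
    if not any(hashes for _, hashes in entries):
        return []                            # no hash anywhere: mode stays off
    problems = [f"{spec}: not pinned with ==" if not PINNED.match(spec)
                else f"{spec}: no --hash"
                for spec, hashes in entries
                if not PINNED.match(spec) or not hashes]
    # Names given on the command line, as in the failing nox session.
    problems += [f"{req}: not pinned with ==" for req in cli_requirements
                 if not PINNED.match(req)]
    return problems


if __name__ == "__main__":
    lint_tools = ["flake8", "flake8-black", "flake8-bugbear", "flake8-import-order"]
    print(hash_mode_problems(EXPORT_WITH_HASHES, lint_tools))
    print(hash_mode_problems(EXPORT_WITHOUT_HASHES, lint_tools))
```

An empty result for the export file on its own means it is fully pinned and hashed, which is the precondition for keeping hashes with pip install --no-deps -r requirements.txt.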
