What is the idea?
https://github.com/conda/conda-lock/pull/323 added support for stripping credentials from PyPI packages in --kind explicit lockfiles. I propose adding support for --kind lock lockfiles too, since these are the default.
Why is this needed?
Currently running conda-lock lock --strip-auth when private PyPI repositories are configured results in credentials being written directly to the lockfile, meaning it cannot be committed to source control.
Currently this blocks users who have the following constraints:
Building for multiple platforms (unified lockfile)
Depend on packages in private PyPI repositories (auth)
What should happen?
A basic solution would be to allow stripping auth in --kind lock lockfiles. E.g. conda-lock lock --strip-auth --kind lock should strip credentials from private PyPI repository URLs.
However, I think a more flexible solution would be to support transparent environment variable references in configured private PyPI repositories. In this solution the workflow would be something like:
Configure PyPI repositories with environment variable references (requires an additional configuration layer in conda-lock, see #460)
Environment variables are resolved during conda-lock lock step for the resolver
URLs written to the lockfile contain un-resolved environment variable references, e.g.
conda-lock install supports dereferencing these environment variables at install time.
I'm not certain about the complexities involved in doing this, but if there was support for the general idea I would happily attempt an implementation.
Additional Context
Note also https://github.com/conda/conda-lock/issues/460 which proposes improvements to how auth is configured for private PyPI repositories.
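
The environment-variable workflow proposed in this issue, sketched as an added example (not conda-lock's code and not part of the original issue). The `${NAME}` reference syntax, the function names, and the sample host, variables and credentials are all assumptions made up for illustration.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Assumed reference syntax ${NAME}; the issue does not specify one.
_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def expand(url, env):
    """Install time: dereference ${NAME}; fail closed if a variable is unset."""
    def sub(match):
        value = env.get(match.group(1))
        if not value:
            raise KeyError(f"environment variable {match.group(1)} is not set")
        return quote(value, safe="")  # secrets may contain '@', ':' or '/'
    return _REF.sub(sub, url)

def strip_auth(url):
    """Drop any user:password@ userinfo from a URL."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=parts.netloc.rpartition("@")[2]))

def lockfile_url(resolved_pkg_url, repo_template):
    """Lock time: swap resolved credentials back for the template's references."""
    tmpl, pkg = urlsplit(repo_template), urlsplit(resolved_pkg_url)
    userinfo, _, tmpl_host = tmpl.netloc.rpartition("@")
    pkg_host = pkg.netloc.rpartition("@")[2]
    if (pkg.scheme, pkg_host.lower()) != (tmpl.scheme, tmpl_host.lower()):
        return strip_auth(resolved_pkg_url)  # different origin: no references
    netloc = f"{userinfo}@{pkg_host}" if userinfo else pkg_host
    return urlunsplit(pkg._replace(netloc=netloc))

def has_literal_credentials(url):
    """Pre-commit check: userinfo left over once ${NAME} references are removed."""
    userinfo = urlsplit(url).netloc.rpartition("@")[0]
    return bool(_REF.sub("", userinfo).strip(":"))

# Constructed sample values, not taken from any real repository.
TEMPLATE = "https://${PYPI_USER}:${PYPI_TOKEN}@pypi.example.com/simple"
ENV = {"PYPI_USER": "ci-bot", "PYPI_TOKEN": "p@ss/word"}
RESOLVED = "https://ci-bot:p%40ss%2Fword@pypi.example.com/packages/acme-1.0.tar.gz"

if __name__ == "__main__":
    locked = lockfile_url(RESOLVED, TEMPLATE)
    print(locked)                           # what would be written to the lockfile
    print(has_literal_credentials(locked))
    print(expand(locked, ENV) == RESOLVED)
```

The origin comparison in `lockfile_url` keeps credential references off URLs that point at a different host than the configured repository, so an install never sends the secret to a third-party file server.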