Closed metavee closed 4 months ago
Does pip itself support references to env vars in requirements files? I don't recall seeing it there...
Ah, interesting. Makes sense, then. Though, personally, I'd want the constraint files to be generated without any extra options.
Is there an easy alternative?
I know pip-compile will pass through pip arguments such as the index URL, but then that shifts the credentials to the pre-commit config, which is also in version control and doesn't natively support environment variable substitutions.
I'm not sure. Does pip support ~/.netrc?
It does: https://stackoverflow.com/a/55978589/107510
machine pypi.example.com
login johndoe
password changeme
As per the above link, it also seems to be possible to use environment variables in pip.conf.
Case closed, then?
Yeah, I guess so! It seems like there is a reasonably safe way to use custom indexes without revealing secrets in the files.
I think there is still a minor footgun since it's surprising, but maybe #1876 is the easy way to address that.
Yep, that sounds like a reasonable request.
What's the problem this feature will solve?
When using private package indexes, you can supply credentials in the index URL via environment variables.
If you do this in your requirements.in file, pip-compile will output the credentials into the requirements.txt file.
This makes it difficult to use pip-tools when using a private index, since ideally you could commit requirements.txt to version control without having to make any tweaks or downstream adjustments.
Describe the solution you'd like
I would like any environment variable references to appear in the output requirements.txt file, without the actual values being substituted in.
Alternative Solutions
Additional context
This could complement https://github.com/jazzband/pip-tools/issues/1876 or make it unnecessary.
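
An added example (not part of the original issue or of pip-tools): a check, suitable for a pre-commit hook or CI step, that flags URLs in a compiled requirements.txt whose userinfo holds literal credentials while allowing unexpanded `${VAR}` references. It generalizes from the index URL to any URL in the file; the sample input and the `INDEX_USER` / `INDEX_TOKEN` variable names are constructed.

```python
import re
import sys
from urllib.parse import urlsplit

# Any URL on a line: --index-url, --extra-index-url, --find-links, "pkg @ url", VCS links.
URL = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s'\"]+")
# pip only expands the POSIX ${NAME} form in requirements files.
ENV_REF = re.compile(r"\$\{[A-Z0-9_]+\}")

# Constructed sample: line 1 is what an expanded index URL looks like in the output,
# line 2 keeps the references unexpanded (variable names are hypothetical).
SAMPLE = """\
--index-url https://johndoe:changeme@pypi.example.com/simple
--extra-index-url https://${INDEX_USER}:${INDEX_TOKEN}@pypi.example.com/simple
requests==2.31.0
    # via -r requirements.in
"""

def literal_credentials(url):
    """True if the URL's username or password contains anything besides ${VAR} references."""
    parts = urlsplit(url)
    if parts.scheme.endswith("ssh"):
        return False  # git+ssh://git@host/... carries a login name, not a secret
    # A username alone is checked too: tokens are often passed as https://<token>@host/.
    return any(f and ENV_REF.sub("", f) for f in (parts.username, parts.password))

def scan(text):
    """Return [(line_number, redacted_url)] for every URL with literal credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL.finditer(line):
            url = match.group(0)
            if literal_credentials(url):
                p = urlsplit(url)
                # Never echo the secret back into hook or CI output.
                findings.append((lineno, f"{p.scheme}://***@{p.hostname}{p.path}"))
    return findings

if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for lineno, redacted in scan(fh.read()):
                print(f"{path}:{lineno}: literal credentials in URL {redacted}")
                failed = True
    sys.exit(1 if failed else 0)
```

Run it with the compiled files as arguments; a non-zero exit blocks the commit.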