solvaholic / octodns-sync

GitHub Action to test and deploy DNS settings with OctoDNS
MIT License

Install octodns from PyPI rather than a Git clone #28

Closed solvaholic closed 3 years ago

solvaholic commented 3 years ago

When exploring @barnumbirr suggestion in #22 to use PyPI, I realized I'd like to log all of octodns-sync dependencies in requirements.txt. That'd enable Dependabot and vulnerability scanning.

So I made the new requirements.txt like this:

_ver="0.9.11"
# Upstream octodns pins its own dependencies for the tagged release
_url="https://raw.githubusercontent.com/octodns/octodns/v${_ver}/requirements.txt"
# Fetch that file as ./requirements.txt, then append the octodns pin itself
curl -LO "$_url"
printf "octodns==%s\n" "$_ver" >> requirements.txt

Building the contents that way removed this requirement:

git+http://github.com/github/octodns@v0.9.11#egg=octodns

Installing with pip means the image does not need Git, so that's out - which shrank the image by about 80MB 🎉

(That's a 22% reduction, which I hope will be reflected in the runners' docker pull times.)

barnumbirr commented 3 years ago

Hey @solvaholic,

good job on this one. If I may comment on one thing: I understand what you're trying to do with Dependabot and vulnerability scanning but I believe you're making your life harder than it needs to be. octodns's requirements file is part of the upstream project, so it and its security concerns should be the responsibility of the upstream developers. Keeping track of upstream dependency changes in your own project will get quite cumbersome over time (you seem to have missed fqdn==1.5.0).

solvaholic commented 3 years ago

Hi @barnumbirr 👋 Thank you! And thanks for bringing this up:

> I understand what you're trying to do with Dependabot and vulnerability scanning but I believe you're making your life harder than what it needs to be. octodns's requirements file is part of upstream project, so it and it's security concerns should be the responsibility of upstream developers.

I'm hoping to use Dependabot to notice when octodns has a new release and to simplify the process of bumping that version in octodns-sync.

While I don't plan to address octodns's vulnerabilities directly in octodns-sync, I'd like to notice them - and to make them visible to octodns-sync users who record this project as a dependency.

> Keeping track of upstream dependency changes in your own project will get quite cumbersome over time (you seem to have missed fqdn==1.5.0).

The fqdn requirement is relatively new, from https://github.com/octodns/octodns/pull/631. I expect it'll roll up into the next release. That will make a visible test of the automation 🤞

I haven't used Dependabot or the vulnerability alerts before, so I'm prepared to change my mind once I see how they work. The tooling needs to make octodns-sync simpler to manage, definitely not harder.
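The drift problem raised in this exchange (an upstream pin such as fqdn==1.5.0 that never made it into the vendored requirements.txt) can be checked mechanically. The following is an added example, not code from this thread or from the octodns-sync project; it also reports version mismatches and unexpected extra pins, and the two requirements files are constructed samples, not octodns's real pin list.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what the upstream octodns requirements.txt might contain.
UPSTREAM_REQUIREMENTS = """\
# upstream pins (constructed sample, not the real octodns file)
PyYaml==5.4.1
dnspython==2.1.0
fqdn==1.5.0
python-dateutil==2.8.1
requests==2.25.1
"""

# Constructed sample: the copy vendored into octodns-sync, generated before
# the fqdn pin landed upstream and with one stale version.
LOCAL_REQUIREMENTS = """\
PyYaml==5.4.1
dnspython==2.1.0
python-dateutil==2.8.0
requests==2.25.1
octodns==0.9.11
"""

# Only exact '==' pins count; ranges like 'foo>=1' are reported as unpinned.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")


def parse_pins(text: str) -> Dict[str, str]:
    """Map PEP 503-normalized package name -> pinned version."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[name] = m.group(2)
    return pins


def requirements_drift(upstream: str, local: str, ignore=("octodns",)):
    """Compare the upstream pin set with the vendored copy.

    'missing' are upstream pins absent locally (the fqdn case), 'mismatched'
    are pins present in both at different versions, 'extra' are local pins the
    upstream file does not have (octodns itself is expected, so it is ignored)."""
    up, loc = parse_pins(upstream), parse_pins(local)
    missing: List[str] = sorted(n for n in up if n not in loc)
    mismatched: List[Tuple[str, str, str]] = sorted(
        (n, up[n], loc[n]) for n in up if n in loc and up[n] != loc[n])
    extra: List[str] = sorted(n for n in loc if n not in up and n not in ignore)
    return {"missing": missing, "mismatched": mismatched, "extra": extra}


if __name__ == "__main__":
    print(requirements_drift(UPSTREAM_REQUIREMENTS, LOCAL_REQUIREMENTS))
```

Run against the real files (curl the upstream one as the thread's snippet does) it gives a CI-friendly signal that the vendored pins have fallen behind a new octodns release.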

barnumbirr commented 3 years ago

> I'm hoping to use Dependabot to notice when octodns has a new release and to simplify the process of bumping that version in octodns-sync.

> While I don't plan to address octodns's vulnerabilities directly in octodns-sync, I'd like to notice them - and to make them visible to octodns-sync users who record this project as a dependency.

I see your point. Guess you're right in giving it a go, let's see how it pans out.

solvaholic commented 3 years ago

If that Dependabot config (32755cf) works out OK I'd like to add these as well:

  # Maintain dependencies for Docker images
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "friday"

  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "friday"

solvaholic commented 3 years ago

The dependency graph definitely got noisy. Dependabot seems to have only checked octodns, though, so 👍