From f025c6df22d48bd735458fc478b18d2235a715a2 Mon Sep 17 00:00:00 2001
From: Pytgaen <32298455+pytgaen@users.noreply.github.com>
Date: Fri, 5 Jul 2024 19:01:38 +0200
Subject: [PATCH] feat: remove unnecesary install when use poetry or pipenv

- trivy, sbom not install packages from project if use poetry, pipenv by take advantage of lockfile
---
templates/gitlab-ci-python.yml | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 87127f0..13a2548 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -1169,7 +1169,6 @@ py-trivy:
dependencies: []
script:
- mkdir -p -m 777 reports
- - install_requirements
- |
if [[ -z "$PYTHON_TRIVY_DIST_URL" ]]
then
@@ -1190,15 +1189,17 @@ py-trivy:
mv ./trivy $python_trivy
fi
- |
- if [[ "$PYTHON_BUILD_SYSTEM" == poetry* ]]
- then
- # When using Poetry, `pip freeze` outputs a requirements.txt with @file URLs for each wheel
- # These @file URLs in requirements.txt are not supported by Trivy
- # So instead of simply using pip freeze, we use `poetry export`
- poetry export -f requirements.txt --without-hashes --output reports/requirements.txt
- else
- _pip freeze | tee ./reports/requirements.txt
- fi
+ case "$PYTHON_BUILD_SYSTEM" in
+ poetry*|pipenv*)
+ log_info "$PYTHON_BUILD_SYSTEM build system (\\e[32muse lock file\\e[0m)"
+ cp poetry.lock Pipfile.lock ./reports 2>/dev/null || true
+ ;;
+ *)
+ log_info "$PYTHON_BUILD_SYSTEM build system used (\\e[32mmust generate pinned requirements.txt\\e[0m)"
+ install_requirements
+ _pip freeze | tee ./reports/requirements.txt
+ ;;
+ esac
if [[ -f "./requirements.txt" ]]
then
sort -u ./requirements.txt | grep -v "^[ ]*$" > ./requirements.txt.sorted
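Review bot: `cp poetry.lock Pipfile.lock ./reports 2>/dev/null || true` in the new `poetry*|pipenv*)` arm turns a missing lock file into a silent pass: with two sources `cp` exits non-zero whenever one of them is absent, so the `|| true` is needed for the normal single-lockfile case, but it equally hides the case where neither file exists, and the step then logs "use lock file", copies nothing, and the Trivy invocation further down the script (outside this hunk) presumably runs without any dependency manifest — a scan that reports nothing because it was given nothing, where the old `poetry export` path would have failed. Fail loudly and copy only what exists instead: `[[ -f poetry.lock || -f Pipfile.lock ]] || { echo "no poetry.lock/Pipfile.lock found for $PYTHON_BUILD_SYSTEM" >&2; exit 1; }`, then `if [[ -f poetry.lock ]]; then cp -- poetry.lock ./reports/; fi` and `if [[ -f Pipfile.lock ]]; then cp -- Pipfile.lock ./reports/; fi`. The py-sbom hunk below has the same gap: its `poetry*|pipenv*)` arm only logs, neither checks that a lock file is present nor writes `${PYTHON_REQS_FILE}`, so the same existence check belongs there. The removed comment explaining why `pip freeze` output was unusable for Poetry (@file URLs rejected by Trivy) is the only record of that constraint; a one-line comment above the new `case` saying that poetry/pipenv projects are scanned from their lock file for that reason would keep it from being rediscovered.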
@@ -1238,10 +1239,14 @@ py-sbom:
needs: []
script:
- mkdir -p -m 777 reports
- - install_requirements
- |
case "$PYTHON_BUILD_SYSTEM" in
- setuptools*|reqfile)
+ poetry*|pipenv*)
+ log_info "$PYTHON_BUILD_SYSTEM build system (\\e[32muse lock file\\e[0m)"
+ ;;
+ *)
+ log_info "$PYTHON_BUILD_SYSTEM build system used (\\e[32mmust generate pinned requirements.txt\\e[0m)"
+ install_requirements
_pip freeze > "${PYTHON_REQS_FILE}"
;;
esac
-- GitLab