renovate
refactor(manager/pip-compile): Use python keychain module for credentials
Changes
This refactors the pip-compile manager to use the python keychain module along with the keychains.envvars module to pass credentials to pip. Doing it this way means there's a significantly lower likelihood of accidentally leaking credentials into the output file, since credentials looked up via the keychain module won't ever be written to --index-url or --extra-index-url directives in the output file.
Because of this lower likelihood of leaking credentials, I relaxed the usage of --no-emit-index-url to only automatically apply when credentials are found in index URLs in environment variables.
Context
- https://github.com/renovatebot/renovate/pull/26853#discussion_r1480524305
- https://github.com/containerbase/base/pull/2145
Documentation (please check one with an [x])
- [x] I have updated the documentation, or
- [ ] No documentation update is required
How I've tested my work (please select one)
I have verified these changes via:
- [ ] Code inspection only, or
- [ ] Newly added/modified unit tests, or
- [ ] No unit tests but ran on a real repository, or
- [x] Both unit tests + ran on a real repository
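
The rule described above (apply --no-emit-index-url only when an index URL in the environment carries credentials), together with a check that compiled output has no credentialed index directives, as an added example that is not part of this pull request or Renovate's code. The function names are hypothetical, the sample output is constructed, and the environment variables assumed are pip's `PIP_INDEX_URL` and `PIP_EXTRA_INDEX_URL`.

```typescript
// Added illustration; not Renovate's implementation. All names are hypothetical.

// Matches a URL whose authority contains userinfo (user@, token@, user:pass@).
const USERINFO = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#\s]+@/i;
// Matches the index directives pip-compile can write into its output file.
const INDEX_DIRECTIVE = /^\s*(--index-url|--extra-index-url)[=\s]+(\S+)/;

function hasCredentials(url: string): boolean {
  return USERINFO.test(url);
}

// Decide from the environment whether --no-emit-index-url is needed.
// PIP_EXTRA_INDEX_URL may hold several whitespace-separated URLs.
function needsNoEmitIndexUrl(env: Record<string, string | undefined>): boolean {
  const urls = [env['PIP_INDEX_URL'] ?? ''].concat(
    (env['PIP_EXTRA_INDEX_URL'] ?? '').split(/\s+/),
  );
  return urls.some((u) => hasCredentials(u));
}

// Return the 1-based line numbers of index directives that embed credentials.
function findLeakedIndexCredentials(output: string): number[] {
  const hits: number[] = [];
  output.split(/\r?\n/).forEach((line, i) => {
    const m = INDEX_DIRECTIVE.exec(line);
    if (m && hasCredentials(m[2])) {
      hits.push(i + 1);
    }
  });
  return hits;
}

// Constructed sample of compiled output with one credentialed directive.
const SAMPLE_OUTPUT = [
  '# constructed sample, not real pip-compile output',
  '--index-url https://pypi.org/simple',
  '--extra-index-url https://user:s3cret@pkgs.example.test/simple',
  '',
  'requests==2.31.0',
].join('\n');

console.log(findLeakedIndexCredentials(SAMPLE_OUTPUT));
```

A check like `findLeakedIndexCredentials` fits as a CI gate on committed requirements files, independent of how credentials were supplied to pip.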