Skip to content

Commit 61c2a04

Browse files
maxrakemaxrake
committed
build: update poetry to latest version
Poetry is the workflow management tool used for this project and forms the root of all other actions taken when working with this repository. It is also used to manage dependencies and therefore should be treated very carefully, with updates to newer versions taken deliberately. This PR updates `poetry` to the latest version of v1.8.1 to account for the [changes introduced](https://python-poetry.org/history) in both v1.8.0 and v1.8.1, with these actions taken: * Bump all instances of `poetry` to the new version * Installs in workflows * pre-commit hook revision * Dockerfiles * Update the lockfile with the new version of `poetry` None of the changes or new features in these new versions required any updates to the use of `poetry` in this project. Interestingly, a change to "Upgrade the warning about an inconsistent lockfile to an error" ([#8737](python-poetry/poetry#8737)) still does not address the lockfile injection attack outlined in the ["Bad Beat Poetry"](https://blog.phylum.io/bad-beat-poetry/) blog post. Therefore, it is still recommended to check and refresh the lockfile every time before using it to install an environment: ``` poetry check --lock poetry lock --no-update --no-cache poetry install ... ``` A review of the latest `poetry-core` release ([v1.9.0](https://github.com/python-poetry/poetry-core/releases/tag/1.9.0)) did not prove that an upgrade to that version in the `phylum-ci` project is needed at this time.
1 parent 55f22c8 commit 61c2a04

File tree

8 files changed

+10
-10
lines changed

8 files changed

+10
-10
lines changed

.github/workflows/auto_updates.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ jobs:
3535
git_commit_gpgsign: true
3636

3737
- name: Install poetry
38-
run: pipx install poetry==1.7.1
38+
run: pipx install poetry==1.8.1
3939

4040
- name: Configure poetry
4141
run: poetry config virtualenvs.in-project true

.github/workflows/preview.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ jobs:
3737
fetch-depth: 0
3838

3939
- name: Install poetry
40-
run: pipx install poetry==1.7.1
40+
run: pipx install poetry==1.8.1
4141

4242
- name: Configure poetry
4343
run: |

.github/workflows/release.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,7 @@ jobs:
6565
git_tag_gpgsign: true
6666

6767
- name: Install poetry
68-
run: pipx install poetry==1.7.1
68+
run: pipx install poetry==1.8.1
6969

7070
- name: Configure poetry
7171
run: |

.github/workflows/test.yml

+3-3
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ jobs:
2727
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
2828

2929
- name: Install poetry
30-
run: pipx install poetry==1.7.1
30+
run: pipx install poetry==1.8.1
3131

3232
- name: Configure poetry
3333
run: poetry config virtualenvs.in-project true
@@ -70,7 +70,7 @@ jobs:
7070
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
7171

7272
- name: Install poetry
73-
run: pipx install poetry==1.7.1
73+
run: pipx install poetry==1.8.1
7474

7575
- name: Configure poetry
7676
run: poetry config virtualenvs.in-project true
@@ -112,7 +112,7 @@ jobs:
112112

113113
- name: Install poetry
114114
if: ${{ matrix.build == 'wheel' }}
115-
run: pipx install poetry==1.7.1
115+
run: pipx install poetry==1.8.1
116116

117117
- name: Configure poetry
118118
if: ${{ matrix.build == 'wheel' }}

.pre-commit-config.yaml

+1-1
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,7 @@ repos:
5252
# https://python-poetry.org/docs/pre-commit-hooks/#why-does-pre-commit-autoupdate-not-update-to-the-latest-version
5353
# NOTE: This `rev` should be manually updated whenever `poetry` is updated. The `rev` can be found by checking out
5454
# the `poetry` repository and running the command: `git show-ref --tags <tag_name>`
55-
rev: 7696e93872a965261ea154b5e423c44e8317fd38 # frozen: 1.7.1
55+
rev: 3de374c01c9a0c927abd419813a47746c45afb11 # frozen: 1.8.1
5656
hooks:
5757
- id: poetry-check
5858
args: [--lock]

Dockerfile

+1-1
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,7 @@ ENV PHYLUM_VENV="/opt/venv"
8484
ENV PHYLUM_VENV_PIP="${PHYLUM_VENV}/bin/pip"
8585
ENV PIP_NO_COMPILE=1
8686
ENV PIP_DISABLE_PIP_VERSION_CHECK=1
87-
ENV POETRY_VERSION="1.7.1"
87+
ENV POETRY_VERSION="1.8.1"
8888

8989
WORKDIR ${APP_PATH}
9090

Dockerfile.slim

+1-1
Original file line numberDiff line numberDiff line change
@@ -92,7 +92,7 @@ ENV PHYLUM_VENV="/opt/venv"
9292
ENV PHYLUM_VENV_PIP="${PHYLUM_VENV}/bin/pip"
9393
ENV PIP_NO_COMPILE=1
9494
ENV PIP_DISABLE_PIP_VERSION_CHECK=1
95-
ENV POETRY_VERSION="1.7.1"
95+
ENV POETRY_VERSION="1.8.1"
9696

9797
WORKDIR ${APP_PATH}
9898

poetry.lock

+1-1
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)