PREQ-4933 Use plain poetry install to respect lock file#241
Replace `jf poetry install` with `poetry install` in build-poetry. The JFrog CLI command internally runs `poetry update` which ignores the lock file and re-resolves all dependencies, breaking builds when pyproject.toml constraints reference versions absent from the CI indexes (e.g. syrupy 5.*). `jf poetry-config` is kept to configure the Repox registry; only the install step changes.
Pull request overview
Updates the build-poetry GitHub Action’s install step to use plain poetry install (while keeping jf poetry-config) so dependency installation respects poetry.lock and avoids unintended re-resolution caused by jf poetry install.
Changes:
- Replace `jf poetry install` with `poetry install` in the install function used by the action.
- Update shellspec expectations to match the new install command/output.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| build-poetry/build.sh | Switch dependency installation to poetry install after JFrog repo configuration to ensure lockfile is honored. |
| spec/build-poetry_spec.sh | Adjust shellspec assertions to expect poetry install and updated test description text. |
jf poetry-config adds the Repox source to pyproject.toml but does not configure Poetry's own authentication — that is handled internally by jf poetry install. Since we now use plain poetry install, we need to explicitly set POETRY_HTTP_BASIC_REPOX credentials.

- Retrieve ARTIFACTORY_USERNAME from Vault alongside the access token
- Export POETRY_HTTP_BASIC_REPOX_USERNAME and _PASSWORD before install
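The install step the comment above describes, written out as an added example (this is not the repository's `build-poetry/build.sh`): keep `jf poetry-config` for the Repox source, export the `POETRY_HTTP_BASIC_<SOURCE>_*` variables Poetry reads for a source of that name, and run plain `poetry install` so `poetry.lock` is honoured. Two defender-side checks are added around it: the build fails fast when the credentials are missing, and it refuses to run when there is no lock file or the lock file has drifted from `pyproject.toml`, instead of quietly re-resolving. The helper names `require_env`, `check_lock_file`, `poetry_cred_prefix`, the `REPOX_SOURCE_NAME` / `ARTIFACTORY_PYPI_REPO` variables and the `jf poetry-config` flags are assumptions of this example; the Poetry variable-naming rule (source name upper-cased, hyphens to underscores) is Poetry's own.

```shell
#!/usr/bin/env bash
# Added example, not the repository's build-poetry/build.sh. Helper names,
# REPOX_SOURCE_NAME, ARTIFACTORY_PYPI_REPO and the jf poetry-config flags are
# assumptions of this example.
set -eu

# Poetry names the credential variables after the source in pyproject.toml:
# upper-case, hyphens replaced by underscores (source "repox" -> ..._REPOX_*).
poetry_cred_prefix() {
  printf 'POETRY_HTTP_BASIC_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/-/_/g')"
}

# Fail fast on missing variables instead of letting Poetry fall back to an
# interactive prompt or an unauthenticated 401 in CI.
require_env() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing required env var: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# A lock file must be present; without it `poetry install` resolves from
# scratch, which is the non-reproducible behaviour this change removes.
check_lock_file() {
  dir="${1:-.}"
  [ -f "$dir/pyproject.toml" ] || { echo "no pyproject.toml in $dir" >&2; return 1; }
  [ -f "$dir/poetry.lock" ] || { echo "no poetry.lock in $dir; commit it so installs are reproducible" >&2; return 1; }
}

jfrog_poetry_install() {
  source_name="${REPOX_SOURCE_NAME:-repox}"
  prefix="$(poetry_cred_prefix "$source_name")"

  require_env ARTIFACTORY_USERNAME ARTIFACTORY_ACCESS_TOKEN
  check_lock_file .

  # Register the Repox source in pyproject.toml (assumed flags). This step does
  # not set up Poetry's own authentication.
  jf poetry-config --server-id-resolve=repox --repo-resolve="${ARTIFACTORY_PYPI_REPO:-pypi}"

  # Credentials go only into the environment of this step; never echo them.
  export "${prefix}_USERNAME=$ARTIFACTORY_USERNAME"
  export "${prefix}_PASSWORD=$ARTIFACTORY_ACCESS_TOKEN"

  # Refuse a lock file that drifted from pyproject.toml (Poetry >= 1.6)
  # rather than letting the install silently pick whatever the index serves.
  poetry check --lock
  # Plain install: resolves nothing, installs exactly what poetry.lock pins.
  poetry install
}
```

`poetry check --lock` is the part worth keeping even if the rest is adapted: it turns a stale lock file into a loud failure in CI, which is exactly the failure mode (`pyproject.toml` constraints that no longer match what the configured index can serve) the PR description traces the broken builds to.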
4c8d8d2 to 8b0c3c0
SonarQube reviewer guide
Summary
- Replaces `jf poetry install` with plain `poetry install` in the `build-poetry` action
- `jf poetry install` internally runs `poetry update`, which ignores the lock file and re-resolves all dependencies — breaking builds when `pyproject.toml` constraints reference versions absent from the configured Repox indexes (e.g. `syrupy 5.*`)
- `jf poetry-config` is kept to configure the Repox registry; only the install step changes
- Retrieves `ARTIFACTORY_USERNAME` from Vault and exports `POETRY_HTTP_BASIC_REPOX_USERNAME`/`_PASSWORD` so that plain `poetry install` can authenticate to Repox (credentials were previously handled internally by `jf poetry install`)

Context
- `jf poetry install` runs `poetry update` after configuring the repo

Changes
- `build-poetry/build.sh`
  - `jfrog_poetry_install()`: replace `jf poetry install --build-name --build-number` with `poetry install`
  - Export `POETRY_HTTP_BASIC_REPOX_USERNAME` and `POETRY_HTTP_BASIC_REPOX_PASSWORD` before install so Poetry can authenticate to the Repox source configured by `jf poetry-config`
  - Add `ARTIFACTORY_USERNAME` to required env vars
- `build-poetry/action.yml`
  - Retrieve `ARTIFACTORY_USERNAME` from the same Vault path as `ARTIFACTORY_ACCESS_TOKEN`
  - Pass `ARTIFACTORY_USERNAME` as env var to the build step
- `spec/build-poetry_spec.sh`
  - Add `ARTIFACTORY_USERNAME` to test env
  - Expect `poetry install` instead of `jf poetry install`

Trade-off
- Dependency-level build info tracking in JFrog is lost (`jf poetry install --build-name --build-number`). The artifact upload, `build-collect-env`, and `build-publish` in the publish step still capture what matters for promotion and traceability.

Test plan