feat: Install main dependency group only by default

[Mehdi-H]

Summary

This PR is linked to #180

• Breaking change : default behavior is now to install only main dependency group from pyproject.toml
  • Previous behavior: poetry installs every dependencies, even the ones not necessary for production, regardless of the dependency groups
• Possibility to specify additional dependency groups with env variable BP_POETRY_INSTALL_WITH, mirroring the --with option from poetry install command
• README.md is updated to describe this new behaviors
• Unit and integration tests where added

Use Cases

Check #180 discussion for more details

Checklist

• I have viewed, signed, and submitted the Contributor License Agreement.
• I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• I have added an integration test, if necessary.
• I have reviewed the styleguide for guidance on my code quality.
• I'm happy with the commit history on this PR (I have rebased/squashed as needed).

[linux-foundation-easycla]

• ❌ The email address for the commit (be22893) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please submit a support request ticket.

[robdimsdale]

Thanks @Mehdi-H - could you sign the CLA? The bot above has a link. You can either sign as an individual or as part of a corporate CLA.

[robdimsdale]

Thank you for submitting this! This generally looks good. I have a few comments/suggestions/questions inline, and once we address those I think we'll be good to merge this.

[robdimsdale]

I see we removed the spec.Parallel() - was that intentional? Did you observe the tests failing with that present?

[robdimsdale]

I don't think we need this strings.ReplaceAll twice - the second invocation should be redundant.

[robdimsdale]

Can you remove the "" and replace it with another invocation of Expect(logs).To(ContainLines(...))?

We've found that asserting on empty log lines is brittle, because sometimes extra lines get inserted due to environment issues (deprecation warnings, etc).

A second invocation of ContainLines() will continue to preserve the assertions on the line ordering.

[robdimsdale]

For this test, could you also add the environment variable: WithEnv(map[string]string{"BP_POETRY_INSTALL_WITH": "dev"}). and could you also add an assertion that the SBOM contains a dev dependency?

Similarly, could you add an assertion to the default_test to assert that the SBOM does not contain a dev dependency?

[robdimsdale]

Also, as discussed in #180 - although this is technically a breaking change, I don't think it will break any users in practice, as I don't believe users are expecting their apps to contain dependencies other than the main group. The fact that they were, and now will be removing them by default, should be invisible to users.

As such, I'm labeling this as: semver:minor

[robdimsdale]

@Mehdi-H as far as the CLA, I think part of the issue is that your commit was made from an email that isn't associated with your github account. The links in the CLA bot's comment above should help.

[radoshi]

Hi @Mehdi-H @robdimsdale ,

We would like to see this issue fixed as well. I think Mehdi has done all of the heavy lifting here but this PR seems to have fallen off.

Would y'all have any objections if I picked it up and finished it? Here is a draft PR with all the review comments addressed. It passes unit and integration tests.
#347

Thank you,
-Rushabh

[TheSuperiorStanislav]

Hi @Mehdi-H @robdimsdale any progress on this one?