Validation to ensure requirements_lock is pinned. (#732)

* Light validation to ensure lockfile is pinned.

* Clean up

* .

Co-authored-by: Alex Eagle <[email protected]>

Author: groodt

examples/pip_install/requirements.in

@@ -1,6 +1,3 @@
-boto3==1.14.51
-s3cmd==2.1.0
-yamllint==1.26.3
-
-# Last available for Python 3.6.
-setuptools==59.6.0
+boto3~=1.14.51
+s3cmd~=2.1.0
+yamllint~=1.26.3

examples/pip_install/requirements.txt

@@ -98,6 +98,4 @@ yamllint==1.26.3 \
 setuptools==59.6.0 \
     --hash=sha256:22c7348c6d2976a52632c67f7ab0cdf40147db7789f9aed18734643fe9cf3373 \
     --hash=sha256:4ce92f1e1f8f01233ee9952c04f6b81d1e02939d6e1b488428154974a4d0783e
-    # via
-    #   -r requirements.in
-    #   yamllint
+    # via yamllint

examples/pip_parse/BUILD

@@ -59,7 +59,7 @@ alias(
 compile_pip_requirements(
     name = "requirements",
     extra_args = ["--allow-unsafe"],
-    requirements_in = "requirements.txt",
+    requirements_in = "requirements.in",
     requirements_txt = "requirements_lock.txt",
 )
 

examples/pip_parse/requirements.in

@@ -0,0 +1,3 @@
+requests~=2.25.1
+s3cmd~=2.1.0
+yamllint~=1.26.3

examples/pip_parse/requirements.txt

@@ -66,11 +66,11 @@ pyyaml==6.0 \
 requests==2.25.1 \
     --hash=sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804 \
     --hash=sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e
-    # via -r requirements.txt
+    # via -r requirements.in
 s3cmd==2.1.0 \
     --hash=sha256:49cd23d516b17974b22b611a95ce4d93fe326feaa07320bd1d234fed68cbccfa \
     --hash=sha256:966b0a494a916fc3b4324de38f089c86c70ee90e8e1cae6d59102103a4c0cc03
-    # via -r requirements.txt
+    # via -r requirements.in
 six==1.16.0 \
     --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
     --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
@@ -81,12 +81,10 @@ urllib3==1.26.7 \
     # via requests
 yamllint==1.26.3 \
     --hash=sha256:3934dcde484374596d6b52d8db412929a169f6d9e52e20f9ade5bf3523d9b96e
-    # via -r requirements.txt
+    # via -r requirements.in
 
 # The following packages are considered to be unsafe in a requirements file:
 setuptools==59.6.0 \
     --hash=sha256:22c7348c6d2976a52632c67f7ab0cdf40147db7789f9aed18734643fe9cf3373 \
     --hash=sha256:4ce92f1e1f8f01233ee9952c04f6b81d1e02939d6e1b488428154974a4d0783e
-    # via
-    #   -r requirements.txt
-    #   yamllint
+    # via yamllint

examples/pip_parse/requirements_lock.txt

@@ -31,16 +31,30 @@ def parse_install_requirements(
     parser = RequirementsFileParser(ps, line_parser)
     install_req_and_lines: List[Tuple[InstallRequirement, str]] = []
     _, content = get_file_content(requirements_lock, ps)
+    unpinned_reqs = []
     for parsed_line, (_, line) in zip(
         parser.parse(requirements_lock, constraint=False), preprocess(content)
     ):
         if parsed_line.is_requirement:
+            install_req = constructors.install_req_from_line(parsed_line.requirement)
+            if not install_req.is_pinned:
+                unpinned_reqs.append(str(install_req))
             install_req_and_lines.append(
-                (constructors.install_req_from_line(parsed_line.requirement), line)
+                (install_req, line)
             )
 
         else:
             extra_pip_args.extend(shlex.split(line))
+
+    if len(unpinned_reqs) > 0:
+        unpinned_reqs_str = "\n".join(unpinned_reqs)
+        raise RuntimeError(f"""\
+The `requirements_lock` file must be fully pinned. See `compile_pip_requirements`.
+Alternatively, use `pip-tools` or a similar mechanism to produce a pinned lockfile.
+
+The following requirements were not pinned:
+{unpinned_reqs_str}""")
+
     return install_req_and_lines