setup-python: pip install on latest ubuntu fails with error

Description: github actions for python 3.8 fails with the following error:

ERROR: Invalid requirement: 'Warning: The lock flag' (from line 2 of requirements.txt)

Action version:

runs-on: ubuntu-latest (python-version: [ '3.8' ])
- name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.python-version }}

Platform:

  • Ubuntu)
  • macOS
  • Windows

Runner type:

  • Hosted
  • Self-hosted

Tools version:

Repro steps:
Create a repo with Pipfile, add dependencies and lock the Pipfile. run:

python -m pip install --upgrade pip setuptools pipenv virtualenv PyYAML flake8 pylint nose coverage
pipenv --python '3.8' lock -r > requirements.txt
pip install -r requirements.txt

Expected behavior: pip should install all required packages

Actual behavior: pip fails with thee following error:

ERROR: Invalid requirement: 'Warning: The lock flag' (from line 2 of requirements.txt)

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 7
  • Comments: 15 (3 by maintainers)

Commits related to this issue

Most upvoted comments

A quick fix is sticking to the immediately previous version

python -m pip install --upgrade pip setuptools pipenv==2022.4.21 virtualenv PyYAML flake8 pylint nose coverage

Update:

You should consider using pipenv to install dependencies and not convert them to requirements.txt and install using pip (because this).

A good way of doing so can be pipenv install --system if you don’t want to change how you run commands inside your environment.

+5
singhpratyush on May 4, 2022

@ianyoung There was a deprecation warning around install -r for a number of releases, please use the newer pipenv requirements command.

+1
matteius on Aug 16, 2022

@singhpratyush

The reason I do it is because https://github.com/pypa/pipenv/issues/356. The dependency installation needs to happen as a part of building a Docker image on the CI pipeline, and it times out when using pipenv to do it.

The issue you linked to is from 2019, I think a lot has changed since then. Furthermore you are doing a pipenv lock -r to generate your requirements which goes through the same locking and resolution process that used to have timeout issues, in order to generate a requirements file. If you already have the lock file you can speed this up by simply installing from it and skipping lock in your CI altogether, which would be preferable for security reasons. Simply run pipenv sync or pipenv install --deploy to install the dependencies from your lock file using pipenv and then you can uninstall pipenv just the same as you are in that article to reduce space.

I haven’t dug deep inside how cross-compatible this process is (as you mentioned requirements.txt does not include hashes to validate against), but it has worked fine for me for the last 2-3 years.

It is less about compatibility and more about security. If you are generating your lock file on every CI run and installing requirements from that without hash checking, then you aren’t verifying that the packages you install in the CI today match the exact versions that you installed yesterday. The version numbers will match, but the package contents could have changed either because it resolved to a different pypi server (DNS poisoning or otherwise), package confusion attack against a private package in the public pypi, or general bad actor published a different version of a package that was not pinned and that gets pulled in automatically. There are many ways this could happen and that is what the hash checking helps prevent against, but it doesn’t provide protection if the CI regenerates the hashes every build, or discards them during the install phase.

+1
matteius on May 2, 2022
Read more comments on GitHub
← setup-python: no such option: --root-user-action
setup-python: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available. →