inlude hash for package when generating requirements.txt

[brutus]

I have a Python package (with pyproject.toml) that is released to an internal package registry.

I use pip-compile to pin its dependencies like this:

pip-compile \
  --quiet \
  --upgrade \
  --resolver backtracking \
  --allow-unsafe \
  --no-header \
  --strip-extras \
  --annotation-style line \
  pyproject.toml

And an Ansible task to deploy it to some hosts:

- name: install Python package
  pip:
    executable: pip3
    name: mypkg
    version: "0.1.2"
    extra_args: --user --no-cache
  environment:
    PIP_CONSTRAINT: /home/user/requirements.txt

Note: the requirements.txt and a pip.conf for the internal registry were copied beforehand. Seems to work okay so far.

When I add --generate-hashes to the pip-compile call, it bails on me:

Hashes are required in --require-hashes mode, but they are missing from some requirements.

The missing hashes are those for mypkg.

Is there a (supported) way to include mypkg in the generated requirements.txt? Or is this the wrong way to handle it?

[chrysle]

Thanks for reporting!

Is there a (supported) way to include mypkg in the generated requirements.txt?

If so I don't know it. The --require-hashes option actually comes from pip. I think it's reasonable to operate in that mode when explicitly generating hashes, since they're normally present. However we might add an option to handle additional dependencies in such cases?

[webknjaz]

It's a pip bug: pypa/pip#9243.

[webknjaz]

Also, it wouldn't make sense to generate the hash for an editable copy of mypkg since it'll change on the next build and will never match. You really need to package it for deployment and hash that.