Allow omitting version pins from command line when version is given in hashed constraints file

[ncoghlan]

What's the problem this feature will solve?

Making it easier to securely bootstrap environment management tools in CI (and other) environments.

Running pip install --update -c ci-constraints.txt pdm currently emits the following error:

ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    pdm from https://files.pythonhosted.org/packages/6d/c2/045c3c5c37d9dd297631a6fdcdd54bfc73196c8e5b43b7aca954e4de363a/pdm-2.17.3-py3-none-any.whl

Describe the solution you'd like

I would prefer that the command pip install --update -c ci-constraints.txt pdm work (using the version pin given in the constraints file) without requiring duplication of that information in the installation command.

(passing -r ci-constraints.txt instead isn't desirable, since the goal here is to install just enough to let pdm sync --no-self --dev run to create the actual CI environment)

Alternative Solutions

The workaround is to duplicate the locked pdm version in the GitHub CI bootstrapping step. For my use case, I did that via a short helper script:

# Allow bootstrapping `pdm` in CI environments
# with the command `pip install --update -c ci-constraints.txt -r ci-bootstrap-requirements.txt`
ci_constraints_file="ci-constraints.txt"
pdm export --dev --no-extras -o "$ci_constraints_file"
ci_bootstrap_file="ci-bootstrap-requirements.txt"
echo "# This file is autogenerated, do not edit it manually" > "$ci_bootstrap_file"
echo > "$ci_bootstrap_file"
grep "^pdm==" "$ci_constraints_file" | cut -f 1 -d ' ' > "$ci_bootstrap_file"

Additional context

N/A

Code of Conduct

• I agree to follow the PSF Code of Conduct.

[mayeut]

somewhat related: #9243

[pradyunsg]

It's actually a duplicate of that.

#9243 (comment) is this case ~exactly.