23 KiB
tox-poetry-installer
A plugin for Tox that allows test environment dependencies to be installed using Poetry from its lockfile.
⚠️ This project is alpha software and should not be used in production environments ⚠️
Documentation
- Installation
- Quick Start
- Plugin Usage
- Reference
- Why would I use this? (What problems does this solve?)
- Developing
- Contributing
- Roadmap
Related resources:
Similar projects:
Installation
Add the plugin as a development dependency of a Poetry project:
~ $: poetry add tox-poetry-installer --dev
Confirm that the plugin is installed, and Tox recognizes it, by checking the Tox version:
~ $: poetry run tox --version
3.20.0 imported from .venv/lib64/python3.8/site-packages/tox/__init__.py
registered plugins:
tox-poetry-installer-0.5.0 at .venv/lib64/python3.8/site-packages/tox_poetry_installer.py
If using Pip, ensure that the plugin is installed to the same environment as Tox:
# Calling the virtualenv's 'pip' binary directly will cause pip to install to that virtualenv
~ $: /path/to/my/automation/virtualenv/bin/pip install tox
~ $: /path/to/my/automation/virtualenv/bin/pip install tox-poetry-installer
Note: While it is possible to install this plugin using Tox's
requires
configuration option, it is not recommended. Dependencies from the requires
option are
installed using the default Tox installation backend which opens up the
possibility of transient dependency problems in your automation
environment.
Quick Start
To add dependencies from the lockfile to a Tox environment, add the option locked_deps
to the environment configuration and list names of dependencies (with no version
specifier) under it:
[testenv]
description = Some very cool tests
locked_deps =
black
pylint
mypy
commands = ...
The standard deps
option can be used in parallel with the locked_deps
option to
install unlocked dependencies (dependencies not in the lockfile) alongside locked
dependencies:
[testenv]
description = Some very cool tests
locked_deps =
black
pylint
mypy
deps =
pytest == 6.1.1
pytest-cov >= 2.10, <2.11
commands = ...
Alternatively, to quickly install all Poetry dev-dependencies to a Tox environment, add the
install_dev_deps = true
option to the environment configuration.
Note: Regardless of the settings outlined above, all dependencies of the project package (the one Tox is testing) will always be installed from the lockfile.
Reference
Configuration Options
All options listed below are Tox environment options and can be applied to one or more
environment sections of the tox.ini
file. They cannot be applied to the global Tox
configuration section.
NOTE: Environment settings applied to the main testenv
environment will be
inherited by child environments (i.e. testenv:foo
) unless they are explicitly
overridden by the child environment's configuration.
locked_deps
- Type: multi-line list
- Default:
[]
Names of packages in the Poetry lockfile to install to the Tox environment. All dependencies specified here will be installed to the Tox environment using the details given by the Poetry lockfile.
require_locked_deps
- Type: boolean
- Default:
false
Whether the environment should allow unlocked dependencies (dependencies not in the
Poetry lockfile) to be installed alongside locked dependencies. If true
then an error
will be raised if the environment specifies unlocked dependencies to install and the
plugin will block any other plugins from using the
tox_testenv_install_deps
hook.
install_dev_deps
- Type: boolean
- Default:
false
Whether all Poetry dev-dependencies should be installed to the environment. If true
then all dependencies specified in the
dev-dependencies
section
of pyproject.toml
will be installed automatically.
Command-line Arguments
All arguments listed below can be passed to the tox
command to modify runtime behavior
of the plugin.
--require-poetry
Indicates that Poetry is expected to be available to Tox and, if it is not, then the Tox
run should fail. If provided and the poetry
package is not installed to the same
environment as the tox
package then Tox will fail.
NOTE: See Advanced Usage for more information.
Errors
If the plugin encounters an error while processing a Tox environment then it will mark the environment as failed and set the environment status to one of the values below:
NOTE: In addition to the reasons noted below, the plugin can encounter errors if the
Poetry lockfile is not up-to-date with pyproject.toml
. To resynchronize the
lockfile with the pyproject.toml
run one of
poetry update
or
poetry lock
Poetry Not Installed Error
- Status value:
PoetryNotInstalledError
- Cause: Indicates that the
poetry
module could not be imported from the same environment as the runningtox
module and the runtime flags specified--require-poetry
. - Resolution options:
- Install Poetry: ensure that
poetry
is installed to the same environment astox
. - Skip running the plugin: remove the
--require-poetry
flag from the runtime options.
- Install Poetry: ensure that
NOTE: See Advanced Usage for more information.
Locked Dependency Version Conflict Error
- Status value:
LockedDepVersionConflictError
- Cause: Indicates that a dependency specified in the
locked_deps
configuration option intox.ini
includes a PEP-508 version specifier (i.e.pytest >=6.0, <6.1
). - Resolution options:
- Use the dependency version from the lockfile: remove any/all version specifiers
from the item in the
locked_deps
list intox.ini
. - Do not install the dependency: remove the item from the
locked_deps
list intox.ini
.
- Use the dependency version from the lockfile: remove any/all version specifiers
from the item in the
Locked Dependency Not Found Error
- Status value:
LockedDepNotFoundError
- Cause: Indicates that a dependency specified in the
locked_deps
configuration option intox.ini
could not be found in the Poetry lockfile. - Resolution options:
- Add the dependency to the lockfile: run
poetry add <dependency>
; see the Poetry documentation for more information. - Do not install the dependency: remove the item from the
locked_deps
list intox.ini
.
- Add the dependency to the lockfile: run
Extra Not Found Error
- Status value:
ExtraNotFoundError
- Cause: Indicates that the
extras
configuration option specified a setuptools extra that is not configured by Poetry inpyproject.toml
- Resolution options:
- Configure the extra: add a section for the named extra to the
extras
section ofpyproject.toml
and optionally assign dependencies to the named extra using the--optional
dependency setting. - Remove the extra: remove the item from the
extras
list intox.ini
.
- Configure the extra: add a section for the named extra to the
Locked Dependencies Required Error
- Status value:
LockedDepsRequiredError
- Cause: Indicates that an environment with the
require_locked_deps
configuration option also specified unlocked dependencies usingdeps
option intox.ini
. - Resolution options:
- Remove all unlocked dependencies: remove the
deps
configuration option intox.ini
. - Allow unlocked dependencies: remove the
require_locked_deps
configuration option intox.ini
or explicitly setrequire_locked_deps = false
.
- Remove all unlocked dependencies: remove the
Advanced Usage
Unsupported Tox configuration options
The tox.ini
configuration options listed below have no effect on the dependencies
installed by this plugin the Poetry lockfile. Note that these settings will still be
applied by the default Tox installation backend when installing unlocked dependencies
using the built-in deps
option.
All of these options are obsoleted by using the Poetry backend. If a given package
installs successfully using Poetry (using either poetry add <package>
or
poetry install
) then the required configuration options are already properly set in
the Poetry configuration and the plugin will automatically use the same settings when
installing the package.
Reinstalling locked dependencies to a Tox environment
Updating the poetry.lock
file will not automatically cause Tox to install the updated
lockfile specifications to the Tox environments that specify them.
The Tox environment(s) with updated locked dependencies must be deleted and recreated
using the --recreate
runtime flag. Alternatively Tox can be configured to always recreate an environment by
setting the recreate
option in tox.ini
.
Installing Poetry's unsafe dependencies
There are several packages that cannot be installed from the lockfile because they are
excluded by Poetry itself. As a result these packages cannot be installed by this plugin
either as environment dependencies (passed directly to locked_deps
) or
as transient dependencies (a dependency of a locked dependency).
As of Poetry-1.1.4 there are four packages classified as "unsafe" by Poetry and excluded from the lockfile:
setuptools
distribute
pip
wheel
When one of these packages is encountered by the plugin a warning will be logged and
the package will not be installed to the environment. If the unsafe package
is required for the environment then it will need to be specified as an unlocked
dependency using the deps
configuration option in tox.ini
, ideally with an exact pinned version.
- The set of packages excluded from the Poetry lockfile can be found at
poetry.puzzle.provider.Provider.UNSAFE_DEPENDENCIES
- There is an ongoing discussion of Poetry's handling of these packages at python-poetry/poetry#1584
Installing alongside an existing Poetry installation
The plugin specifies the poetry
package as an optional dependency to support an
externally managed Poetry installation such as in a container or CI environment. This
gives greater flexibility when using Poetry arguments like --no-root
, --no-dev
, or
--remove-untracked
which can cause Poetry to uninstall itself if Poetry is specified
as a dependency of one of the packages it is managing (like this plugin).
To have the plugin use the externally-managed Poetry package simply do not install the
poetry
extra when installing this plugin:
# Installing Poetry as a dependency with the plugin
poetry add tox-poetry-installer[poetry]
# Relying on an externally managed Poetry installation
poetry add tox-poetry-installer
Note that Poetry is an optional dependency to support this use case only: Poetry must be installed to the same environment as Tox for the plugin to function. To check that the local environment has all of the required modules in scope run the below command:
python -c '\
import tox;\
import tox_poetry_installer;\
from poetry.poetry import Poetry;\
'
NOTE: To force Tox to fail if Poetry is not installed, run the tox
command with
the --require-poetry
option.
Why would I use this?
Introduction
The lockfile is a file generated by a package manager for a project that records what dependencies are installed, the versions of those dependencies, and any additional metadata that the package manager needs to recreate the local project environment. This allows developers to have confidence that a bug they are encountering that may be caused by one of their dependencies will be reproducible on another device. In addition, installing a project environment from a lockfile gives confidence that automated systems running tests or performing builds are using the same environment as a developer.
Poetry is a project dependency manager for Python projects, and so it creates and manages a lockfile so that its users can benefit from all the features described above. Tox is an automation tool that allows Python developers to run tests suites, perform builds, and automate tasks within self-contained Python virtual environments. To make these environments useful Tox supports installing dependencies in each environment. However, since these environments are created on the fly and Tox does not maintain a lockfile, there can be subtle differences between the dependencies a developer is using and the dependencies Tox uses.
This is where this plugin comes into play.
By default Tox uses Pip to install the PEP-508 compliant dependencies to a test environment. This plugin extends the default Tox dependency installation behavior to support installing dependencies using a Poetry-based installation method that makes use of the dependency metadata from Poetry's lockfile.
The Problem
Environment dependencies for a Tox environment are usually specified in PEP-508 format, like the below example:
# from tox.ini
...
[testenv]
description = Some very cool tests
deps =
foo == 1.2.3
bar >=1.3,<2.0
baz
...
Let's assume these dependencies are also useful during development, so they can be added to the Poetry environment using this command:
poetry add --dev \
foo==1.2.3 \
bar>=1.3,<2.0 \
baz
However there is a potential problem that could arise from each of these environment dependencies that would only appear in the Tox environment and not in the Poetry environment in use by a developer:
-
The
foo
dependency is pinned to a specific version: let's imagine a security vulnerability is discovered infoo
and the maintainers release version1.2.4
to fix it. A developer can runpoetry remove foo
and thenpoetry add foo^1.2
to get the new version, but the Tox environment is left unchanged. The development environment, as defined by the lockfile, is now patched against the vulnerability but the Tox environment is not. -
The
bar
dependency specifies a dynamic range: a dynamic range allows a range of versions to be installed, but the lockfile will have an exact version specified so that the Poetry environment is reproducible; this allows versions to be updated withpoetry update
rather than with theremove
andadd
commands used above. If the maintainers ofbar
release version1.6.0
then the Tox environment will install it because it is valid for the specified version range. Meanwhile the Poetry environment will continue to install the version from the lockfile untilpoetry update bar
explicitly updates it. The development environment is now has a different version ofbar
than the Tox environment. -
The
baz
dependency is unpinned: unpinned dependencies are generally a bad idea, but here it can cause real problems. Poetry will interpret an unbound dependency using the carrot requirement but Pip (via Tox) will interpret it as a wildcard. If the latest version ofbaz
is1.0.0
thenpoetry add baz
will result in a constraint ofbaz>=1.0.0,<2.0.0
while the Tox environment will have a constraint ofbaz==*
. The Tox environment can now install an incompatible version ofbaz
and any errors that causes cannot be replicated usingpoetry update
.
All of these problems can apply not only to the dependencies specified for a Tox environment, but also to the dependencies of those dependencies, those dependencies' dependencies, and so on.
The Solution
This plugin allows dependencies specified in Tox environment take their version directly from the Poetry lockfile without needing an independent version to be specified in the Tox environment configuration. The modified version of the example environment given below appears less stable than the one presented above because it does not specify any versions for its dependencies:
# from tox.ini
...
[testenv]
description = Some very cool tests
require_locked_deps = true
locked_deps =
foo
bar
baz
...
However with the tox-poetry-installer
plugin installed the require_locked_deps = true
setting means that Tox will install these dependencies from the Poetry lockfile so that the
version installed to the Tox environment exactly matches the version Poetry is managing. When
poetry update
updates the lockfile with new versions of these dependencies, Tox will
automatically install these new versions without needing any changes to the configuration.
Developing
This project requires a developer to have Poetry version 1.0+ installed on their workstation, see the installation instructions here.
# Clone the repository...
# ...over HTTPS
git clone https://github.com/enpaul/tox-poetry-installer.git
# ...over SSH
git clone git@github.com:enpaul/tox-poetry-installer.git
# Create a the local project virtual environment and install dependencies
cd tox-poetry-installer
poetry install
# Install pre-commit hooks
poetry run pre-commit install
# Run tests and static analysis
poetry run tox
Contributing
All project contributors and participants are expected to adhere to the Contributor Covenant Code of Conduct, Version 2.
The devel
branch has the latest (potentially unstable) changes. The
tagged versions correspond to the
releases on PyPI.
- To report a bug, request a feature, or ask for assistance, please open an issue on the Github repository.
- To report a security concern or code of conduct violation, please contact the project author directly at me [at] enp dot one.
- To submit an update, please fork the repository and open a pull request.
Roadmap
This project is under active development and is classified as alpha software, not yet ready for usage in production environments.
- Beta classification will be assigned when the initial feature set is finalized
- Stable classification will be assigned when the test suite covers an acceptable number of use cases
Path to Beta
- Verify that primary package dependencies (from the
.package
env) are installed correctly using the Poetry backend. - Support the
extras
Tox configuration option (#4) - Add per-environment Tox configuration option to fall back to default installation backend.
- Add warnings when an unsupported Tox configuration option is detected while using the Poetry backend. (#5)
- Add trivial tests to ensure the project metadata is consistent between the pyproject.toml and the module constants.
- Update to use poetry-core and improve robustness of the Tox and Poetry module imports to avoid potentially breaking API changes in upstream packages. (#2)
- Find and implement a way to mitigate the UNSAFE_DEPENDENCIES issue in Poetry. (#6)
- Fix logging to make proper use of Tox's logging reporter infrastructure (#3)
- Add configuration option for installing all dev-dependencies to a testenv (#14)
Path to Stable
Everything in Beta plus...
- Add tests for each feature version of Tox between 2.3 and 3.20
- Add tests for Python-3.6, 3.7, and 3.8
- Add Github Actions based CI
- Add CI for CPython, PyPy, and Conda
- Add CI for Linux and Windows