From 70d5e7bc8375b44bcc7215190b731fa842fdef33 Mon Sep 17 00:00:00 2001
From: aitbc1
Date: Fri, 27 Mar 2026 13:01:40 +0100
Subject: [PATCH] fix: use venv pip explicitly to avoid system pip restrictions
ISSUE: Still hitting externally-managed-environment despite venv
Root cause: Poetry installation using system pip instead of venv pip
Solution: Use venv/bin/pip explicitly for all package installations
Changes:
- Use venv/bin/pip install poetry instead of pip install poetry
- Use venv/bin/pip install safety bandit for security tools
- Use venv/bin/safety and venv/bin/bandit for execution
- Maintain source venv/bin/activate for environment context
- Ensure all Python commands use isolated venv environment
Updated workflows:
- audit.yml: venv pip for poetry installation
- fix.yml: venv pip for poetry + safety tools
- security-scanning.yml: venv pip for poetry + security tools
Expected results:
- Poetry installed in virtual environment without system restrictions
- Security tools installed and executed in venv
- All Python dependencies managed in isolated environment
- No more externally-managed-environment errors
This ensures complete isolation from system Python and follows PEP 668 requirements while maintaining the nuclear fix approach.
---
 .gitea/workflows/audit.yml | 13 +++----------
 .gitea/workflows/fix.yml | 14 +++++---------
 .gitea/workflows/security-scanning.yml | 16 ++++++----------
 3 files changed, 14 insertions(+), 29 deletions(-)
diff --git a/.gitea/workflows/audit.yml b/.gitea/workflows/audit.yml
index 14d8a6d9..02768bbc 100644
--- a/.gitea/workflows/audit.yml
+++ b/.gitea/workflows/audit.yml
@@ -49,14 +49,6 @@ jobs: apt-get install -y python3 python3-pip python3-venv python3-full fi - if ! command -v pip >/dev/null 2>&1; then - echo "Installing pip..." - python3 -m pip install --upgrade pip - fi - - echo "Python version: $(python3 --version)" - echo "Pip version: $(pip --version)" - echo "=== VIRTUAL ENVIRONMENT ===" # Create and use virtual environment python3 -m venv venv
@@ -67,12 +59,13 @@ jobs: echo "Pip in venv: $(pip --version)" echo "=== PYTHON DEPENDENCIES ===" + # Use venv pip explicitly to avoid system pip if command -v poetry >/dev/null 2>&1; then echo "Poetry found, installing dependencies..." poetry install else - echo "Installing poetry..." - pip install poetry + echo "Installing poetry with venv pip..." + venv/bin/pip install poetry poetry install fi echo "✅ Python dependencies installed!"
diff --git a/.gitea/workflows/fix.yml b/.gitea/workflows/fix.yml
index 15b6ebdc..b1e2c34e 100644
--- a/.gitea/workflows/fix.yml
+++ b/.gitea/workflows/fix.yml
@@ -47,11 +47,6 @@ jobs: apt-get install -y python3 python3-pip python3-venv python3-full fi - if ! command -v pip >/dev/null 2>&1; then - echo "Installing pip..." - python3 -m pip install --upgrade pip - fi - echo "=== VIRTUAL ENVIRONMENT ===" # Create and use virtual environment python3 -m venv venv
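Review bot: In the `else` branch of the audit.yml hunk `@@ -67,12 +59,13 @@`, poetry is now installed with `venv/bin/pip` but the following line still runs a bare `poetry install`, which resolves through PATH rather than the venv, so the two lines only agree if `venv/bin` happens to be on PATH; make it explicit with `venv/bin/poetry install`, and the same applies to the fix.yml and security-scanning.yml `@@ -62,20 +57,21 @@` hunks. The `Pip in venv: $(pip --version)` context line suggests the venv was activated earlier (outside the hunk), in which case bare `pip` already was the venv pip and the explicit path changes nothing — worth confirming which situation the runner is actually in rather than fixing both halves. When a system `poetry` is already present the first branch uses it instead of the venv one, and whether that `poetry install` targets this venv presumably depends on the activation state — confirm. Finally, `venv/bin/pip install poetry` fetches an unpinned release from the index on every run; for an audit workflow pin it, e.g. `venv/bin/pip install 'poetry==<pinned-version>'` (placeholder), so the toolchain used for the audit is reproducible. The enclosing `run:` script starts and ends outside this hunk.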
@@ -62,20 +57,21 @@ jobs: echo "Pip in venv: $(pip --version)" echo "=== PYTHON DEPENDENCIES ===" + # Use venv pip explicitly to avoid system pip if command -v poetry >/dev/null 2>&1; then echo "Poetry found, installing dependencies..." poetry install else - echo "Installing poetry..." - pip install poetry + echo "Installing poetry with venv pip..." + venv/bin/pip install poetry poetry install fi echo "✅ Python dependencies installed!" echo "=== SECURITY FIXES ===" # Check for common Python security issues echo "Running safety check..." - pip install safety - safety check || echo "Safety check completed with warnings" + venv/bin/pip install safety + venv/bin/safety check || echo "Safety check completed with warnings" else echo "❌ No supported project type found!" exit 1
diff --git a/.gitea/workflows/security-scanning.yml b/.gitea/workflows/security-scanning.yml
index 0eb5f721..51729c3d 100644
--- a/.gitea/workflows/security-scanning.yml
+++ b/.gitea/workflows/security-scanning.yml
@@ -47,11 +47,6 @@ jobs: apt-get install -y python3 python3-pip python3-venv python3-full fi - if ! command -v pip >/dev/null 2>&1; then - echo "Installing pip..." - python3 -m pip install --upgrade pip - fi - echo "=== VIRTUAL ENVIRONMENT ===" # Create and use virtual environment python3 -m venv venv
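Review bot: `venv/bin/safety check || echo "Safety check completed with warnings"` in the fix.yml `@@ -62,20 +57,21 @@` hunk discards safety's exit status, so a network or install failure and a real vulnerable-dependency finding both leave the step green with only a log line to tell them apart; the same `|| echo` pattern is in the security-scanning.yml hunk that follows. If failing the job is not wanted here, at least preserve the status, e.g. `rc=0; venv/bin/safety check || rc=$?; echo "safety exit status: $rc"`, so the result is visible in the run log. With no requirements file given, `safety check` presumably inspects what is installed in the venv, which now includes the just-installed poetry and safety themselves — confirm the findings relate to the project rather than the tooling. As with poetry, `venv/bin/pip install safety` is unpinned, so the subcommand's behaviour depends on whichever release the index serves that day; pin it. The enclosing `if`/`else` and `run:` script start outside this hunk.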
@@ -62,20 +57,21 @@ jobs: echo "Pip in venv: $(pip --version)" echo "=== PYTHON DEPENDENCIES ===" + # Use venv pip explicitly to avoid system pip if command -v poetry >/dev/null 2>&1; then echo "Poetry found, installing dependencies..." poetry install else - echo "Installing poetry..." - pip install poetry + echo "Installing poetry with venv pip..." + venv/bin/pip install poetry poetry install fi echo "✅ Running security scan..." - pip install safety bandit + venv/bin/pip install safety bandit echo "=== Safety check (dependencies) ===" - safety check || echo "Safety check completed" + venv/bin/safety check || echo "Safety check completed" echo "=== Bandit check (code security) ===" - bandit -r . -f json || echo "Bandit scan completed" + venv/bin/bandit -r . -f json || echo "Bandit scan completed" else echo "❌ No supported project type found!" exit 1
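Review bot: `venv/bin/bandit -r . -f json` in the security-scanning.yml `@@ -62,20 +57,21 @@` hunk recurses into the `venv/` directory created earlier in this workspace (`python3 -m venv venv`, in the preceding hunk), so bandit scans the site-packages of poetry, safety and bandit themselves, inflating both runtime and findings; exclude it with `venv/bin/bandit -r . -x ./venv -f json`. The JSON report also goes to stdout, interleaved with the echo lines, and the `|| echo` drops the exit code, so nothing stores or gates the result — `-o bandit-report.json` writes it to a file that can be kept as a run artifact. The same `|| echo` masking on `venv/bin/safety check` two lines above is raised on the fix.yml hunk. The enclosing `if`/`else` and `run:` script start outside this hunk.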