From aed22b7d8b53cb705ee0aac92d0da6cc431f79c1 Mon Sep 17 00:00:00 2001
From: aitbc1
Date: Fri, 27 Mar 2026 13:17:29 +0100
Subject: [PATCH] fix: use pipx for poetry + venv for project dependencies
SOLUTION: Hybrid approach using pipx + virtual environment
Strategy:
- pipx: Install poetry (manages its own virtual environment)
- venv: Isolate project dependencies and security tools
- This avoids PEP 668 restrictions completely
Changes:
- Install pipx system-wide for poetry management
- Use 'pipx install poetry' (bypasses system pip restrictions)
- Create separate venv for project dependencies
- Use poetry (via pipx) to install project dependencies
- Use venv/bin/pip for security tools (safety, bandit)
- Maintain complete isolation for both environments
Benefits:
- Poetry: Self-contained virtual environment via pipx
- Project: Isolated dependencies in project venv
- Security: Tools in project venv for consistency
- No conflicts: Complete separation of concerns
- PEP 668 compliant: No system Python modifications
Updated workflows:
- audit.yml: pipx poetry + project venv
- fix.yml: pipx poetry + project venv + safety
- security-scanning.yml: pipx poetry + project venv + security tools
Expected results:
- Poetry installed via pipx without system restrictions
- Project dependencies installed via poetry in project venv
- Security tools working in isolated project venv
- Complete compliance with PEP 668 requirements
- All workflows should complete successfully
---
.gitea/workflows/audit.yml | 37 +++++++++++++++++---------
.gitea/workflows/fix.yml | 37 +++++++++++++++++---------
.gitea/workflows/security-scanning.yml | 37 +++++++++++++++++---------
3 files changed, 72 insertions(+), 39 deletions(-)
diff --git a/.gitea/workflows/audit.yml b/.gitea/workflows/audit.yml
index 02768bbc..53b848da 100644
--- a/.gitea/workflows/audit.yml
+++ b/.gitea/workflows/audit.yml
@@ -46,28 +46,39 @@ jobs:
 if ! command -v python3 >/dev/null 2>&1; then
 echo "Installing Python 3..."
 apt-get update
- apt-get install -y python3 python3-pip python3-venv python3-full
+ apt-get install -y python3 python3-pip python3-venv python3-full pipx
 fi
- echo "=== VIRTUAL ENVIRONMENT ==="
- # Create and use virtual environment
+ # Install pipx if not available (for poetry)
+ if ! command -v pipx >/dev/null 2>&1; then
+ echo "Installing pipx..."
+ python3 -m pip install --user pipx
+ python3 -m pipx ensurepath
+ fi
+
+ echo "=== POETRY INSTALLATION (via pipx) ==="
+ # Use pipx to install poetry (manages its own venv)
+ if ! command -v poetry >/dev/null 2>&1; then
+ echo "Installing poetry with pipx..."
+ pipx install poetry
+ else
+ echo "Poetry already available"
+ fi
+
+ echo "=== PROJECT VIRTUAL ENVIRONMENT ==="
+ # Create venv for project dependencies
 python3 -m venv venv
 source venv/bin/activate
- echo "Virtual environment activated"
+ echo "Project venv activated"
 echo "Python in venv: $(python --version)"
 echo "Pip in venv: $(pip --version)"
 echo "=== PYTHON DEPENDENCIES ==="
- # Use venv pip explicitly to avoid system pip
- if command -v poetry >/dev/null 2>&1; then
- echo "Poetry found, installing dependencies..."
- poetry install
- else
- echo "Installing poetry with venv pip..."
- venv/bin/pip install poetry
- poetry install
- fi
+ # Use poetry (installed via pipx) to install project dependencies
+ echo "Installing project dependencies with poetry..."
+ poetry install
+ echo "✅ Python dependencies installed!"
 else
 echo "❌ No supported project type found!"
diff --git a/.gitea/workflows/fix.yml b/.gitea/workflows/fix.yml
index b1e2c34e..b69a5213 100644
--- a/.gitea/workflows/fix.yml
+++ b/.gitea/workflows/fix.yml
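Review bot: `python3 -m pipx ensurepath` only appends pipx's bin directory to shell startup files, so the PATH of this same `run:` step is unchanged and the `command -v poetry` check and the later `poetry install` can fail with "command not found" whenever `~/.local/bin` is not already on the runner's PATH; add `export PATH="$HOME/.local/bin:$PATH"` directly after the `ensurepath` line so the shim is visible for the rest of the step. The fallback `python3 -m pip install --user pipx` still targets the system interpreter, and on a Debian/Ubuntu image whose Python is externally managed it is refused by the very PEP 668 guard this commit is working around, so `apt-get install -y pipx`, which the first branch already adds, is the consistent fallback. `pipx install poetry` fetches whatever Poetry release is current on each run, so pin it (`pipx install "poetry==<PINNED_VERSION>"`) to keep the CI toolchain reproducible and stop an unexpected upstream release from changing what `poetry install` resolves. The identical block is added in the fix.yml and security-scanning.yml hunks, and the `run:` script enclosing it begins above this hunk.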
@@ -44,28 +44,39 @@ jobs:
 if ! command -v python3 >/dev/null 2>&1; then
 echo "Installing Python 3..."
 apt-get update
- apt-get install -y python3 python3-pip python3-venv python3-full
+ apt-get install -y python3 python3-pip python3-venv python3-full pipx
 fi
- echo "=== VIRTUAL ENVIRONMENT ==="
- # Create and use virtual environment
+ # Install pipx if not available (for poetry)
+ if ! command -v pipx >/dev/null 2>&1; then
+ echo "Installing pipx..."
+ python3 -m pip install --user pipx
+ python3 -m pipx ensurepath
+ fi
+
+ echo "=== POETRY INSTALLATION (via pipx) ==="
+ # Use pipx to install poetry (manages its own venv)
+ if ! command -v poetry >/dev/null 2>&1; then
+ echo "Installing poetry with pipx..."
+ pipx install poetry
+ else
+ echo "Poetry already available"
+ fi
+
+ echo "=== PROJECT VIRTUAL ENVIRONMENT ==="
+ # Create venv for project dependencies
 python3 -m venv venv
 source venv/bin/activate
- echo "Virtual environment activated"
+ echo "Project venv activated"
 echo "Python in venv: $(python --version)"
 echo "Pip in venv: $(pip --version)"
 echo "=== PYTHON DEPENDENCIES ==="
- # Use venv pip explicitly to avoid system pip
- if command -v poetry >/dev/null 2>&1; then
- echo "Poetry found, installing dependencies..."
- poetry install
- else
- echo "Installing poetry with venv pip..."
- venv/bin/pip install poetry
- poetry install
- fi
+ # Use poetry (installed via pipx) to install project dependencies
+ echo "Installing project dependencies with poetry..."
+ poetry install
+ echo "✅ Python dependencies installed!"
 echo "=== SECURITY FIXES ==="
 # Check for common Python security issues
diff --git a/.gitea/workflows/security-scanning.yml b/.gitea/workflows/security-scanning.yml
index 51729c3d..257b3200 100644
--- a/.gitea/workflows/security-scanning.yml
+++ b/.gitea/workflows/security-scanning.yml
@@ -44,28 +44,39 @@ jobs:
 if ! command -v python3 >/dev/null 2>&1; then
 echo "Installing Python 3..."
 apt-get update
- apt-get install -y python3 python3-pip python3-venv python3-full
+ apt-get install -y python3 python3-pip python3-venv python3-full pipx
 fi
- echo "=== VIRTUAL ENVIRONMENT ==="
- # Create and use virtual environment
+ # Install pipx if not available (for poetry)
+ if ! command -v pipx >/dev/null 2>&1; then
+ echo "Installing pipx..."
+ python3 -m pip install --user pipx
+ python3 -m pipx ensurepath
+ fi
+
+ echo "=== POETRY INSTALLATION (via pipx) ==="
+ # Use pipx to install poetry (manages its own venv)
+ if ! command -v poetry >/dev/null 2>&1; then
+ echo "Installing poetry with pipx..."
+ pipx install poetry
+ else
+ echo "Poetry already available"
+ fi
+
+ echo "=== PROJECT VIRTUAL ENVIRONMENT ==="
+ # Create venv for project dependencies
 python3 -m venv venv
 source venv/bin/activate
- echo "Virtual environment activated"
+ echo "Project venv activated"
 echo "Python in venv: $(python --version)"
 echo "Pip in venv: $(pip --version)"
 echo "=== PYTHON DEPENDENCIES ==="
- # Use venv pip explicitly to avoid system pip
- if command -v poetry >/dev/null 2>&1; then
- echo "Poetry found, installing dependencies..."
- poetry install
- else
- echo "Installing poetry with venv pip..."
- venv/bin/pip install poetry
- poetry install
- fi
+ # Use poetry (installed via pipx) to install project dependencies
+ echo "Installing project dependencies with poetry..."
+ poetry install
+ echo "✅ Running security scan..."
 venv/bin/pip install safety bandit
 echo "=== Safety check (dependencies) ==="