From d186ce03b488d3ef08a1c20192675a2288f2f775 Mon Sep 17 00:00:00 2001
From: aitbc1
Date: Fri, 27 Mar 2026 12:58:42 +0100
Subject: [PATCH] fix: use virtual environment to resolve externally-managed-environment PROGRESS: Python project detected, but hitting PEP 668 restriction Issue: 'externally-managed-environment' - Debian protects system Python Root cause: Modern Python installations prevent system-wide pip installs Solution: Use virtual environment (proper Python best practice) Changes: - Add python3-full to package installation - Create virtual environment: python3 -m venv venv - Activate venv: source venv/bin/activate - Install poetry and dependencies inside venv - Run security tools in isolated environment Updated workflows: - audit.yml: Virtual environment + poetry install + audit - fix.yml: Virtual environment + poetry install + safety fixes - security-scanning.yml: Virtual environment + poetry install + security scans Expected results: - Virtual environment created and activated - Poetry installed without system restrictions - Dependencies installed in isolated environment - Security tools (safety, bandit) working properly - All workflows should complete successfully This follows Python best practices and resolves PEP 668 restrictions while maintaining the nuclear fix for workspace control.
---
 .gitea/workflows/audit.yml | 11 ++++++++++-
 .gitea/workflows/fix.yml | 11 ++++++++++-
 .gitea/workflows/security-scanning.yml | 11 ++++++++++-
 3 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/audit.yml b/.gitea/workflows/audit.yml
index 820bd9d9..14d8a6d9 100644
--- a/.gitea/workflows/audit.yml
+++ b/.gitea/workflows/audit.yml
@@ -46,7 +46,7 @@ jobs:
 if ! command -v python3 >/dev/null 2>&1; then
 echo "Installing Python 3..."
 apt-get update
- apt-get install -y python3 python3-pip python3-venv
+ apt-get install -y python3 python3-pip python3-venv python3-full
 fi
 if ! command -v pip >/dev/null 2>&1; then
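Review bot: The added `python3-full` is only installed when `python3` is missing, because the `apt-get install` line in the audit.yml hunk at `@@ -46,7 +46,7 @@` sits inside `if ! command -v python3 ...; then`; on a runner image that already ships `python3` without the venv/ensurepip modules, the later `python3 -m venv venv` would still fail. Test for the capability the change actually needs, e.g. `python3 -c 'import venv, ensurepip' 2>/dev/null || { apt-get update; apt-get install -y python3-venv; }`. On Debian `python3-full` should already depend on `python3-venv`, so listing both looks redundant. The same guard appears in the matching hunks of fix.yml and security-scanning.yml, and the rest of the step lies outside this hunk.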
@@ -57,6 +57,15 @@ jobs:
 echo "Python version: $(python3 --version)"
 echo "Pip version: $(pip --version)"
+ echo "=== VIRTUAL ENVIRONMENT ==="
+ # Create and use virtual environment
+ python3 -m venv venv
+ source venv/bin/activate
+
+ echo "Virtual environment activated"
+ echo "Python in venv: $(python --version)"
+ echo "Pip in venv: $(pip --version)"
+
 echo "=== PYTHON DEPENDENCIES ==="
 if command -v poetry >/dev/null 2>&1; then
 echo "Poetry found, installing dependencies..."
diff --git a/.gitea/workflows/fix.yml b/.gitea/workflows/fix.yml
index 9d8cee41..15b6ebdc 100644
--- a/.gitea/workflows/fix.yml
+++ b/.gitea/workflows/fix.yml
@@ -44,7 +44,7 @@ jobs:
 if ! command -v python3 >/dev/null 2>&1; then
 echo "Installing Python 3..."
 apt-get update
- apt-get install -y python3 python3-pip python3-venv
+ apt-get install -y python3 python3-pip python3-venv python3-full
 fi
 if ! command -v pip >/dev/null 2>&1; then
@@ -52,6 +52,15 @@ jobs:
 python3 -m pip install --upgrade pip
 fi
+ echo "=== VIRTUAL ENVIRONMENT ==="
+ # Create and use virtual environment
+ python3 -m venv venv
+ source venv/bin/activate
+
+ echo "Virtual environment activated"
+ echo "Python in venv: $(python --version)"
+ echo "Pip in venv: $(pip --version)"
+
 echo "=== PYTHON DEPENDENCIES ==="
 if command -v poetry >/dev/null 2>&1; then
 echo "Poetry found, installing dependencies..."
diff --git a/.gitea/workflows/security-scanning.yml b/.gitea/workflows/security-scanning.yml
index d53b45ec..0eb5f721 100644
--- a/.gitea/workflows/security-scanning.yml
+++ b/.gitea/workflows/security-scanning.yml
@@ -44,7 +44,7 @@ jobs:
 if ! command -v python3 >/dev/null 2>&1; then
 echo "Installing Python 3..."
 apt-get update
- apt-get install -y python3 python3-pip python3-venv
+ apt-get install -y python3 python3-pip python3-venv python3-full
 fi
 if ! command -v pip >/dev/null 2>&1; then
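Review bot: In the audit.yml hunk at `@@ -57,6 +57,15 @@`, a failing `python3 -m venv venv` or `source venv/bin/activate` is not checked, so unless the step runs with errexit (not visible here) the script continues, prints "Virtual environment activated", and the following `pip`/`poetry` calls land on the system interpreter again. For an audit job that can mean the scanners never get installed while the log still looks healthy. Make the failure explicit, e.g. `python3 -m venv venv || { echo "venv creation failed" >&2; exit 1; }` followed by `. venv/bin/activate || exit 1`. The `if command -v poetry` test after the block resolves through PATH, so a system-wide poetry would still be picked up instead of one installed in the venv; that branch continues outside the hunk. The identical block in fix.yml and security-scanning.yml has the same gap.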
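Review bot: In the fix.yml hunk at `@@ -52,6 +52,15 @@`, the context line `python3 -m pip install --upgrade pip` still runs against the system interpreter before the venv exists, which is the very call PEP 668 rejects on a runner where `pip` is not on PATH. Moving the upgrade below the activation, as `python -m pip install --upgrade pip`, keeps it inside the venv and makes the `command -v pip` branch unnecessary. security-scanning.yml shows the same context line; in audit.yml the body of that `if` is outside the visible hunks, so it should be checked there as well.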
@@ -52,6 +52,15 @@ jobs:
 python3 -m pip install --upgrade pip
 fi
+ echo "=== VIRTUAL ENVIRONMENT ==="
+ # Create and use virtual environment
+ python3 -m venv venv
+ source venv/bin/activate
+
+ echo "Virtual environment activated"
+ echo "Python in venv: $(python --version)"
+ echo "Pip in venv: $(pip --version)"
+
 echo "=== PYTHON DEPENDENCIES ==="
 if command -v poetry >/dev/null 2>&1; then
 echo "Poetry found, installing dependencies..."
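Review bot: `python3 -m venv venv` in the security-scanning.yml hunk creates the environment inside the job's working directory, which is presumably the checked-out tree the scanners are then pointed at. A recursive bandit run would walk the venv's `site-packages` and report third-party code as project findings, and in fix.yml a later commit step could pick the directory up. Creating it outside the checkout avoids both: `venv_dir="$(mktemp -d)"`, `python3 -m venv "$venv_dir"`, `. "$venv_dir/bin/activate"`. If it has to stay in the tree, exclude `venv/` from the scan paths and from version control. The scan commands are outside this hunk, so this needs confirming against them.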