Advice to avoid `--extra-index-url` to install private packages from GitLab CI

The ways I have seen this issue solved are with file hashing (typically via a requirements.txt file), or a controlled supply chain that is exposed via its own package server.

And as for option 1, see How should a lockfile PEP (665 successor) look like? where a potential lock file spec is being discussed.

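The first option above, hash pinning in a requirements file, is what makes the choice of index irrelevant: with `pip install --require-hashes -r requirements.txt`, an artifact is installed only if its digest matches a hash listed for that requirement, whichever index served it. The following is an added example, not code from the original thread or from pip itself: a deliberately small model of pip's hash-checking mode, with constructed byte strings standing in for a wheel published on the private index and a same-named, same-version wheel on the public one. The parser, the artifact names and the `select_artifact` helper are assumptions made for illustration.

```python
"""Added example (not pip's code): a minimal model of pip's hash-checking mode,
i.e. `pip install --require-hashes -r requirements.txt`.

With `--index-url` (private) plus `--extra-index-url` (public), pip may pick a
same-named package from either index. Hash pinning makes that choice harmless:
a candidate is accepted only if its SHA-256 matches a pinned hash, and every
requirement must carry at least one hash or the whole install is refused.
"""
import hashlib
import re

# Constructed stand-ins for two wheels that both claim to be
# internal-tool==1.0.0: one built by our CI, one served by a public index.
PRIVATE_WHEEL = b"internal-tool 1.0.0 built by our CI\n"
PUBLIC_WHEEL = b"internal-tool 1.0.0 uploaded by someone else\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed requirements.txt content. The pinned hash is the private
# wheel's digest, as `pip hash internal_tool-1.0.0-py3-none-any.whl` would print.
REQUIREMENTS = f"""
# pinned with: pip hash internal_tool-1.0.0-py3-none-any.whl
internal-tool==1.0.0 \\
    --hash=sha256:{sha256_hex(PRIVATE_WHEEL)}
"""

_REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)(.*)$")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text: str) -> dict:
    """Return {name: (version, {sha256 hex, ...})}.

    Handles backslash line continuations and '#' comments the way pip does;
    other requirements syntax (extras, URLs, markers) is out of scope here.
    """
    joined = text.replace("\\\n", " ")
    reqs = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name, version, rest = m.groups()
        reqs[name.lower()] = (version, set(_HASH_RE.findall(rest)))
    return reqs


def select_artifact(name: str, candidates: dict, reqs: dict) -> str:
    """Model of --require-hashes: reject unpinned requirements outright, then
    accept a candidate only if its digest is one of the pinned hashes.

    `candidates` maps an index label to the artifact bytes that index serves,
    in the order the resolver would consider them. Returns the accepted label.
    """
    version, hashes = reqs[name.lower()]
    if not hashes:
        raise ValueError(f"{name}: --require-hashes is set but no hash is pinned")
    for index, data in candidates.items():
        if sha256_hex(data) in hashes:
            return index
    raise ValueError(f"{name}=={version}: no candidate matches the pinned hashes")


if __name__ == "__main__":
    reqs = parse_requirements(REQUIREMENTS)
    # The public index is consulted first, yet only the private wheel matches.
    chosen = select_artifact(
        "internal-tool", {"public": PUBLIC_WHEEL, "private": PRIVATE_WHEEL}, reqs
    )
    print("accepted artifact from index:", chosen)
```

Note that hash-checking mode does not stop pip from downloading a candidate from the public index; it stops pip from installing it. Also, because `--require-hashes` refuses any requirement without a hash, the requirements file has to pin every transitive dependency too, which is why a generated lock file (the thread linked above) is the usual way to maintain it.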