I.e., I would like to know whether it is possible to make pyproject.toml behave like meta.yaml in conda, regarding the source section, as follows:
source:
  git_url: https://github.com/ilanschnell/bsdiff4.git
  git_rev: 1.1.4 # (Defaults to "HEAD")
  git_depth: 1 # (Defaults to -1/not shallow)
I would like to pack the source code from another project, eventually write wrappers and interfaces but not modify the original one. Alternative ideas are welcome!
The former is possible with a package_name @ url dependency specifier. I’ve also seen many metadata fields used in pyproject.toml. Project urls and version specifiers are so common they’re usually provided in default templates. But unfortunately I’ve not seen a field for git_depth before (what tool to be used with pip needs this?).
This worked just now for me, allowing me to install a dep from a private repo’s github page (with a read permissions fine grained PAT set up):
I would not recommend adding an access token to pyproject.toml. You never want to commit secrets to your repo! Even in a private repo it’s a liability.
A local installer will be able to pull the dependency from a private repository as long as you’re properly authenticated to github (or wherever you’re getting it from).
I am sorry, I just copied the example they have on the conda recipe page, I have not really used git_depth so far and I do not need it as far as I know to prepare conda packages.
I might be interpreting your suggestion wrongly, but I think that dependencies refers to other packages that my package depends on, right?
What I would like to do is to have a git repository, with the following contents:
dummysrc/
└── cli
    └── foo.py
and another git repository that contains the pyproject.toml, like:
dummypkg/
└── pyproject.toml
In pyproject.toml I somehow specify that it needs to point to dummypkg.
I ran the test just to rule out any possibility with the following pyproject.py:
ERROR: dummysrc@ git+ssh://git@gitlab.xxxxxxxxxxx/dummysrc.git@main from git+ssh://****@gitlabxxxxxxxxxxxxxx/dummysrc.git@main (from dummypkg==0.0.5) does not appear to be a Python project: neither 'setup.py' nor 'pyproject.toml' found.
I have only found hacky ways of doing that so far — like defining custom methods inside the setup.py file, which might not be that hacky but I have a feeling that it is — which I would like to avoid. I might opt to use conda instead if I cannot find such functionality.
I’ve taken great care to use fine grained permissions to scope the token as “read this repo only”. And it only ever gets checked in to the private repo it refers to, and another private repo. So if someone can read the token, worst case scenario, they already had read access to the repo it granted read access to. And there’re no hugely valuable secrets in either, just a bunch of Python code.
There’re definitely better ways for sure, but this slight hack might be useful to someone one day, and the point of it was just to show that package_name @ url can be used perfectly well in pyproject.toml’s project.dependency array.
@jamestwebber thanks for your inputs regarding security. Yes, I am aware of secrets in the repository. I do not think I will need authentication for this situation since our projects are all public and open.
@georgekontogiorgos Have you considered something like git submodules? To me it does not seem like you need any Python packaging tricks. Seems like you simply need to build the project source directory tree first (with git submodules for example), and then do a relatively straightforward Python packaging.
@sinoroc thank you for the suggestion, it was indeed what I was looking for. Unfortunately the repository I want to point to has many more misalignments with the standards of pyproject.toml and pip packages in general, and thus I gave up on the idea; instead I will contact the maintainers of the repo to try to refactor it to be compatible with the standards.