Merge pull request #2217 from jku/deps-pinning-changes

jku · web-flow · commit a1a53ee50763 · 2022-12-09T19:35:50.000+02:00
build: Change build dependency pinning strategy
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
@@ -46,8 +46,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          python3 -m pip install --upgrade pip
-          python3 -m pip install --upgrade tox coveralls
+          python3 -m pip install --constraint requirements-build.txt tox coveralls
 
       - name: Run tox (${{ env.TOXENV }})
         # See TOXENV environment variable for the testenv to be executed here
@@ -90,8 +89,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          python3 -m pip install --upgrade pip
-          python3 -m pip install --upgrade coveralls
+          python3 -m pip install coveralls
 
       - name: Finalize publishing on coveralls.io
         continue-on-error: true
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -28,7 +28,7 @@ jobs:
           python-version: '3.x'
 
       - name: Install build dependency
-        run: python3 -m pip install --upgrade pip build
+        run: python3 -m pip install --constraint requirements-build.txt build
 
       - name: Build binary wheel and source tarball
         run: python3 -m build --sdist --wheel --outdir dist/ .
diff --git a/.github/workflows/specification-version-check.yml b/.github/workflows/specification-version-check.yml
@@ -20,7 +20,6 @@ jobs:
           python-version: "3.x"
       - id: get-version
         run: |
-          python3 -m pip install --upgrade pip
           python3 -m pip install -e .
           script="from tuf.api.metadata import SPECIFICATION_VERSION; \
                   print(f\"v{'.'.join(SPECIFICATION_VERSION)}\")"
diff --git a/requirements-build.txt b/requirements-build.txt
@@ -0,0 +1,4 @@
+# The build and tox versions specified here are also used as constraints
+# during CI and CD Github workflows
+build==0.9.0
+tox==3.27.1
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,8 +1,7 @@
 # Install tuf in editable mode and requirements for local testing with tox,
-# and also for running test suite or individual tests manually
-build
-tox
-twine
-wheel
+# and also for running test suite or individual tests manually.
+# The build and tox versions specified here are also used as constraints
+# during CI and CD Github workflows
+-r requirements-build.txt
 -r requirements-test.txt
 -e .
