Merge branch 'main' into henrymercer/controlled-switchover

2023-01-16 10:10:15 +00:00 · 2023-01-16 10:10:15 +00:00 · 115587a52c
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,7 @@
  - **Advanced users only**: Workflows that interact directly with the GitHub Actions runner image tool cache to find CodeQL (for example via the `@actions/tool-cache` npm package or direct access to the filesystem) should take into account the following internal layout changes:
    - Previously, the tool cache was pre-populated with _one_ recent version of CodeQL. Now, it is pre-populated with _two_ recent versions of CodeQL.
    - Previously, the CodeQL tools were located within the tool cache under a directory named after the release date, e.g. CodeQL 2.11.6 was located under `CodeQL/0.0.0-20221211/x64/codeql`. Now, the CodeQL tools are located under a directory named after the CodeQL CLI version number and release date, e.g. CodeQL 2.11.6 is now located under `CodeQL/2.11.6-20221211/x64/codeql`.
+- Python automatic dependency installation will no longer fail for projects using Poetry that specify `virtualenvs.options.no-pip = true` in their `poetry.toml`. [#1431](https://github.com/github/codeql-action/pull/1431).

 ## 2.1.38 - 12 Jan 2023

--- a/lib/analyze.js
+++ b/lib/analyze.js
@ -50,6 +50,7 @@ async function setupPythonExtractor(logger) {
        // If CODEQL_PYTHON is not set, no dependencies were installed, so we don't need to do anything
        return;
    }
+    const scriptsFolder = path.resolve(__dirname, "../python-setup");
    let output = "";
    const options = {
        listeners: {
@ -58,10 +59,7 @@ async function setupPythonExtractor(logger) {
            },
        },
    };
-    await new toolrunner.ToolRunner(codeqlPython, [
-        "-c",
-        "import os; import pip; print(os.path.dirname(os.path.dirname(pip.__file__)))",
-    ], options).exec();
+    await new toolrunner.ToolRunner(codeqlPython, [path.join(scriptsFolder, "find_site_packages.py")], options).exec();
    logger.info(`Setting LGTM_INDEX_IMPORT_PATH=${output}`);
    process.env["LGTM_INDEX_IMPORT_PATH"] = output;
    output = "";
--- a/lib/analyze.js.map
+++ b/lib/analyze.js.map
--- a/python-setup/find_site_packages.py
+++ b/python-setup/find_site_packages.py
@ -0,0 +1,34 @@
+"""
+Print the path to the site-packages directory for the current Python environment.
+"""
+from __future__ import print_function
+
+try:
+    import pip
+    import os
+    print(os.path.dirname(os.path.dirname(pip.__file__)))
+except ImportError:
+    import sys
+    print("DEBUG: could not import pip", file=sys.stderr)
+    # if you use poetry with `virtualenvs.options.no-pip = true` you might end up with a
+    # virtualenv without pip, so the above trick doesn't actually work. See
+    # https://python-poetry.org/docs/configuration/#virtualenvsoptionsno-pip
+    #
+    # A possible option is to install `pip` into the virtualenv created by poetry
+    # (`poetry add pip`), but it turns out that doesn't always work :( for the test
+    # poetry/requests-3, I was not allowed to install pip! So I did not pursue this
+    # option further.
+    #
+    # Instead, testing `site.getsitepackages()` contains has the right path, whereas
+    # `site.getusersitepackages()` is about the system python (very confusing).
+    #
+    # We can't use the environment variable POETRY_VIRTUALENVS_OPTIONS_NO_PIP because it
+    # does not work, see https://github.com/python-poetry/poetry/issues/5906
+    import site
+
+    if sys.platform.startswith("win32"):
+        # On windows, the last entry of `site.getsitepackages()` has the right path
+        print(site.getsitepackages()[-1])
+    else:
+        # on unix, the first entry of `site.getsitepackages()` has the right path
+        print(site.getsitepackages()[0])
--- a/python-setup/tests/from_python_exe.py
+++ b/python-setup/tests/from_python_exe.py
@ -9,8 +9,7 @@ def get_details(path_to_python_exe: str) -> Tuple[str, str]:
    import_path = subprocess.check_output(
        [
            path_to_python_exe,
-            "-c",
-            "import os; import pip; print(os.path.dirname(os.path.dirname(pip.__file__)))",
+            os.path.join(os.path.dirname(__file__), "..", "find_site_packages.py")
        ],
        stdin=subprocess.DEVNULL,
    )
--- a/python-setup/tests/poetry/requests-3/poetry.toml
+++ b/python-setup/tests/poetry/requests-3/poetry.toml
@ -1,2 +1,5 @@
 [virtualenvs]
 in-project = true
+
+[virtualenvs.options]
+no-pip = true
--- a/src/analyze.ts
+++ b/src/analyze.ts
@ -88,6 +88,8 @@ async function setupPythonExtractor(logger: Logger) {
    return;
  }

+  const scriptsFolder = path.resolve(__dirname, "../python-setup");
+
  let output = "";
  const options = {
    listeners: {
@ -99,10 +101,7 @@ async function setupPythonExtractor(logger: Logger) {

  await new toolrunner.ToolRunner(
    codeqlPython,
-    [
-      "-c",
-      "import os; import pip; print(os.path.dirname(os.path.dirname(pip.__file__)))",
-    ],
+    [path.join(scriptsFolder, "find_site_packages.py")],
    options
  ).exec();
  logger.info(`Setting LGTM_INDEX_IMPORT_PATH=${output}`);