Reorganize Python deps and use pip-compile

[willbarton]

This change is to simplify our Python dependency specifications and to use pip-tools's pip-compile to generate hashed requirements files with the full dependency tree from input files. This also performs dependency resolution and will highlight any conflicting versions. The model for this is that of Mozilla's Bedrock project, the Django project that serves mozilla.org.

The new file structure is as follows:

• deployment.in: requirements to run consumerfinance.gov in any environment
• test.in: requirements for executing Python tests locally or in CI
• dev.in: requirements for development work, running, and testing
• docs.txt: requirements to build the consumerfinance.gov docs.
• scripts.txt: Requirements for running certain jobs on Jenkins, so scripts can run in Jenkins without having to install all the other requirements.

The contents of base.txt, django.txt, wagtail.txt, and libraries.txt move into deployment.in, which contains the minimum necessary to run consumerfinance.gov. test.in includes tools like coverage, diff_cover, and tox that are required to run our Python tests. docs.in and scripts.in are relatively unchanged, and dev.in combines all of the above to construct a local environment.

These relationships between files now look like this:

flowchart TD
    deployment.in
    test.in
    dev.in
    scripts.in
    docs.in

    deployment.in --> dev.in
    test.in --> dev.in
    scripts.in --> dev.in

Where previously they looked like this:

flowchart TD
    ci.txt
    docs.txt

    base.txt
    deployment.txt
    django.txt
    libraries.txt
    local.txt
    wagtail.txt

    scripts.txt
    test.txt

    django.txt --> base.txt
    wagtail.txt --> base.txt
    libraries.txt --> base.txt

    base.txt --> deployment.txt

    base.txt --> local.txt

Notes and todos

If this approach is okay @chosak and anyone else who wants to review:

• We'll need to update the requirements files in Snyk.
• We'll need to document the process of updating/adding a requirement and running ./compile-requirements.sh.

Checklist

• PR has an informative and human-readable title
• Changes are limited to a single goal (no scope creep)

[chosak]

At a high level, what does this reorganization get us? I get that it gives us SHAs for the packages we install, but what benefit does that provide over the already-pinned version numbers?

Did you look at using pyproject.toml instead, as documented here? That would avoid the need to have so many files floating around.

I do like the collapsing of django.txt and wagtail.txt into the regular requirements file.

[willbarton]

At a high level, what does this reorganization get us? I get that it gives us SHAs for the packages we install, but what benefit does that provide over the already-pinned version numbers?

The big thing it gets us is dependency resolution with failures when a conflict happens. We get to specify our direct requirements in the .in files, and pip-compile will do concrete resolution of all dependencies these need and pin them in the .txt files (yes, with SHAs, etc). Any conflicts will fail the compilation.

[willbarton]

Snyk will fail on this PR until we update the requirements files in Snyk.

When I have an approval I'll do that, before merging.

[chosak]

At a high level, renaming deployment.txt to prod.txt feels potentially confusing to me since we use that set of deployment requirements for non-production environments. Can we leave it as deployment.txt?

It'd also be nice to have some kind of automation around keeping the .in/.txt files synchronized. I didn't see any obvious mechanism for this in the bedrock repo, so perhaps this hasn't been an issue for them.

[chosak]

The create_research_report.groovy file in our internal Jenkins job repo references this file. I don't know if/how that job is being run but it will need to be updated if this file is going away.

[willbarton]

Yes, there are a few separate updates that need to be made. I was waiting to see if this even makes sense.

[chosak]

It seems like prod.txt is being installed twice now?

[chosak]

Description needs to be updated.

[chosak]

Super nitpicky: inconsistent use of periods for these bullets.

[chosak]

This says "testing" but isn't that what test.in is for?

[willbarton]

At a high level, renaming deployment.txt to prod.txt feels potentially confusing to me since we use that set of deployment requirements for non-production environments. Can we leave it as deployment.txt?

I renamed it because I've switched the order of inheritance around a bit. prod now contains the minimum necessary dependencies for running the site, anywhere we need to run it. Previously, we cobbled that min set together from several different files, the composition of which depended on where we might be running.

I can rename it, but I don't feel like deployment accurately reflects its use?

[willbarton]

As next steps here, I'm going to work on:

• Rebasing and getting it up to date
• Renaming prod.txt back to deployment.txt
• Using pyproject.toml
• A GHA to ensure that the .txt files are in sync with the .in files

[willbarton]

Using pyproject.toml

I'm not going to do this for now. I like the idea of organizing the dependencies in a single location, but there doesn't seem to be a way to use pyproject.toml without accidentally making this technically python packageable, which could... introduce a lot of unexpected weirdness without a lot more work.

[willbarton]

It's not entirely clear to me why both backend and filter-backend are running. Digging into the filter-backend runs, it's using this workflow file: https://github.com/cfpb/consumerfinance.gov/actions/runs/7087530960/workflow?pr=7874

Whereas the backend run is using this workflow file: https://github.com/cfpb/consumerfinance.gov/actions/runs/7087530958/workflow?pr=7874

So, this looks like filter-backend is being invoked using the old workflow file that does not include requirements/**.in, so the jobs are being skipped. backend is using the workflow file from the PR that adds requirements/**.in, so the jobs in it are not being skipped.

What I don't understand is why filter-backend is using the old workflow file? But... I don't know that this lack of knowledge on my part is a blocker.

[chosak]

Should this point to deployment.in instead?

[chosak]

I don't think I can let you get away with editing this file without correcting this part above 😄 TDP is no longer a satellite app, neither is ccdb5-ui, so we only have two satellite apps now, not 2.

[chosak]

Ditto re: deployment.in.

[chosak]

Should we consider merging these into the main list for simplicity? I get that these are the two biggies but we also have things like elasticsearch which are also pretty big...

[chosak]

Merging this into the main list of requirements necessitates rewriting this part of the docs.

[chosak]

The deployable-zipfile flow needs to be updated since it references deployment.txt here.

(While you're in there it would be nice to also remove these references:

consumerfinance.gov/docker/deployable-zipfile/_build.sh

Line 18 in 719d850

webfonts_path="$cfgov_refresh_volume/static.in/cfgov-fonts"

to the separate fonts directory here because this is no longer needed as of #7025.)

[willbarton]

The deployable-zipfile flow needs to be updated since it references deployment.txt here.

What needs to change here? deployment.txt still exists and should still be the correct file?

[chosak]

What needs to change here?

My bad - I must have been confused about which files were staying and which were going. Belay that comment.