Avoid directly installing non-frozen dependencies

Currently the Dockerfile specifies running `pip install -e ...`, which will indirectly install dependencies from `requirements.txt`. This is generally safe, but should be avoided, since we are exclusively using frozen dependencies. Change-Id: Ie368ddb9f1229cc248c8d8804c71889c4339aa85
2017-10-20 10:54:10 -05:00 · 2017-10-20 10:54:10 -05:00 · ecbe862a24
commit ecbe862a24
parent 045e7b72b1
3 changed files with 10 additions and 8 deletions
--- a/requirements-direct.txt
+++ b/requirements-direct.txt
@ -0,0 +1,7 @@
+click==6.7
+jinja2==2.9.6
+jsonpath-ng==1.4.3
+jsonschema==2.6.0
+pbr==3.0.1
+pyyaml==3.12
+requests==2.18.4
--- a/requirements.txt
+++ b/requirements.txt
@ -1,7 +1,2 @@
-click==6.7
-jinja2==2.9.6
-jsonpath-ng==1.4.3
-jsonschema==2.6.0
-pbr==3.0.1
-pyyaml==3.12
-requests==2.18.4
+# Warning: This file should be empty.
+# Specify direct dependencies in requirements-direct.txt instead.
--- a/tox.ini
+++ b/tox.ini
@ -17,7 +17,7 @@ commands =
    python setup.py build_sphinx {posargs}

 [testenv:freeze]
-deps = -r{toxinidir}/requirements.txt
+deps = -r{toxinidir}/requirements-direct.txt
 whitelist_externals=sh
 commands=
    sh -c "pip freeze | grep -v '^promenade' > {toxinidir}/requirements-frozen.txt"