build(deps): unify pip-compile flags across all lockfiles ([#1138](#1138))

markuslf · markuslf · commit 57bda2ef8d31 · 2026-05-31T21:07:49.000+02:00
Add --strip-extras and --allow-unsafe to every pip-compile invocation
and regenerate all lockfiles. setuptools is now hash-pinned instead of
relying on a preinstalled build host; --strip-extras aligns with the
upcoming pip-tools 8.0.0 default and the pre-commit lockfile.
diff --git a/.github/pre-commit/requirements.txt b/.github/pre-commit/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=requirements.txt --strip-extras requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt --strip-extras requirements.in
 #
 cfgv==3.5.0 \
     --hash=sha256:a8dc6b26ad22ff227d2634a65cb388215ce6cc96bbcc5cfde7641ae87e8dacc0 \
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,7 +8,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-tbd
+### Changed
+
+Build, CI/CD:
+
+* requirements: source-install lockfiles now pin every build dependency (including `setuptools`) with hashes, so `pip install --require-hashes` no longer relies on the build host having `setuptools` preinstalled ([#1138](https://github.com/Linuxfabrik/monitoring-plugins/issues/1138))
 
 
 ## [v5.1.0] - 2026-05-30
diff --git a/lockfiles/py310/requirements.txt b/lockfiles/py310/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.10
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=lockfiles/py310/requirements.txt requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=lockfiles/py310/requirements.txt --strip-extras requirements.in
 #
 --only-binary lxml
 
@@ -298,9 +298,7 @@ cryptography==48.0.0 \
 debtcollector==3.1.0 \
     --hash=sha256:278a45608cf16e79c0ae10851d869185c6b78f86610df8f27a451a18c1fec732 \
     --hash=sha256:c64e49a66c0b71289620fc2fdf89c03d740bddb20576ddd4f04ddc01da946668
-    # via
-    #   oslo-utils
-    #   python-keystoneclient
+    # via python-keystoneclient
 exceptiongroup==1.3.1 \
     --hash=sha256:8b412432c6055b0b7d14c310000ae93352ed6754f70fa8f7c34141f91c4e3219 \
     --hash=sha256:a7a39a3bd276781e98394987d3a5701d0c4edffb633bb7a5144577f82c773598
@@ -321,7 +319,7 @@ httpcore==1.0.9 \
     --hash=sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55 \
     --hash=sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8
     # via httpx
-httpx[http2]==0.28.1 \
+httpx==0.28.1 \
     --hash=sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc \
     --hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad
     # via linuxfabrik-lib
@@ -350,8 +348,8 @@ keystoneauth1==5.14.0 \
     #   python-keystoneclient
     #   python-novaclient
 linuxfabrik-lib==4.1.0 \
-    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb \
-    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b
+    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b \
+    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb
     # via -r requirements.in
 lxml==6.1.0 \
     --hash=sha256:00750d63ef0031a05331b9223463b1c7c02b9004cef2346a5b2877f0f9494dd2 \
@@ -946,7 +944,8 @@ xmltodict==1.0.4 \
     #   linuxfabrik-lib
     #   pywinrm
 
-# WARNING: The following packages were not pinned, but pip requires them to be
-# pinned when the requirements file includes hashes and the requirement is not
-# satisfied by a package already installed. Consider using the --allow-unsafe flag.
-# setuptools
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==82.0.1 \
+    --hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
+    --hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
+    # via pbr
diff --git a/lockfiles/py311/requirements.txt b/lockfiles/py311/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=lockfiles/py311/requirements.txt requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=lockfiles/py311/requirements.txt --strip-extras requirements.in
 #
 --only-binary lxml
 
@@ -298,9 +298,7 @@ cryptography==48.0.0 \
 debtcollector==3.1.0 \
     --hash=sha256:278a45608cf16e79c0ae10851d869185c6b78f86610df8f27a451a18c1fec732 \
     --hash=sha256:c64e49a66c0b71289620fc2fdf89c03d740bddb20576ddd4f04ddc01da946668
-    # via
-    #   oslo-utils
-    #   python-keystoneclient
+    # via python-keystoneclient
 h11==0.16.0 \
     --hash=sha256:4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1 \
     --hash=sha256:63cf8bbe7522de3bf65932fda1d9c2772064ffb3dae62d55932da54b31cb6c86
@@ -317,7 +315,7 @@ httpcore==1.0.9 \
     --hash=sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55 \
     --hash=sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8
     # via httpx
-httpx[http2]==0.28.1 \
+httpx==0.28.1 \
     --hash=sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc \
     --hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad
     # via linuxfabrik-lib
@@ -346,8 +344,8 @@ keystoneauth1==5.14.0 \
     #   python-keystoneclient
     #   python-novaclient
 linuxfabrik-lib==4.1.0 \
-    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb \
-    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b
+    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b \
+    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb
     # via -r requirements.in
 lxml==6.1.1 \
     --hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
@@ -941,7 +939,8 @@ xmltodict==1.0.4 \
     #   linuxfabrik-lib
     #   pywinrm
 
-# WARNING: The following packages were not pinned, but pip requires them to be
-# pinned when the requirements file includes hashes and the requirement is not
-# satisfied by a package already installed. Consider using the --allow-unsafe flag.
-# setuptools
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==82.0.1 \
+    --hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
+    --hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
+    # via pbr
diff --git a/lockfiles/py312/requirements.txt b/lockfiles/py312/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=lockfiles/py312/requirements.txt requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=lockfiles/py312/requirements.txt --strip-extras requirements.in
 #
 --only-binary lxml
 
@@ -298,9 +298,7 @@ cryptography==48.0.0 \
 debtcollector==3.1.0 \
     --hash=sha256:278a45608cf16e79c0ae10851d869185c6b78f86610df8f27a451a18c1fec732 \
     --hash=sha256:c64e49a66c0b71289620fc2fdf89c03d740bddb20576ddd4f04ddc01da946668
-    # via
-    #   oslo-utils
-    #   python-keystoneclient
+    # via python-keystoneclient
 h11==0.16.0 \
     --hash=sha256:4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1 \
     --hash=sha256:63cf8bbe7522de3bf65932fda1d9c2772064ffb3dae62d55932da54b31cb6c86
@@ -317,7 +315,7 @@ httpcore==1.0.9 \
     --hash=sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55 \
     --hash=sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8
     # via httpx
-httpx[http2]==0.28.1 \
+httpx==0.28.1 \
     --hash=sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc \
     --hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad
     # via linuxfabrik-lib
@@ -346,8 +344,8 @@ keystoneauth1==5.14.0 \
     #   python-keystoneclient
     #   python-novaclient
 linuxfabrik-lib==4.1.0 \
-    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb \
-    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b
+    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b \
+    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb
     # via -r requirements.in
 lxml==6.1.1 \
     --hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
@@ -941,7 +939,8 @@ xmltodict==1.0.4 \
     #   linuxfabrik-lib
     #   pywinrm
 
-# WARNING: The following packages were not pinned, but pip requires them to be
-# pinned when the requirements file includes hashes and the requirement is not
-# satisfied by a package already installed. Consider using the --allow-unsafe flag.
-# setuptools
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==82.0.1 \
+    --hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
+    --hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
+    # via pbr
diff --git a/lockfiles/py313-windows/requirements.txt b/lockfiles/py313-windows/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=lockfiles/py313-windows/requirements.txt requirements-py313-windows.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=lockfiles/py313-windows/requirements.txt --strip-extras requirements-py313-windows.in
 #
 anyio==4.13.0 \
     --hash=sha256:08b310f9e24a9594186fd75b4f73f4a4152069e3853f1ed8bfbf58369f4ad708 \
@@ -307,7 +307,7 @@ httpcore==1.0.9 \
     --hash=sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55 \
     --hash=sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8
     # via httpx
-httpx[http2]==0.28.1 \
+httpx==0.28.1 \
     --hash=sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc \
     --hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad
     # via linuxfabrik-lib
@@ -323,8 +323,8 @@ idna==3.17 \
     #   httpx
     #   requests
 linuxfabrik-lib==4.1.0 \
-    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb \
-    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b
+    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b \
+    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb
     # via -r requirements-py313-windows.in
 lxml==6.1.1 \
     --hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
diff --git a/lockfiles/py313/requirements.txt b/lockfiles/py313/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=lockfiles/py313/requirements.txt requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=lockfiles/py313/requirements.txt --strip-extras requirements.in
 #
 --only-binary lxml
 
@@ -317,7 +317,7 @@ httpcore==1.0.9 \
     --hash=sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55 \
     --hash=sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8
     # via httpx
-httpx[http2]==0.28.1 \
+httpx==0.28.1 \
     --hash=sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc \
     --hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad
     # via linuxfabrik-lib
@@ -346,8 +346,8 @@ keystoneauth1==5.14.0 \
     #   python-keystoneclient
     #   python-novaclient
 linuxfabrik-lib==4.1.0 \
-    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb \
-    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b
+    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b \
+    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb
     # via -r requirements.in
 lxml==6.1.1 \
     --hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
@@ -940,7 +940,8 @@ xmltodict==1.0.4 \
     #   linuxfabrik-lib
     #   pywinrm
 
-# WARNING: The following packages were not pinned, but pip requires them to be
-# pinned when the requirements file includes hashes and the requirement is not
-# satisfied by a package already installed. Consider using the --allow-unsafe flag.
-# setuptools
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==82.0.1 \
+    --hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
+    --hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
+    # via pbr
diff --git a/lockfiles/py314/requirements.txt b/lockfiles/py314/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.14
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=lockfiles/py314/requirements.txt requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=lockfiles/py314/requirements.txt --strip-extras requirements.in
 #
 --only-binary lxml
 
@@ -317,7 +317,7 @@ httpcore==1.0.9 \
     --hash=sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55 \
     --hash=sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8
     # via httpx
-httpx[http2]==0.28.1 \
+httpx==0.28.1 \
     --hash=sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc \
     --hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad
     # via linuxfabrik-lib
@@ -346,8 +346,8 @@ keystoneauth1==5.14.0 \
     #   python-keystoneclient
     #   python-novaclient
 linuxfabrik-lib==4.1.0 \
-    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb \
-    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b
+    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b \
+    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb
     # via -r requirements.in
 lxml==6.1.1 \
     --hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
@@ -940,7 +940,8 @@ xmltodict==1.0.4 \
     #   linuxfabrik-lib
     #   pywinrm
 
-# WARNING: The following packages were not pinned, but pip requires them to be
-# pinned when the requirements file includes hashes and the requirement is not
-# satisfied by a package already installed. Consider using the --allow-unsafe flag.
-# setuptools
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==82.0.1 \
+    --hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
+    --hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
+    # via pbr
diff --git a/lockfiles/py39/requirements.txt b/lockfiles/py39/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=lockfiles/py39/requirements.txt requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=lockfiles/py39/requirements.txt --strip-extras requirements.in
 #
 --only-binary lxml
 
@@ -321,7 +321,7 @@ httpcore==1.0.9 \
     --hash=sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55 \
     --hash=sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8
     # via httpx
-httpx[http2]==0.28.1 \
+httpx==0.28.1 \
     --hash=sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc \
     --hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad
     # via linuxfabrik-lib
@@ -350,8 +350,8 @@ keystoneauth1==5.11.1 \
     #   python-keystoneclient
     #   python-novaclient
 linuxfabrik-lib==4.1.0 \
-    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb \
-    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b
+    --hash=sha256:245296937ef81dbaf447a6dc953eabfa74ad0fde9132ee5d973422d33556e29b \
+    --hash=sha256:836198fcefc8204a96f72913407cf365158764f618e89caea80f3604a51756bb
     # via -r requirements.in
 lxml==6.1.0 \
     --hash=sha256:00750d63ef0031a05331b9223463b1c7c02b9004cef2346a5b2877f0f9494dd2 \
@@ -951,7 +951,8 @@ xmltodict==1.0.4 \
     #   linuxfabrik-lib
     #   pywinrm
 
-# WARNING: The following packages were not pinned, but pip requires them to be
-# pinned when the requirements file includes hashes and the requirement is not
-# satisfied by a package already installed. Consider using the --allow-unsafe flag.
-# setuptools
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==82.0.1 \
+    --hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
+    --hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
+    # via pbr
diff --git a/requirements-py313-windows.in b/requirements-py313-windows.in
@@ -10,6 +10,7 @@
 #   python -m pip install 'pip<25.1' pip-tools
 #   mkdir -p lockfiles/py313-windows
 #   python -m piptools compile --generate-hashes \
+#       --strip-extras --allow-unsafe \
 #       --output-file=lockfiles/py313-windows/requirements.txt \
 #       requirements-py313-windows.in
 
diff --git a/requirements.in b/requirements.in
@@ -17,6 +17,7 @@
 #     ./.venv-py${v//.}/bin/python -m pip install 'pip<25.1' pip-tools
 #     mkdir -p lockfiles/py${v//.}
 #     ./.venv-py${v//.}/bin/python -m piptools compile --generate-hashes \
+#         --strip-extras --allow-unsafe \
 #         --output-file=lockfiles/py${v//.}/requirements.txt requirements.in
 #   done
 #

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`# This file is autogenerated by pip-compile with Python 3.12`
`3`	`3`	`# by the following command:`
`4`	`4`	`#`
`5`		`-# pip-compile --generate-hashes --output-file=requirements.txt --strip-extras requirements.in`
	`5`	`+# pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt --strip-extras requirements.in`
`6`	`6`	`#`
`7`	`7`	`cfgv==3.5.0 \`
`8`	`8`	`--hash=sha256:a8dc6b26ad22ff227d2634a65cb388215ce6cc96bbcc5cfde7641ae87e8dacc0 \`