chore(scripts): enhance error handling and update dependency management docs

wmontwe · wmontwe · commit b85fba531f98 · 2026-02-26T18:05:30.000+01:00
diff --git a/scripts/README.md b/scripts/README.md
@@ -6,10 +6,10 @@ Various scripts for CI/CD, release automation, and development tasks.
 
 ### Setup
 
-Install dependencies (all pinned and CVE-free):
+Install direct dependencies (hashed, no transitive deps):
 
 ```bash
-pip install -r requirements.txt
+python3 -m pip install --require-hashes --no-deps -r scripts/requirements.txt
 ```
 
 ### Available Scripts
@@ -29,7 +29,7 @@ It's recommended to use a virtual environment:
 ```bash
 python3 -m venv venv
 source venv/bin/activate  # On macOS/Linux
-pip install -r requirements.txt
+python3 -m pip install --require-hashes --no-deps -r scripts/requirements.txt
 ```
 
 To deactivate: `deactivate`
@@ -39,7 +39,7 @@ To deactivate: `deactivate`
 To verify everything works:
 
 ```bash
-./test_python_scripts.sh
+./scripts/test_python_scripts.sh
 ```
 
 This creates a temporary environment, installs dependencies, runs tests, and cleans up automatically.
@@ -52,3 +52,27 @@ The `requirements.txt` includes **4 direct dependencies** (all pinned to specifi
 - **PyYAML** - YAML parsing for release notes
 - **Jinja2** - Template rendering for changelog files
 - **requests** - HTTP client for GitHub API interactions
+
+## Updating requirements.txt hashes
+
+If `./scripts/test_python_scripts.sh` fails with a `--require-hashes` error, regenerate hashes using a temporary no-hash file:
+
+```bash
+cp scripts/requirements.txt /tmp/requirements-no-hash.txt
+python3 - <<'PY'
+import re, pathlib
+path = pathlib.Path('/tmp/requirements-no-hash.txt')
+text = path.read_text()
+text = re.sub(r"\s+--hash=sha256:[a-f0-9]+", "", text)
+path.write_text(text)
+print("Wrote", path)
+PY
+
+mkdir -p /tmp/pip-hashes
+python3 -m pip download --no-deps -r /tmp/requirements-no-hash.txt -d /tmp/pip-hashes --quiet
+python3 -m pip hash /tmp/pip-hashes/* | sed 's/^.*--hash=/--hash=/'
+rm -rf /tmp/pip-hashes
+rm /tmp/requirements-no-hash.txt
+```
+
+Add the pinned versions and hashes from the output to `scripts/requirements.txt` (direct dependencies only).
diff --git a/scripts/requirements.txt b/scripts/requirements.txt
@@ -9,7 +9,7 @@ PyNaCl==1.6.2 --hash=sha256:c949ea47e4206af7c8f604b8278093b674f7c79ed0d4719cc836
 
 # Required by: scripts/ci/render-notes.py
 # YAML parser for release notes
-PyYAML==6.0.1 --hash=sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab
+PyYAML==6.0.1 --hash=sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43
 
 # Required by: scripts/ci/render-notes.py
 # Template engine for rendering changelog files
diff --git a/scripts/test_python_scripts.sh b/scripts/test_python_scripts.sh
@@ -14,8 +14,16 @@ cleanup() {
     fi
 }
 
+# Print guidance when dependency installs fail under --require-hashes.
+on_install_error() {
+    echo ""
+    echo "Dependency install failed. See scripts/README.md for updating requirements.txt hashes."
+}
+
 # Ensure cleanup happens on exit
 trap cleanup EXIT
+# Print instructions if a command fails (e.g., missing hashes).
+trap on_install_error ERR
 
 echo "Python Scripts Test"
 echo "==================="
