background
Python 3.9
pip 21.2.3
poetry 1.1.8
Execute the command to export requirements.txt
poetry export -f requirements.txt --output requirements.txt
seerequirements.txt
Each library has a hash encryption field
Execute the PIP install command
pip3 install --no-cache-dir --upgrade -r requirements.txt
It’s wrong
#8 28.40 Collecting websockets==10.0 #8 28.51 Downloading websockets-10.0-cp39-cp39-manylinux2010_x86_64.whl (107 kB) #8 29.38 Collecting cffi>=1.1 #8 29.38 ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not: #8 29.38 cffi>=1.1 from https://files.pythonhosted.org/packages/be/2a/6d266eea47dbb2d872bbd1b8954a2d167668481ff34ebb70ffdd1113eeab/cffi-1.14.6-cp39-cp39-manylinux1_x86_64.whl#sha256=f3ebe6e73c319340830a9b2825d32eb6d8475c1dac020b4f0aa774ee3b898d1c (from bcrypt==3.2.0->-r /code/requirements.txt (line 19)) ------ executor failed running [/bin/sh -c pip install --no-cache-dir --upgrade -r /code/requirements.txt]: exit code: 1
Troubleshooting ideas
Uninstall cffi library and reinstall it. No
Regenerate the requirements.txt file and then install it. No
No, Google searched and found the issue of similar problems. It seems that it is a known problem, and the official poetry hasn’t fixed it yet. It only provides a way to avoid it
https://github.com/actions/virtual-environments/issues/2245
Solution
This flag is passed in the poetry export command — without-hashes
poetry export --without-hashes -f requirements.txt --output requirements.txt
I use this method. It can be used in practice. It is suitable for small partners who use poetry
The following scenes have not been tried
Scene 1
Stop using PIP — constraints flag to pass packages with fixed hashes
Scene 2
If you use PIP directly, fix it to versions before 20.3
python -m pip install --upgrade pip==20.2.4
Scene 3
If you are using another Virtualenv depends on pip. Please ensure that its version is fixed
python -m pip install --upgrade virtualenv==20.0.26
Or use the environment variable virtualenv_ PIP=20.2.4