Skip to content

Add Registry Proxy Support for Pip Backend#1585

Merged
taylormadore merged 5 commits into
hermetoproject:mainfrom
taylormadore:pip-proxy
Jun 9, 2026
Merged

Add Registry Proxy Support for Pip Backend#1585
taylormadore merged 5 commits into
hermetoproject:mainfrom
taylormadore:pip-proxy

Conversation

@taylormadore

@taylormadore taylormadore commented May 28, 2026

Copy link
Copy Markdown
Member

This PR adds support to the pip backend for fetching packages via a registry proxy and reporting them

github-advanced-security[bot]
github-advanced-security AI found potential problems May 28, 2026
View reviewed changes
Comment thread hermeto/core/package_managers/pip/packages.py Fixed
Comment thread hermeto/core/package_managers/pip/packages.py Fixed
a-ovchinnikov
a-ovchinnikov reviewed May 29, 2026
View reviewed changes

@a-ovchinnikov a-ovchinnikov left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of small nitpicks, LGTM otherwise.

Comment thread hermeto/core/package_managers/pip/main.py Outdated
Comment thread hermeto/core/package_managers/pip/package_distributions.py Outdated
@slimreaper35 slimreaper35 mentioned this pull request Jun 1, 2026
Closed
eskultety
eskultety reviewed Jun 2, 2026
View reviewed changes

@eskultety eskultety left a comment
edited
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is still a draft, I suggest proposing the refactoring patches in a standalone PR. I had a couple of nitpicks but patches 1-4 are very clean and ready to go in immediately.
I haven't looked at the proxy stuff just yet.

Comment thread hermeto/core/package_managers/pip/packages.py Outdated
Comment thread hermeto/core/package_managers/pip/packages.py Outdated
@taylormadore taylormadore force-pushed the pip-proxy branch 2 times, most recently from de31ddd to 09e2e22 Compare June 8, 2026 19:21
@taylormadore taylormadore marked this pull request as ready for review June 8, 2026 19:40
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 8, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds proxy and authentication support for the Pip package manager, enabling PyPI packages to be resolved and downloaded through a proxy and recording the proxy URL in the generated SBOM components. The review feedback identifies a critical runtime issue where PyPISimple does not accept an auth parameter directly, and offers valuable improvements regarding robust configuration checks and appending rather than overwriting external references in the SBOM component.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread hermeto/core/package_managers/pip/package_distributions.py
Comment thread hermeto/core/package_managers/pip/main.py
Comment thread hermeto/core/package_managers/pip/packages.py Outdated
a-ovchinnikov
a-ovchinnikov approved these changes Jun 8, 2026
View reviewed changes
Comment thread hermeto/core/package_managers/pip/package_distributions.py
@taylormadore
feat(pip): add proxy support
ab32f06 
When a proxy URL is configured, route PyPI index queries through the
proxy instead of hitting the upstream index directly. The PURL still
records the canonical index URL so downstream tooling can reason about
package provenance independently of the download path.

Signed-off-by: Taylor Madore <tmadore@redhat.com>
Assisted-by: Claude
@taylormadore
feat(pip): add proxy authentication
0965dec 
Pass HTTP basic-auth credentials to pypi_simple and aiohttp when proxy
login/password are configured

Signed-off-by: Taylor Madore <tmadore@redhat.com>
Assisted-by: Claude
@taylormadore
feat(pip): record proxy URL in SBOM external references
73b1652 
When packages are fetched through a proxy, attach the proxy URL as a
distribution ExternalReference on the SBOM component. This preserves
the canonical index URL in the PURL while recording the actual download
source.

Signed-off-by: Taylor Madore <tmadore@redhat.com>
Assisted-by: Claude
@taylormadore
test(proxy): enable Nexus proxy for pip integration tests
06a1361 
Signed-off-by: Taylor Madore <tmadore@redhat.com>
@taylormadore
fix(tests): exclude non-proxyable registries from proxy validation
4d3f81e 
Components with repository_url are from non-canonical registries, not
direct sources. Remove repository_url from _DIRECT_SOURCE_QUALIFIERS
and instead skip registries that lack proxy support (e.g. JSR).

Signed-off-by: Taylor Madore <tmadore@redhat.com>
Assisted-by: Claude
@slimreaper35 slimreaper35 mentioned this pull request Jun 9, 2026
Merged
@taylormadore taylormadore added this pull request to the merge queue Jun 9, 2026
Merged via the queue into hermetoproject:main with commit 751e8a0 Jun 9, 2026
13 checks passed
@taylormadore taylormadore deleted the pip-proxy branch June 9, 2026 20:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@a-ovchinnikov a-ovchinnikov a-ovchinnikov approved these changes

@slimreaper35 slimreaper35 slimreaper35 approved these changes

@eskultety eskultety Awaiting requested review from eskultety

+2 more reviewers

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@taylormadore @a-ovchinnikov @eskultety @github-advanced-security @slimreaper35