Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable environment variable authentication for named indexes #7741

Merged
merged 1 commit into from
Oct 15, 2024
Merged

Enable environment variable authentication for named indexes #7741

merged 1 commit into from
Oct 15, 2024

Conversation

charliermarsh
Copy link
Member

Summary

This PR enables users to provide index credentials via named environment variables.

For example, given an index named internal that requires a username (public) and password
(koala), you can define the index (without credentials) in your pyproject.toml:

[[tool.uv.index]]
name = "internal"
url = "https://pypi-proxy.corp.dev/simple"

Then set the UV_INDEX_INTERNAL_USERNAME and UV_INDEX_INTERNAL_PASSWORD
environment variables, where INTERNAL is the uppercase version of the index name:

export UV_INDEX_INTERNAL_USERNAME=public
export UV_INDEX_INTERNAL_PASSWORD=koala

@charliermarsh charliermarsh added registry Related to package indexes and registries security labels Sep 27, 2024
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from 6a745ea to 3c4c842 Compare September 27, 2024 17:28
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from 3c4c842 to cd3ae91 Compare September 28, 2024 19:03
@charliermarsh charliermarsh force-pushed the charlie/index-api branch 2 times, most recently from f5aa096 to c2f8019 Compare September 28, 2024 23:12
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from cd3ae91 to e90683c Compare September 28, 2024 23:12
@charliermarsh charliermarsh force-pushed the charlie/index-api branch 3 times, most recently from 1cab0d9 to 1ba4caa Compare September 30, 2024 21:20
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from e90683c to af08eb0 Compare September 30, 2024 21:21
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from af08eb0 to f1d41c4 Compare September 30, 2024 22:24
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from f1d41c4 to 9ee37aa Compare October 1, 2024 00:48
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from 9ee37aa to 79cbf9f Compare October 1, 2024 00:52
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from 79cbf9f to 7f7dcad Compare October 1, 2024 21:22
@charliermarsh charliermarsh force-pushed the charlie/index-api branch 2 times, most recently from 6b44e69 to 23a6de0 Compare October 2, 2024 00:46
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from 7f7dcad to 01177b4 Compare October 2, 2024 01:08
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from 01177b4 to 5dbcc9f Compare October 3, 2024 18:08
@guillemc23 guillemc23 mentioned this pull request Oct 9, 2024
Open
@charliermarsh charliermarsh force-pushed the charlie/index-api branch 3 times, most recently from 4b0e753 to 9e54908 Compare October 15, 2024 22:07
Base automatically changed from charlie/index-api to main October 15, 2024 22:24
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from 5dbcc9f to cd67a04 Compare October 15, 2024 22:26
@charliermarsh charliermarsh force-pushed the charlie/index-api-environment-vars branch from cd67a04 to 6969269 Compare October 15, 2024 22:27
@charliermarsh charliermarsh enabled auto-merge (squash) October 15, 2024 22:27
@charliermarsh charliermarsh merged commit 1925922 into main Oct 15, 2024
61 checks passed
@charliermarsh charliermarsh deleted the charlie/index-api-environment-vars branch October 15, 2024 22:35
@BrewTestBot BrewTestBot mentioned this pull request Oct 17, 2024
Merged
@odie5533 odie5533 mentioned this pull request Oct 17, 2024
Merged
charliermarsh added a commit that referenced this pull request Oct 17, 2024
@odie5533 @charliermarsh
Respect UV_INDEX_ rather than UV_HTTP_BASIC_ (#8306)
3fd69b4 
The docs reference `UV_INDEX_`, but the code actually uses
UV_HTTP_BASIC_ as the prefix for environment variable credentials.

See PR #7741

Code is at
https://github.com/astral-sh/uv/blob/main/crates/uv-static/src/env_vars.rs#L163

```rust
    /// Generates the environment variable key for the HTTP Basic authentication username.
    pub fn http_basic_username(name: &str) -> String {
        format!("UV_HTTP_BASIC_{name}_USERNAME")
    }

    /// Generates the environment variable key for the HTTP Basic authentication password.
    pub fn http_basic_password(name: &str) -> String {
        format!("UV_HTTP_BASIC_{name}_PASSWORD")
    }
```

---------

Co-authored-by: Charlie Marsh <[email protected]>
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Oct 18, 2024
@tmeijn
build(deps): update astral-sh/uv to v0.4.24
98aa65e 
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.4.22` -> `0.4.24` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.4.24`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0424)

[Compare Source](astral-sh/uv@0.4.23...0.4.24)

##### Bug fixes

-   Fix Python executable name in Windows free-threaded Python distributions ([#&#8203;8310](astral-sh/uv#8310))
-   Redact index credentials from lockfile sources ([#&#8203;8307](astral-sh/uv#8307))
-   Respect `UV_INDEX_` rather than `UV_HTTP_BASIC_` as documented ([#&#8203;8306](astral-sh/uv#8306))
-   Improve sources deserialization errors ([#&#8203;8308](astral-sh/uv#8308))

##### Documentation

-   Correct pytorch-to-torch reference in docs ([#&#8203;8291](astral-sh/uv#8291))

### [`v0.4.23`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0423)

[Compare Source](astral-sh/uv@0.4.22...0.4.23)

This release introduces a revamped system for defining package indexes, as an alternative to the existing pip-style
`--index-url` and `--extra-index-url` configuration options.

You can now define named indexes in your `pyproject.toml` file using the `[[tool.uv.index]]` table:

```toml
[[tool.uv.index]]
name = "pytorch"
url = "https://download.pytorch.org/whl/cpu"
```

Packages can be pinned to a specific index via `tool.uv.sources`, to ensure that a given package is installed from the
correct index. For example, to ensure that `torch` is *always* installed from the `pytorch` index:

```toml
[tool.uv.sources]
torch = { index = "pytorch" }

[[tool.uv.index]]
name = "pytorch"
url = "https://download.pytorch.org/whl/cpu"
```

Indexes can also be marked as `explicit = true` to prevent packages from being installed from that index
unless explicitly pinned. For example, to ensure that `torch` is installed from the `pytorch` index, but all other
packages are installed from the default index:

```toml
[tool.uv.sources]
torch = { index = "pytorch" }

[[tool.uv.index]]
name = "pytorch"
url = "https://download.pytorch.org/whl/cpu"
explicit = true
```

To define an additional index outside a `pyproject.toml` file, use the `--index` command-line argument
(or the `UV_INDEX` environment variable); to replace the default index (PyPI), use the `--default-index` command-line
argument (or `UV_DEFAULT_INDEX`).

These changes are entirely backwards-compatible with the deprecated `--index-url` and `--extra-index-url` options,
which continue to work as before.

See the [Index](https://docs.astral.sh/uv/configuration/indexes/) documentation for more.

##### Enhancements

-   Add index URLs when provided via `uv add --index` or `--default-index` ([#&#8203;7746](astral-sh/uv#7746))
-   Add support for named and explicit indexes ([#&#8203;7481](astral-sh/uv#7481))
-   Add templates for popular build backends ([#&#8203;7857](astral-sh/uv#7857))
-   Allow multiple pinned indexes in `tool.uv.sources` ([#&#8203;7769](astral-sh/uv#7769))
-   Allow users to incorporate Git tags into dynamic cache keys ([#&#8203;8259](astral-sh/uv#8259))
-   Pin named indexes in `uv add` ([#&#8203;7747](astral-sh/uv#7747))
-   Respect named `--index` and `--default-index` values in `tool.uv.sources` ([#&#8203;7910](astral-sh/uv#7910))
-   Update to latest PubGrub version ([#&#8203;8245](astral-sh/uv#8245))
-   Enable environment variable authentication for named indexes ([#&#8203;7741](astral-sh/uv#7741))
-   Avoid showing lower-bound warning outside of explicit lock and sync ([#&#8203;8234](astral-sh/uv#8234))
-   Improve logging during lock errors ([#&#8203;8258](astral-sh/uv#8258))
-   Improve styling of `requires-python` warnings ([#&#8203;8240](astral-sh/uv#8240))
-   Show hint in resolution failure on `Forbidden` (`403`) or `Unauthorized` (`401`) ([#&#8203;8264](astral-sh/uv#8264))
-   Update to latest `cargo-dist` version (includes new installer features) ([#&#8203;8270](astral-sh/uv#8270))
-   Warn when patch version in `requires-python` is implicitly `0` ([#&#8203;7959](astral-sh/uv#7959))
-   Add more context on client errors during range requests ([#&#8203;8285](astral-sh/uv#8285))

##### Bug fixes

-   Avoid writing duplicate index URLs with `--emit-index-url` ([#&#8203;8226](astral-sh/uv#8226))
-   Fix error leading to out-of-bound panic in `uv-pep508` ([#&#8203;8282](astral-sh/uv#8282))
-   Fix managed distributions of free-threaded Python on Windows ([#&#8203;8268](astral-sh/uv#8268))
-   Fix selection of free-threaded interpreters during default Python discovery ([#&#8203;8239](astral-sh/uv#8239))
-   Ignore sources in build requirements for non-source trees ([#&#8203;8235](astral-sh/uv#8235))
-   Invalid cache when adding lower bound to lockfile ([#&#8203;8230](astral-sh/uv#8230))
-   Respect index priority when storing credentials ([#&#8203;8256](astral-sh/uv#8256))
-   Respect relative paths in `uv build` sources ([#&#8203;8237](astral-sh/uv#8237))
-   Narrow what the pip3.<minor> logic drops from entry points. ([#&#8203;8273](astral-sh/uv#8273))

##### Documentation

-   Add some additional notes to `--index-url` docs ([#&#8203;8267](astral-sh/uv#8267))
-   Add upgrade note to README ([#&#8203;7937](astral-sh/uv#7937))
-   Remove note that "only a single source may be defined for each dependency" ([#&#8203;8243](astral-sh/uv#8243))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
@pythonweb2 pythonweb2 mentioned this pull request Oct 21, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zanieb zanieb zanieb approved these changes

Assignees
No one assigned
Labels
registry Related to package indexes and registries security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@charliermarsh @zanieb