Enable environment variable authentication for named indexes (#7741)

## Summary

This PR enables users to provide index credentials via named environment
variables.

For example, given an index named `internal` that requires a username
(`public`) and password
(`koala`), you can define the index (without credentials) in your
`pyproject.toml`:

```toml
[[tool.uv.index]]
name = "internal"
url = "https://pypi-proxy.corp.dev/simple"
```

Then set the `UV_INDEX_INTERNAL_USERNAME` and
`UV_INDEX_INTERNAL_PASSWORD`
environment variables, where `INTERNAL` is the uppercase version of the
index name:

```sh
export UV_INDEX_INTERNAL_USERNAME=public
export UV_INDEX_INTERNAL_PASSWORD=koala
```
Charlie Marsh 2024-10-15 15:35:07 -07:00 committed by GitHub
parent 5b391770df
commit 1925922770
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 284 additions and 67 deletions


@ -95,6 +95,45 @@ Users can opt in to alternate index behaviors via the`--index-strategy` command-
While `unsafe-best-match` is the closest to pip's behavior, it exposes users to the risk of
"dependency confusion" attacks.
## Providing credentials
Most private registries require authentication to access packages, typically via a username and
password (or access token).
To authenticate with a provide index, either provide credentials via environment variables or embed
them in the URL.
For example, given an index named `internal` that requires a username (`public`) and password
(`koala`), define the index (without credentials) in your `pyproject.toml`:
```toml
[[tool.uv.index]]
name = "internal"
url = "https://example.com/simple"
```
From there, you can set the `UV_INDEX_INTERNAL_USERNAME` and `UV_INDEX_INTERNAL_PASSWORD`
environment variables, where `INTERNAL` is the uppercase version of the index name:
```sh
export UV_INDEX_INTERNAL_USERNAME=public
export UV_INDEX_INTERNAL_PASSWORD=koala
```
By providing credentials via environment variables, you can avoid storing sensitive information in
the plaintext `pyproject.toml` file.
Alternatively, credentials can be embedded directly in the index definition:
```toml
[[tool.uv.index]]
name = "internal"
url = "https://public:koala@https://pypi-proxy.corp.dev/simple"
```
For security purposes, credentials are _never_ stored in the `uv.lock` file; as such, uv _must_ have
access to the authenticated URL at installation time.
## `--index-url` and `--extra-index-url`
In addition to the `[[tool.uv.index]]` configuration option, uv supports pip-style `--index-url` and
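Review bot: The embedded-credentials example in the "Providing credentials" section has a malformed URL: `https://public:koala@https://pypi-proxy.corp.dev/simple` repeats the scheme after the `@`, so a reader who copies it gets an index definition that does not point at the intended host. It should read `https://public:koala@pypi-proxy.corp.dev/simple`, and the host should match the first example in the section, which uses `https://example.com/simple`. In the same section, "To authenticate with a provide index" looks like a typo for "a private index". The text says `INTERNAL` is "the uppercase version of the index name" but does not say how a name containing characters that are not valid in an environment variable name (a hyphen, for instance) is mapped; please document that rule. Since the section recommends environment variables to keep secrets out of `pyproject.toml`, the embedded-URL alternative should also say that it places the password in plaintext in that file.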