Redact Git credentials from pyproject.toml (#6074)

## Summary

We retain them if you use `--raw-sources`, but otherwise they're
removed. We still respect them in the subsequent `uv.lock` via an
in-process store.

Closes #6056.

crates/uv-git/src/credentials.rs

@@ -0,0 +1,21 @@
+use std::collections::HashMap;
+use std::sync::{Arc, RwLock};
+
+use cache_key::RepositoryUrl;
+use uv_auth::Credentials;
+
+/// A store for Git credentials.
+#[derive(Debug, Default)]
+pub struct GitStore(RwLock<HashMap<RepositoryUrl, Arc<Credentials>>>);
+
+impl GitStore {
+    /// Insert [`Credentials`] for the given URL into the store.
+    pub fn insert(&self, url: RepositoryUrl, credentials: Credentials) -> Option<Arc<Credentials>> {
+        self.0.write().unwrap().insert(url, Arc::new(credentials))
+    }
+
+    /// Get the [`Credentials`] for the given URL, if they exist.
+    pub fn get(&self, url: &RepositoryUrl) -> Option<Arc<Credentials>> {
+        self.0.read().unwrap().get(url).cloned()
+    }
+}

crates/uv-git/src/lib.rs

@@ -1,5 +1,8 @@
+use std::sync::LazyLock;
+
 use url::Url;
 
+use crate::credentials::GitStore;
 pub use crate::git::GitReference;
 pub use crate::resolver::{
     GitResolver, GitResolverError, RepositoryReference, ResolvedRepositoryReference,
@@ -7,11 +10,17 @@ pub use crate::resolver::{
 pub use crate::sha::{GitOid, GitSha, OidParseError};
 pub use crate::source::{Fetch, GitSource, Reporter};
 
+mod credentials;
 mod git;
 mod resolver;
 mod sha;
 mod source;
 
+/// Global authentication cache for a uv invocation.
+///
+/// This is used to share Git credentials within a single process.
+pub static GIT_STORE: LazyLock<GitStore> = LazyLock::new(GitStore::default);
+
 /// A URL reference to a Git repository.
 #[derive(Debug, Clone, PartialEq, PartialOrd, Eq, Hash, Ord)]
 pub struct GitUrl {
@@ -44,6 +53,7 @@ impl GitUrl {
         }
     }
 
+    /// Set the precise [`GitSha`] to use for this Git URL.
     #[must_use]
     pub fn with_precise(mut self, precise: GitSha) -> Self {
         self.precise = Some(precise);

crates/uv-git/src/source.rs

@@ -1,6 +1,8 @@
 //! Git support is derived from Cargo's implementation.
 //! Cargo is dual-licensed under either Apache 2.0 or MIT, at the user's choice.
 //! Source: <https://github.com/rust-lang/cargo/blob/23eb492cf920ce051abfc56bbaf838514dc8365c/src/cargo/sources/git/source.rs>
+
+use std::borrow::Cow;
 use std::path::{Path, PathBuf};
 
 use anyhow::Result;
@@ -11,7 +13,7 @@ use url::Url;
 use cache_key::{cache_digest, RepositoryUrl};
 
 use crate::git::GitRemote;
-use crate::{GitOid, GitSha, GitUrl};
+use crate::{GitOid, GitSha, GitUrl, GIT_STORE};
 
 /// A remote Git source that can be checked out locally.
 pub struct GitSource {
@@ -52,11 +54,21 @@ impl GitSource {
     /// Fetch the underlying Git repository at the given revision.
     #[instrument(skip(self), fields(repository = %self.git.repository, rev = ?self.git.precise))]
     pub fn fetch(self) -> Result<Fetch> {
+        // Compute the canonical URL for the repository.
+        let canonical = RepositoryUrl::new(&self.git.repository);
+
         // The path to the repo, within the Git database.
-        let ident = cache_digest(&RepositoryUrl::new(&self.git.repository));
+        let ident = cache_digest(&canonical);
         let db_path = self.cache.join("db").join(&ident);
 
-        let remote = GitRemote::new(&self.git.repository);
+        // Authenticate the URL, if necessary.
+        let remote = if let Some(credentials) = GIT_STORE.get(&canonical) {
+            Cow::Owned(credentials.apply(self.git.repository.clone()))
+        } else {
+            Cow::Borrowed(&self.git.repository)
+        };
+
+        let remote = GitRemote::new(&remote);
         let (db, actual_rev, task) = match (self.git.precise, remote.db_at(&db_path).ok()) {
             // If we have a locked revision, and we have a preexisting database
             // which has that revision, then no update needs to happen.