Open aaron-michaux opened 2 months ago
aignas
commented
2 months ago Wolud using the bazel downloader as described in the docs work for you in this case? It should hopefully not leak the credentials upon failures, but it is only supported in bzlmod.
aaron-michaux
commented
2 months ago Alas, we cannot use bzlmod because of complicated dependencies. Maybe in a few years we could.
aignas
commented
2 months ago bzlmod usage can be incremental - i.e. you could use bzlmod for rules_python but WORKSPACE for the rest. But you know better here.
I thought that when you use the envsubst feature you don't need to specify the --index-url manually anymore? Maybe I am misremembering that part...
aaron-michaux
commented
2 months ago I tried envsubst without extra_pip_args (i.e., -index-url), however that doesn't work. The docs say that envsubst allows env-variable substitution in extra_pip_args arguments. That is, it allows you to use ["--index-url", "${PIP_INDEX_URL}"], such that PIP_INDEX_URL is read from the environment.
aignas
commented
2 months ago aaron-michaux
commented
2 months ago Wouldn't that imply that the password is stored plain text in a WORKSPACE or .bzl file? And checked into git? How would different users have different passwords?
๐ bug report
Affected Rule
Is this a regression?
No
Description
We have an "index-url" that uses secure credentials. We do not want those credentials to leak into error logs when there's a pip error. However, the combo of setting
envsubstandextra_pip_argsprecisely does this.(We cannot use bzlmod, so we cannot use the bazel http downloader for python pip.)
๐ฌ Minimal Reproduction
Any pip_parse rule that errors will print the
extra_pip_args.Note that pip itself is smart enough to ***** out the password on PIP_INDEX_URL.
๐ฅ Exception or Error
๐ Your Environment
Operating System:
Output of
bazel version:Rules_python version:
Anything else relevant?
=)