
Disable always-authenticate when running under Dependabot #16773

Merged: zanieb merged 1 commit into main from zb/authenticate on Nov 18, 2025

@zanieb (Member) commented Nov 18, 2025

Dependabot appears to run a proxy which intercepts all requests and adds credentials — credentials are not provided via the CLI or environment variables and there's no way for a user to do so. This means that when authenticate = "always" is used (or when the index URL is on a pyx domain), uv will fail even though Dependabot may intercept the request and add credentials.

See https://github.com/dependabot/dependabot-core/#private-registry-credential-management

@zanieb temporarily deployed to uv-test-registries November 18, 2025 19:22, with GitHub Actions (Inactive)
@zanieb changed the title from "Disable always-authenticate when running under DEPENDABOT" to "Disable always-authenticate when running under Dependabot" Nov 18, 2025
@zanieb temporarily deployed to uv-test-registries November 18, 2025 19:58, with GitHub Actions (Inactive)
@zanieb marked this pull request as ready for review November 18, 2025 21:03
@zanieb requested a review from charliermarsh November 18, 2025 21:03
@woodruffw (Member) left a comment:

Distressing, but makes sense.

@zanieb merged commit 3ac43e8 into main Nov 18, 2025
100 checks passed
@zanieb deleted the zb/authenticate branch November 18, 2025 21:43
// Dependabot intercepts HTTP requests and injects credentials, which means that we
// cannot eagerly enforce an `AuthPolicy` as we don't know whether credentials will be
// added outside of uv.
&& !std::env::var(EnvVars::DEPENDABOT).is_ok_and(|value| value == "true"));
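Review bot: On the `&& !std::env::var(EnvVars::DEPENDABOT)...` line, the bypass trusts the environment variable alone and matches only the exact string `"true"`, so any environment that sets it skips eager `AuthPolicy` enforcement whether or not something outside uv actually adds credentials, while a value such as `True` or `1` would not trigger it. I'd state both facts in the comment above the condition and emit a debug or warning log when the bypass is taken, so a run where the policy was relaxed is visible in the output. The variable is also read each time this condition is evaluated; reading it once and reusing the result would keep the lookup out of the request path.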
Member commented:

Should we avoid re-reading this in this hot path?

Member (author) commented:

Uh we could. I assumed it was very cheap. I guess we're validating that the value is utf-8 and allocating a string?

I'm a little wary of the indirection of moving it out, I'm not sure where I'd put it.

Member commented:

Make it a once cell?

Member commented:

Yeah, environment accesses are somewhat expensive in Rust, since Rust acquires a lock on the entire environment (at least on macOS/Linux) for individual variable accesses. That wouldn't matter much in a lot of workloads, but I can imagine we'd have environment read contention in our setting because of work-splitting across multiple tokio-managed threads.

(It's probably still not a ton, but a OnceCell or LazyLock would avoid it as a concern.)

Ref: https://doc.rust-lang.org/src/std/sys/env/unix.rs.html
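
An added example (not uv's code, and not written by any participant in this thread) of the caching discussed above: the flag is read once through a `OnceLock`, and every later caller reuses the result without touching the environment. `CachedEnvFlag`, `under_dependabot`, `contended_lookups` and the literal variable name `DEPENDABOT` are assumptions made for illustration.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::OnceLock;
use std::thread;

/// A boolean environment flag that is read at most once per process.
/// (Hypothetical helper for illustration; not uv's implementation.)
pub struct CachedEnvFlag {
    value: OnceLock<bool>,
    lookups: AtomicUsize, // counts how often the underlying read ran
}

impl CachedEnvFlag {
    pub const fn new() -> Self {
        Self { value: OnceLock::new(), lookups: AtomicUsize::new(0) }
    }

    /// `read` performs the real lookup; it runs only for the first caller.
    /// Same predicate as the diff: the value must be exactly "true".
    pub fn get(&self, read: impl FnOnce() -> Option<String>) -> bool {
        *self.value.get_or_init(|| {
            self.lookups.fetch_add(1, Ordering::Relaxed);
            read().is_some_and(|value| value == "true")
        })
    }

    pub fn lookups(&self) -> usize { self.lookups.load(Ordering::Relaxed) }
}

/// Process-wide flag; the variable name "DEPENDABOT" is an assumption.
static UNDER_DEPENDABOT: CachedEnvFlag = CachedEnvFlag::new();

pub fn under_dependabot() -> bool {
    UNDER_DEPENDABOT.get(|| std::env::var("DEPENDABOT").ok())
}

/// Hammer the flag from several threads and return how many lookups ran.
pub fn contended_lookups(flag: &'static CachedEnvFlag, threads: usize) -> usize {
    let handles: Vec<_> = (0..threads)
        .map(|_| thread::spawn(move || {
            for _ in 0..1_000 { flag.get(|| Some("true".to_string())); }
        }))
        .collect();
    for handle in handles { handle.join().unwrap(); }
    flag.lookups()
}

fn main() {
    println!("under dependabot: {}", under_dependabot());
}
```

Because the value is fixed at first use, a change to the variable later in the process is not observed, which is the intended trade-off for a flag set by the surrounding environment.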

tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Nov 21, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.9.10` -> `0.9.11` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.9.11`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0911)

[Compare Source](astral-sh/uv@0.9.10...0.9.11)

Released on 2025-11-20.

##### Python

- Add CPython 3.15.0a2

See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20251120) for details.

##### Enhancements

- Add SBOM support to `uv export` ([#16523](astral-sh/uv#16523))
- Publish to `crates.io` ([#16770](astral-sh/uv#16770))

##### Preview features

- Add `uv workspace list --paths` ([#16776](astral-sh/uv#16776))
- Fix the preview warning on `uv workspace dir` ([#16775](astral-sh/uv#16775))

##### Bug fixes

- Fix `uv init` author serialization via `toml_edit` inline tables ([#16778](astral-sh/uv#16778))
- Fix status messages without TTY ([#16785](astral-sh/uv#16785))
- Preserve end-of-line comment whitespace when editing `pyproject.toml` ([#16734](astral-sh/uv#16734))
- Disable `always-authenticate` when running under Dependabot ([#16773](astral-sh/uv#16773))

##### Documentation

- Document the new behavior for free-threaded python versions ([#16781](astral-sh/uv#16781))
- Improve note about build system in publish guide ([#16788](astral-sh/uv#16788))
- Move do not upload publish note out of the guide into concepts ([#16789](astral-sh/uv#16789))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).