[FR]: Add authentication support to uv rules

[zsol]

What is the current behavior?

Currently, authentication for external python packages discovered by uv is not supported.

Describe the feature

We should allow users to depend on packages that require authentication. These packages live on private registries, typically behind some kind of HTTP authentication - either using Basic auth or a Bearer token.
There are two main operations to authenticate: resolution, and archive fetching. Because resolution is entirely delegated to uv, and it contains a pretty robust credential management and authentication system, I propose we let the rules_py rely on the user configuring uv correctly, and then extracting necessary credentials from it at analysis time.

This would allow us to support not only static, long-lived credentials, but also passwords & tokens managed in the user's keyring, as well as short-lived JWTs used in services like pyx and Artifactory.

The way this could work at a high level is by:

1. assuming the user has uv configured as normal according to the uv docs
2. having the user declare their authenticated services via a new authenticate module tag
3. at analysis time rules_py would run uv auth token $service for each configured service to extract (potentially short-lived) credentials
4. these credentials would get passed down to the relevant http_file targets

If that all sounds good, I can take a stab at the implementation.

[arrdem]

So I think the correct way to do this would be to leave rules_py as it is, and figure out how we can make UV act as a credentials provider that Bazel can understand. Maybe we add some custom code to the vendored (and stale) uv we're currently using.

The present authentication story isn't "we don't support authentication", it's "configure the Bazel downloader to handle authentication so that we can participate in a maximum of Bazel caching".

Would love to work with you to make sure we can put a clear story for that "in the box".

[zsol]

I was completely unaware of credentials helper support in Bazel (I assume this is what you're referring to), thanks for mentioning that!

IIUC, the best way to set this up would be for the user to:

1. fetch an executable that implements Bazel's credential helper protocol and store it in the workspace (looks like this can't be a simple target)
2. generate a .bazelrc snippet into the workspace that sets up their domains to map to the above executable

And then every time the user adds/removes an index that requires authentication, they'd have to regenerate the .bazelrc snippet.

For 1) I think we can teach uv itself how to talk this protocol (e.g. uv auth credential-helper get), but worst case it can be a simple binary that wraps uv auth token.
For 2) I imagine a public target in rules_py that the user can run which would output the required .bazelrc lines. This would simply list all the configured domains within uv (I can add a command for that in uv), and massage them into the format appropriate for .bazelrc.

[zsol]

Just checking in here, as astral-sh/uv#16886 landed, so from the next uv release we'll be able to use uv auth helper --protocol=bazel as a credential helper for Bazel.

[arrdem]

Need to bump the uv binaries we're using to 0.9.17 and we can write some examples for this.

[zsol]

I've written this small snippet to help people authenticate specifically against pyx, but some general purpose examples would be amazing. Happy to include them in the uv docs, too.