Add documentation on using dependencies from private GitLab package indexes #9583
Conversation
| ## GitLab | ||
|
|
||
| If you want to add a dependency from a private GitLab package index, you need to force uv to pass credentials by adding the token name directly to the index's URL: | ||
|
|
||
| ```toml | ||
| [[tool.uv.index]] | ||
| url = "https://GITLAB_TOKEN@$gitlab.com/api/v4/{PROJECT-OR-GROUP}/-/packages/pypi/simple" | ||
| ``` | ||
|
|
||
| Since the token name is hardcoded in the pyproject.toml file, all users must set up a personal access token with the same name (GITLAB_TOKEN in the example) before installing dependencies. | ||
|
|
There was a problem hiding this comment.
It might be preferred to suggest using UV_INDEX_{name}_USERNAME and UV_INDEX_{name}_PASSWORD for the credentialed pieces.
There was a problem hiding this comment.
Yeah, that too. With credentials but without token name in URL, uv will first try unauthroized request, receive 404 and cry uncle. I'll reword it for better clarity. Any suggestions?
There was a problem hiding this comment.
uv/crates/uv-auth/src/middleware.rs
Lines 148 to 160 in 81569c4
Are you sure the 404 is the problem? It is explicitly one of the status codes that UV will retry with auth for.
There was a problem hiding this comment.
What I'm sure is that adding token name fixes the issue described in the linked report. Take a look at the logs I've linked there. @zanieb seems to know the underlying cause.
There was a problem hiding this comment.
For what it is worth I ran into a very similar issue to the one that you had in terms of uv output, and determined that a strangely configured python package index was returning 200 with no auth, and not listing any versions unless auth was provided. I may try to implement one of the configuration options discussed in your issue and raise a PR, but I am hoping that I can get the creator of the index I need to use at work to simply fix the probable permissions issue.
There was a problem hiding this comment.
Adding the token name fixes it because we skip trying an unauthenticated request.
My earlier comments were incorrect regarding the 404, thanks @Raymi306 for pointing that out — we will search for credentails on a 404. It looks like GitLab is actually returning an okay response? The relevant logs being:
TRACE No credentials in cache for URL https://gitlab.com/api/v4/groups/${ID}/-/packages/pypi/simple/livity-airtable/
TRACE Attempting unauthenticated request for https://gitlab.com/api/v4/groups/${ID}/-/packages/pypi/simple/livity-airtable/
TRACE cached request https://gitlab.com/api/v4/groups/${ID}/-/packages/pypi/simple/livity-airtable/ is storable because its response has a 'public' cache-control directive
TRACE Received package metadata for: livity-airtable
TRACE Selecting candidate for livity-airtable with range * with 0 remote versions
Sorry for misleading you there, I'm not sure why I thought we only retried on 401..
There was a problem hiding this comment.
Cool, thanks for clearing it out.
strangely configured python package index was returning 200
Hmm, the free gitlab.com offering has only one config option in the package registry - forwarding requests to PyPI. It actually might be the issue. I'll investigate it further.
Doc change: adding a section on using dependncies from a GitLab package index.
Relates to #9331
Could mention using explicit source configuration as GitLab may be configured as a proxy to the official PyPI, but I see other sections don't include anything more than strictly necessary.