
rattler-build login #334

Closed
pavelzw opened this issue Nov 21, 2023 · 7 comments
Labels
enhancement New feature or request

Comments

@pavelzw
Collaborator

pavelzw commented Nov 21, 2023

There is currently no way of logging into private channels using rattler-build without using pixi auth login. Would be nice to have a standalone way of doing this.

@pavelzw pavelzw added the enhancement New feature or request label Nov 21, 2023
@pavelzw
Collaborator Author

pavelzw commented Dec 9, 2023

This actually got more important for us now.
The workaround with using pixi auth login only works when there is no keychain.
In CI on macos-latest, I have the following situation:

    runs-on: macos-latest
    timeout-minutes: 5
...
      - name: Install rattler-build
        uses: mamba-org/setup-micromamba@54d4d5980e1a4aa7cdc8b050cf2d19b7e262ce18
        with:
          environment-name: build
          create-args: >-
            rattler-build=0.6.0
          cache-environment: true
      - uses: prefix-dev/setup-pixi@ccc5c07ed948b849df4b3578d785f3afd7465c67
        with:
          run-install: false
          auth-host: https://my-quetz-instance.com
          auth-conda-token: ${{ secrets.QUETZ_API_KEY }}
      - name: Build conda package
        run: >-
          rattler-build build
          --recipe conda.recipe/recipe.yaml
          -c conda-forge
          -c https://my-quetz-instance.com/get/private-channel

Looking at the logs of this workflow, I can see the following:

Copied ...

Resolving for environment specs:
 - clang_osx-64 15.*


Error: The operation was canceled.

What's happening is that pixi writes the secret to the keychain and rattler-build tries to read the secret from the keychain. This triggers an interactive auth prompt and the workflow gets canceled after timeout-minutes.

@0xbe7a
Contributor

0xbe7a commented Dec 9, 2023

You can get rattler-build running on macos for now by manually preparing the keyring with the following bash script:

# Run on the macOS runner after rattler-build has been installed.
account_name="your.quetz.server.com"   # host part of the private channel URL
path="$(command -v rattler-build)"
token="your conda-token"
# CDHash of the rattler-build binary; the keychain ACL below is keyed on it.
cdhash="$(/usr/bin/codesign -dvvv "$path" 2>&1 | grep 'CDHash=' | cut -d'=' -f2)"
password="rattler"
# On x64 runners the conda-forge binary is unsigned; see the follow-up comment
# for the ad-hoc codesign step that has to run here.

# Use a dedicated keychain so the runner's login keychain stays untouched.
security create-keychain -p "$password" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$password" build.keychain

# Pre-create the item, let pixi write the token into it, then grant the
# binary with this CDHash access so rattler-build can read it without a prompt.
security add-generic-password -a "$account_name" -s rattler -A build.keychain
pixi auth login --conda-token "$token" "https://$account_name"
security set-generic-password-partition-list -S "cdhash:$cdhash" -s rattler -a "$account_name" -k "$password" build.keychain

@pavelzw
Collaborator Author

pavelzw commented Dec 12, 2023

@0xbe7a's hack works on M1 runners (rattler-build is signed there by default). On regular x64 runners, you still need to run /usr/bin/codesign --sign - --force "$rattler_build_path" after password="rattler".

But then, it works.

@wolfv
Member

wolfv commented Dec 12, 2023

Hi @0xbe7a and @pavelzw – is the problem that the rattler-build binary is not signed with an Apple Certificate? We built some CI to do this for pixi that we could / should copy over.

I do like Bela's force fallback storage option. I am wondering if we should instead implement this as another "auth storage" using generics.

@pavelzw
Collaborator Author

pavelzw commented Dec 12, 2023

is the problem that the rattler-build binary is not signed with an Apple Certificate?

yeah, that's one problem

We built some CI to do this for pixi that we could / should copy over.

This won't fix our specific use case since we are installing rattler-build straight from conda-forge

@pavelzw
Collaborator Author

pavelzw commented Dec 18, 2023

With the newest main build (fa672b9), you can do something like

echo '{"my.quetz.server": {"CondaToken": "${{ inputs.quetz-api-key }}"}}' > "${{ runner.temp }}/credentials.json"
echo "RATTLER_AUTH_FILE=${{ runner.temp }}/credentials.json" >> "$GITHUB_ENV"

Still not quite there yet but better than dark codesign magic.
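As an added example (not code from this thread or from the rattler-build project), the following POSIX shell helper writes the RATTLER_AUTH_FILE credentials file in the layout shown in the comment above, but without splicing the token into the script text: expanding ${{ secrets.X }} inside a `run:` block puts the raw value into the shell command, so a value containing a double quote or backslash would break both the JSON and the command line. The function names are hypothetical; the example assumes the `{"host": {"CondaToken": "..."}}` layout from the comment and that, in a GitHub Actions step, the secret is passed through `env:` rather than expanded inside `run:`.

```sh
#!/bin/sh
# Added example, not part of rattler-build or of this thread's own scripts.
# Writes a RATTLER_AUTH_FILE credentials file of the form
#   {"<host>": {"CondaToken": "<token>"}}
# without splicing the token into the script text. Function names are
# hypothetical; the file layout is the one shown in the comment above.
set -u

# Escape backslash and double quote so the token cannot terminate the JSON
# string. Conda tokens are URL-safe ASCII, so control characters are not handled.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_auth_file HOST TOKEN PATH
# Creates PATH (mode 0600, written to a temp file and renamed into place)
# holding the credentials for HOST.
write_auth_file() {
    host=$1
    token=$2
    out=$3
    tmp="$out.tmp.$$"
    old_umask=$(umask)
    umask 077                       # owner-only, set before the file exists
    printf '{"%s": {"CondaToken": "%s"}}\n' \
        "$(json_escape "$host")" "$(json_escape "$token")" > "$tmp"
    umask "$old_umask"
    mv "$tmp" "$out"
}

# Returns the line to append to $GITHUB_ENV so later steps pick the file up.
auth_file_env_line() {
    printf 'RATTLER_AUTH_FILE=%s\n' "$1"
}

# In a GitHub Actions step, pass the secret through `env:` instead of
# expanding ${{ secrets.QUETZ_API_KEY }} inside `run:`, e.g.
#   - run: |
#       write_auth_file my.quetz.server "$QUETZ_API_KEY" "$RUNNER_TEMP/credentials.json"
#       auth_file_env_line "$RUNNER_TEMP/credentials.json" >> "$GITHUB_ENV"
#     env:
#       QUETZ_API_KEY: ${{ secrets.QUETZ_API_KEY }}
```

The file is created under `umask 077` and moved into place atomically, so no step ever sees a world-readable or half-written credentials file, and the token only ever travels through an environment variable and a function argument.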

kassoulait pushed a commit to kassoulait/rattler-build that referenced this issue Feb 28, 2024
@pavelzw
Collaborator Author

pavelzw commented Mar 10, 2024

Fixed by #685
