From 3ac43e8d15ff93405e305523d3a9abdd7670a627 Mon Sep 17 00:00:00 2001 From: Zanie Blue Date: Tue, 18 Nov 2025 15:43:44 -0600 Subject: [PATCH] Disable always-authenticate when running under Dependabot (#16773) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dependabot appears to run a proxy which intercepts all requests and adds credentials — credentials are _not_ provided via the CLI or environment variables and there's no way for a user to do so. This means that when `authenticate = "always"` is used (or when the index URL is on a pyx domain), uv will fail even though Dependabot may intercept the request and add credentials. See https://github.com/dependabot/dependabot-core/#private-registry-credential-management --- crates/uv-auth/src/middleware.rs | 15 ++++++++++----- crates/uv-static/src/env_vars.rs | 4 ++++ docs/reference/environment.md | 5 +++++ 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/crates/uv-auth/src/middleware.rs b/crates/uv-auth/src/middleware.rs index e57f7bf8d..ab03d4b56 100644 --- a/crates/uv-auth/src/middleware.rs +++ b/crates/uv-auth/src/middleware.rs @@ -10,6 +10,7 @@ use tracing::{debug, trace, warn}; use uv_preview::{Preview, PreviewFeatures}; use uv_redacted::DisplaySafeUrl; +use uv_static::EnvVars; use uv_warnings::owo_colors::OwoColorize; use crate::credentials::Authentication; @@ -352,11 +353,15 @@ impl Middleware for AuthMiddleware { .is_some_and(|token_store| token_store.is_known_url(request.url())); let must_authenticate = self.only_authenticated - || match auth_policy { - AuthPolicy::Auto => is_known_url, - AuthPolicy::Always => true, - AuthPolicy::Never => false, - }; + || (match auth_policy { + AuthPolicy::Auto => is_known_url, + AuthPolicy::Always => true, + AuthPolicy::Never => false, + } + // Dependabot intercepts HTTP requests and injects credentials, which means that we + // cannot eagerly enforce an `AuthPolicy` as we don't know whether credentials will be + // added outside of uv. + && !std::env::var(EnvVars::DEPENDABOT).is_ok_and(|value| value == "true")); let (mut retry_request, response) = if !must_authenticate { let url = tracing_url(&request, credentials.as_deref()); diff --git a/crates/uv-static/src/env_vars.rs b/crates/uv-static/src/env_vars.rs index 1f9cf3d21..db1024431 100644 --- a/crates/uv-static/src/env_vars.rs +++ b/crates/uv-static/src/env_vars.rs @@ -662,6 +662,10 @@ impl EnvVars { #[attr_added_in("0.8.18")] pub const CONDA_ROOT: &'static str = "_CONDA_ROOT"; + /// Used to determine if we're running in Dependabot. + #[attr_added_in("next release")] + pub const DEPENDABOT: &'static str = "DEPENDABOT"; + /// If set to `1` before a virtual environment is activated, then the /// virtual environment name will not be prepended to the terminal prompt. #[attr_added_in("0.0.5")] diff --git a/docs/reference/environment.md b/docs/reference/environment.md index a228ec127..bb1a3272d 100644 --- a/docs/reference/environment.md +++ b/docs/reference/environment.md @@ -791,6 +791,11 @@ Used to determine the name of the active Conda environment. Used to detect the path of an active Conda environment. +### `DEPENDABOT` +added in `next release` + +Used to determine if we're running in Dependabot. + ### `FISH_VERSION` added in `0.1.28`