feat: Add pixi-url-bearer-token to authenticate when downloading from pixi-url (#210)

ytausch · pavelzw · web-flow · commit 273e4808c831 · 2025-07-11T18:38:08.000+02:00
Co-authored-by: Pavel Zwerschke &lt;pavelzw@gmail.com&gt;
diff --git a/.github/assets/pixi-url-auth-test/Caddyfile b/.github/assets/pixi-url-auth-test/Caddyfile
@@ -0,0 +1,7 @@
+:8080 {
+    @unauthorized not header Authorization "Bearer s3cr3tT0k3nABC123"
+    respond @unauthorized "Unauthorized: Invalid token" 401
+
+    root * ./assets
+    file_server
+}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -47,7 +47,7 @@ jobs:
         run: |
           set -euo pipefail
           latest_version="$(jq -r '.version' package.json)"
-          count_expected=17
+          count_expected=18
           count_actual="$(grep -c "setup-pixi@v$latest_version" README.md || true)"
           if [ "$count_actual" -ne "$count_expected" ]; then
             echo "::error file=README.md::Expected $count_expected mentions of \`setup-pixi@v$latest_version\` in README.md, but found $count_actual."
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -190,6 +190,47 @@ jobs:
           pixi-url: https://github.com/prefix-dev/pixi/releases/download/v0.14.0/pixi-x86_64-unknown-linux-musl
       - run: pixi --version | grep -q "pixi 0.14.0"
 
+  pixi-url-bearer-token:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Move pixi.toml
+        run: mv test/old-pixi-lockfiles/* .
+      - name: Setup caddy
+        run: |
+          set -euo pipefail
+          curl -Ls -o caddy.tar.gz https://github.com/caddyserver/caddy/releases/download/v2.10.0/caddy_2.10.0_linux_amd64.tar.gz
+          tar -xzf caddy.tar.gz
+          chmod +x caddy
+
+          mkdir -p assets
+          curl -Ls -o assets/pixi https://github.com/prefix-dev/pixi/releases/download/v0.14.0/pixi-x86_64-unknown-linux-musl
+
+          cp .github/assets/pixi-url-auth-test/Caddyfile .
+
+          ./caddy run --config Caddyfile &
+      - run: ps -aux | grep caddy
+      - name: Run with wrong token
+        uses: ./
+        id: wrongtoken
+        with:
+          cache: false
+          pixi-url: http://localhost:8080/pixi
+          pixi-url-bearer-token: wrongtoken
+        continue-on-error: true
+      - name: Fail if wrong token did not fail
+        run: |
+          echo "Unexpected success!"
+          exit 1
+        if: ${{ steps.wrongtoken.outcome != 'failure' }}
+      - name: Run with correct token
+        uses: ./
+        with:
+          cache: false
+          pixi-url: http://localhost:8080/pixi
+          pixi-url-bearer-token: s3cr3tT0k3nABC123
+      - run: pixi --version | grep -q "pixi 0.14.0"
+
   custom-manifest-path:
     strategy:
       matrix:
diff --git a/README.md b/README.md
@@ -23,7 +23,7 @@ GitHub Action to set up the [pixi](https://github.com/prefix-dev/pixi) package m
 ## Usage
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     pixi-version: v0.49.0
 
@@ -35,7 +35,7 @@ GitHub Action to set up the [pixi](https://github.com/prefix-dev/pixi) package m
 
 > [!WARNING]
 > Since pixi is not yet stable, the API of this action may change between minor versions.
-> Please pin the versions of this action to a specific version (i.e., `prefix-dev/setup-pixi@v0.8.10`) to avoid breaking changes.
+> Please pin the versions of this action to a specific version (i.e., `prefix-dev/setup-pixi@v0.8.11`) to avoid breaking changes.
 > You can automatically update the version of this action by using [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot).
 >
 > Put the following in your `.github/dependabot.yml` file to enable Dependabot for your GitHub Actions:
@@ -74,7 +74,7 @@ In order to not exceed the [10 GB cache size limit](https://docs.github.com/en/a
 This can be done by setting the `cache-write` argument.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     cache: true
     cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
@@ -119,7 +119,7 @@ test:
       environment: [py311, py312]
   steps:
     - uses: actions/checkout@v4
-    - uses: prefix-dev/setup-pixi@v0.8.10
+    - uses: prefix-dev/setup-pixi@v0.8.11
       with:
         environments: ${{ matrix.environment }}
 ```
@@ -129,7 +129,7 @@ test:
 The following example will install both the `py311` and the `py312` environment on the runner.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     # separated by spaces
     environments: >-
@@ -165,7 +165,7 @@ Specify the token using the `auth-token` input argument.
 This form of authentication (bearer token in the request headers) is mainly used at [prefix.dev](https://prefix.dev).
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     auth-host: prefix.dev
     auth-token: ${{ secrets.PREFIX_DEV_TOKEN }}
@@ -177,7 +177,7 @@ Specify the username and password using the `auth-username` and `auth-password`
 This form of authentication (HTTP Basic Auth) is used in some enterprise environments with [artifactory](https://jfrog.com/artifactory) for example.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     auth-host: custom-artifactory.com
     auth-username: ${{ secrets.PIXI_USERNAME }}
@@ -190,7 +190,7 @@ Specify the conda-token using the `auth-conda-token` input argument.
 This form of authentication (token is encoded in URL: `https://my-quetz-instance.com/t/<token>/get/custom-channel`) is used at [anaconda.org](https://anaconda.org) or with [quetz instances](https://github.com/mamba-org/quetz).
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     auth-host: anaconda.org # or my-quetz-instance.com
     auth-conda-token: ${{ secrets.CONDA_TOKEN }}
@@ -202,7 +202,7 @@ Specify the S3 key pair using the `auth-access-key-id` and `auth-secret-access-k
 You can also specify the session token using the `auth-session-token` input argument.
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     auth-host: s3://my-s3-bucket
     auth-s3-access-key-id: ${{ secrets.ACCESS_KEY_ID }}
@@ -274,15 +274,15 @@ To this end, `setup-pixi` adds all environment variables set when executing `pix
 As a result, all installed binaries can be accessed without having to call `pixi run`.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     activate-environment: true
 ```
 
 If you are installing multiple environments, you will need to specify the name of the environment that you want to be activated.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     environments: >-
       py311
@@ -299,7 +299,7 @@ You can specify whether `setup-pixi` should run `pixi install --frozen` or `pixi
 See the [official documentation](https://prefix.dev/docs/pixi/cli#install) for more information about the `--frozen` and `--locked` flags.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     locked: true
     # or
@@ -318,7 +318,7 @@ The first one is the debug logging of the action itself.
 This can be enabled by running the action with the `RUNNER_DEBUG` environment variable set to `true`.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   env:
     RUNNER_DEBUG: true
 ```
@@ -336,7 +336,7 @@ The second type is the debug logging of the pixi executable.
 This can be specified by setting the `log-level` input.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     # one of `q`, `default`, `v`, `vv`, or `vvv`.
     log-level: vvv
@@ -362,7 +362,7 @@ If nothing is specified, `post-cleanup` will default to `true`.
 On self-hosted runners, you also might want to alter the default pixi install location to a temporary location. You can use `pixi-bin-path: ${{ runner.temp }}/bin/pixi` to do this.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     post-cleanup: true
     # ${{ runner.temp }}\Scripts\pixi.exe on Windows
@@ -378,7 +378,7 @@ You can also use a preinstalled local version of pixi on the runner by not setti
 This can be overwritten by setting the `manifest-path` input argument.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     manifest-path: pyproject.toml
 ```
@@ -388,11 +388,23 @@ This can be overwritten by setting the `manifest-path` input argument.
 If you only want to install pixi and not install the current project, you can use the `run-install` option.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.10
+- uses: prefix-dev/setup-pixi@v0.8.11
   with:
     run-install: false
 ```
 
+### Download pixi from a custom URL
+
+You can also download pixi from a custom URL by setting the `pixi-url` input argument.
+Optionally, you can combine this with the `pixi-url-bearer-token` input argument to authenticate the download request.
+
+```yml
+- uses: prefix-dev/setup-pixi@v0.8.11
+  with:
+    pixi-url: https://pixi-mirror.example.com/releases/download/v0.48.0/pixi-x86_64-unknown-linux-musl
+    pixi-url-bearer-token: ${{ secrets.PIXI_MIRROR_BEARER_TOKEN }}
+```
+
 ## More examples
 
 If you want to see more examples, you can take a look at the [GitHub Workflows of this repository](.github/workflows/test.yml).
diff --git a/action.yml b/action.yml
@@ -10,6 +10,8 @@ inputs:
     description: Version of pixi to install
   pixi-url:
     description: URL of pixi to install
+  pixi-url-bearer-token:
+    description: Bearer token to use for authentication when downloading pixi from a URL.
   log-level:
     description: |
       Log level for the pixi CLI.
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/post.js b/dist/post.js
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "setup-pixi",
-  "version": "0.8.10",
+  "version": "0.8.11",
   "private": true,
   "description": "Action to set up the pixi package manager.",
   "scripts": {
diff --git a/src/main.ts b/src/main.ts
@@ -12,12 +12,14 @@ import { activateEnvironment } from './activate'
 
 const downloadPixi = (source: PixiSource) => {
   const url = 'version' in source ? getPixiUrlFromVersion(source.version) : source.url
+  const auth = 'bearerToken' in source && source.bearerToken ? `Bearer ${source.bearerToken}` : ''
   return core.group('Downloading Pixi', () => {
     core.debug('Installing pixi')
     core.debug(`Downloading pixi from ${url}`)
+    core.debug(`Using Bearer auth: ${auth ? 'yes' : 'no'}`)
     return fs
       .mkdir(path.dirname(options.pixiBinPath), { recursive: true })
-      .then(() => downloadTool(url, options.pixiBinPath))
+      .then(() => downloadTool(url, options.pixiBinPath, auth))
       .then((_downloadPath) => fs.chmod(options.pixiBinPath, 0o755))
       .then(() => {
         core.info(`Pixi installed to ${options.pixiBinPath}`)
diff --git a/src/options.ts b/src/options.ts
@@ -11,6 +11,7 @@ import which from 'which'
 type Inputs = Readonly<{
   pixiVersion?: string
   pixiUrl?: string
+  pixiUrlBearerToken?: string
   logLevel?: LogLevel
   manifestPath?: string
   runInstall?: boolean
@@ -39,6 +40,7 @@ export type PixiSource =
     }
   | {
       url: string
+      bearerToken?: string
     }
 
 type Auth = {
@@ -133,6 +135,9 @@ const validateInputs = (inputs: Inputs): void => {
   if (inputs.pixiVersion && inputs.pixiUrl) {
     throw new Error('You need to specify either pixi-version or pixi-url')
   }
+  if (inputs.pixiUrlBearerToken && !inputs.pixiUrl) {
+    throw new Error('You need to specify pixi-url when using pixi-url-bearer-token')
+  }
   if (inputs.cacheKey !== undefined && inputs.cache === false) {
     throw new Error('Cannot specify cache key without caching')
   }
@@ -223,7 +228,7 @@ const inferOptions = (inputs: Inputs): Options => {
   const pixiSource = inputs.pixiVersion
     ? { version: inputs.pixiVersion }
     : inputs.pixiUrl
-      ? { url: inputs.pixiUrl }
+      ? { url: inputs.pixiUrl, bearerToken: inputs.pixiUrlBearerToken }
       : { version: 'latest' }
 
   const { downloadPixi, pixiBinPath } = determinePixiInstallation(
@@ -340,6 +345,7 @@ const getOptions = () => {
       'pixi-version must either be `latest` or a version string matching `vX.Y.Z`.'
     ),
     pixiUrl: parseOrUndefined('pixi-url', z.string().url()),
+    pixiUrlBearerToken: parseOrUndefined('pixi-url-bearer-token', z.string()),
     logLevel: parseOrUndefined(
       'log-level',
       logLevelSchema,

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "setup-pixi",`
`3`		`- "version": "0.8.10",`
	`3`	`+ "version": "0.8.11",`
`4`	`4`	`"private": true,`
`5`	`5`	`"description": "Action to set up the pixi package manager.",`
`6`	`6`	`"scripts": {`