Add S3 authentication (#176)

Author: pavelzw

.github/workflows/build.yml

@@ -47,7 +47,7 @@ jobs:
         run: |
           set -euo pipefail
           latest_version="$(jq -r '.version' package.json)"
-          count_expected=15
+          count_expected=16
           count_actual="$(grep -c "setup-pixi@v$latest_version" README.md || true)"
           if [ "$count_actual" -ne "$count_expected" ]; then
             echo "::error file=README.md::Expected $count_expected mentions of \`setup-pixi@v$latest_version\` in README.md, but found $count_actual."

.github/workflows/test.yml

@@ -438,6 +438,25 @@ jobs:
         run: |
           test -f .pixi/envs/default/conda-meta/private-package-0.0.1-0.json
 
+  auth-s3-install:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Move pixi.toml
+        run: mv test/auth-s3/* .
+      - uses: ./
+        with:
+          cache: false
+          auth-host: s3://rattler-s3-testing
+          auth-s3-access-key-id: ${{ secrets.PIXI_TEST_R2_ACCESS_KEY_ID }}
+          auth-s3-secret-access-key: ${{ secrets.PIXI_TEST_R2_SECRET_ACCESS_KEY }}
+      - name: Ensure private package is installed
+        run: |
+          test -f .pixi/envs/default/conda-meta/my-webserver-0.1.0-pyh4616a5c_0.json
+
   pixi-shell:
     strategy:
       matrix:

README.md

@@ -23,9 +23,10 @@ GitHub Action to set up the [pixi](https://github.com/prefix-dev/pixi) package m
 ## Usage
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
-    pixi-version: v0.41.1
+    pixi-version: v0.41.4
+
     cache: true
     auth-host: prefix.dev
     auth-token: ${{ secrets.PREFIX_DEV_TOKEN }}
@@ -34,7 +35,7 @@ GitHub Action to set up the [pixi](https://github.com/prefix-dev/pixi) package m
 
 > [!WARNING]
 > Since pixi is not yet stable, the API of this action may change between minor versions.
-> Please pin the versions of this action to a specific version (i.e., `prefix-dev/setup-pixi@v0.8.2`) to avoid breaking changes.
+> Please pin the versions of this action to a specific version (i.e., `prefix-dev/setup-pixi@v0.8.3`) to avoid breaking changes.
 > You can automatically update the version of this action by using [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot).
 >
 > Put the following in your `.github/dependabot.yml` file to enable Dependabot for your GitHub Actions:
@@ -73,7 +74,7 @@ In order to not exceed the [10 GB cache size limit](https://docs.github.com/en/a
 This can be done by setting the `cache-write` argument.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     cache: true
     cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
@@ -118,7 +119,7 @@ test:
       environment: [py311, py312]
   steps:
     - uses: actions/checkout@v4
-    - uses: prefix-dev/setup-pixi@v0.8.2
+    - uses: prefix-dev/setup-pixi@v0.8.3
       with:
         environments: ${{ matrix.environment }}
 ```
@@ -128,7 +129,7 @@ test:
 The following example will install both the `py311` and the `py312` environment on the runner.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     # separated by spaces
     environments: >-
@@ -149,6 +150,7 @@ There are currently three ways to authenticate with pixi:
 - using a token
 - using a username and password
 - using a conda-token
+- using an S3 key pair
 
 For more information, see the [pixi documentation](https://prefix.dev/docs/pixi/authentication).
 
@@ -163,7 +165,7 @@ Specify the token using the `auth-token` input argument.
 This form of authentication (bearer token in the request headers) is mainly used at [prefix.dev](https://prefix.dev).
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     auth-host: prefix.dev
     auth-token: ${{ secrets.PREFIX_DEV_TOKEN }}
@@ -175,7 +177,7 @@ Specify the username and password using the `auth-username` and `auth-password`
 This form of authentication (HTTP Basic Auth) is used in some enterprise environments with [artifactory](https://jfrog.com/artifactory) for example.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     auth-host: custom-artifactory.com
     auth-username: ${{ secrets.PIXI_USERNAME }}
@@ -184,16 +186,33 @@ This form of authentication (HTTP Basic Auth) is used in some enterprise environ
 
 #### Conda-token
 
-Specify the conda-token using the `conda-token` input argument.
+Specify the conda-token using the `auth-conda-token` input argument.
 This form of authentication (token is encoded in URL: `https://my-quetz-instance.com/t/<token>/get/custom-channel`) is used at [anaconda.org](https://anaconda.org) or with [quetz instances](https://github.com/mamba-org/quetz).
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     auth-host: anaconda.org # or my-quetz-instance.com
-    conda-token: ${{ secrets.CONDA_TOKEN }}
+    auth-conda-token: ${{ secrets.CONDA_TOKEN }}
 ```
 
+#### S3
+
+Specify the S3 key pair using the `auth-access-key-id` and `auth-secret-access-key` input arguments.
+You can also specify the session token using the `auth-session-token` input argument.
+
+```yaml
+- uses: prefix-dev/setup-pixi@v0.8.3
+  with:
+    auth-host: s3://my-s3-bucket
+    auth-s3-access-key-id: ${{ secrets.ACCESS_KEY_ID }}
+    auth-s3-secret-access-key: ${{ secrets.SECRET_ACCESS_KEY }}
+    # only needed if your key uses a session token
+    auth-s3-session-token: ${{ secrets.SESSION_TOKEN }}
+```
+
+See the [pixi documentation](https://pixi.sh/latest/advanced/s3) for more information about S3 authentication.
+
 ### Custom shell wrapper
 
 `setup-pixi` allows you to run command inside of the pixi environment by specifying a custom shell wrapper with `shell: pixi run bash -e {0}`.
@@ -255,15 +274,15 @@ To this end, `setup-pixi` adds all environment variables set when executing `pix
 As a result, all installed binaries can be accessed without having to call `pixi run`.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     activate-environment: true
 ```
 
 If you are installing multiple environments, you will need to specify the name of the environment that you want to be activated.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     environments: >-
       py311
@@ -280,7 +299,7 @@ You can specify whether `setup-pixi` should run `pixi install --frozen` or `pixi
 See the [official documentation](https://prefix.dev/docs/pixi/cli#install) for more information about the `--frozen` and `--locked` flags.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     locked: true
     # or
@@ -299,7 +318,7 @@ The first one is the debug logging of the action itself.
 This can be enabled by running the action with the `RUNNER_DEBUG` environment variable set to `true`.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   env:
     RUNNER_DEBUG: true
 ```
@@ -317,7 +336,7 @@ The second type is the debug logging of the pixi executable.
 This can be specified by setting the `log-level` input.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     # one of `q`, `default`, `v`, `vv`, or `vvv`.
     log-level: vvv
@@ -343,7 +362,7 @@ If nothing is specified, `post-cleanup` will default to `true`.
 On self-hosted runners, you also might want to alter the default pixi install location to a temporary location. You can use `pixi-bin-path: ${{ runner.temp }}/bin/pixi` to do this.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     post-cleanup: true
     # ${{ runner.temp }}\Scripts\pixi.exe on Windows
@@ -359,7 +378,7 @@ You can also use a preinstalled local version of pixi on the runner by not setti
 This can be overwritten by setting the `manifest-path` input argument.
 
 ```yml
-- uses: prefix-dev/setup-pixi@v0.8.2
+- uses: prefix-dev/setup-pixi@v0.8.3
   with:
     manifest-path: pyproject.toml
 ```

action.yml

@@ -55,6 +55,12 @@ inputs:
     description: Password to use for authentication.
   auth-conda-token:
     description: Conda token to use for authentication.
+  auth-s3-access-key-id:
+    description: Access key ID to use for S3 authentication.
+  auth-s3-secret-access-key:
+    description: Secret access key to use for S3 authentication.
+  auth-s3-session-token:
+    description: Session token to use for S3 authentication.
   post-cleanup:
     description: |
       If the action should clean up after itself. Defaults to `true`.

dist/index.js

@@ -1,6 +1,6 @@
 {
   "name": "setup-pixi",
-  "version": "0.8.2",
+  "version": "0.8.3",
   "private": true,
   "description": "Action to set up the pixi package manager.",
   "scripts": {

dist/post.js

@@ -42,6 +42,13 @@ const pixiLogin = () => {
       core.debug(`Logging in to ${auth.host} with username and password`)
       return execute(pixiCmd(`auth login --username ${auth.username} --password ${auth.password} ${auth.host}`, false))
     }
+    if ('s3AccessKeyId' in auth) {
+      core.debug(`Logging in to ${auth.host} with s3 credentials`)
+      const command = auth.s3SessionToken
+        ? `auth login --s3-access-key-id ${auth.s3AccessKeyId} --s3-secret-access-key ${auth.s3SecretAccessKey} --s3-session-token ${auth.s3SessionToken} ${auth.host}`
+        : `auth login --s3-access-key-id ${auth.s3AccessKeyId} --s3-secret-access-key ${auth.s3SecretAccessKey} ${auth.host}`
+      return execute(pixiCmd(command, false))
+    }
     core.debug(`Logging in to ${auth.host} with conda token`)
     return execute(pixiCmd(`auth login --conda-token ${auth.condaToken} ${auth.host}`, false))
   })