Skip to content

feat(install): Improve authentication handling and credential masking #4948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ruben-arts merged 10 commits into from
Nov 21, 2025
Merged

feat(install): Improve authentication handling and credential masking #4948

ruben-arts merged 10 commits into from
Nov 21, 2025

Conversation

@millsks
Copy link
Contributor

@millsks millsks commented Nov 20, 2025
edited
Loading

Description

This PR improves security and authentication in the install scripts by adding two main features:

1. Support for .netrc authentication
The install scripts now automatically detect and use .netrc files for authenticated downloads. This means you can keep your credentials in ~/.netrc (the standard location) or specify a custom path with the NETRC environment variable. Both curl and wget will use these credentials when downloading Pixi.

2. Credential masking in output
If you're using authenticated URLs (via PIXI_DOWNLOAD_URL), the username and password won't be printed to the terminal anymore. We replace any username:password@ patterns with ***:***@ in all log messages and errors.

Why this matters:
Before these changes, if you provided a download URL with embedded credentials, they'd show up in plain text in your terminal and logs. This was especially problematic in CI/CD pipelines or when sharing logs publicly. Now your credentials stay hidden, and you have a cleaner way to provide them using .netrc files.

Fixes #4947

How Has This Been Tested?

TEST: How is a HTTP 401 handled? I updated the HTTP_CODE to be 401 manually and ran the script. You will see in the output that it stopped and printed the desired message. 
❯ sh -x install/install.sh
+ set -eu
+ __wrap__
+ VERSION=latest
+ PIXI_HOME=/Users/millsks/.pixi
+ case "$PIXI_HOME" in
+ BIN_DIR=/Users/millsks/.pixi/bin
+ REPOURL=https://github.com/prefix-dev/pixi
++ uname -s
+ PLATFORM=Darwin
++ uname -m
+ ARCH=arm64
+ IS_MSYS=false
+ '[' Darwin = Darwin ']'
+ PLATFORM=apple-darwin
+ case "${ARCH-}" in
+ ARCH=aarch64
+ BINARY=pixi-aarch64-apple-darwin
+ false
+ EXTENSION=.tar.gz
+ hash tar
+ '[' latest = latest ']'
+ DOWNLOAD_URL=https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz
+ printf 'This script will automatically download and install Pixi (%s) for you.\nGetting it from this url: %s\n' latest https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz
This script will automatically download and install Pixi (latest) for you.
Getting it from this url: https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz
+ HAVE_CURL=false
+ HAVE_CURL_8_8_0=false
+ hash curl
++ curl --version
++ IFS=' '
++ read -r _ v _
++ printf %s 8.7.1
+ '[' 8.7.1 = 8.8.0 ']'
+ HAVE_CURL=true
+ HAVE_WGET=true
+ hash wget
+ true
++ mktemp /var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.XXXXXXXX
+ TEMP_FILE=/var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.KDA0M9Ec
+ trap cleanup EXIT
+ '[' '!' -t 1 ']'
+ CURL_OPTIONS=--no-silent
+ WGET_OPTIONS=--show-progress
+ '[' -n '' ']'
+ '[' -f /Users/millsks/.netrc ']'
+ true
+ CURL_ERR=0
++ curl -SL --no-silent https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz --output /var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.KDA0M9Ec --write-out '%{http_code}'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 20.9M  100 20.9M    0     0  11.5M      0  0:00:01  0:00:01 --:--:-- 16.1M
+ HTTP_CODE=200
+ HTTP_CODE=401
+ case "$CURL_ERR" in
+ '[' 401 -eq 401 ']'
+ echo 'error: authentication failed when downloading '\''https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz'\'''
error: authentication failed when downloading 'https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz'
+ echo '       Check your .netrc file, NETRC environment variable, or the hardcoded credentials in PIXI_DOWNLOAD_URL.'
       Check your .netrc file, NETRC environment variable, or the hardcoded credentials in PIXI_DOWNLOAD_URL.
+ exit 1
+ cleanup
+ rm -f /var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.KDA0M9Ec
TEST: ~/.netrc exists I touched a blank .netrc and as you see in the script debug output the --netrc option is seen being used in the curl command. 
❯ touch ~/.netrc
❯ sh -x install/install.sh
+ set -eu
+ __wrap__
+ VERSION=latest
+ PIXI_HOME=/Users/millsks/.pixi
+ case "$PIXI_HOME" in
+ BIN_DIR=/Users/millsks/.pixi/bin
+ REPOURL=https://github.com/prefix-dev/pixi
++ uname -s
+ PLATFORM=Darwin
++ uname -m
+ ARCH=arm64
+ IS_MSYS=false
+ '[' Darwin = Darwin ']'
+ PLATFORM=apple-darwin
+ case "${ARCH-}" in
+ ARCH=aarch64
+ BINARY=pixi-aarch64-apple-darwin
+ false
+ EXTENSION=.tar.gz
+ hash tar
+ '[' latest = latest ']'
+ DOWNLOAD_URL=https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz
+ printf 'This script will automatically download and install Pixi (%s) for you.\nGetting it from this url: %s\n' latest https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz
This script will automatically download and install Pixi (latest) for you.
Getting it from this url: https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz
+ HAVE_CURL=false
+ HAVE_CURL_8_8_0=false
+ hash curl
++ curl --version
++ IFS=' '
++ read -r _ v _
++ printf %s 8.7.1
+ '[' 8.7.1 = 8.8.0 ']'
+ HAVE_CURL=true
+ HAVE_WGET=true
+ hash wget
+ true
++ mktemp /var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.XXXXXXXX
+ TEMP_FILE=/var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.CEgHq5X6
+ trap cleanup EXIT
+ '[' '!' -t 1 ']'
+ CURL_OPTIONS=--no-silent
+ WGET_OPTIONS=--show-progress
+ '[' -n '' ']'
+ '[' -f /Users/millsks/.netrc ']'
+ CURL_OPTIONS='--no-silent --netrc'
+ WGET_OPTIONS='--show-progress --netrc'
+ true
+ CURL_ERR=0
++ curl -SL --no-silent --netrc https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz --output /var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.CEgHq5X6 --write-out '%{http_code}'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 20.9M  100 20.9M    0     0  13.0M      0  0:00:01  0:00:01 --:--:-- 15.2M
+ HTTP_CODE=200
+ CURL_ERR=99
+ case "$CURL_ERR" in
+ echo 'error: when download '\''https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz'\'', curl fails with error 99'
error: when download 'https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz', curl fails with error 99
+ exit 1
+ cleanup
+ rm -f /var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.CEgHq5X6
TEST: NETRC=$(pwd)/.netrc I touched a blank .netrc file in the root of the repository and ran the script. The debug output shows that the curl command is using the --netrc-file option with the path to the .netrc file. 
❯ touch .netrc
❯ NETRC=$(pwd)/.netrc sh -x install/install.sh
+ set -eu
+ __wrap__
+ VERSION=latest
+ PIXI_HOME=/Users/millsks/.pixi
+ case "$PIXI_HOME" in
+ BIN_DIR=/Users/millsks/.pixi/bin
+ REPOURL=https://github.com/prefix-dev/pixi
++ uname -s
+ PLATFORM=Darwin
++ uname -m
+ ARCH=arm64
+ IS_MSYS=false
+ '[' Darwin = Darwin ']'
+ PLATFORM=apple-darwin
+ case "${ARCH-}" in
+ ARCH=aarch64
+ BINARY=pixi-aarch64-apple-darwin
+ false
+ EXTENSION=.tar.gz
+ hash tar
+ '[' latest = latest ']'
+ DOWNLOAD_URL=https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz
+ printf 'This script will automatically download and install Pixi (%s) for you.\nGetting it from this url: %s\n' latest https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz
This script will automatically download and install Pixi (latest) for you.
Getting it from this url: https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz
+ HAVE_CURL=false
+ HAVE_CURL_8_8_0=false
+ hash curl
++ curl --version
++ IFS=' '
++ read -r _ v _
++ printf %s 8.7.1
+ '[' 8.7.1 = 8.8.0 ']'
+ HAVE_CURL=true
+ HAVE_WGET=true
+ hash wget
+ true
++ mktemp /var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.XXXXXXXX
+ TEMP_FILE=/var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.y32VJIEt
+ trap cleanup EXIT
+ '[' '!' -t 1 ']'
+ CURL_OPTIONS=--no-silent
+ WGET_OPTIONS=--show-progress
+ '[' -n /path/to/github/repo/pixi/.netrc ']'
+ CURL_OPTIONS='--no-silent --netrc-file /path/to/github/repo/pixi/.netrc'
+ WGET_OPTIONS='--show-progress --netrc-file=/path/to/github/repo/pixi/.netrc'
+ true
+ CURL_ERR=0
>>>>> ++ curl -SL --no-silent --netrc-file /path/to/github/repo/pixi/.netrc https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz --output /var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.y32VJIEt --write-out '%{http_code}'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 20.9M  100 20.9M    0     0  12.5M      0  0:00:01  0:00:01 --:--:-- 16.7M
+ HTTP_CODE=200
+ CURL_ERR=99
+ case "$CURL_ERR" in
+ echo 'error: when download '\''https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz'\'', curl fails with error 99'
error: when download 'https://github.com/prefix-dev/pixi/releases/latest/download/pixi-aarch64-apple-darwin.tar.gz', curl fails with error 99
+ exit 1
+ cleanup
+ rm -f /var/folders/kb/ywncqvg12kn7pcpnbt727jy40000gn/T//.pixi_install.y32VJIEt

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added sufficient tests to cover my changes.
  • I have verified that changes that would impact the JSON schema have been made in schema/model.py.

millsks and others added 10 commits November 18, 2025 14:00
@millsks
Update install.sh
11b157e 
Add reference to a PIXI_DOWNLOAD_URL variable that can be used to download from a private repo without creating a new script to handle this one off use case. It will continue to default to the REPOURL defined at the top of the script.
Initial plan
6749c77
@millsks
Add PIXI_DOWNLOAD_URL support to install.ps1
7655ec8 
Co-authored-by: millsks <[email protected]>
@millsks
Merge pull request #1 from millsks/copilot/update-installer-script-wi…
01428eb 
…ndows
@ruben-arts
docs: add PIXI_DOWNLOAD_URL to the script options table
24830ba
@millsks
Merge branch 'prefix-dev:main' into main
450a6c4
@millsks
fix(install): Enhance authentication handling for curl and wget with …
b1e9082 
….netrc support
@millsks
feat(install): Add credential masking for download URLs in install sc…
39ea983 
…ripts
@millsks
feat(docs): Add support for .netrc authentication in installation ins…
354cd2f 
…tructions
@millsks
docs(install): Improve documentation for mask_credentials function in…
1548eb9 
… install script
@millsks
Copy link
Contributor Author

millsks commented Nov 20, 2025

@ruben-arts @wolfv ready for review.

This ties to the last PR I posted earlier #4942.

ruben-arts
ruben-arts approved these changes Nov 21, 2025
View reviewed changes
Copy link
Contributor

@ruben-arts ruben-arts left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the additional improvement!

@ruben-arts ruben-arts merged commit 1e6e430 into prefix-dev:main Nov 21, 2025
45 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Dec 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ruben-arts ruben-arts ruben-arts approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Updated cURL options for private repo downloads.

2 participants

@millsks @ruben-arts