Skip to content

Add Configuration variable to allow using custom Authorization header #710

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add Configuration variable to allow using custom Authorization header #710

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
187e26d
Add Configuration variable to allow using custom Authorization header
Lan-Hekary Jul 9, 2025
6d5db3a
Consistent Formatting
Lan-Hekary Jul 17, 2025
086d75a
Update README.md
Lan-Hekary Jul 17, 2025
2765f17
Update README.md
Lan-Hekary Jul 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -221,6 +221,11 @@ This behavior can be disabled by setting the environment variable `BAZELISK_SKIP

You can control the user agent that Bazelisk sends in all HTTP requests by setting `BAZELISK_USER_AGENT` to the desired value.

You can set the Authorization header that Bazelisk sends in all HTTP requests by setting `BAZELISK_AUTH_HEADER` to the desired value.
```shell
export BAZELISK_AUTH_HEADER="Bearer <your_token_here>"
```

On Windows, Bazelisk will also consider the following files in addition to `tools/bazel`:

* `tools/bazel.ps1` (PowerShell)
Expand Down Expand Up @@ -254,6 +259,7 @@ The following variables can be set:
- `BAZELISK_SHUTDOWN`
- `BAZELISK_SKIP_WRAPPER`
- `BAZELISK_USER_AGENT`
- `BAZELISK_AUTH_HEADER`
- `BAZELISK_VERIFY_SHA256`
- `USE_BAZEL_VERSION`

Expand Down
9 changes: 9 additions & 0 deletions core/core.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,7 @@ func RunBazeliskWithArgsFuncAndConfig(argsFunc ArgsFunc, repos *Repositories, co
// repositories and config, writing its stdout to the passed writer.
func RunBazeliskWithArgsFuncAndConfigAndOut(argsFunc ArgsFunc, repos *Repositories, config config.Config, out io.Writer) (int, error) {
httputil.UserAgent = getUserAgent(config)
httputil.AuthHeader = getAuthHeader(config)

bazelInstallation, err := GetBazelInstallation(repos, config)
if err != nil {
Expand Down Expand Up @@ -300,6 +301,14 @@ func getUserAgent(config config.Config) string {
return fmt.Sprintf("Bazelisk/%s", BazeliskVersion)
}

func getAuthHeader(config config.Config) string {
auth_header := config.Get("BAZELISK_AUTH_HEADER")
if len(auth_header) > 0 {
return auth_header
}
return ""
}

// GetBazelVersion returns the Bazel version that should be used.
func GetBazelVersion(config config.Config) (string, error) {
// Check in this order:
Expand Down
16 changes: 12 additions & 4 deletions httputil/httputil.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ var (
DefaultTransport = http.DefaultTransport
// UserAgent is passed to every HTTP request as part of the 'User-Agent' header.
UserAgent = "Bazelisk"
// AuthHeader is optionally set to a value that is passed as part of the 'Authorization' header in HTTP requests.
AuthHeader = ""
linkPattern = regexp.MustCompile(`<(.*?)>; rel="(\w+)"`)

// RetryClock is used for waiting between HTTP request retries.
Expand Down Expand Up @@ -213,10 +215,16 @@ func DownloadBinary(originURL, destDir, destFile string, config config.Config) (
log.Printf("Downloading %s...", originURL)

var auth string = ""
t, err := tryFindNetrcFileCreds(u.Host)
if err == nil {
// successfully parsed netrc for given host
auth = t
if AuthHeader != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should raise an error if both AuthHeader is set and a .netrc file exists.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope,
.netrc file can exists but does not have the host or does have the host and the password.
But for the specific endpoint to download you need to use the token.
This is the actual case in my infrastructure.
I have .netrc but I can't use the password in it as a basic auth header. I need a seperate Access Token for baselisk.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @fweikert
Do you have any other notes on this review ?

// If AuthHeader is set, use it as the Authorization header.
log.Printf("Authorization header is set using BAZELISK_AUTH_HEADER, using it for %s", u.Host)
auth = AuthHeader
} else {
t, err := tryFindNetrcFileCreds(u.Host)
if err == nil {
// successfully parsed netrc for given host
auth = t
}
}

resp, err := get(originURL, auth)
Expand Down