feat: Support supplying .netrc file (#1857)

adincebic · cgrindel · claude · web-flow · commit dc3e9d4eabb0 · 2025-10-13T08:24:01.000-06:00
This is very useful for the packages that require form of authentication
to clone or download binary artifacts.
It is true that SPM and rules_swift_package_manager work without this if
the `.netrc` file is in `$HOME` but there are use cases where it is
desirable to have `.netrc` relative to the bazel workspace.

---------

Co-authored-by: Chuck Grindel &lt;chuck.grindel@gmail.com&gt;
Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/docs/bzlmod_extensions_overview.md b/docs/bzlmod_extensions_overview.md
@@ -21,7 +21,7 @@ swift_deps.configure_package(<a href="#swift_deps.configure_package-name">name</
 swift_deps.configure_swift_package(<a href="#swift_deps.configure_swift_package-build_path">build_path</a>, <a href="#swift_deps.configure_swift_package-cache_path">cache_path</a>, <a href="#swift_deps.configure_swift_package-config_path">config_path</a>, <a href="#swift_deps.configure_swift_package-dependency_caching">dependency_caching</a>,
                                    <a href="#swift_deps.configure_swift_package-manifest_cache">manifest_cache</a>, <a href="#swift_deps.configure_swift_package-manifest_caching">manifest_caching</a>, <a href="#swift_deps.configure_swift_package-replace_scm_with_registry">replace_scm_with_registry</a>,
                                    <a href="#swift_deps.configure_swift_package-security_path">security_path</a>, <a href="#swift_deps.configure_swift_package-use_registry_identity_for_scm">use_registry_identity_for_scm</a>)
-swift_deps.from_package(<a href="#swift_deps.from_package-declare_swift_deps_info">declare_swift_deps_info</a>, <a href="#swift_deps.from_package-declare_swift_package">declare_swift_package</a>, <a href="#swift_deps.from_package-env">env</a>, <a href="#swift_deps.from_package-env_inherit">env_inherit</a>,
+swift_deps.from_package(<a href="#swift_deps.from_package-declare_swift_deps_info">declare_swift_deps_info</a>, <a href="#swift_deps.from_package-declare_swift_package">declare_swift_package</a>, <a href="#swift_deps.from_package-env">env</a>, <a href="#swift_deps.from_package-env_inherit">env_inherit</a>, <a href="#swift_deps.from_package-netrc">netrc</a>,
                         <a href="#swift_deps.from_package-registries">registries</a>, <a href="#swift_deps.from_package-resolve_transitive_local_dependencies">resolve_transitive_local_dependencies</a>, <a href="#swift_deps.from_package-resolved">resolved</a>, <a href="#swift_deps.from_package-swift">swift</a>)
 </pre>
 
@@ -82,6 +82,7 @@ Load Swift packages from `Package.swift` and `Package.resolved` files.
 | <a id="swift_deps.from_package-declare_swift_package"></a>declare_swift_package |  Declare a `swift_package_tool` repository named `swift_package` which defines two targets: `update` and `resolve`. These targets run can be used to run the `swift package` binary in a Bazel context. The flags used when running the underlying `swift package` can be configured using the `configure_swift_package` tag.<br><br>They can be `bazel run` to update/resolve the `resolved` file:<br><br><pre><code>bazel run @swift_package//:update&#10;bazel run @swift_package//:resolve</code></pre>   | Boolean | optional |  `True`  |
 | <a id="swift_deps.from_package-env"></a>env |  Environment variables that will be passed to the execution environments for this repository rule. (e.g. SPM version check, SPM dependency resolution, SPM package description generation)   | <a href="https://bazel.build/rules/lib/dict">Dictionary: String -> String</a> | optional |  `{}`  |
 | <a id="swift_deps.from_package-env_inherit"></a>env_inherit |  Environment variables to inherit from the external environment that will be passed to the execution environments for this repository rule. (e.g. SPM version check, SPM dependency resolution, SPM package description generation)   | List of strings | optional |  `[]`  |
+| <a id="swift_deps.from_package-netrc"></a>netrc |  A `.netrc` file that contains authentication credentials used for fetching Swift packages and or binary artifacts.<br><br>When provided, this file will be passed to Swift Package Manager commands using the `--netrc-file` flag during package resolution and updates.   | <a href="https://bazel.build/concepts/labels">Label</a> | optional |  `None`  |
 | <a id="swift_deps.from_package-registries"></a>registries |  A `registries.json` file that defines the configured Swift package registries.<br><br>The `registries.json` file is used when resolving Swift packages from a Swift package registry. It is created by Swift Package Manager when using the `swift package-registry` commands.<br><br>When using the `swift_package_tool` rules, this file is symlinked to the `config_path` directory defined in the `configure_swift_package` tag. If not using the `swift_package_tool` rules, the file must be in one of Swift Package Manager's search paths or in the manually specified `--config-path` directory.   | <a href="https://bazel.build/concepts/labels">Label</a> | optional |  `None`  |
 | <a id="swift_deps.from_package-resolve_transitive_local_dependencies"></a>resolve_transitive_local_dependencies |  Local Swift packages that are declared directly in the `Package.swift` file can depend on other local packages. By default these transitive dependencies will be automatically resolved and made available during the build process.<br><br>The process of resolving transitive local dependencies can become time consuming as the number of local Swift packages grows. Setting this flag to `False` will skip resolving local packages and instead require every local Swift package that is required during the build to be explicitly defined in the `Package.swift` file.<br><br>This time appears as `Fetching module extension swift_deps in @@rules_swift_package_manager~//:extensions.bzl;` in the output log.   | Boolean | optional |  `True`  |
 | <a id="swift_deps.from_package-resolved"></a>resolved |  A `Package.resolved`.   | <a href="https://bazel.build/concepts/labels">Label</a> | optional |  `None`  |
diff --git a/docs/repository_rules_overview.md b/docs/repository_rules_overview.md
@@ -47,7 +47,7 @@ Used to build a local Swift package.
 <pre>
 load("@rules_swift_package_manager//swiftpkg:defs.bzl", "registry_swift_package")
 
-registry_swift_package(<a href="#registry_swift_package-name">name</a>, <a href="#registry_swift_package-bazel_package_name">bazel_package_name</a>, <a href="#registry_swift_package-dependencies_index">dependencies_index</a>, <a href="#registry_swift_package-env">env</a>, <a href="#registry_swift_package-env_inherit">env_inherit</a>, <a href="#registry_swift_package-id">id</a>,
+registry_swift_package(<a href="#registry_swift_package-name">name</a>, <a href="#registry_swift_package-bazel_package_name">bazel_package_name</a>, <a href="#registry_swift_package-dependencies_index">dependencies_index</a>, <a href="#registry_swift_package-env">env</a>, <a href="#registry_swift_package-env_inherit">env_inherit</a>, <a href="#registry_swift_package-id">id</a>, <a href="#registry_swift_package-netrc">netrc</a>,
                        <a href="#registry_swift_package-registries">registries</a>, <a href="#registry_swift_package-replace_scm_with_registry">replace_scm_with_registry</a>, <a href="#registry_swift_package-repo_mapping">repo_mapping</a>, <a href="#registry_swift_package-resolved">resolved</a>, <a href="#registry_swift_package-version">version</a>)
 </pre>
 
@@ -64,6 +64,7 @@ Used to download and build an external Swift package from a registry.
 | <a id="registry_swift_package-env"></a>env |  Environment variables that will be passed to the execution environments for this repository rule. (e.g. SPM version check, SPM dependency resolution, SPM package description generation)   | <a href="https://bazel.build/rules/lib/dict">Dictionary: String -> String</a> | optional |  `{}`  |
 | <a id="registry_swift_package-env_inherit"></a>env_inherit |  Environment variables to inherit from the external environment that will be passed to the execution environments for this repository rule. (e.g. SPM version check, SPM dependency resolution, SPM package description generation)   | List of strings | optional |  `[]`  |
 | <a id="registry_swift_package-id"></a>id |  The package identifier.   | String | required |  |
+| <a id="registry_swift_package-netrc"></a>netrc |  A `.netrc` file that contains authentication credentials used for fetching Swift packages and or binary artifacts.<br><br>When provided, this file will be passed to Swift Package Manager commands using the `--netrc-file` flag during package resolution and updates.   | <a href="https://bazel.build/concepts/labels">Label</a> | optional |  `None`  |
 | <a id="registry_swift_package-registries"></a>registries |  A `registries.json` file that defines the configured Swift package registries.<br><br>The `registries.json` file is used when resolving Swift packages from a Swift package registry. It is created by Swift Package Manager when using the `swift package-registry` commands.<br><br>When using the `swift_package_tool` rules, this file is symlinked to the `config_path` directory defined in the `configure_swift_package` tag. If not using the `swift_package_tool` rules, the file must be in one of Swift Package Manager's search paths or in the manually specified `--config-path` directory.   | <a href="https://bazel.build/concepts/labels">Label</a> | optional |  `None`  |
 | <a id="registry_swift_package-replace_scm_with_registry"></a>replace_scm_with_registry |  When enabled replaces SCM identities in dependencies package description with identities from the registries.<br><br>Using this option requires that the registries provide `repositoryURLs` as metadata for the package.<br><br>When `True` the equivalent `--replace-scm-with-registry` option must be used with the Swift Package Manager CLI (or `swift_package` rule) so that the `resolved` file includes the version and identity information from the registry.<br><br>For more information see the [Swift Package Manager documentation](https://github.com/swiftlang/swift-package-manager/blob/swift-6.0.1-RELEASE/Documentation/PackageRegistry/Registry.md#45-lookup-package-identifiers-registered-for-a-url).   | Boolean | optional |  `False`  |
 | <a id="registry_swift_package-repo_mapping"></a>repo_mapping |  In `WORKSPACE` context only: a dictionary from local repository name to global repository name. This allows controls over workspace dependency resolution for dependencies of this repository.<br><br>For example, an entry `"@foo": "@bar"` declares that, for any time this repository depends on `@foo` (such as a dependency on `@foo//some:target`, it should actually resolve that dependency within globally-declared `@bar` (`@bar//some:target`).<br><br>This attribute is _not_ supported in `MODULE.bazel` context (when invoking a repository rule inside a module extension's implementation function).   | <a href="https://bazel.build/rules/lib/dict">Dictionary: String -> String</a> | optional |  |
@@ -79,7 +80,7 @@ Used to download and build an external Swift package from a registry.
 load("@rules_swift_package_manager//swiftpkg:defs.bzl", "swift_package")
 
 swift_package(<a href="#swift_package-name">name</a>, <a href="#swift_package-bazel_package_name">bazel_package_name</a>, <a href="#swift_package-branch">branch</a>, <a href="#swift_package-commit">commit</a>, <a href="#swift_package-dependencies_index">dependencies_index</a>, <a href="#swift_package-env">env</a>, <a href="#swift_package-env_inherit">env_inherit</a>,
-              <a href="#swift_package-init_submodules">init_submodules</a>, <a href="#swift_package-patch_args">patch_args</a>, <a href="#swift_package-patch_cmds">patch_cmds</a>, <a href="#swift_package-patch_cmds_win">patch_cmds_win</a>, <a href="#swift_package-patch_tool">patch_tool</a>, <a href="#swift_package-patches">patches</a>,
+              <a href="#swift_package-init_submodules">init_submodules</a>, <a href="#swift_package-netrc">netrc</a>, <a href="#swift_package-patch_args">patch_args</a>, <a href="#swift_package-patch_cmds">patch_cmds</a>, <a href="#swift_package-patch_cmds_win">patch_cmds_win</a>, <a href="#swift_package-patch_tool">patch_tool</a>, <a href="#swift_package-patches">patches</a>,
               <a href="#swift_package-publicly_expose_all_targets">publicly_expose_all_targets</a>, <a href="#swift_package-recursive_init_submodules">recursive_init_submodules</a>, <a href="#swift_package-registries">registries</a>, <a href="#swift_package-remote">remote</a>,
               <a href="#swift_package-replace_scm_with_registry">replace_scm_with_registry</a>, <a href="#swift_package-repo_mapping">repo_mapping</a>, <a href="#swift_package-shallow_since">shallow_since</a>, <a href="#swift_package-tag">tag</a>, <a href="#swift_package-verbose">verbose</a>, <a href="#swift_package-version">version</a>)
 </pre>
@@ -99,6 +100,7 @@ Used to download and build an external Swift package.
 | <a id="swift_package-env"></a>env |  Environment variables that will be passed to the execution environments for this repository rule. (e.g. SPM version check, SPM dependency resolution, SPM package description generation)   | <a href="https://bazel.build/rules/lib/dict">Dictionary: String -> String</a> | optional |  `{}`  |
 | <a id="swift_package-env_inherit"></a>env_inherit |  Environment variables to inherit from the external environment that will be passed to the execution environments for this repository rule. (e.g. SPM version check, SPM dependency resolution, SPM package description generation)   | List of strings | optional |  `[]`  |
 | <a id="swift_package-init_submodules"></a>init_submodules |  Whether to clone submodules in the repository.   | Boolean | optional |  `False`  |
+| <a id="swift_package-netrc"></a>netrc |  A `.netrc` file for authentication when downloading binary artifacts.   | <a href="https://bazel.build/concepts/labels">Label</a> | optional |  `None`  |
 | <a id="swift_package-patch_args"></a>patch_args |  The arguments given to the patch tool. Defaults to -p0, however -p1 will usually be needed for patches generated by git. If multiple -p arguments are specified, the last one will take effect.If arguments other than -p are specified, Bazel will fall back to use patch command line tool instead of the Bazel-native patch implementation. When falling back to patch command line tool and patch_tool attribute is not specified, `patch` will be used.   | List of strings | optional |  `["-p0"]`  |
 | <a id="swift_package-patch_cmds"></a>patch_cmds |  Sequence of Bash commands to be applied on Linux/Macos after patches are applied.   | List of strings | optional |  `[]`  |
 | <a id="swift_package-patch_cmds_win"></a>patch_cmds_win |  Sequence of Powershell commands to be applied on Windows after patches are applied. If this attribute is not set, patch_cmds will be executed on Windows, which requires Bash binary to exist.   | List of strings | optional |  `[]`  |
diff --git a/swiftpkg/bzlmod/swift_deps.bzl b/swiftpkg/bzlmod/swift_deps.bzl
@@ -238,6 +238,7 @@ def _declare_pkg_from_dependency(dep, config_pkg, from_package, config_swift_pac
             env_inherit = from_package.env_inherit,
             init_submodules = init_submodules,
             recursive_init_submodules = recursive_init_submodules,
+            netrc = from_package.netrc,
             patch_args = patch_args,
             patch_cmds = patch_cmds,
             patch_cmds_win = patch_cmds_win,
@@ -289,6 +290,7 @@ def _declare_swift_package_repo(name, from_package, config_swift_package):
             package = from_package.swift.package,
             name = from_package.swift.name,
         ),
+        netrc = from_package.netrc,
         registries = from_package.registries,
         **config_swift_package_kwargs
     )
diff --git a/swiftpkg/internal/swift_package.bzl b/swiftpkg/internal/swift_package.bzl
@@ -220,7 +220,13 @@ _ALL_ATTRS = dicts.add(
     _GIT_ATTRS,
     repo_rules.env_attrs,
     repo_rules.swift_attrs,
-    {"version": attr.string(doc = "The resolved version of the package.")},
+    {
+        "netrc": attr.label(
+            default = None,
+            doc = "A `.netrc` file for authentication when downloading binary artifacts.",
+        ),
+        "version": attr.string(doc = "The resolved version of the package."),
+    },
 )
 
 swift_package = repository_rule(
diff --git a/swiftpkg/internal/swift_package_tool.bzl b/swiftpkg/internal/swift_package_tool.bzl
@@ -16,13 +16,17 @@ def _swift_package_tool_impl(ctx):
     cmd = ctx.attr.cmd
     package = ctx.attr.package
     package_path = paths.dirname(package)
+    netrc = ctx.file.netrc
     registries = ctx.file.registries
     runfiles = []
 
     toolchain = swift_common.get_toolchain(ctx)
     swift = toolchain.swift_worker
     runfiles.append(swift.executable)
 
+    if netrc:
+        runfiles.append(netrc)
+
     if registries:
         runfiles.append(registries)
 
@@ -43,6 +47,10 @@ def _swift_package_tool_impl(ctx):
         "true" if ctx.attr.dependency_caching else "false",
     )
     template_dict.add("%(manifest_cache)s", ctx.attr.manifest_cache)
+    template_dict.add(
+        "%(netrc_file)s",
+        netrc.short_path if netrc else "",
+    )
     template_dict.add(
         "%(registries_json)s",
         registries.short_path if registries else "",
diff --git a/swiftpkg/internal/swift_package_tool_attrs.bzl b/swiftpkg/internal/swift_package_tool_attrs.bzl
@@ -1,9 +1,17 @@
 """Attributes shared between rules that interact with the Swift package tool."""
 
 _swift_package_registry_attrs = {
+    "netrc": attr.label(
+        allow_single_file = True,
+        doc = """
+A `.netrc` file that contains authentication credentials used for fetching Swift packages and or binary artifacts.
+
+When provided, this file will be passed to Swift Package Manager commands using \
+the `--netrc-file` flag during package resolution and updates.
+""",
+    ),
     "registries": attr.label(
         allow_single_file = [".json"],
-        cfg = "exec",
         doc = """
 A `registries.json` file that defines the configured Swift package registries.
 
diff --git a/swiftpkg/internal/swift_package_tool_repo.bzl b/swiftpkg/internal/swift_package_tool_repo.bzl
@@ -35,6 +35,21 @@ def _swift_package_tool_repo_impl(repository_ctx):
     attrs_content = _package_config_attrs_to_content(repository_ctx.attr)
     package_path = repository_ctx.attr.package
 
+    # We copy .netrc file contents to avoid requiring users to use `exports_files(...)`
+    netrc_attr = None
+    if repository_ctx.attr.netrc:
+        netrc_content = repository_ctx.read(repository_ctx.attr.netrc)
+        repository_ctx.file(".netrc", netrc_content)
+        netrc_attr = '    netrc = ":.netrc",'
+
+    attrs_lines = [line for line in attrs_content.split("\n") if "netrc =" not in line]
+    filtered_attrs = "\n".join(attrs_lines)
+
+    final_attrs_parts = [filtered_attrs]
+    if netrc_attr:
+        final_attrs_parts.append(netrc_attr)
+    final_attrs_content = "\n".join([p for p in final_attrs_parts if p])
+
     repository_ctx.file(
         "BUILD.bazel",
         content = """
@@ -55,7 +70,7 @@ swift_package_tool(
 )
 """.format(
             package = package_path,
-            attrs_content = attrs_content,
+            attrs_content = final_attrs_content,
         ),
     )
 
@@ -74,3 +89,8 @@ swift_package_tool_repo = repository_rule(
     ),
     doc = "Declares a `@swift_package` repository for using the `swift_package_tool` targets.",
 )
+
+# Exported for testing
+swift_package_tool_repo_testing = struct(
+    package_config_attrs_to_content = _package_config_attrs_to_content,
+)
diff --git a/swiftpkg/internal/swift_package_tool_runner_template.sh b/swiftpkg/internal/swift_package_tool_runner_template.sh
@@ -27,6 +27,7 @@ config_path="%(config_path)s"
 enable_build_manifest_caching="%(enable_build_manifest_caching)s"
 enable_dependency_cache="%(enable_dependency_cache)s"
 manifest_cache="%(manifest_cache)s"
+netrc_file="%(netrc_file)s"
 registries_json="%(registries_json)s"
 replace_scm_with_registry="%(replace_scm_with_registry)s"
 security_path="%(security_path)s"
@@ -57,6 +58,11 @@ fi
 
 args+=("--manifest-cache=$manifest_cache")
 
+# If netrc_file is set, add the --netrc-file flag.
+if [ -n "$netrc_file" ]; then
+	args+=("--netrc-file" "$(readlink -f "$netrc_file")")
+fi
+
 # If registries_json is set, symlink the `.json` file to the `config_path/configuration` directory.
 if [ -n "$registries_json" ]; then
 	mkdir -p "$config_path"
diff --git a/swiftpkg/tests/BUILD.bazel b/swiftpkg/tests/BUILD.bazel
@@ -17,6 +17,7 @@ load(":resource_files_tests.bzl", "resource_files_test_suite")
 load(":semver_tests.bzl", "semver_test_suite")
 load(":starlark_codegen_tests.bzl", "starlark_codegen_test_suite")
 load(":swift_files_tests.bzl", "swift_files_test_suite")
+load(":swift_package_tool_repo_tests.bzl", "swift_package_tool_repo_test_suite")
 load(":swiftpkg_build_files_tests.bzl", "swiftpkg_build_files_test_suite")
 load(":validations_tests.bzl", "validations_test_suite")
 
@@ -58,6 +59,8 @@ swift_files_test_suite()
 
 swiftpkg_build_files_test_suite()
 
+swift_package_tool_repo_test_suite()
+
 validations_test_suite()
 
 bzl_library(
diff --git a/swiftpkg/tests/swift_package_tool_repo_tests.bzl b/swiftpkg/tests/swift_package_tool_repo_tests.bzl
