we have a gitea action that publishes to the pypi package repo inside gitea which we can at least just hide secrets to (root creds ftw) but that doesnt totaly help wherever we want to use those packages.
in our case we use PDM as a package manager and in it you can specify the “indexes” for it to look for packages ie
[[tool.pdm.source]]
name = "database"
url = "https://git.xxxx.xxx/api/packages/Database/pypi/simple"
verify_ssl = true
this means we need to manualy run the pdm install -v and then interactively insert the creds then save it to keystring. or alternatively on all machine accounts that run pdm install to have a .pypirc file in their home folders (some dont even have homes).
which got me thinking… wont it be possible to have a user specifically for pulling the packages. cant see code, read only. only x projects etc that we can specify in the pyproject.toml file and capture in version control even (bad idea to put it in vc usually but if its a locked down user then no harm)
[[tool.pdm.source]]
name = "database"
url = "https://git.xxxx.xxx/api/packages/Database/pypi/simple"
verify_ssl = true
username = package-user
password = package-user-password