🐛 fix(env): prevent pip credential hang with private indexes#1030
Merged
gaborbernat merged 3 commits intopypa:mainfrom Apr 10, 2026
Merged
🐛 fix(env): prevent pip credential hang with private indexes#1030gaborbernat merged 3 commits intopypa:mainfrom
gaborbernat merged 3 commits intopypa:mainfrom
Conversation
Contributor
I might steal the little robot. :) |
henryiii
reviewed
Apr 10, 2026
Contributor
|
Haven't used Claude Code, but pretty sure Claude Code has a configuration mechanism to force it to always run prek/pre-commit. Ah, yes, it's hooks: https://code.claude.com/docs/en/hooks-guide Edit: ahh, this is a mergabilty check, never mind. |
When a private PyPI index requires authentication, pip prompts for credentials interactively. Since build captures subprocess output, the prompt is invisible and the process appears stuck (issue pypa#409). Pass --no-input to all pip invocations so pip fails fast with a clear error instead of hanging. When the keyring CLI is on PATH, automatically set PIP_KEYRING_PROVIDER=subprocess so pip delegates credential lookups to the system keyring without needing it installed inside the isolated build environment. Respect any user-set PIP_KEYRING_PROVIDER. Add a keyring optional dependency for convenience (pip install build[keyring]).
The uv backend also supports keyring via UV_KEYRING_PROVIDER. When the keyring CLI is on PATH and UV_KEYRING_PROVIDER is not already set, build now sets it to subprocess for the uv installer too.
henryiii
approved these changes
Apr 10, 2026
Contributor
henryiii
left a comment
There was a problem hiding this comment.
Not really familiar with keyring, but this looks reasonable.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Running
python -m buildagainst a private PyPI index that requires authentication causes the process to appear frozen. 🔒 pip prompts for credentials interactively, but since build captures subprocess output, the prompt is invisible and there is no way for the user to respond.All pip subprocess calls now include
--no-input, converting the silent hang into a clear authentication error. When thekeyringCLI is available onPATH, build setsPIP_KEYRING_PROVIDER=subprocess(orUV_KEYRING_PROVIDER=subprocessfor the uv installer) in the subprocess environment so the installer delegates credential lookups to the system keyring binary rather than trying to importkeyring(which is unavailable inside the isolated build venv). This respects any user-set provider env var and is silently ignored by older pip versions that predate the flag. Abuild[keyring]optional extra is provided for convenience.The corporate environments documentation is rewritten to reflect actual behavior: how keyring auto-detection works for both pip and uv installers, how to install keyring system-wide via
pipx, and how to configure the keyring provider explicitly for CI or non-standard setups.Fixes #409