Skip to content

Add Configuration variable to allow using custom Authorization header #710

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Lan-Hekary wants to merge 3 commits into
base: master
Choose a base branch
from
+23 −4
Open

Add Configuration variable to allow using custom Authorization header #710

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
28f6577
Add Configuration variable to allow using custom Authorization header
Lan-Hekary Feb 22, 2026
c859aa3
Update README.md
Lan-Hekary Feb 22, 2026
d11b215
Apply Suggestion
Lan-Hekary Feb 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,11 @@ This behavior can be disabled by setting the environment variable `BAZELISK_SKIP

You can control the user agent that Bazelisk sends in all HTTP requests by setting `BAZELISK_USER_AGENT` to the desired value.

You can set the Authorization header that Bazelisk sends in all HTTP requests by setting `BAZELISK_AUTH_HEADER` to the desired value.
```shell
export BAZELISK_AUTH_HEADER="Bearer <your_token_here>"
```

# .bazeliskrc configuration file

A `.bazeliskrc` file in the root directory of a workspace or the user home directory allows users to set environment variables persistently. (The Python implementation of Bazelisk doesn't check the user home directory yet, only the workspace directory.)
Expand Down Expand Up @@ -269,6 +274,7 @@ The following variables can be set:
- `BAZELISK_SHUTDOWN`
- `BAZELISK_SKIP_WRAPPER`
- `BAZELISK_USER_AGENT`
- `BAZELISK_AUTH_HEADER`
- `BAZELISK_VERIFY_SHA256`
- `USE_BAZEL_VERSION`

Expand Down
5 changes: 5 additions & 0 deletions core/core.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,7 @@ func RunBazeliskWithArgsFuncAndConfigAndOut(argsFunc ArgsFunc, repos *Repositori
// repositories and config, writing its stdout and stderr to the passed writers.
func RunBazeliskWithArgsFuncAndConfigAndOutAndErr(argsFunc ArgsFunc, repos *Repositories, config config.Config, stdout, stderr io.Writer) (int, error) {
httputil.UserAgent = getUserAgent(config)
httputil.AuthHeader = getAuthHeader(config)

// bazeliskVersion command must be the only argument
if len(os.Args[1:]) == 1 && os.Args[1] == "bazeliskVersion" {
Expand Down Expand Up @@ -324,6 +325,10 @@ func getUserAgent(config config.Config) string {
return fmt.Sprintf("Bazelisk/%s", BazeliskVersion)
}

func getAuthHeader(config config.Config) string {
return config.Get("BAZELISK_AUTH_HEADER")
}

// GetBazelVersion returns the Bazel version that should be used.
func GetBazelVersion(config config.Config) (string, error) {
// Check in this order:
Expand Down
16 changes: 12 additions & 4 deletions httputil/httputil.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ var (
DefaultTransport = http.DefaultTransport
// UserAgent is passed to every HTTP request as part of the 'User-Agent' header.
UserAgent = "Bazelisk"
// AuthHeader is optionally set to a value that is passed as part of the 'Authorization' header in HTTP requests.
AuthHeader = ""
linkPattern = regexp.MustCompile(`<(.*?)>; rel="(\w+)"`)

// RetryClock is used for waiting between HTTP request retries.
Expand Down Expand Up @@ -215,10 +217,16 @@ func DownloadBinary(originURL, destDir, destFile string, config config.Config) (
log.Printf("Downloading %s...", originURL)

var auth string = ""
t, err := tryFindNetrcFileCreds(u.Host)
if err == nil {
// successfully parsed netrc for given host
auth = t
if AuthHeader != "" {
Copy link
Copy Markdown
Member

@fweikert fweikert Jul 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should raise an error if both AuthHeader is set and a .netrc file exists.

Copy link
Copy Markdown
Author

@Lan-Hekary Lan-Hekary Jul 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope,
.netrc file can exists but does not have the host or does have the host and the password.
But for the specific endpoint to download you need to use the token.
This is the actual case in my infrastructure.
I have .netrc but I can't use the password in it as a basic auth header. I need a seperate Access Token for baselisk.

Copy link
Copy Markdown
Author

@Lan-Hekary Lan-Hekary Aug 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @fweikert
Do you have any other notes on this review ?

// If AuthHeader is set, use it as the Authorization header.
log.Printf("Authorization header is set using BAZELISK_AUTH_HEADER, using it for %s", u.Host)
Comment thread
Lan-Hekary marked this conversation as resolved.
auth = AuthHeader
} else {
t, err := tryFindNetrcFileCreds(u.Host)
if err == nil {
// successfully parsed netrc for given host
auth = t
}
}

resp, err := get(originURL, auth)
Expand Down