`[patch]` behavior w.r.t auth

I'm trying to understand if I'm confused or is cargo doing something that it shouldn't.

I have a dependency that is not yet public, but it will be in the future, so we are using a github personal token temporarily.

[dependencies]
not-yet-public = { git = "https://x-access-token:github_pat_...@github.com/us/notyetpublic", rev = "1234" }

That works.

However when used in inner-dependencies, we would rather have the source to be without and auth part and force the auth via [patch] in downstream crates.

So downstream crates can do:

[dependencies]
not-yet-public = { git = "https://github.com/us/notyetpublic" }

[patch."https://github.com/us/notyetpublic"]
not-yet-public = { git = "https://x-access-token:github_pat_...@github.com/us/notyetpublic", rev = "1234" }

each, and use a different rev = when they have different exact pinning requirements and use the same https://github.com/us/notyetpublic without repeating this unfortunate github token everywhere (instead of just on [patch] section).

I think this should work, and is consistent how we sometimes temporary force public things to be replaced with temporary internal forks, etc.

Unfortunately when doing cargo build and cargo update, cargo insists on trying to do git clone https://github.com/us/notyetpublic which doesn't work (not public) and fail the whole command. Which is kind of odd, because https://github.com/us/notyetpublic is completely overridden and should no longer be needed.

Honestly, I find usage of [patch] confusing in complex DAG with many forked deps uses cases I have and not well described in public documentation (at least for non-trivial scenarios), so I mostly arrived here via lots of trial and error. I appreciate any pointers and explanations.

I am not sure what exactly is your configuration, but cargo will only respect the patch settings from the top level crate in a workspace. if your crate is being built as a dependency, the patch section in its manifest won't have any effect, if I recall correctly.

I know.

Each crate will have to [patch] it again. But all will be able to refer to it via shorter, more canonical URL, without the authentication token.

I would suggest you check out cargo's repository and discuss your problem there. a quick search found maybe related issues like #11854, #10756, #11639 etc

1 Like

Thank you. #11639 answers all my questions.

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.