Description
It has been requested several times to make it possible to have artifacts in private GitHub repositories, or other services such as S3 which would require authentication. For GitHub and GitLab (I don't know if this is the same for all other services) the solution is simple: add the entry `"Authorization" => "Bearer ${TOKEN}"` to the headers. But some of the problems to implement such a solution are:
- how to let the user provide the token?
- how to determine when the tokens are required?
- related to the point above, the authentication method may not be a single one for a `Pkg.add`: an environment may have artifacts hosted on different private services, we should have a (user-defined?) mechanism to identify which token to use for each service.
To further complicate things, authentication could be optional: GitHub in general allows unauthenticated downloads from public repositories (also, there's no way to programmatically tell whether a repo is public or private based on the URL only without querying the server), but it recently started aggressively throttling such requests, so that even downloading public artifacts could need a token.
I have the feeling that the `Artifacts.toml` should optionally have at least some hints for "how to authenticate" for each artifact: for example the name of the environment variable to use as token if it exists? I'm not a fan of this solution, but this is to give an idea of the type of approach we may want.
I'm opening the ticket to start the discussion about this, since the new rate limiting also affects Julia's own CI and that of many downstream packages.
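
An added example, not part of the issue and not Pkg's code: one way to pick a token per service so that a credential is only ever attached to the host it belongs to, and the download stays unauthenticated when no token is configured. The mapping `TOKEN_ENV_BY_HOST`, the helpers `https_host` and `auth_headers`, the host names and the token value are all assumptions made for illustration.

```julia
# Hypothetical user-defined mapping: exact host name => name of the environment
# variable holding that service's token. Not part of Pkg or Artifacts.toml.
const TOKEN_ENV_BY_HOST = Dict(
    "github.com"         => "GITHUB_TOKEN",
    "gitlab.example.org" => "GITLAB_TOKEN",   # constructed host
)

# Extract the host of an https URL; return nothing for anything else
# (plain http, userinfo such as user@host, malformed input).
function https_host(url::AbstractString)
    m = match(r"^https://([A-Za-z0-9.-]+)(?::\d+)?(?:[/?#]|$)", url)
    return m === nothing ? nothing : lowercase(m.captures[1])
end

# Build the headers for one artifact download. A token is attached only when
# the host matches the mapping exactly and the variable is set and non-empty;
# otherwise the request stays unauthenticated, since authentication is optional.
function auth_headers(url::AbstractString; env = ENV, table = TOKEN_ENV_BY_HOST)
    headers = Pair{String,String}[]
    host = https_host(url)
    host === nothing && return headers      # never send a token over plain http
    var = get(table, host, nothing)
    var === nothing && return headers       # unknown service: no credential
    token = get(env, var, "")
    isempty(token) || push!(headers, "Authorization" => "Bearer $token")
    return headers
end

# Constructed inputs: a matching host, a lookalike host, plain http, and a
# known host whose token variable is not set.
env = Dict("GITHUB_TOKEN" => "constructed-token-value")
for url in ("https://github.com/org/private/releases/download/v1/a.tar.gz",
            "https://github.com.example.net/a.tar.gz",
            "http://github.com/org/a.tar.gz",
            "https://gitlab.example.org/group/proj/a.tar.gz")
    println(url, " => ", auth_headers(url; env = env))
end
```

Only the first URL gets an `Authorization` header; a prefix or substring match on the host would also have sent the token to the lookalike host.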