python: document python keyring provider

[imjasonh]

[ ] Check if this is a typo or other quick fix and ignore the rest :)

Type of change

Add documentation for Python keyring provider

What should this PR do?

Allow readers to install and use the keyring provider, in environments where that is possible.

Why are we making this change?

We should recommend the use of short-lived credentials wherever possible, and this new release makes it easier for Python users to use these tokens.

What are the acceptance criteria?

• The recommendation of short-lived credentials should be clear and motivated
• Installation and configuration instructions should be clear

How should this PR be tested?

By running the documented commands to pull a private Python package using the keyring provider.

[netlify]

✅ Deploy Preview for ornate-narwhal-088216 ready!

Name	Link
🔨 Latest commit	2c98731
🔍 Latest deploy log	https://app.netlify.com/projects/ornate-narwhal-088216/deploys/69692da4b7c66d0008b5f009
😎 Deploy Preview	https://deploy-preview-2826--ornate-narwhal-088216.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[imjasonh]

Just posting this as a WIP while we work out where this should ideally live.

Should the recommendation of short-lived credentials go in access.md, with a note that these are only really easily usable for Python today, and the new Python-specific setup instructions go in https://edu.chainguard.dev/chainguard/libraries/python/build-configuration/#authentication ?

[mosabua]

I think we should still have them in access.md .. just like .netrc ...

In the section in access we link to our docs for using the applicable python tools (pip and whatever else) ..

And in the tools (like pip) sections we link out to the access section.. that way all the content can be maintained in one place and found from multiple others.

Let me know when this is ready for me to review @imjasonh @angela-zhang

[mosabua]

I scheduled to chat tomorrow ..

[mosabua]

I think we have to explain this all in more detail, especially talking about using this within each project and not attempting it for a global install ..

[mosabua]

I think we have to explain more here or in the project repo for how to use and install

e.g I can only do pip3 install .. but then brew complains .. so how am I really supposed to use it globally .. or should I only use it locally in a venv per project .. so should I add it as dev dependency in each project somehow?

[angela-zhang]

I also used pip3 install on my local Mac - can we recommend customers install it globally in their existing CI workflow? I imagine each customer will have different environments/setups

[angela-zhang]

also, here are some similar examples:
https://pypi.org/project/keyrings.codeartifact/
https://pypi.org/project/keyrings.google-artifactregistry-auth/

[mosabua]

How would it do that so it does it for every uv build run and for any package?

[imjasonh]

I don't know that we can, since uv expects per-project configuration. I'm not a uv expert though, and there may be a way I'm not aware of.

[mosabua]

Well.. how are users to use it then if they just want to run uv build and whatever and not manually install packages..

[mosabua]

We should still add info for uv that you can use uv build and such after you manually did the pip install .. but in a configured proejct you have to do

uv pip install keyring keyrings-chainguard-libraries --extra-index-url https://pypi.org/simple/

and then you can use uv build from Chainguard Libraries as configured otherwise in the project

[mosabua]

Well.. how are users to use it then if they just want to run uv build and whatever and not manually install packages..

[mosabua]

Looks good now. As discussed, if others run into trouble we can amend more in a follow up PR.