From 2b5984efa4714d694b8a11ebf051bb7a9256c88c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C3=ABtan=20Montury?=
 <10528250-pytgaen@users.noreply.gitlab.com>
Date: Tue, 15 Apr 2025 22:54:37 +0200
Subject: [PATCH] docs: document how to manage private repositories credentials

---
 README.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/README.md b/README.md
index 0105071..0bb38d7 100644
--- a/README.md
+++ b/README.md
@@ -462,6 +462,30 @@ current_version = "0.0.0"
 filename = "project-name/__init__.py"
 ```
 
+#### Manage your private repositories credentials
+
+When using Poetry, UV or other dependency management systems, it is possible to use private repositories (for retrieving project dependencies and/or publishing your project packages).
+
+Each tool has its own way of providing credentials as environment variables (see [Poetry documentation](https://python-poetry.org/docs/configuration#http-basicnameusernamepassword), [UV documentation](https://docs.astral.sh/uv/configuration/environment/#uv_index_name_password)). 
+You should manage those credentials as any other secret (i.e. defined as [project or group CI/CD variables](https://docs.gitlab.com/ci/variables/#for-a-project), if possible [**masked**](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently displayed in your job logs).
+
+##### How to propagate AWS CodeArtifact credentials
+
+If you're using the **AWS CodeArtifact variant**, you can propagate AWS CodeArtifact credentials (obtained dynamically by the variant) for Poetry and UV by declaring the following variables (replace the `AWS_REPO_NAME` part with your actual configured private repository name):
+
+```yaml
+variables:
+  # if using Poetry
+  POETRY_HTTP_BASIC_AWS_REPO_NAME_USER: $PYTHON_REPOSITORY_USER
+  POETRY_HTTP_BASIC_AWS_REPO_NAME_PASSWORD: $PYTHON_REPOSITORY_PASSWORD
+  # if using UV
+  UV_INDEX_AWS_REPO_NAME_USERNAME: $PYTHON_REPOSITORY_USER
+  UV_INDEX_AWS_REPO_NAME_PASSWORD: $PYTHON_REPOSITORY_PASSWORD
+```
+
+:information_source: the AWS CodeArtifact variant obtains temporary authentication credentials and makes them available in the `$PYTHON_REPOSITORY_USER` / `$PYTHON_REPOSITORY_PASSWORD` variable.
+The above piece of code will simply reuse those values as Poetry/UV configuration.
+
 #### `semantic-release` integration
 
 If you activate the [`semantic-release-info` job from the `semantic-release` template](https://gitlab.com/to-be-continuous/semantic-release/#semantic-release-info-job), the `py-release` job will rely on the generated next version info.
-- 
GitLab