Auth error with Google Artifact Registry on v0.35

[clement-chaneching]

Checks

• I have checked that this issue has not already been reported.

• I have confirmed this bug exists on the latest version of pixi, using pixi --version.

Reproducible example

Update to pixi v0.35 and cannot run pixi install with a private google artifact registry:

[pypi-options]
extra-index-urls = ["https://oauth2accesstoken@artifact_registry/simple"]

Same for my GCS conda registry:
channels = ["conda-forge", "gcs://private-registry"]

Issue description

It throws the following error:

pixi install
  × default: error installing/updating PyPI dependencies
  ├─▶ Failed to read `--find-links` URL: https://oauth2accesstoken@artifact registry
  ├─▶ Failed to fetch: `https:/artifact registry
  ╰─▶ HTTP status client error (404 Not Found) for url (https:/artifact registry)

With conda:

ERROR error=HTTP status client error (401 Unauthorized) for url (https://storage.googleapis.com/private-registry/linux-64/repodata.json)
  × HTTP status client error (401 Unauthorized) for url (https://storage.googleapis.com/private-registry/linux-64/repodata.json)

Expected behavior

Used to work with pixi < 0.35

[ruben-arts]

Hi @clement-chaneching, thanks for sharing. We're working on fixes for find links: #2417

[RaphaelMelanconAtBentley]

Having the same issue with Azure Artifacts. Works on 0.34.0, but not on 0.35.0...

[clement-chaneching]

Thanks for the quick fix!
I now have a different GCP auth error on version >0.35
Pixi cannot use my GCP credentials to authenticate to my private conda registry, while it used to work on v0.34.

ERROR resolve_conda{group=prod platform=linux-64}: rattler_repodata_gateway::fetch: error=HTTP status client error (401 Unauthorized) for url (https://storage.googleapis.com/blunomy-conda-registry/linux-64/repodata.json)
ERROR resolve_conda{group=prod platform=linux-64}: rattler_repodata_gateway::gateway: error=HTTP status client error (401 Unauthorized) for url (https://storage.googleapis.com/blunomy-conda-registry/linux-64/repodata.json)
  × HTTP status client error (401 Unauthorized) for url (https://storage.googleapis.com/blunomy-conda-registry/linux-64/repodata.json)

Also when using version 0.34, it works locally when using user account but not when using Workload Identity Provider in the CICD (which is the recommended method to authenticate to GCP https://github.com/google-github-actions/auth).

✔ Pixi has been updated to version 0.34.0.
Global environments as specified in '/home/runner/.pixi/manifests/pixi-global.toml'
└── keyring (installed)
    ├─ dependencies: keyring 25.5.0, keyrings.google-artifactregistry-auth 1.1.1
    └─ exposes: keyring
  × failed to fetch firestore-aio-2.0.8-pyh4616a5c_0.conda
  ╰─▶ unsupported account external_account

But this should probably be a different issue.

[wolfv]

@clement-chaneching argh, that sucks. I looked into it and found the cause (we added Bearer twice...). It will work again in the next release. I am adding a test now. Sorry again!

[wolfv]

@clement-chaneching fix incoming: conda/rattler#966 :)