Recently I've started to use #Bazel regularly and was a bit surprised that no one in actually cares of credentials storage on developers' machines: everyone just keeps the token in their ~/.netrc and everyone is okay with that.

And I've been using ~/.netrc.gpg and ~/.authinfo.gpg for years now, I have all my setup prepared for that (like gpg-agent integration with my emacs), so I tried to check how can I make Bazel do that. But my googling shows that no one actually tried. Maybe really I was the only person to care about that. But anyway personally I was frustrated that my precious token is stored in plain text.

So behold the ugly piece of Perl which does the job: https://github.com/rayslava/bzl_cred_helper

I used #perl because it's already preinstalled in our environments and seems to be a much better option than shell-script for JSON generation and parsing. It seems that's why the language still lives—it's preinstalled and it works better than bash for cases a little more complex than echoing a line 🤔

Now my "bazel build --credential_helper=/path/to/bzl_cred_helper.pl '//pkg:*'" successfully works with the encrypted #netrc.