Skip to content

Instantly share code, notes, and snippets.

@braxton-bell
Last active April 2, 2026 19:44
Show Gist options
  • Select an option

  • Save braxton-bell/3e4cb9b433297cb3d74e1ffa94182e8c to your computer and use it in GitHub Desktop.

Select an option

Save braxton-bell/3e4cb9b433297cb3d74e1ffa94182e8c to your computer and use it in GitHub Desktop.
Installing Private Python Packages via `git+https`

Installing Private Python Packages via git+https

Install Python packages from private Git repositories using uv or pip without leaking tokens into URLs, shell history, or package metadata.

Why Not Inline Tokens?

Embedding a PAT directly in the URL (git+https://<token>@github.com/...) works, but the token gets persisted in:

  • direct_url.json inside the installed package's .dist-info/
  • uv's tool receipts (~/.local/share/uv/tools/)
  • Shell history

Use .netrc instead. Git, uv, and pip all honor it transparently.

Setup

1. Generate a Personal Access Token

Host Where Scope
GitHub Settings → Developer settings → PATs Contents (read-only)
Gitea Settings → Applications → Access Tokens Contents (read-only)

2. Create a .netrc File

Linux / macOS~/.netrc

machine github.com
login <your-username>
password <your-pat>
chmod 600 ~/.netrc

Windows%USERPROFILE%\_netrc

machine github.com
login <your-username>
password <your-pat>

Replace github.com with your Git host (e.g., gitea.example.com). Add multiple machine blocks for multiple hosts.

3. Install

As a project dependency:

uv add git+https://github.com/<owner>/<repo>.git

As a CLI tool:

uv tool install git+https://github.com/<owner>/<repo>.git

With pip:

pip install git+https://github.com/<owner>/<repo>.git

Pinned to a tag or commit (recommended for reproducibility):

uv add git+https://github.com/<owner>/<repo>.git@v1.0.0
uv add git+https://github.com/<owner>/<repo>.git@abc1234

In pyproject.toml

PEP 440 direct reference:

dependencies = [
    "my-package @ git+https://github.com/<owner>/<repo>.git@v1.0.0",
]

uv source override:

[tool.uv.sources]
my-package = { git = "https://github.com/<owner>/<repo>.git", tag = "v1.0.0" }

No tokens in the file — credentials are resolved from .netrc at install time.

Windows Alternative: Git Credential Manager

Git for Windows ships with Git Credential Manager (GCM), which stores credentials in Windows Credential Manager (encrypted at rest, tied to your user account). This is the most secure option on Windows — no plaintext files involved.

Check if GCM is active:

git config --global credential.helper

If it returns manager or manager-core, you're good.

Option A — Let GCM prompt you:

Run any authenticated git operation once:

git clone https://github.com/<owner>/<repo>.git C:\temp\test-clone

GCM will prompt for credentials, store them, and every subsequent git+https:// call from uv, pip, etc. will pick them up automatically.

Option B — Store manually without a prompt:

cmdkey /generic:git:https://github.com /user:<your-username> /pass:<your-pat>

To view or manage later:

Open Credential Manager (search in Start) → Windows Credentials → look for git:https://github.com.

This works transparently with uv and pip the same way .netrc does.

Verify

git clone https://github.com/<owner>/<repo>.git /tmp/test-clone

If this succeeds without prompting for credentials, your install commands will work too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment