I don't have a private PyPI, what now?

The situation is as follows: the company you work for is small, and you want to publish a Python package internally. However, you don’t want to pay for a service to do this or add a new tool.

Although this may seem like a specific situation, we can say that it can happen quite frequently. In Brazil, literally 99% of companies are small businesses. According to Forbes, the statistic is exactly the same in the USA (the first country that appeared in the search :)).

So today, I’ll show you the ~~hacks~~ strategies I use to solve this problem with GitHub. If you use GitLab, you can see how to do it in this post.

Alternatives

Prerequisites

A private repository on GitHub with a wheel published there.
GitHub Personal Access Token

For both options, you need to have a Personal Access Token from GitHub that grants read access to the desired repository. Got the token? Now configure it as the GH_API_TOKEN environment variable.

Installing directly from requirements.txt

You can add the following line to your requirements.txt:

your-repo @ git+https://${GH_API_TOKEN}@github.com/org-or-user/your-repo@2.3.0

IMPORTANT: This option is great but exposes the environment variable during the installation of dependencies, which is a security flaw. This is a known bug that has existed since 2021.

To address this issue (until the fix arrives), you can add -q to the installation command to omit all output. The downside is that you won’t see what is being installed.

pip install -q -r requirements.txt

Downloading the wheel with GitHub CLI

If you prefer to do this outside of requirements.txt, you can also:

Install gh, the GitHub CLI
Authenticate with the environment variable
Download the release
Install using pip install and the file

RUN apt install gh
RUN echo $GH_API_TOKEN | gh auth login --with-token
RUN gh release download 1.0.0 --repo https://github.com/org-or-user/your-repo/ -p '*.whl' -D /tmp
RUN pip install "/tmp/your-repo-1.0.0-py3-none-any.whl"

That’s it for today, folks

GitHub is already working on different ways to publish packages there - just not for Python yet, unfortunately. Until that day comes, here are these alternatives.

Enjoy! 🐍

Translations

pt-br: Não tenho um Pypi privado e agora?