prefix-dev · pavelzw · Jan 4, 2025 · Jan 4, 2025 · Jan 5, 2025
diff --git a/docs/advanced/authentication.md b/docs/advanced/authentication.md
@@ -8,6 +8,8 @@ You can authenticate pixi with a server like prefix.dev, a private quetz instanc
 Different servers use different authentication methods.
 In this documentation page, we detail how you can authenticate against the different servers and where the authentication information is stored.
 
+TODO: update --help string
+
 ```shell
 Usage: pixi auth login [OPTIONS] <HOST>
 
@@ -53,6 +55,17 @@ Login to a basic HTTP secured server:
 pixi auth login myserver.com --username user --password password
 ```
 
+Login to an S3 bucket:
+
+```shell
+pixi auth login s3://my-bucket --access-key-id <access-key-id> --secret-access-key <secret-access-key>
+# if your key uses a session token, you can also use:
+pixi auth login s3://my-bucket --access-key-id <access-key-id> --secret-access-key <secret-access-key> --session-token <session-token>
+```
+
+!!!note
+    S3 authentication is also supported through AWS's typical `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables, see the [S3 section](../advanced/s3.md) for more details.
+
 ## Where does pixi store the authentication information?
 
 The storage location for the authentication information is system-dependent. By default, pixi tries to use the keychain to store this sensitive information securely on your machine.
@@ -96,6 +109,13 @@ The JSON should follow the following format:
     },
     "conda.anaconda.org": {
         "CondaToken": "your_token"
+    },
+    "s3://my-bucket": {
+        "S3Credentials": {
+            "access_key_id": "my-access-key-id",
+            "secret_access_key": "my-secret-access-key",
+            "session_token": null
+        }
     }
 }
 ```

diff --git a/docs/advanced/github_actions.md b/docs/advanced/github_actions.md
@@ -13,7 +13,7 @@ We created [prefix-dev/setup-pixi](https://github.com/prefix-dev/setup-pixi) to
 ## Usage
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     pixi-version: v0.39.4
     cache: true
@@ -24,7 +24,7 @@ We created [prefix-dev/setup-pixi](https://github.com/prefix-dev/setup-pixi) to
 
 !!!warning "Pin your action versions"
     Since pixi is not yet stable, the API of this action may change between minor versions.
-    Please pin the versions of this action to a specific version (i.e., `prefix-dev/setup-pixi@v0.8.0`) to avoid breaking changes.
+    Please pin the versions of this action to a specific version (i.e., `prefix-dev/setup-pixi@v0.8.2`) to avoid breaking changes.
     You can automatically update the version of this action by using [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot).
 
     Put the following in your `.github/dependabot.yml` file to enable Dependabot for your GitHub Actions:
@@ -66,7 +66,7 @@ You can specify the behavior by setting the `cache` input argument.
     This can be done by setting the `cache-write` argument.
 
     ```yaml
-    - uses: prefix-dev/setup-pixi@v0.8.0
+    - uses: prefix-dev/setup-pixi@v0.8.2
       with:
         cache: true
         cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
@@ -111,7 +111,7 @@ test:
       environment: [py311, py312]
   steps:
   - uses: actions/checkout@v4
-  - uses: prefix-dev/setup-pixi@v0.8.0
+  - uses: prefix-dev/setup-pixi@v0.8.2
     with:
       environments: ${{ matrix.environment }}
 ```
@@ -121,7 +121,7 @@ test:
 The following example will install both the `py311` and the `py312` environment on the runner.
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     environments: >- # (1)!
       py311
@@ -147,6 +147,7 @@ There are currently three ways to authenticate with pixi:
 - using a token
 - using a username and password
 - using a conda-token
+- using an S3 key pair
 
 For more information, see [Authentication](./authentication.md).
 
@@ -161,7 +162,7 @@ Specify the token using the `auth-token` input argument.
 This form of authentication (bearer token in the request headers) is mainly used at [prefix.dev](https://prefix.dev).
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     auth-host: prefix.dev
     auth-token: ${{ secrets.PREFIX_DEV_TOKEN }}
@@ -173,7 +174,7 @@ Specify the username and password using the `auth-username` and `auth-password`
 This form of authentication (HTTP Basic Auth) is used in some enterprise environments with [artifactory](https://jfrog.com/artifactory) for example.
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     auth-host: custom-artifactory.com
     auth-username: ${{ secrets.PIXI_USERNAME }}
@@ -186,14 +187,32 @@ Specify the conda-token using the `conda-token` input argument.
 This form of authentication (token is encoded in URL: `https://my-quetz-instance.com/t/<token>/get/custom-channel`) is used at [anaconda.org](https://anaconda.org) or with [quetz instances](https://github.com/mamba-org/quetz).
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     auth-host: anaconda.org # (1)!
     conda-token: ${{ secrets.CONDA_TOKEN }}
 ```
 
 1. or my-quetz-instance.com
 
+#### S3
+
+Specify the S3 key pair using the `auth-access-key-id` and `auth-secret-access-key` input arguments.
+You can also specify the session token using the `auth-session-token` input argument.
+
+```yaml
+- uses: prefix-dev/setup-pixi@v0.8.2
+  with:
+    auth-host: s3://my-s3-bucket
+    access-key-id: ${{ secrets.ACCESS_KEY_ID }}
+    secret-access-key: ${{ secrets.SECRET_ACCESS_KEY }}
+    session-token: ${{ secrets.SESSION_TOKEN }} # (1)!
+```
+
+1. only needed if your key uses a session token
+
+See the [S3 section](../advanced/s3.md) for more information about S3 authentication.
+
 ### Custom shell wrapper
 
 `setup-pixi` allows you to run command inside of the pixi environment by specifying a custom shell wrapper with `shell: pixi run bash -e {0}`.
@@ -265,15 +284,15 @@ To this end, `setup-pixi` adds all environment variables set when executing `pix
 As a result, all installed binaries can be accessed without having to call `pixi run`.
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     activate-environment: true
 ```
 
 If you are installing multiple environments, you will need to specify the name of the environment that you want to be activated.
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     environments: >-
       py311
@@ -290,7 +309,7 @@ You can specify whether `setup-pixi` should run `pixi install --frozen` or `pixi
 See the [official documentation](https://prefix.dev/docs/pixi/cli#install) for more information about the `--frozen` and `--locked` flags.
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     locked: true
     # or
@@ -320,7 +339,7 @@ The second type is the debug logging of the pixi executable.
 This can be specified by setting the `log-level` input.
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     log-level: vvv # (1)!
 ```
@@ -347,7 +366,7 @@ If nothing is specified, `post-cleanup` will default to `true`.
 On self-hosted runners, you also might want to alter the default pixi install location to a temporary location. You can use `pixi-bin-path: ${{ runner.temp }}/bin/pixi` to do this.
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     post-cleanup: true
     pixi-bin-path: ${{ runner.temp }}/bin/pixi # (1)!
@@ -363,7 +382,7 @@ You can also use a preinstalled local version of pixi on the runner by not setti
 This can be overwritten by setting the `manifest-path` input argument.
 
 ```yaml
-- uses: prefix-dev/setup-pixi@v0.8.0
+- uses: prefix-dev/setup-pixi@v0.8.2
   with:
     manifest-path: pyproject.toml
 ```