http_archive patching via bzlmod doesn't use credentials stored in .netrc files

[guw]

Description of the bug:

This looks similar to #15286 but seems to be a specific problem when consuming things via proxied/internal bazel registry requiring authentication.

MODULES.bazel:

bazel_dep(name = "rules_oci", version = "1.7.4")

bazel build //....  --registry=https://internal-nexus.server/bazel-central-registy/

WARNING: Download from https://internal-nexus.server/bazel-central-registy/modules/rules_oci/1.7.4/patches/module_dot_bazel_version.patch failed: class com.google.devtools.build.lib.bazel.repository.downloader.UnrecoverableHttpException GET returned 401 Unauthorized
INFO: Repository rules_oci~ instantiated at:
  <builtin>: in <toplevel>
Repository rule http_archive defined at:
  /private/var/tmp/_bazel_user/12345/external/bazel_tools/tools/build_defs/repo/http.bzl:369:31: in <toplevel>
ERROR: An error occurred during the fetch of repository 'rules_oci~':
   Traceback (most recent call last):
	File "/private/var/tmp/_bazel_user/12345/external/bazel_tools/tools/build_defs/repo/http.bzl", line 144, column 10, in _http_archive_impl
		patch(ctx, auth = auth)
	File "/private/var/tmp/_bazel_user/12345/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 162, column 36, in patch
		patchfile = _download_patch(ctx, patch_url, integrity, auth)
	File "/private/var/tmp/_bazel_user/12345/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 85, column 17, in _download_patch
		ctx.download(
Error in download: java.io.IOException: Error downloading [https://internal-nexus.server/bazel-central-registy/modules/rules_oci/1.7.4/patches/module_dot_bazel_version.patch] to /private/var/tmp/_bazel_user/12345/external/rules_oci~/.tmp_remote_patches/module_dot_bazel_version.patch: GET returned 401 Unauthorized
ERROR: <builtin>: fetching http_archive rule //:rules_oci~: Traceback (most recent call last):
	File "/private/var/tmp/_bazel_user/12345/external/bazel_tools/tools/build_defs/repo/http.bzl", line 144, column 10, in _http_archive_impl
		patch(ctx, auth = auth)
	File "/private/var/tmp/_bazel_user/12345/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 162, column 36, in patch
		patchfile = _download_patch(ctx, patch_url, integrity, auth)
	File "/private/var/tmp/_bazel_user/12345/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 85, column 17, in _download_patch
		ctx.download(
Error in download: java.io.IOException: Error downloading [https://internal-nexus.server/bazel-central-registy/modules/rules_oci/1.7.4/patches/module_dot_bazel_version.patch] to /private/var/tmp/_bazel_user/12345/external/rules_oci~/.tmp_remote_patches/module_dot_bazel_version.patch: GET returned 401 Unauthorized
ERROR: Skipping '//:buildfarm-server': no such package '@@rules_oci~//oci': java.io.IOException: Error downloading [https://internal-nexus.server/bazel-central-registy/modules/rules_oci/1.7.4/patches/module_dot_bazel_version.patch] to /private/var/tmp/_bazel_user/12345/external/rules_oci~/.tmp_remote_patches/module_dot_bazel_version.patch: GET returned 401 Unauthorized
ERROR: no such package '@@rules_oci~//oci': java.io.IOException: Error downloading [https://internal-nexus.server/bazel-central-registy/modules/rules_oci/1.7.4/patches/module_dot_bazel_version.patch] to /private/var/tmp/_bazel_user/12345/external/rules_oci~/.tmp_remote_patches/module_dot_bazel_version.patch: GET returned 401 Unauthorized

Note, curl --netrc works. Thus, somewhere within the bzlmod fetch it seems to loose the authentication info from ~.netrc file.

❯ curl --netrc https://internal-nexus.server/bazel-central-registy/modules/rules_oci/1.7.4/patches/module_dot_bazel_version.patch
===================================================================
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -1,9 +1,9 @@
 "bazel-contrib/rules_oci"
 
 module(
     name = "rules_oci",
-    version = "0.0.0",
+    version = "1.7.4",
     compatibility_level = 1,
 )
 
 # Minimum 1.36.0 to include https://github.com/aspect-build/bazel-lib/pull/594

Which category does this issue belong to?

Core, External Dependency

What's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

No response

Which operating system are you running Bazel on?

No response

What is the output of bazel info release?

7.1.1

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

No response

What's the output of git remote get-url origin; git rev-parse HEAD ?

No response

Is this a regression? If yes, please try to identify the Bazel commit where the bug was introduced.

No response

Have you found anything relevant by searching the web?

No response

Any other information, logs, or outputs that you want to share?

No response

[meteorcloudy]

This is definitely a bug, but I did some investigation, it looks like the IndexRegistry uses the same downloadManager set here. So it should respect the netrc file.

[meteorcloudy]

Oh, I see, the problem is with the remote_patches URLs. We missed getting proper authentication for them at https://cs.opensource.google/bazel/bazel/+/master:tools/build_defs/repo/http.bzl;l=137

[meteorcloudy]

@bazel-io fork 7.2.0

[iancha1992]

A fix for this issue has been included in Bazel 7.2.0 RC1. Please test out the release candidate and report any issues as soon as possible.
If you're using Bazelisk, you can point to the latest RC by setting USE_BAZEL_VERSION=7.2.0rc1. Thanks!