Support for keyring auth with py_wheel publish

[ssmall]

🚀 feature request

Relevant Rules

py_wheel

Description

Publishing with py_wheel seems to only support username/password auth. It would be great to support keyring auth methods as well to better support private registries.

For example, https://cloud.google.com/artifact-registry/docs/python/authentication#keyring-setup describes how to set up keyring for Artifact Registry. This already appears to have been address for pulling from private registries in #1578.

Describe the solution you'd like

I'm not very familiar with how wheel publishing works, but I would hope that it would be able to use the same mechanism that is now used for pip.parse

Describe alternatives you've considered

Username and password auth is possible as a workaround, but it goes against most security best practices and is more difficult to integrate in CI.

[aignas]

The pushing is done via a simple bazel run invocation whereas pip.parse is downloading everything using repository_ctx.download which cannot share code.

However, you can supply a twine binary with keyring support via an arg to py_wheel: https://rules-python.readthedocs.io/en/latest/api/python/packaging.html#py_wheel.twine_binary

You would have to use py_console_script_binary with extra deps entries to construct that.