At work, we have a number of custom-written Bazel rulesets stored in organization repositories on GitHub [1]. This post explains how we use these non-public rulesets in our Bazel projects.
Update 2023-05-23: You may also want to read my blog post Practical Bazel: Downloading Private Release Assets from GitHub.
In order to download code from a GitHub private repository, one must provide authentication credentials as part of the request. The easiest way to do this is to create a GitHub personal access token (PAT) and use HTTP bearer authentication with this token.
A PAT is a 40-character string that looks something like
PATs are typically set up in the GitHub UI or using the GitHub REST API, but a quick-and-dirty way to get one is to install the GitHub CLI, run gh auth login, and retrieve the PAT that the CLI uses with gh auth token.
Once you have a PAT, it can be used with HTTP bearer authentication when making a request to GitHub. For example, imagine you have a ruleset rules_mylang that is stored in the GitHub organization myorg, and you want to download its release release-1.2.3. Here’s how this can be done
The underlying HTTP request and response look like:
Next, we need to configure Bazel to add this Authorization header when retrieving the ruleset. Fortunately, this is quite easy when using
First, add the following line to
Next, add an auth_patterns option in http_archive() as below:
With these changes, using non-public rulesets in Bazel is quite straightforward!
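The script below is an added example, not code from the original post: it stores a token in a netrc-format file with owner-only permissions and shows the Authorization header that an auth_patterns value of `Bearer <password>` for github.com expands to. It assumes the credentials file is a netrc file (http_archive reads ~/.netrc by default); the function names, the permission check and the token are constructed for illustration.

```shell
#!/bin/sh
# Added example. Host, token and file paths are constructed; no network access.

# Append "machine HOST password TOKEN" to a netrc file. The file is created
# owner-only (0600) because the token is stored there in plaintext.
netrc_add() {  # usage: netrc_add FILE HOST TOKEN
    ( umask 077 && : >>"$1" ) || return 1
    chmod 600 "$1" || return 1
    printf 'machine %s password %s\n' "$2" "$3" >>"$1"
}

# Succeed only if group and other have no permission bits on FILE.
netrc_is_private() {  # usage: netrc_is_private FILE
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the password for HOST (one netrc entry per line, as netrc_add writes).
netrc_password() {  # usage: netrc_password FILE HOST
    awk -v host="$2" '$1 == "machine" && $2 == host {
        for (i = 3; i < NF; i++) if ($i == "password") { print $(i + 1); exit }
    }' "$1"
}

# Expand an auth_patterns value: <password> is replaced by the netrc password
# for HOST. The permission check is this example's own safeguard. printf is a
# builtin in bash and dash, so the token never appears in a process argv.
auth_header() {  # usage: auth_header FILE HOST PATTERN
    netrc_is_private "$1" || { echo "refusing: $1 is group/world accessible" >&2; return 1; }
    pw=$(netrc_password "$1" "$2")
    [ -n "$pw" ] || { echo "no netrc entry for $2" >&2; return 1; }
    m='<password>'
    case $3 in
        *"$m"*) pre=${3%%"$m"*}; post=${3#*"$m"}
                printf '%s%s%s\n' "$pre" "$pw" "$post" ;;
        *)      printf '%s\n' "$3" ;;
    esac
}

# Demo on a throwaway file: prints "Bearer EXAMPLE_TOKEN_NOT_REAL".
demo() {
    dir=$(mktemp -d) || return 1
    netrc_add "$dir/netrc" github.com EXAMPLE_TOKEN_NOT_REAL
    auth_header "$dir/netrc" github.com 'Bearer <password>'
    rm -rf "$dir"
}
demo
```

Against a real setup, netrc_add would be pointed at "$HOME/.netrc" with the output of gh auth token as its third argument.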
[1] Hopefully they will be open sourced some day!