fix(uv): allow environment setting for the update action

[aignas]

With this PR we allow users to set extra environment variables using .bazelrc
and to ensure that we can pass UV extra parameters. This should enable users use
this with private indexes in a diff_test usage scenario.

Whilst at it, add integration tests to actually verify that passing works via
env vars. Whilst at it also fix the Windows support for the uv lock rule.

Fixes #3405

[gemini-code-assist]

Code Review

This pull request enables uv lock updates to inherit the default shell environment by setting use_default_shell_env = True in lock.bzl, and introduces a new integration test to verify lock updates with custom index URLs. The review feedback suggests improving the robustness of the test server by explicitly binding to 127.0.0.1 instead of localhost to prevent IPv4/IPv6 resolution mismatches, and properly shutting down the HTTP server in tearDown to avoid resource leaks.

[gemini-code-assist]

Using localhost can lead to flaky tests on dual-stack (IPv4/IPv6) systems or restricted CI environments where localhost resolves to ::1 (IPv6) but the HTTPServer binds to 127.0.0.1 (IPv4). It is safer and more robust to use 127.0.0.1 explicitly.

Suggested change

	self.server_url = "http://localhost:{port}".format(port=self.port)
	self.index_url = "http://{user}:{passwd}@localhost:{port}".format(
	user=self.username,
	passwd=self.password,
	port=self.port,
	)
	self.auth_url = self.index_url
	self.server_url = "http://127.0.0.1:{port}".format(port=self.port)
	self.index_url = "http://{user}:{passwd}@127.0.0.1:{port}".format(
	user=self.username,
	passwd=self.password,
	port=self.port,
	)
	self.auth_url = self.index_url

[gemini-code-assist]

The HTTP server is started in a background thread but is never shut down. This can leak sockets and threads, potentially causing port conflicts or resource exhaustion in environments where multiple tests run sequentially in the same process. We should store the server instance and shut it down in tearDown.

        # Start the HTTP server
        self._start_server()

    def tearDown(self):
        if hasattr(self, "server"):
            self.server.shutdown()
            self.server.server_close()
        super().tearDown()

[gemini-code-assist]

Bind the HTTP server to 127.0.0.1 instead of localhost to match the client connection URL and avoid IPv4/IPv6 resolution mismatches. Also, store the server instance as self.server so it can be shut down in tearDown.

Suggested change

	server = http.server.HTTPServer(
	("localhost", self.port),
	lambda *args, **kwargs: AuthSimpleAPIHandler(
	*args,
	username=self.username,
	password=self.password,
	directory=str(self.docroot),
	**kwargs,
	),
	)
	self._server_thread = threading.Thread(target=server.serve_forever)
	self.server = http.server.HTTPServer(
	("127.0.0.1", self.port),
	lambda *args, **kwargs: AuthSimpleAPIHandler(
	*args,
	username=self.username,
	password=self.password,
	directory=str(self.docroot),
	**kwargs,
	),
	)
	self._server_thread = threading.Thread(target=self.server.serve_forever)

[rickeylev]

FWIW, I'm +1 on changing the bazel run //foo.lock target to run uv directly so that it uses the user's permissions. For casual use, its more convenient than having to setup the mount pair etc

[aignas]

I agree, but if you want a diff_test here, then everything runs as an action, so we would then need to mount the credential helper inside. Maybe the docs should be updated to reflect that better?

[rickeylev]

Ah doh, //requirements.run already works the way I described.

Actually, re-reading the uv docs you linked to, since uv has its own credential store, is what needs to be mounted in the sandbox the uv credential store? And then uv just has to be told where that is.

[rickeylev]

Saw a clever alternative: Use a custom workspace status to put an extra key which is the path to what you want. Then pass version_file to the action and parse out the value. The nominal benefit is it doesn't become part of the cache key.

[aignas]

This is also interesting: https://docs.astral.sh/uv/concepts/authentication/cli/#using-credentials-with-external-tools

[rickeylev]

Does the LHS have to be an absolute path? If its relative, what is it relative to? does it support e.e. %workspace% interpolation?

If you don't know the answer, thats OK. Mostly just for my own edification.

[aignas]

I think it does not need to be an absolute path.

[rickeylev]

is UV_CREDENTIAL_HELPER part of uv itself? I don't see it in the uv docs, nor the rules_python code.

[aignas]

hmmm I think it might be our own, I think I should review this once more.

[aignas]

OK, PTAL, I think this can be merged if there are no extra comments.