Bazel developers are currently working on adding the ability to
retrieve secrets using a credential-helper executable, similar
to how other tools like Docker and Git handle managing secrets.
Until then, the recommended approach is to store secrets in
~/.netrc. This blog post explains how to write a custom Bazel
rule which reads secrets from ~/.netrc.