There is some discussion around this topic. For example:
I would love to know the thoughts of more experienced people, and that is the reason I am posting this.
My questions are:
Allowing environment variable expansion in the [tool] section of pyproject.toml is clearly a tool-specific choice.
Allowing it in [project] would be problematic, because if you had something like
[project]
version = "${MY_VERSION}"
this would violate the expectation that, as version is not defined as “dynamic”, a consumer can read the pyproject.toml and know what version would end up in the final built wheel.
If this is solely about credential information in URLs, a better approach is to use a keyring module to supply credentials at runtime, and not to embed the means of supplying credentials into the pyproject.toml (some people might want tu use an environment variable, others may prefer to use their system’s password store, etc).