bazelbuild
diff --git a/‎src/main/java/com/google/devtools/build/lib/bazel/BazelRepositoryModule.java‎
Lines changed: 15 additions & 2 deletions b/‎src/main/java/com/google/devtools/build/lib/bazel/BazelRepositoryModule.java‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎src/main/java/com/google/devtools/build/lib/bazel/bzlmod/ModuleExtensionContext.java‎
Lines changed: 4 additions & 2 deletions b/‎src/main/java/com/google/devtools/build/lib/bazel/bzlmod/ModuleExtensionContext.java‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎src/main/java/com/google/devtools/build/lib/bazel/bzlmod/RegularRunnableExtension.java‎
Lines changed: 9 additions & 3 deletions b/‎src/main/java/com/google/devtools/build/lib/bazel/bzlmod/RegularRunnableExtension.java‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎src/main/java/com/google/devtools/build/lib/bazel/bzlmod/SingleExtensionEvalFunction.java‎
Lines changed: 6 additions & 1 deletion b/‎src/main/java/com/google/devtools/build/lib/bazel/bzlmod/SingleExtensionEvalFunction.java‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎src/main/java/com/google/devtools/build/lib/bazel/repository/RepositoryFetchFunction.java‎
Lines changed: 4 additions & 0 deletions b/‎src/main/java/com/google/devtools/build/lib/bazel/repository/RepositoryFetchFunction.java‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/main/java/com/google/devtools/build/lib/bazel/repository/starlark/StarlarkBaseExternalContext.java‎
Lines changed: 25 additions & 21 deletions b/‎src/main/java/com/google/devtools/build/lib/bazel/repository/starlark/StarlarkBaseExternalContext.java‎
Lines changed: 25 additions & 21 deletions
diff --git a/‎src/main/java/com/google/devtools/build/lib/bazel/repository/starlark/StarlarkRepositoryContext.java‎
Lines changed: 4 additions & 2 deletions b/‎src/main/java/com/google/devtools/build/lib/bazel/repository/starlark/StarlarkRepositoryContext.java‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎src/main/java/com/google/devtools/build/lib/runtime/CommandEnvironment.java‎
Lines changed: 24 additions & 0 deletions b/‎src/main/java/com/google/devtools/build/lib/runtime/CommandEnvironment.java‎
Lines changed: 24 additions & 0 deletions
@@ -84,6 +84,7 @@
 import com.google.devtools.build.lib.runtime.BlazeModule;
 import com.google.devtools.build.lib.runtime.BlazeRuntime;
 import com.google.devtools.build.lib.runtime.CommandEnvironment;
+import com.google.devtools.build.lib.runtime.CommonCommandOptions;
 import com.google.devtools.build.lib.runtime.InfoItem;
 import com.google.devtools.build.lib.runtime.ProcessWrapper;
 import com.google.devtools.build.lib.runtime.RemoteRepoContentsCache;
@@ -132,6 +133,8 @@ public class BazelRepositoryModule extends BlazeModule {
       ImmutableMap.of();
 
   private final RepositoryCache repositoryCache = new RepositoryCache();
+  private final MutableSupplier<Map<String, String>> repoEnvironmentSupplier =
+      new MutableSupplier<>();
   private final MutableSupplier<Map<String, String>> clientEnvironmentSupplier =
       new MutableSupplier<>();
   private boolean fetchDisabled = false;
@@ -213,9 +216,13 @@ public void workspaceInit(
 
     repositoryFetchFunction =
         new RepositoryFetchFunction(
-            clientEnvironmentSupplier, directories, repositoryCache.getRepoContentsCache());
+            repoEnvironmentSupplier,
+            clientEnvironmentSupplier,
+            directories,
+            repositoryCache.getRepoContentsCache());
     singleExtensionEvalFunction =
-        new SingleExtensionEvalFunction(directories, clientEnvironmentSupplier);
+        new SingleExtensionEvalFunction(
+            directories, repoEnvironmentSupplier, clientEnvironmentSupplier);
 
     if (builtinModules == null) {
       builtinModules = ModuleFileFunction.getBuiltinModules();
@@ -278,6 +285,12 @@ public void beforeCommand(CommandEnvironment env) throws AbruptExitException {
     this.yankedVersionsFunction.setDownloadManager(downloadManager);
     this.vendorCommand.setDownloadManager(downloadManager);
 
+    CommonCommandOptions commandOptions = env.getOptions().getOptions(CommonCommandOptions.class);
+    if (commandOptions.useStrictRepoEnv) {
+      repoEnvironmentSupplier.set(env.getRepoEnvFromOptions());
+    } else {
+      repoEnvironmentSupplier.set(env.getRepoEnv());
+    }
     clientEnvironmentSupplier.set(env.getRepoEnv());
     PackageOptions pkgOptions = env.getOptions().getOptions(PackageOptions.class);
     fetchDisabled = pkgOptions != null && !pkgOptions.fetch;
 
@@ -55,7 +55,8 @@ protected ModuleExtensionContext(
       Path workingDirectory,
       BlazeDirectories directories,
       Environment env,
-      Map<String, String> envVariables,
+      Map<String, String> repoEnvVariables,
+      Map<String, String> clientEnvVariables,
       DownloadManager downloadManager,
       double timeoutScaling,
       @Nullable ProcessWrapper processWrapper,
@@ -69,7 +70,8 @@ protected ModuleExtensionContext(
         workingDirectory,
         directories,
         env,
-        envVariables,
+        repoEnvVariables,
+        clientEnvVariables,
         downloadManager,
         timeoutScaling,
         processWrapper,
 
@@ -73,6 +73,7 @@ final class RegularRunnableExtension implements RunnableExtension {
   private final ModuleExtension extension;
   private final ImmutableMap<String, Optional<String>> staticEnvVars;
   private final BlazeDirectories directories;
+  private final Supplier<Map<String, String>> repoEnvironmentSupplier;
   private final Supplier<Map<String, String>> clientEnvironmentSupplier;
   private final double timeoutScaling;
   @Nullable private final ProcessWrapper processWrapper;
@@ -84,6 +85,7 @@ final class RegularRunnableExtension implements RunnableExtension {
       ModuleExtension extension,
       ImmutableMap<String, Optional<String>> staticEnvVars,
       BlazeDirectories directories,
+      Supplier<Map<String, String>> repoEnvironmentSupplier,
       Supplier<Map<String, String>> clientEnvironmentSupplier,
       double timeoutScaling,
       @Nullable ProcessWrapper processWrapper,
@@ -93,6 +95,7 @@ final class RegularRunnableExtension implements RunnableExtension {
     this.extension = extension;
     this.staticEnvVars = staticEnvVars;
     this.directories = directories;
+    this.repoEnvironmentSupplier = repoEnvironmentSupplier;
     this.clientEnvironmentSupplier = clientEnvironmentSupplier;
     this.timeoutScaling = timeoutScaling;
     this.processWrapper = processWrapper;
@@ -141,6 +144,7 @@ static RegularRunnableExtension load(
       StarlarkSemantics starlarkSemantics,
       Environment env,
       BlazeDirectories directories,
+      Supplier<Map<String, String>> repoEnvironmentSupplier,
       Supplier<Map<String, String>> clientEnvironmentSupplier,
       double timeoutScaling,
       @Nullable ProcessWrapper processWrapper,
@@ -176,16 +180,17 @@ static RegularRunnableExtension load(
           SpellChecker.didYouMean(extensionId.extensionName(), exportedExtensions));
     }
 
-    ImmutableMap<String, Optional<String>> envVars =
+    ImmutableMap<String, Optional<String>> staticEnvVars =
         RepositoryUtils.getEnvVarValues(env, ImmutableSet.copyOf(extension.envVariables()));
-    if (envVars == null) {
+    if (staticEnvVars == null) {
       return null;
     }
     return new RegularRunnableExtension(
         bzlLoadValue,
         extension,
-        envVars,
+        staticEnvVars,
         directories,
+        repoEnvironmentSupplier,
         clientEnvironmentSupplier,
         timeoutScaling,
         processWrapper,
@@ -364,6 +369,7 @@ private ModuleExtensionContext createContext(
         workingDirectory,
         directories,
         env,
+        repoEnvironmentSupplier.get(),
         clientEnvironmentSupplier.get(),
         downloadManager,
         timeoutScaling,
 
@@ -63,6 +63,7 @@
  */
 public class SingleExtensionEvalFunction implements SkyFunction {
   private final BlazeDirectories directories;
+  private final Supplier<Map<String, String>> repoEnvironmentSupplier;
   private final Supplier<Map<String, String>> clientEnvironmentSupplier;
 
   private double timeoutScaling = 1.0;
@@ -71,8 +72,11 @@ public class SingleExtensionEvalFunction implements SkyFunction {
   @Nullable private DownloadManager downloadManager = null;
 
   public SingleExtensionEvalFunction(
-      BlazeDirectories directories, Supplier<Map<String, String>> clientEnvironmentSupplier) {
+      BlazeDirectories directories,
+      Supplier<Map<String, String>> repoEnvironmentSupplier,
+      Supplier<Map<String, String>> clientEnvironmentSupplier) {
     this.directories = directories;
+    this.repoEnvironmentSupplier = repoEnvironmentSupplier;
     this.clientEnvironmentSupplier = clientEnvironmentSupplier;
   }
 
@@ -124,6 +128,7 @@ public SkyValue compute(SkyKey skyKey, Environment env)
                 starlarkSemantics,
                 env,
                 directories,
+                repoEnvironmentSupplier,
                 clientEnvironmentSupplier,
                 timeoutScaling,
                 processWrapper,
 
@@ -93,6 +93,7 @@ public final class RepositoryFetchFunction implements SkyFunction {
 
   private final BlazeDirectories directories;
   private final LocalRepoContentsCache repoContentsCache;
+  private final Supplier<Map<String, String>> repoEnvironmentSupplier;
   private final Supplier<Map<String, String>> clientEnvironmentSupplier;
 
   private double timeoutScaling = 1.0;
@@ -103,9 +104,11 @@ public final class RepositoryFetchFunction implements SkyFunction {
   @Nullable private SyscallCache syscallCache;
 
   public RepositoryFetchFunction(
+      Supplier<Map<String, String>> repoEnvironmentSupplier,
       Supplier<Map<String, String>> clientEnvironmentSupplier,
       BlazeDirectories directories,
       LocalRepoContentsCache repoContentsCache) {
+    this.repoEnvironmentSupplier = repoEnvironmentSupplier;
     this.clientEnvironmentSupplier = clientEnvironmentSupplier;
     this.directories = directories;
     this.repoContentsCache = repoContentsCache;
@@ -607,6 +610,7 @@ private FetchResult fetchInternal(
                 outputDirectory,
                 ignoredSubdirectories.asIgnoredSubdirectories(),
                 env,
+                ImmutableMap.copyOf(repoEnvironmentSupplier.get()),
                 ImmutableMap.copyOf(clientEnvironmentSupplier.get()),
                 downloadManager,
                 timeoutScaling,
 
@@ -158,7 +158,8 @@ private interface AsyncTask extends SilentCloseable {
   protected final Path workingDirectory;
   protected final BlazeDirectories directories;
   protected final Environment env;
-  protected final ImmutableMap<String, String> envVariables;
+  protected final ImmutableMap<String, String> repoEnvVariables;
+  protected final ImmutableMap<String, String> clientEnvVariables;
   private final StarlarkOS osObject;
   protected final DownloadManager downloadManager;
   protected final double timeoutScaling;
@@ -180,7 +181,8 @@ protected StarlarkBaseExternalContext(
       Path workingDirectory,
       BlazeDirectories directories,
       Environment env,
-      Map<String, String> envVariables,
+      Map<String, String> repoEnvVariables,
+      Map<String, String> clientEnvVariables,
       DownloadManager downloadManager,
       double timeoutScaling,
       @Nullable ProcessWrapper processWrapper,
@@ -191,8 +193,9 @@ protected StarlarkBaseExternalContext(
     this.workingDirectory = workingDirectory;
     this.directories = directories;
     this.env = env;
-    this.envVariables = ImmutableMap.copyOf(envVariables);
-    this.osObject = new StarlarkOS(this.envVariables);
+    this.repoEnvVariables = ImmutableMap.copyOf(repoEnvVariables);
+    this.clientEnvVariables = ImmutableMap.copyOf(clientEnvVariables);
+    this.osObject = new StarlarkOS(this.repoEnvVariables);
     this.downloadManager = downloadManager;
     this.timeoutScaling = timeoutScaling;
     this.processWrapper = processWrapper;
@@ -823,7 +826,7 @@ public Object download(
               canonicalId,
               Optional.<String>empty(),
               outputPath.getPath(),
-              envVariables,
+              clientEnvVariables,
               identifyingStringForLogging,
               downloadPhaser,
               // The repo rule may modify the file after the download, so we cannot guarantee that
@@ -1063,7 +1066,7 @@ public StructImpl downloadAndExtract(
               canonicalId,
               Optional.of(type),
               downloadDirectory,
-              envVariables,
+              clientEnvVariables,
               identifyingStringForLogging,
               downloadPhaser,
               // The archive is not going to be modified and not accessible to the user, so its safe
@@ -1430,15 +1433,15 @@ private static <T> T nullIfNone(Object object, Class<T> type) {
   @Nullable
   public String getEnvironmentValue(String name, Object defaultValue)
       throws InterruptedException, NeedsSkyframeRestartException {
-    // Must look up via AEF, rather than solely copy from `this.envVariables`, in order to
+    // Must look up via AEF, rather than solely copy from `this.repoEnvVariables`, in order to
     // establish a SkyKey dependency relationship.
     if (env.getValue(ActionEnvironmentFunction.key(name)) == null) {
       throw new NeedsSkyframeRestartException();
     }
 
-    // However, to account for --repo_env we take the value from `this.envVariables`.
+    // However, to account for --repo_env we take the value from `this.repoEnvVariables`.
     // See https://github.com/bazelbuild/bazel/pull/20787#discussion_r1445571248 .
-    String envVarValue = envVariables.get(name);
+    String envVarValue = repoEnvVariables.get(name);
     accumulatedEnvKeys.add(name);
     return envVarValue != null ? envVarValue : nullIfNone(defaultValue, String.class);
   }
@@ -1911,17 +1914,17 @@ public StarlarkExecutionResult execute(
     validateExecuteArguments(arguments);
     int timeout = Starlark.toInt(timeoutI, "timeout");
 
-    Map<String, Object> forceEnvVariablesRaw =
+    Map<String, Object> forceRepoEnvVariablesRaw =
         Dict.cast(uncheckedEnvironment, String.class, Object.class, "environment");
-    Map<String, String> forceEnvVariables = new LinkedHashMap<>();
-    Set<String> removeEnvVariables = new LinkedHashSet<>();
-    for (Map.Entry<String, Object> entry : forceEnvVariablesRaw.entrySet()) {
+    Map<String, String> forceRepoEnvVariables = new LinkedHashMap<>();
+    Set<String> removeRepoEnvVariables = new LinkedHashSet<>();
+    for (Map.Entry<String, Object> entry : forceRepoEnvVariablesRaw.entrySet()) {
       String key = entry.getKey();
       Object value = entry.getValue();
       if (value == Starlark.NONE) {
-        removeEnvVariables.add(key);
+        removeRepoEnvVariables.add(key);
       } else if (value instanceof String s) {
-        forceEnvVariables.put(key, s);
+        forceRepoEnvVariables.put(key, s);
       } else {
         throw Starlark.errorf("environment values must be strings or None, got %s", value);
       }
@@ -1930,7 +1933,8 @@ public StarlarkExecutionResult execute(
     if (canExecuteRemote()) {
       // Remote execution only sees the explicitly set environment variables, so removing env vars
       // isn't necessary.
-      return executeRemote(arguments, timeout, forceEnvVariables, quiet, overrideWorkingDirectory);
+      return executeRemote(
+          arguments, timeout, forceRepoEnvVariables, quiet, overrideWorkingDirectory);
     }
 
     // Execute on the local/host machine
@@ -1949,8 +1953,8 @@ public StarlarkExecutionResult execute(
         WorkspaceRuleEvent.newExecuteEvent(
             args,
             timeout,
-            Maps.filterKeys(envVariables, k -> !removeEnvVariables.contains(k)),
-            forceEnvVariables,
+            Maps.filterKeys(repoEnvVariables, k -> !removeRepoEnvVariables.contains(k)),
+            forceRepoEnvVariables,
             workingDirectory.getPathString(),
             quiet,
             identifyingStringForLogging,
@@ -1982,8 +1986,8 @@ public StarlarkExecutionResult execute(
       return StarlarkExecutionResult.builder(osObject.getEnvironmentVariables())
           .addArguments(args)
           .setDirectory(workingDirectoryPath.getPathFile())
-          .addEnvironmentVariables(forceEnvVariables)
-          .removeEnvironmentVariables(removeEnvVariables)
+          .addEnvironmentVariables(forceRepoEnvVariables)
+          .removeEnvironmentVariables(removeRepoEnvVariables)
           .setTimeout(timeoutMillis)
           .setQuiet(quiet)
           .execute();
@@ -2247,7 +2251,7 @@ public StarlarkPath which(String program, StarlarkThread thread) throws EvalExce
 
   @Nullable
   private StarlarkPath findCommandOnPath(String program) throws IOException {
-    String pathEnvVariable = envVariables.get("PATH");
+    String pathEnvVariable = repoEnvVariables.get("PATH");
     if (pathEnvVariable == null) {
       return null;
     }
 
@@ -90,7 +90,8 @@ public StarlarkRepositoryContext(
       Path outputDirectory,
       IgnoredSubdirectories ignoredSubdirectories,
       Environment environment,
-      ImmutableMap<String, String> env,
+      ImmutableMap<String, String> repoEnvVariables,
+      ImmutableMap<String, String> clientEnvVariables,
       DownloadManager downloadManager,
       double timeoutScaling,
       @Nullable ProcessWrapper processWrapper,
@@ -103,7 +104,8 @@ public StarlarkRepositoryContext(
         outputDirectory,
         directories,
         environment,
-        env,
+        repoEnvVariables,
+        clientEnvVariables,
         downloadManager,
         timeoutScaling,
         processWrapper,
 
@@ -335,6 +335,19 @@ public void exit(AbruptExitException exception) {
                 : UUID.randomUUID().toString();
 
     this.repoEnv.putAll(clientEnv);
+
+    Set<String> defaultRepoEnvInherited = new TreeSet<>();
+    defaultRepoEnvInherited.add("PATH");
+    if (OS.getCurrent() == OS.WINDOWS) {
+      defaultRepoEnvInherited.add("PATHEXT");
+    }
+    for (String name : defaultRepoEnvInherited) {
+      String value = clientEnv.get(name);
+      if (value != null) {
+        this.repoEnvFromOptions.put(name, value);
+      }
+    }
+
     // TODO: This only needs to check for loads() rather than analyzes() due to
     //  the effect of --action_env on the repository env. Revert back to
     //  analyzes() when --action_env no longer affects it.
@@ -347,6 +360,7 @@ public void exit(AbruptExitException exception) {
             visibleActionEnv.remove(name);
             if (!options.getOptions(CommonCommandOptions.class).repoEnvIgnoresActionEnv) {
               repoEnv.put(name, value);
+              repoEnvFromOptions.put(name, value);
             }
           }
           case Converters.EnvVar.Inherit(String name) -> {
@@ -356,6 +370,7 @@ public void exit(AbruptExitException exception) {
             visibleActionEnv.remove(name);
             if (!options.getOptions(CommonCommandOptions.class).repoEnvIgnoresActionEnv) {
               repoEnv.remove(name);
+              repoEnvFromOptions.remove(name);
             }
           }
         }
@@ -981,6 +996,15 @@ public Map<String, String> getRepoEnv() {
     return Collections.unmodifiableMap(repoEnv);
   }
 
+  /**
+   * Returns the repository environment created from specific client environment variables ({@code
+   * PATH} and on Windows {@code PATH_EXT}), {@code --repo_env}, and {@code --action_env=NAME=VALUE}
+   * (when {@code --incompatible_repo_env_ignores_action_env=false}).
+   */
+  public Map<String, String> getRepoEnvFromOptions() {
+    return Collections.unmodifiableMap(repoEnvFromOptions);
+  }
+
   /** Returns the file cache to use during this build. */
   public InputMetadataProvider getFileCache() {
     if (fileCache == null) {