Add ability to unset variables with --{action,host_action,repo,run,test}_env#26300
Closed
fmeum wants to merge 5 commits intobazelbuild:masterfrom
Closed
Add ability to unset variables with --{action,host_action,repo,run,test}_env#26300fmeum wants to merge 5 commits intobazelbuild:masterfrom
--{action,host_action,repo,run,test}_env#26300fmeum wants to merge 5 commits intobazelbuild:masterfrom
Conversation
--*_env--{action,repo,run,test}_env
--{action,repo,run,test}_env--{action,host_action,repo,run,test}_env
4b0b475 to
8917c42
Compare
--{action,host_action,repo,run,test}_env--{action,host_action,repo,run,test}_env
Member
|
Not sure whether I should love or hate the |
Collaborator
Author
I knew I forgot something when I wrote the PR description, added a new paragraph to explain why I didn't go with this approach. Just to be clear, I also don't like the new syntax, but it does at least have clear semantics. |
Collaborator
Author
|
@meisterT Friendly ping |
meisterT
reviewed
Jul 4, 2025
src/main/java/com/google/devtools/build/lib/analysis/config/FragmentOptions.java
Outdated
Show resolved
Hide resolved
src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/com/google/devtools/build/lib/runtime/commands/RunCommand.java
Outdated
Show resolved
Hide resolved
tjgq
requested changes
Jul 7, 2025
src/main/java/com/google/devtools/common/options/Converters.java
Outdated
Show resolved
Hide resolved
src/main/java/com/google/devtools/build/lib/runtime/commands/RunCommand.java
Outdated
Show resolved
Hide resolved
src/main/java/com/google/devtools/build/lib/analysis/test/TestConfiguration.java
Outdated
Show resolved
Hide resolved
tjgq
approved these changes
Jul 8, 2025
copybara-service bot
pushed a commit
that referenced
this pull request
Nov 25, 2025
This PR introduces a new flag `--experimental_strict_repo_env` which stops repository rules and module extensions from inheriting the client environment (making `--repo_env=NAME` more than just an advisory notice). When enabled up to 2 environment variables will still be forwarded (unless overridden or explicitly removed via `--repo_env==VARNAME`, see #26300 for more details); - `PATH` - All platforms - `PATHEXT` - Windows See `test_execute_environment_strict_vars` in `src/test/shell/bazel/starlark_repository_test.sh` for a demonstration. Note that the behavior is different to the similarly named `--incompatible_strict_action_env`, which stops _all_ environment variables (`--action_env` affects actions with `use_default_shell_env = True`) except those specified within the defining rule. This is by design as repository rules operate in an inherently non-hermetic domain, covering roles such as integrating with the C/C++ toolchain installed on the host. It does not make sense to lock down environment variables _by default_, this is best left up to individual projects and users. This flag is marked experimental to allow for testing and requirement discovery (e.g. env vars other than `PATH` that should be included). Closes #10996 Closes #24404. PiperOrigin-RevId: 836494750 Change-Id: Ic05e5ca47a14badb2cd23f810e775c3341ddfaa8
bazel-io
pushed a commit
to bazel-io/bazel
that referenced
this pull request
Nov 25, 2025
This PR introduces a new flag `--experimental_strict_repo_env` which stops repository rules and module extensions from inheriting the client environment (making `--repo_env=NAME` more than just an advisory notice). When enabled up to 2 environment variables will still be forwarded (unless overridden or explicitly removed via `--repo_env==VARNAME`, see bazelbuild#26300 for more details); - `PATH` - All platforms - `PATHEXT` - Windows See `test_execute_environment_strict_vars` in `src/test/shell/bazel/starlark_repository_test.sh` for a demonstration. Note that the behavior is different to the similarly named `--incompatible_strict_action_env`, which stops _all_ environment variables (`--action_env` affects actions with `use_default_shell_env = True`) except those specified within the defining rule. This is by design as repository rules operate in an inherently non-hermetic domain, covering roles such as integrating with the C/C++ toolchain installed on the host. It does not make sense to lock down environment variables _by default_, this is best left up to individual projects and users. This flag is marked experimental to allow for testing and requirement discovery (e.g. env vars other than `PATH` that should be included). Closes bazelbuild#10996 Closes bazelbuild#24404. PiperOrigin-RevId: 836494750 Change-Id: Ic05e5ca47a14badb2cd23f810e775c3341ddfaa8
github-merge-queue bot
pushed a commit
that referenced
this pull request
Nov 25, 2025
This PR introduces a new flag `--experimental_strict_repo_env` which stops repository rules and module extensions from inheriting the client environment (making `--repo_env=NAME` more than just an advisory notice). When enabled up to 2 environment variables will still be forwarded (unless overridden or explicitly removed via `--repo_env==VARNAME`, see #26300 for more details); - `PATH` - All platforms - `PATHEXT` - Windows See `test_execute_environment_strict_vars` in `src/test/shell/bazel/starlark_repository_test.sh` for a demonstration. Note that the behavior is different to the similarly named `--incompatible_strict_action_env`, which stops _all_ environment variables (`--action_env` affects actions with `use_default_shell_env = True`) except those specified within the defining rule. This is by design as repository rules operate in an inherently non-hermetic domain, covering roles such as integrating with the C/C++ toolchain installed on the host. It does not make sense to lock down environment variables _by default_, this is best left up to individual projects and users. This flag is marked experimental to allow for testing and requirement discovery (e.g. env vars other than `PATH` that should be included). Closes #10996 Closes #24404. PiperOrigin-RevId: 836494750 Change-Id: Ic05e5ca47a14badb2cd23f810e775c3341ddfaa8 Commit 60bc017 Co-authored-by: Jordan Mele <jordan.mele@outlook.com.au>
aranguyen
pushed a commit
to aranguyen/bazel
that referenced
this pull request
Nov 26, 2025
This PR introduces a new flag `--experimental_strict_repo_env` which stops repository rules and module extensions from inheriting the client environment (making `--repo_env=NAME` more than just an advisory notice). When enabled up to 2 environment variables will still be forwarded (unless overridden or explicitly removed via `--repo_env==VARNAME`, see bazelbuild#26300 for more details); - `PATH` - All platforms - `PATHEXT` - Windows See `test_execute_environment_strict_vars` in `src/test/shell/bazel/starlark_repository_test.sh` for a demonstration. Note that the behavior is different to the similarly named `--incompatible_strict_action_env`, which stops _all_ environment variables (`--action_env` affects actions with `use_default_shell_env = True`) except those specified within the defining rule. This is by design as repository rules operate in an inherently non-hermetic domain, covering roles such as integrating with the C/C++ toolchain installed on the host. It does not make sense to lock down environment variables _by default_, this is best left up to individual projects and users. This flag is marked experimental to allow for testing and requirement discovery (e.g. env vars other than `PATH` that should be included). Closes bazelbuild#10996 Closes bazelbuild#24404. PiperOrigin-RevId: 836494750 Change-Id: Ic05e5ca47a14badb2cd23f810e775c3341ddfaa8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The special syntax
--action_env==NAME(or--action_env =NAME) can be used to unset the variableNAME(also for all the other--*_envflags). For the hermetic environments (--action_env,--host_action_envand--test_env), this clears any previous occurrences of--action_env=NAME=VALUEand--action_env=NAME. For the non-hermetic environments (--repo_env,--run_env), it additionally ensures that the given variable is explicitly unset in the final environment.The particular syntax is somewhat quirky, but it is backwards compatible and doesn't limit the possible space of env variable names and values (as, say,
--action_env=-NAMEwould).This has a number of applications:
LD_LIBRARY_PATHand/orPATH. This is the primary motivation for this change as the author plans to addLC_CTYPE=C.UTF-8in the future, which would result in Bazel actions supporting Unicode by default. Without the ability to remove this variable, users would be bound to have anLC_CTYPEvariable set in all actions usinguse_default_shell_env(unless they use a Bazel wrapper that forces the variable to be unset and also specify--action_env=LC_CTYPE).runenvironment in bc83389, but with the new syntax, users have full flexibility and can apply the same type of "cleaning" to repo rule environments. This provides an onramp for a future in which--repo_envand/or--run_envcould become hermetic.--configs inheritance as well as appending to command-line invocations - previously, there was no way to fully undo the effect of an--action_env=FOO=bar.Point 3 also explains why this change doesn't introduce dedicated
--unset_*_envflags: they would introduce unpleasant confusion around precedence (what does--action_env=FOO=bar --unset_action_env=FOO --action_env=FOO=barmean?) and/or introduce new flags that accumulate repeated uses with no way of resetting any particular ones.RELNOTES[NEW]: The new
--*_env==NAMEsyntax can be used with any of--action_env,--host_action_env,--repo_env,--run_env, and--test_envto undo any previous occurrences of the respective flags for that environment variable name. For--repo_envand--run_env, this also results in the variable being unset if it is set in the environment of the Bazel client.