[9.0.0] Add --experimental_strict_repo_env option #27780

Merged: meteorcloudy merged 1 commit into bazelbuild:release-9.0.0 from bazel-io:cp24404-9.0.0 on Nov 25, 2025

@bazel-io

This PR introduces a new flag `--experimental_strict_repo_env` which stops repository rules and module extensions from inheriting the client environment (making `--repo_env=NAME` more than just an advisory notice).

When enabled, up to 2 environment variables will still be forwarded (unless overridden or explicitly removed via `--repo_env==VARNAME`, see #26300 for more details):

- `PATH` - All platforms
- `PATHEXT` - Windows

See `test_execute_environment_strict_vars` in `src/test/shell/bazel/starlark_repository_test.sh` for a demonstration.

Note that the behavior is different to the similarly named `--incompatible_strict_action_env`, which stops _all_ environment variables (`--action_env` affects actions with `use_default_shell_env = True`) except those specified within the defining rule. This is by design as repository rules operate in an inherently non-hermetic domain, covering roles such as integrating with the C/C++ toolchain installed on the host. It does not make sense to lock down environment variables _by default_; this is best left up to individual projects and users.

This flag is marked experimental to allow for testing and requirement discovery (e.g. env vars other than `PATH` that should be included).

Closes #10996

Closes #24404.

PiperOrigin-RevId: 836494750
Change-Id: Ic05e5ca47a14badb2cd23f810e775c3341ddfaa8
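
The forwarding rules in the description above, modelled as an added example (not code from this PR or from Bazel) so you can see which client variables, credentials included, stop reaching repository rules once the flag is on. The function names, the sample environment and the "later flag wins" ordering are assumptions; each flag string is the value that follows `--repo_env=`, so `--repo_env==PATH` appears as `=PATH`.

```python
# Added illustration: models the forwarding rules described in this PR.
# It is not Bazel's implementation; all names below are hypothetical.
ALWAYS_FORWARDED = {"PATH"}      # all platforms
WINDOWS_FORWARDED = {"PATHEXT"}  # Windows only


def parse_repo_env(flags):
    """NAME=VALUE sets a value, NAME inherits from the client, =NAME unsets."""
    actions = {}
    for flag in flags:  # assumption: a later flag for the same name wins
        if flag.startswith("="):
            actions[flag[1:]] = ("unset", None)
        elif "=" in flag:
            name, value = flag.split("=", 1)
            actions[name] = ("set", value)
        else:
            actions[flag] = ("inherit", None)
    return actions


def repo_rule_env(client_env, repo_env_flags, strict, windows=False):
    """Environment a repository rule or module extension would see."""
    if strict:
        keep = ALWAYS_FORWARDED | (WINDOWS_FORWARDED if windows else set())
        env = {k: v for k, v in client_env.items() if k in keep}
    else:
        env = dict(client_env)  # default: whole client environment is inherited
    for name, (action, value) in parse_repo_env(repo_env_flags).items():
        if action == "set":
            env[name] = value
        elif action == "unset":
            env.pop(name, None)
        elif name in client_env:  # inherit only if the client has it
            env[name] = client_env[name]
    return env


def dropped_by_strict(client_env, repo_env_flags, windows=False):
    """Names readable by repository rules today but not under the strict flag."""
    loose = repo_rule_env(client_env, repo_env_flags, False, windows)
    tight = repo_rule_env(client_env, repo_env_flags, True, windows)
    return sorted(set(loose) - set(tight))


# Constructed client environment and flags, not taken from the PR.
CLIENT = {"PATH": "/usr/bin", "PATHEXT": ".EXE", "CC": "clang",
          "AWS_SECRET_ACCESS_KEY": "constructed-secret", "HOME": "/home/dev"}
FLAGS = ["CC", "JAVA_HOME=/opt/jdk", "=PATH"]
print(repo_rule_env(CLIENT, FLAGS, strict=True), dropped_by_strict(CLIENT, FLAGS))
```

Running `dropped_by_strict` against a real CI environment gives a checklist of variables that need an explicit `--repo_env=NAME` before the flag is enabled, and of secrets that no longer need to be visible to third-party repository rules.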

Commit 60bc017

bazel-io added the team-Configurability label on Nov 25, 2025

bazel-io requested a review from a team as a code owner on November 25, 2025 05:53

bazel-io added the team-ExternalDeps and awaiting-review labels on Nov 25, 2025

meteorcloudy added this pull request to the merge queue on Nov 25, 2025

Merged via the queue into bazelbuild:release-9.0.0 with commit 6b55942 on Nov 25, 2025

46 checks passed

github-actions bot removed the awaiting-review label on Nov 25, 2025