Skip to content

[8.6.0] Add --experimental_strict_repo_env option #28189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
iancha1992 merged 1 commit into from
Jan 13, 2026
Merged

[8.6.0] Add --experimental_strict_repo_env option #28189

iancha1992 merged 1 commit into from
Jan 13, 2026

Conversation

@Silic0nS0ldier
Copy link
Contributor

@Silic0nS0ldier Silic0nS0ldier commented Jan 8, 2026

This PR introduces a new flag --experimental_strict_repo_env which stops repository rules and module extensions from inheriting the client environment (making --repo_env=NAME more than just an advisory notice).

When enabled up to 2 environment variables will still be forwarded (unless overridden or explicitly removed via --repo_env==VARNAME, see

  • PATH - All platforms
  • PATHEXT - Windows

See test_execute_environment_strict_vars in
src/test/shell/bazel/starlark_repository_test.sh for a demonstration.

Note that the behavior is different to the similarly named --incompatible_strict_action_env, which stops all environment variables (--action_env affects actions with use_default_shell_env = True) except those specified within the defining rule. This is by design as repository rules operate in an inherently non-hermetic domain, covering roles such as integrating with the C/C++ toolchain installed on the host. It does not make sense to lock down environment variables by default, this is best left up to individual projects and users.

This flag is marked experimental to allow for testing and requirement discovery (e.g. env vars other than PATH that should be included).

Closes #10996

Closes #28188.

@Silic0nS0ldier
Copy link
Contributor Author

Silic0nS0ldier commented Jan 8, 2026

A lot changed between v9 and v8. I've yet to properly test the cherry-pick and may have missed some things, using CI to catch the obvious mistakes.

@Wyverald Wyverald changed the title [8.0.0] Add --experimental_strict_repo_env option [8.6.0] Add --experimental_strict_repo_env option Jan 8, 2026
@Silic0nS0ldier Silic0nS0ldier force-pushed the strict-repo-env-bazel-8 branch 2 times, most recently from 7b618c0 to 8654b9c Compare January 11, 2026 11:51
@bazel-io @Silic0nS0ldier
[8.6.0] Add --experimental_strict_repo_env option
8795a5f 
This PR introduces a new flag `--experimental_strict_repo_env` which
stops repository rules and module extensions from inheriting the client
environment (making `--repo_env=NAME` more than just an advisory
notice).

When enabled up to 2 environment variables will still be forwarded
(unless overridden or explicitly removed via `--repo_env==VARNAME`, see
- `PATH` - All platforms
- `PATHEXT` - Windows

See `test_execute_environment_strict_vars` in
`src/test/shell/bazel/starlark_repository_test.sh` for a demonstration.

Note that the behavior is different to the similarly named
`--incompatible_strict_action_env`, which stops _all_ environment
variables (`--action_env` affects actions with `use_default_shell_env =
True`) except those specified within the defining rule. This is by
design as repository rules operate in an inherently non-hermetic domain,
covering roles such as integrating with the C/C++ toolchain installed on
the host. It does not make sense to lock down environment variables _by
default_, this is best left up to individual projects and users.

This flag is marked experimental to allow for testing and requirement
discovery (e.g. env vars other than `PATH` that should be included).

Closes bazelbuild#10996

Closes bazelbuild#28188.
@Silic0nS0ldier Silic0nS0ldier force-pushed the strict-repo-env-bazel-8 branch from 8654b9c to 8795a5f Compare January 11, 2026 12:37
@Silic0nS0ldier Silic0nS0ldier marked this pull request as ready for review January 12, 2026 07:33
@Silic0nS0ldier Silic0nS0ldier requested a review from a team as a code owner January 12, 2026 07:33
@github-actions github-actions bot added team-Configurability platforms, toolchains, cquery, select(), config transitions team-ExternalDeps External dependency handling, remote repositiories, WORKSPACE file. awaiting-review PR is awaiting review from an assigned reviewer labels Jan 12, 2026
@Silic0nS0ldier Silic0nS0ldier mentioned this pull request Jan 12, 2026
Closed
@iancha1992 iancha1992 enabled auto-merge January 12, 2026 17:51
@iancha1992 iancha1992 added this pull request to the merge queue Jan 13, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 13, 2026
@Wyverald Wyverald added this pull request to the merge queue Jan 13, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 13, 2026
@iancha1992 iancha1992 added this pull request to the merge queue Jan 13, 2026
Merged via the queue into bazelbuild:release-8.6.0 with commit a7906f7 Jan 13, 2026
47 checks passed
@github-actions github-actions bot removed the awaiting-review PR is awaiting review from an assigned reviewer label Jan 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@meteorcloudy meteorcloudy meteorcloudy approved these changes

@Wyverald Wyverald Awaiting requested review from Wyverald

@lberki lberki Awaiting requested review from lberki

@aranguyen aranguyen Awaiting requested review from aranguyen

Assignees

No one assigned

Labels

team-Configurability platforms, toolchains, cquery, select(), config transitions team-ExternalDeps External dependency handling, remote repositiories, WORKSPACE file.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Silic0nS0ldier @meteorcloudy @iancha1992 @bazel-io