Flip --experimental_strict_action_env on by default.
Also rename it to --incompatible_strict_action_env. See #6648 and #2574. For a while, many actions did not respect the --action_env command line option, but those have been fixed now. So, I think it's time to flip on this flag for greater hermeticity by default.
Closes #6263.
RELNOTES: The --experimental_strict_action_env option has been renamed to --incompatible_strict_action_env and is now on by default. This means Bazel will no longer use the client's PATH and LD_LIBRARY_PATH environmental variables in the default action environment. If the old behavior is desired, pass --action_env=PATH and --action_env=LD_LIBRARY_PATH. --noincompatible_strict_action_env will also temporarily restore the old behavior. However, as --action_env is a more general and explicit way to pass client environmental variables into actions, --noincompatible_strict_action_env will eventually be deprecated and removed. See #6648 for more details.
PiperOrigin-RevId: 222053105
diff --git a/compile.sh b/compile.sh
index ed506d2..c2460fa 100755
--- a/compile.sh
+++ b/compile.sh
@@ -93,6 +93,7 @@
# We set host and target platform directly since the defaults in @bazel_tools
# have not yet been generated.
bazel_build "src:bazel_nojdk${EXE_EXT}" \
+ --action_env=PATH \
--host_platform=@bazel_tools//platforms:host_platform \
--platforms=@bazel_tools//platforms:target_platform \
|| fail "Could not build Bazel"
diff --git a/site/docs/remote-caching.md b/site/docs/remote-caching.md
index e67f5a8..84c2abf 100644
--- a/site/docs/remote-caching.md
+++ b/site/docs/remote-caching.md
@@ -332,12 +332,6 @@
when enabling the disk cache for all developers of a project via the project's
checked in `.bazelrc` file.
-To enable cache hits across different workspaces, use the following flag:
-
-```
-build --experimental_strict_action_env
-```
-
## Known issues
**Input file modification during a build**
@@ -352,15 +346,14 @@
**Environment variables leaking into an action**
-An action definition contains environment variables. This can be a problem
-for sharing remote cache hits across machines. For example, environments
-with different `$PATH` variables won't share cache hits. You can specify
-`--experimental_strict_action_env` to ensure that that's not the case and
-that only environment variables explicitly whitelisted via `--action_env`
-are included in an action definition. Bazel's Debian/Ubuntu package used
-to install `/etc/bazel.bazelrc` with a whitelist of environment variables
-including `$PATH`. If you are getting fewer cache hits than expected, check
-that your environment doesn't have an old `/etc/bazel.bazelrc` file.
+An action definition contains environment variables. This can be a problem for
+sharing remote cache hits across machines. For example, environments with
+different `$PATH` variables won't share cache hits. Only environment variables
+explicitly whitelisted via `--action_env` are included in an action
+definition. Bazel's Debian/Ubuntu package used to install `/etc/bazel.bazelrc`
+with a whitelist of environment variables including `$PATH`. If you are getting
+fewer cache hits than expected, check that your environment doesn't have an old
+`/etc/bazel.bazelrc` file.
**Bazel does not track tools outside a workspace**
diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
index 2910ce9..fc4aad7 100644
--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
@@ -101,6 +101,7 @@
import com.google.devtools.common.options.Option;
import com.google.devtools.common.options.OptionDocumentationCategory;
import com.google.devtools.common.options.OptionEffectTag;
+import com.google.devtools.common.options.OptionMetadataTag;
import java.io.IOException;
import java.util.Map;
import java.util.TreeMap;
@@ -113,16 +114,20 @@
/** Command-line options. */
public static class StrictActionEnvOptions extends FragmentOptions {
@Option(
- name = "experimental_strict_action_env",
- defaultValue = "false",
+ name = "incompatible_strict_action_env",
+ oldName = "experimental_strict_action_env",
+ defaultValue = "true",
documentationCategory = OptionDocumentationCategory.UNCATEGORIZED,
effectTags = {OptionEffectTag.LOADING_AND_ANALYSIS},
+ metadataTags = {
+ OptionMetadataTag.INCOMPATIBLE_CHANGE,
+ OptionMetadataTag.TRIGGERED_BY_ALL_INCOMPATIBLE_CHANGES
+ },
help =
"If true, Bazel uses an environment with a static value for PATH and does not "
+ "inherit LD_LIBRARY_PATH or TMPDIR. Use --action_env=ENV_VARIABLE if you want to "
+ "inherit specific environment variables from the client, but note that doing so "
- + "can prevent cross-user caching if a shared cache is used."
- )
+ + "can prevent cross-user caching if a shared cache is used.")
public boolean useStrictActionEnv;
@Override
diff --git a/src/test/py/bazel/windows_remote_test.py b/src/test/py/bazel/windows_remote_test.py
index 79bbcdc..d189e66 100644
--- a/src/test/py/bazel/windows_remote_test.py
+++ b/src/test/py/bazel/windows_remote_test.py
@@ -33,7 +33,6 @@
'--define=EXECUTOR=remote',
'--remote_executor=localhost:' + str(self._worker_port),
'--remote_cache=localhost:' + str(self._worker_port),
- '--experimental_strict_action_env=true',
'--remote_timeout=3600',
'--auth_enabled=false',
'--remote_accept_cached=false',
diff --git a/src/test/shell/bazel/bazel_rules_test.sh b/src/test/shell/bazel/bazel_rules_test.sh
index ddbf773..20c5bfb 100755
--- a/src/test/shell/bazel/bazel_rules_test.sh
+++ b/src/test/shell/bazel/bazel_rules_test.sh
@@ -287,29 +287,19 @@
local new_tmpdir="$(mktemp -d "${TEST_TMPDIR}/newfancytmpdirXXXXXX")"
[ -d "${new_tmpdir}" ] || \
fail "Could not create new temporary directory ${new_tmpdir}"
- export PATH="$PATH_TO_BAZEL_WRAPPER:/bin:/usr/bin:/random/path"
if is_windows; then
+ export PATH="$PATH_TO_BAZEL_WRAPPER;/bin;/usr/bin;/random/path;${old_path}"
local old_tmpdir="${TMP:-}"
export TMP="${new_tmpdir}"
else
+ export PATH="$PATH_TO_BAZEL_WRAPPER:/bin:/usr/bin:/random/path"
local old_tmpdir="${TMPDIR:-}"
export TMPDIR="${new_tmpdir}"
fi
- # shut down to force reload of the environment
- bazel shutdown
- bazel build //pkg:test --spawn_strategy=standalone \
+ bazel build //pkg:test --spawn_strategy=standalone --action_env=PATH \
|| fail "Failed to build //pkg:test"
if is_windows; then
- # As of 2018-07-10, Bazel on Windows sets the PATH to
- # "/usr/bin:/bin:" + $PATH of the Bazel server process.
- #
- # MSYS appears to convert path entries in PATH to Windows style when running
- # a native Windows process such as Bazel, but "cygpath -w /bin" returns
- # MSYS_ROOT + "\usr\bin".
- # The point is, the PATH will be quite different from what we expect on
- # Linux. Therefore only assert that the PATH contains
- # "$PATH_TO_BAZEL_WRAPPER" and "/random/path", ignore the rest.
- local -r EXPECTED_PATH=".*:$PATH_TO_BAZEL_WRAPPER:.*:/random/path"
+ local -r EXPECTED_PATH="$PATH_TO_BAZEL_WRAPPER:.*/random/path"
# new_tmpdir is based on $TEST_TMPDIR which is not Unix-style -- convert it.
local -r EXPECTED_TMP="$(cygpath -u "$new_tmpdir")"
else
diff --git a/src/test/shell/bazel/bazel_test_test.sh b/src/test/shell/bazel/bazel_test_test.sh
index aa3bcb4..4d847d4 100755
--- a/src/test/shell/bazel/bazel_test_test.sh
+++ b/src/test/shell/bazel/bazel_test_test.sh
@@ -198,11 +198,11 @@
# We don't just use the local PATH, but use the test's PATH, which is more restrictive.
PATH=$PATH:$PWD/scripts bazel --nomaster_bazelrc test //testing:t1 -s --run_under=hello \
- --test_output=all --experimental_strict_action_env >& $TEST_log && fail "Expected failure"
+ --test_output=all >& $TEST_log && fail "Expected failure"
- # With --noexperimental_strict_action_env, the local PATH is forwarded to the test.
+ # With --action_env=PATH, the local PATH is forwarded to the test.
PATH=$PATH:$PWD/scripts bazel test //testing:t1 -s --run_under=hello \
- --test_output=all --noexperimental_strict_action_env >& $TEST_log || fail "Expected success"
+ --test_output=all --action_env=PATH >& $TEST_log || fail "Expected success"
expect_log 'hello script!!! testing/t1'
# We need to forward the PATH to make it work.
