fix(hermeticity): do not leak PATH to actions#28517
Conversation
I have a client who vendored this file into their Bazel workspace, and it caused every new machine to have a non-incremental build with all cache misses, due to the CI system (CircleCI in that case) injecting an unstable value into the PATH (`/tmp/circleci-launch-agent150557664/circleci-agent/1.0.193225-b3de599b/linux/amd64`) Signed-off-by: Alex Eagle <alex@aspect.dev>
|
Hi @alexeagle, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
phlax
left a comment
phlax
left a comment
There was a problem hiding this comment.
lgtm, thanks @alexeagle
cc @keith
|
pretty sure having this passthrough is required for most folks. maybe CI will show that. #24408 would be the long term solution if so |
|
only windows is complaining in CI /usr/bin/env: 'python3': No such file or directory |
|
yea i don't think there's a standard path we can rely on today because the instructions have folks install clang somewhere random |
|
as a short term workaround your folks could override this value and pass whatever hardcoded path would work for you |
|
can we update the docs? from a general pov it would be better not to set these as defaults - sort of against how you would expect bazel to work i think but yep we will probably either need to update docs somewhere or handle support tickets |
|
re win error - i think this PR has helpfully weeded out a non-hermetic build issue with luajit the fail is in our patch here envoy/bazel/foreign_cc/luajit.patch Line 138 in 260fe14 which i think should be using a not sure why only windows fails, i guess its not failing elsewhere due to non-hermeticity - i think the path must be the same on the linux-side so no caches were blown given that windows only runs a subset of build/tests we might want to run this without cache to weed out any other issues |
|
I've suggested the client just comment out this line in their copy of this file. I'd be okay resolving this with a documentation change instead, but then few people read docs, so I'd guess the problem will continue. For your CI, of course you could use a platform-specific bazelrc setting so this only happens on Windows - but I think @keith is pointing out that a green CI run here may not be enough? |
Signed-off-by: Alex Eagle <alex@aspect.dev>
i more meant that if we remove this by default we should add to build docs that for host builds you may need to add this (or i guess improve the build somehow to look in expected places) mho is that this is a welcome change, but im aware that not all agree on that so would prefer to find a consensus re readding for windows - i think that is fine as a workaround in this case, if that is the only issue but would prefer medium term to make sure nothing is using non-hermetic system tools unless absolutely necessary
yeah, i came to the same conclusion - i think we can test this with |
|
i was wondering why this went through CI so quickly i think it gets added again here: Lines 21 to 28 in 4031ea2 i guess this is not an issue for using bazel directly but for using the envoy code paths i think this would need to change also |
|
hrm yea i guess ideally we could wrap this without having to generate config files with these contents at various paths. I still think the path of least resistance would be to make the vendored llvm toolchain work and then allow a |
i think testing properly without
i would agree, but not sure what we need to make it happen - iirc there was gcc issue/s that needed to be ironed out, not sure what else in terms of Envoy CI we are using the RBE toolchain/s for ~everything - i have a local container sans llvm etc and it mostly works (when using RBE) |
Yea I think we'd need a way to disable that and use the default toolchain, but I think we could do that with a custom config |
|
I think we could try to merge this as-is now, where PATH only applies to Windows, but given the instructions we provide for building it's possible this breaks folks who install clang to non-standard directories. But we can try and see how it goes |
|
/retest |
phlax
left a comment
phlax
left a comment
There was a problem hiding this comment.
lgtm, thanks @alexeagle
i will look after at potentially removing path from setup clang also - at least to see what effect it has
I have a client who vendored this file into their Bazel workspace, and it caused every new machine to have a non-incremental build with all cache misses, due to the CI system (CircleCI in that case) injecting an unstable value into the PATH (`/tmp/circleci-launch-agent150557664/circleci-agent/1.0.193225-b3de599b/linux/amd64`) Signed-off-by: Alex Eagle <alex@aspect.dev>
5 participants
I have a client who vendored this file into their Bazel workspace, and it caused every new machine to have a non-incremental build with all cache misses, due to the CI system (CircleCI in that case) injecting an unstable value into the PATH (
/tmp/circleci-launch-agent150557664/circleci-agent/1.0.193225-b3de599b/linux/amd64)Commit Message: Above
Additional Description:
Risk Level: Unsure
Testing: Not familiar with this project, so whatever tests you normally run? The client says this change is green for them.
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]