bazel: improve strict action env context

- Bazel strict action env set a default PATH to `/bin/:/usr/bin:/usr/local/bin`. This was previously changed to disable this behavior to improve hermeticity. However the previous change was only removing `/bin:/usr/bin`, keeping `/usr/local/bin`, this commit also remove this entry.
5 years ago · 20752ba4f7
parent 224737f0f7
commit 20752ba4f7
2 changed files with 25 additions and 8 deletions
--- a/pkgs/development/tools/build-managers/bazel/default.nix
+++ b/pkgs/development/tools/build-managers/bazel/default.nix
@ -19,6 +19,7 @@
 , enableNixHacks ? false
 , gcc-unwrapped
 , autoPatchelfHook
+, substituteAll
 }:

 let
@ -145,6 +146,17 @@ stdenv.mkDerivation rec {
    # This is breaking the build of any C target. This patch removes the last
    # argument if it's found to be an empty string.
    ./trim-last-argument-to-gcc-if-empty.patch
+
+    # --experimental_strict_action_env (which may one day become the default
+    # see bazelbuild/bazel#2574) hardcodes the default
+    # action environment to a non hermetic value (e.g. "/usr/local/bin").
+    # This is non hermetic on non-nixos systems. On NixOS, bazel cannot find the required binaries.
+    # So we are replacing this bazel paths by defaultShellPath,
+    # improving hermeticity and making it work in nixos.
+    (substituteAll {
+      src = ./strict_action_env.patch;
+      strictActionEnvPatch = defaultShellPath;
+    })
  ] ++ lib.optional enableNixHacks ./nix-hacks.patch;


@ -390,14 +402,6 @@ stdenv.mkDerivation rec {
          -e "/\$command \\\\$/a --host_java_toolchain='${javaToolchain}' \\\\" \
          -i scripts/bootstrap/compile.sh

-      # --experimental_strict_action_env (which will soon become the
-      # default, see bazelbuild/bazel#2574) hardcodes the default
-      # action environment to a value that on NixOS at least is bogus.
-      # So we hardcode it to something useful.
-      substituteInPlace \
-        src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java \
-        --replace /bin:/usr/bin ${defaultShellPath}
-
      # This is necessary to avoid:
      # "error: no visible @interface for 'NSDictionary' declares the selector
      # 'initWithContentsOfURL:error:'"
--- a/pkgs/development/tools/build-managers/bazel/strict_action_env.patch
+++ b/pkgs/development/tools/build-managers/bazel/strict_action_env.patch
@ -0,0 +1,13 @@
+diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+index a70b5559bc..10bdffe961 100644
+--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+@@ -466,7 +466,7 @@ public class BazelRuleClassProvider {
+       // Note that --action_env does not propagate to the host config, so it is not a viable
+       // workaround when a genrule is itself built in the host config (e.g. nested genrules). See
+       // #8536.
+-      return "/bin:/usr/bin:/usr/local/bin";
+      return "@strictActionEnvPatch@";
+     }
+
+     String newPath = "";