Skip to content

Don't write to runfiles #634

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Don't write to runfiles #634

wants to merge 1 commit into from

Conversation

jadenPete
Copy link

py_binary targets create virtual environments in runfiles. This can be problematic in remote execution contexts (we're seeing errors in Buildfarm with certain sandboxing options enabled) because runfiles are often read-only on those environments. This is a safety measure—action inputs are sometimes symbolically linked or shared between actions to reduce unnecessary I/O, and a py_binary can be the executable of an action.

This PR updates py/private/run.tmpl.sh to create the virtual environment in a /tmp subdirectory. This directory is randomly generated, which should minimize the likelihood of actions stepping on each other's toes. If more separation is needed, each action can get its own /tmp directory with --incompatible_sandbox_hermetic_tmp,

Changes are visible to end-users: no

I don't think users should rely on the virtual environment being in one place or another, but if they are, this does constitute a visible change.

  • Searched for relevant documentation and updated as needed: N/A
  • Breaking change (forces users to change their own code or config): N/A
  • Suggested release notes appear below: N/A

Test plan

  • Covered by existing test cases
  • New test cases added
  • Manual testing; please provide instructions so we can reproduce:
    • This isn't reproducable, but we've tested this change extensively in our monorepo with thousands of rules_py-backed actions

@CLAassistant
Copy link

CLAassistant commented Aug 29, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@aspect-workflows Aspect Workflows
Copy link

aspect-workflows bot commented Aug 29, 2025
edited
Loading

Test

Buildkite build #383 is running...

@jadenPete
fix(runfiles): Don't write to runfiles
14d536b 
In remote execution contexts, runfiles aren't always writable.
@jadenPete jadenPete force-pushed the jpeterson-do-not-write-to-runfiles branch from 51b2d75 to 14d536b Compare August 29, 2025 15:24
@arrdem
Copy link
Collaborator

arrdem commented Sep 9, 2025

Hey @jadenPete, thanks for the PR.

As-is this isn't a change I can consider. You've introduced least very much not obviously correct if not breaking change or at to how imports are processed, and the scope of impact from changing where the dynamically built venvs get laid out too is impossible to assess. We have some users who rely on the current behavior, and there are a number of potential downsides to generating a copy of the venv per process instance as this does.

It seems to me that the new py_venv_* machinery likely addresses the problem of allowing for reentrant binaries better than simply solving the copy collision problem.

I'd be willing to integrate a version of this change which made the destination dir controlled either by an environment variable at runtime, a feature flag at build time or both. But I don't think unilaterally changing it is a great idea.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jadenPete @CLAassistant @arrdem