Why does depending on

pex_binary

automatically brings into a sandbox sources?

shell_command(
    name="baz",
    command="ls > /tmp/ls",
    tools=["ls"],
    execution_dependencies=[
        ":server.pex",
    ],
)

❯ cat /tmp/ls
__init__.py
core
main.py
server.pex

Is that a problem? It seems to be working as specified: https://www.pantsbuild.org/stable/docs/shell/run-shell-commands#the-shell_command-target

The

command

field is passed to

bash -c <command>

. The execution sandbox will include any files from the

dependencies

field. Any executable tools that might be used must be specified in the

tools

field, in order to be available on the

PATH

while executing the command.

Do you want

run_shell_command

?

Unlike

shell_command

, the `run_shell_command` target runs directly in your workspace, without sandboxing.

Not a real problem, but was wondering why it's not fully sandboxed. I don't think it's working as advertised, because it includes dependencies of dependencies (for pex_binary).

yeah, it is slightly surprising that it includes the "inputs" for packaged artefacts like pex_binary, in addition to the artifact itself. I think Pants currently isn't super-great about dependencies on artifacts, unfortunately