Hello I'm currently looking into pantsbuild to replace our current build system. The current software is built using custom a "compiler", so I'm using the

adhoc_tool

rule to build. However the compiler also needs credentials provided through environment variables, which can be provided using

extra_env_vars

, however this parameter seems to also affect the cache, and thus greatly diminishing the benefit of pantsbuild. Is there any way I can provide credentials through environment variables to

adhoc_tool

without having it affect the cache digest?

How are you calling adhoc_tool? Can we see part of the build file? Have you tried messing with the cache_scope? Not sure if that would work - but I wonder if it would separate your results from the inputs a bit https://www.pantsbuild.org/stable/reference/targets/adhoc_tool#cache_scope

Hmm, I had a look at the

cache_scope

, though I don't see how it would help, if anything it'd do the opposite? Making the cache-scope smaller.

Is it correctly cached if you don't change the extra env var - and keep the same one?

Yes

Yeah, as these run Pants processes, the behaviour you're seeing is exactly what I would have expected

Environment variables are part of the cache key by design. (The Pants execution model is modeled on the Google-defined Remote Execution API and env vars are in the cache key there.)

I meant ambiently, like system credentials - however, we strip environments by default. Does

workspace_environment

strip or maintain env vars from the system?

It would have the same behavior as local environment does for env vars.

yeah, or wherever else - or the compiler would have to break out of the sandbox/read a .env which can't change as part of an input digest

This problem is very similar to https://github.com/pantsbuild/pants/pull/21852, https://github.com/pantsbuild/pants/pull/21852, etc.

Yeah, also could be a bit confusing at least. Rule of least surprise for me falls over - as I would expect to invalidate a cache if an env var passed in gets modified. So yeah, it would have to be something separate

So the more general issue here is do we ever support diverging from REAPI for local executions in a way that would be semantically different cache-wise for REAPI stuff.)

I was thinking workspace environment, specifically because it bypasses the hermetic sandbox already

The handling of the cache key is handled in Rust code by the

Process

intrinsic rules, so plugins are not going to change that in Python alone.

I meant like, pointing the compiler at a file in the workspace environment, bypassing Process kinda thing

That might work. Have a file with

export FOO=BAR

stuff in it and source the file by name and make sure the file is not a dependency of the relevant target.

Yeah, basically that - my use case was MUCH weirder, but fundamentally could end up with the same result

Forgive me for my lack of understanding here but, if the argument why this would "never" be possible is because it would break hermeticity, and wouldn't work with REAPI. Wouldn't using a

~/.netrc

file outside the sandbox do the same, just being less transparent about it? As technically, something truely sandboxed, I wouldn't expect to be able to access

~/.netrc

?

Well

.netrc

would not work with REAPI because a local

.netrc

would not work with a remote build execution since it is not installed there. And sending a

.netrc

over REAPI means it is part of the input root for a remote execution request and thus part of the cache key.

So what is the recommended WoW with credentials? While the env vars will work, I'd rather avoid the situation where the entire cache gets invalidated because a credential expired. I have different types, some which technically last forever, other credentials which only last for a couple of hours.

There had been some work to solve a similar issue to this for Python indices: https://github.com/pantsbuild/pants/pull/21852 and https://github.com/pantsbuild/pants/pull/21853. That work was dropped for business reasons. @ripe-gigabyte-88964 revived the work in a different form with https://github.com/pantsbuild/pants/pull/22370. But those would be for Python indices, and did not contemplate exposing UX in

adhoc_tool

et al. for having environment variables which did not contribute to the cache key. As I mentioned before, this would need to be a change in how Pants executes processes. You would need a way to supply environment variables to the local executor which did not contribute to the cache key which is the hash of most of the

Process

dataclass internally in the rules engine. (Note that description is excluded for example from comparisons.) https://github.com/pantsbuild/pants/blob/4abf65d0b989d8c10d995f204076f4e6e25ae87f/src/python/pants/engine/process.py#L106 And designing this needs to take into account how the engine de-duplicates execution requests and only computes the result once per session and/or stores it in the local cache. So it is not just a simple matter of making the

env

field on

Process

not take part in comparisons.

I have not had any issues with the python indices, as it seems pantsbuild allows pip to pick up

~/.netrc

. Whilst the hack you propose may work, I don't see feasible, it's a very complicated solution, to solve a problem which I think the build tool itself should have support for. While running remote execution is not a priority for me today, It is something I would like to use, how does that work? Surely it will not use my local

~/.netrc

file? does the remote server need to have that file configured? I cannot believe this to be a "new problem"?

I am on parental leave and have very little computer time but I'll try to look at it during naptime the after the weekend :)