requirements_test: make uv pip compile work in Claude Code containers via auth proxy#814
Open
agentydragon-agent wants to merge 2 commits intoagentydragon:develfrom
Conversation
…Code sessions The uv pip compile action in the requirements lock rule fails in Claude Code containers because DNS is blocked — all egress must go through the session auth proxy (localhost:18081). Three-part fix: 1. Patch rules_python lock.bzl to inherit --action_env The lock() rule hardcodes env = ctx.attr.env in ctx.actions.run_shell(), which prevents --action_env from reaching the action. The patch changes it to dicts.add(ctx.configuration.default_shell_env, ctx.attr.env), so --action_env values are included while explicit lock rule env overrides take precedence. Applies via single_version_override in MODULE.bazel. 2. Add --strategy=PyRequirementsLockUv=local to session bazelrc template Forces the lock action to run locally (not on RBE) in Claude Code sessions, where the auth proxy is available. In CI/RBE, the lock rule uses exec_properties dockerNetwork:bridge for direct internet access instead. 3. Add --action_env proxy vars to session bazelrc template Sets https_proxy=http://127.0.0.1:18081 and SSL_CERT_FILE to the session CA bundle with explicit values. The lock rule (patched) inherits these via default_shell_env. UV_NATIVE_TLS=1 (already in lock rule env) makes uv use OpenSSL to respect SSL_CERT_FILE. Also regenerates requirements_bazel.txt (was stale, causing test failures). https://claude.ai/code/session_01Hfvcxxg9i18tP2NYzqbXpw
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
rules_pythonlock rule to inherit--action_env(viadicts.add(ctx.configuration.default_shell_env, ctx.attr.env)) — without this patch, the lock rule's explicitenv = ctx.attr.envprevents--action_envfrom reaching the actionPyRequirementsLockUvactions to run locally (not RBE) in Claude Code sessions via--strategy=PyRequirementsLockUv=localinbazelrc.makohttps_proxy=http://127.0.0.1:18081andSSL_CERT_FILEas explicit--action_envvalues inbazelrc.mako, routing uv through the session auth proxyrequirements_bazel.txt(was stale, causing the test to fail)Design: Claude Code sessions force the lock action local (where auth proxy is available); CI/RBE uses
exec_properties dockerNetwork:bridgefor direct internet access — the two code paths are independent.Test plan
bazel test //:requirements_test --config=nolintpasses locally in Claude Code containerbazel build //:requirementsruns as1 localaction (confirming--strategy=PyRequirementsLockUv=localworks)https://claude.ai/code/session_01Hfvcxxg9i18tP2NYzqbXpw