feat: command_line_option transition support, default windows to enable_runfiles=true #3610
Code Review
This pull request introduces support for //command_line_option transitions in py_binary and py_test rules, providing more flexible configurations. However, a critical security issue was identified in the PowerShell script (build_data_writer.ps1) used to write build data on Windows, as it explicitly grants global read access to the output file. This violates the principle of least privilege and requires remediation. Additionally, consider adding documentation for the new feature and a minor refactoring for improved code conciseness.
…into feat.command_line_option.transition
…l-contrib#3008) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.4.0 to 2.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.5.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h1>Security issues</h1> <p>urllib3 2.5.0 fixes two moderate security issues:</p> <ul> <li>Pool managers now properly control redirects when <code>retries</code> is passed — CVE-2025-50181 reported by <a href="https://github.com/sandumjacob"><code>@sandumjacob</code></a> (5.3 Medium, GHSA-pq67-6m6q-mj2v)</li> <li>Redirects are now controlled by urllib3 in the Node.js runtime — CVE-2025-50182 (5.3 Medium, GHSA-48p4-8xcf-vxj5)</li> </ul> <h1>Features</h1> <ul> <li>Added support for the <code>compression.zstd</code> module that is new in Python 3.14. See <a href="https://peps.python.org/pep-0784/">PEP 784</a> for more information. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3610">#3610</a>)</li> <li>Added support for version 0.5 of <code>hatch-vcs</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/3612">#3612</a>)</li> </ul> <h1>Bugfixes</h1> <ul> <li>Raised exception for <code>HTTPResponse.shutdown</code> on a connection already released to the pool. 
(<a href="https://redirect.github.com/urllib3/urllib3/issues/3581">#3581</a>)</li> <li>Fixed incorrect <code>CONNECT</code> statement when using an IPv6 proxy with <code>connection_from_host</code>. Previously would not be wrapped in <code>[]</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3615">#3615</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.5.0 (2025-06-18)</h1> <h2>Features</h2> <ul> <li>Added support for the <code>compression.zstd</code> module that is new in Python 3.14. See <code>PEP 784 <https://peps.python.org/pep-0784/></code>_ for more information. (<code>[bazel-contrib#3610](urllib3/urllib3#3610) <https://github.com/urllib3/urllib3/issues/3610></code>__)</li> <li>Added support for version 0.5 of <code>hatch-vcs</code> (<code>[bazel-contrib#3612](urllib3/urllib3#3612) <https://github.com/urllib3/urllib3/issues/3612></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a security issue where restricting the maximum number of followed redirects at the <code>urllib3.PoolManager</code> level via the <code>retries</code> parameter did not work.</li> <li>Made the Node.js runtime respect redirect parameters such as <code>retries</code> and <code>redirects</code>.</li> <li>Raised exception for <code>HTTPResponse.shutdown</code> on a connection already released to the pool. (<code>[bazel-contrib#3581](urllib3/urllib3#3581) <https://github.com/urllib3/urllib3/issues/3581></code>__)</li> <li>Fixed incorrect <code>CONNECT</code> statement when using an IPv6 proxy with <code>connection_from_host</code>. Previously would not be wrapped in <code>[]</code>. 
(<code>[bazel-contrib#3615](urllib3/urllib3#3615) <https://github.com/urllib3/urllib3/issues/3615></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/aaab4eccc10c965897540b21e15f11859d0b62e7"><code>aaab4ec</code></a> Release 2.5.0</li> <li><a href="https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f"><code>7eb4a2a</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857"><code>f05b132</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/d03fe327a71d09728512217149f269763671f296"><code>d03fe32</code></a> Fix HTTP tunneling with IPv6 in older Python versions</li> <li><a href="https://github.com/urllib3/urllib3/commit/11661e9bb4278e43d081f47a516e287a928c2206"><code>11661e9</code></a> Bump github/codeql-action from 3.28.0 to 3.29.0 (<a href="https://redirect.github.com/urllib3/urllib3/issues/3624">#3624</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/6a0ecc6b16fe30f721021b44a81d19615098c71e"><code>6a0ecc6</code></a> Update v2 migration guide to 2.4.0 (<a href="https://redirect.github.com/urllib3/urllib3/issues/3621">#3621</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/8e32e60d9024c05bc6f7adda08bdf6c539d0b0d4"><code>8e32e60</code></a> Raise exception for shutdown on a connection already released to the pool (<a href="https://redirect.github.com/urllib3/urllib3/issues/3">#3</a>...</li> <li><a href="https://github.com/urllib3/urllib3/commit/9996e0fbf90b77083ad3c73737a6c6395703faa9"><code>9996e0f</code></a> Fix emscripten CI for Chrome 137+ (<a href="https://redirect.github.com/urllib3/urllib3/issues/3599">#3599</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/4fd1a99a59725faf0efc946ce3b6bc9a194420af"><code>4fd1a99</code></a> Bump RECENT_DATE (<a 
href="https://redirect.github.com/urllib3/urllib3/issues/3617">#3617</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/c4b5917e911a90c8bf279448df8952a682294135"><code>c4b5917</code></a> Add support for the new <code>compression.zstd</code> module in Python 3.14 (<a href="https://redirect.github.com/urllib3/urllib3/issues/3611">#3611</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.4.0...2.5.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/bazel-contrib/rules_python/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
### What does this PR do?

Bump rules_python from 1.8.5 to 1.9.0 in isolation, as a prerequisite for bumping rules_foreign_cc to a commit that requires its transitive deps to be up-to-date.

### Motivation

rules_python 1.9.0 defaults py_binary to enable_runfiles=true on Windows (bazel-contrib/rules_python#3610), whereas Bazel itself defaults to false. This changes how the pkg_install-generated py_binary creates its runfiles tree on Windows and exposed a breakage in the combined rules_foreign_cc + rules_python bump. Isolating the rules_python bump here makes it easier to verify and fix any fallout before stacking the rules_foreign_cc change on top.

### Describe how you validated your changes

CI.
### What does this PR do?

Bump rules_python from 1.8.5 to 1.9.0 in isolation, as a prerequisite for bumping rules_foreign_cc to a commit that requires its transitive deps to be up-to-date. Fix a Windows breakage in compliance/package_licenses.bzl exposed by the bump.

### Motivation

rules_python 1.9.0 enables runfiles on Windows for py_binary (bazel-contrib/rules_python#3610). Where 1.8.5 pointed RUNFILES_DIR at the build-time runfiles directory, 1.9.0 makes bazel run copy the runfiles into a fresh temp directory. Bazel skips empty directories in that copy.

package_licenses unconditionally included the offers_dir tree artifact in pkg_files. ship_source_offer is not declared by any dep, so offers_dir is always empty. On Linux and macOS bazel run uses symlinks, so an empty tree is harmless. On Windows the directory is absent from the temp copy, and pkg_install's copytree call fails with FileNotFoundError. The fix excludes offers_dir on Windows. The problem is still present in the latest rules_pkg main (bazelbuild/rules_pkg#1046 is unrelated).

### Describe how you validated your changes

Reproduced the failure locally on a Windows VM with rules_python 1.9.0, confirmed the fix resolves it.
### What does this PR do?

Bump rules_python from 1.8.5 to 1.9.0 in isolation, as a prerequisite for bumping rules_foreign_cc to a commit that requires its transitive deps to be up-to-date. Fix Windows breakages in compliance/package_licenses.bzl and deps/openssl.BUILD.bazel exposed by the bump.

### Motivation

rules_python 1.9.0 enables runfiles on Windows for py_binary (bazel-contrib/rules_python#3610). Where 1.8.5 pointed RUNFILES_DIR at the build-time runfiles directory, 1.9.0 makes bazel run copy the runfiles into a fresh temp directory. Bazel skips empty directories in that copy.

package_licenses unconditionally included the offers_dir tree artifact in pkg_files. ship_source_offer is not declared by any dep, so offers_dir is always empty. On Linux and macOS bazel run uses symlinks, so an empty tree is harmless. On Windows the directory is absent from the temp copy, and pkg_install's copytree call fails with FileNotFoundError. The fix excludes offers_dir on Windows. The problem is still present in the latest rules_pkg main (bazelbuild/rules_pkg#1046 is unrelated).

The openssl FIPS build on Windows declares out_data_dirs = ["ssl", "lib/ossl-modules", "lib/engines-3"]. ssl/ is empty because --openssldir is set to an absolute path (C:/Program Files/…) outside the Bazel sandbox, so install_ssldirs writes there and leaves the sandbox copy empty. lib/ossl-modules/ and lib/engines-3/ are not installed on Windows FIPS (the FIPS provider comes from @openssl_fips). The fix drops these from out_data_dirs on Windows FIPS via the existing fips_windows config_setting.

### Describe how you validated your changes

Reproduced both failures locally on a Windows VM with rules_python 1.9.0, confirmed both fixes resolve them.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
### What does this PR do?

Bump `rules_python` from 1.8.5 to 1.9.0 in isolation, as a prerequisite for bumping `rules_foreign_cc` to a commit that requires its transitive deps to be up-to-date (#48071).

This requires fixing Windows breakages exposed by the bump:

```
The following shell command exited with status 1:
$ bazelisk run --//:install_dir=C:/opt/datadog-agent --//packages/agent:flavor=base -- //packages/install_dir:install
Output: (nothing)
Error:
[...]
INFO: Running command line: C:/bzl/bazel/bv4fleb2/execroot/_main/bazel-out/x64_windows-fastbuild-ST-591ff087943d/bin/packages/install_dir/install.exe
INFO: Installing to C:/opt/datadog-agent
Traceback (most recent call last):
[...]
  File "C:\Users\ContainerAdministrator\AppData\Local\Temp\Bazel.runfiles_heizzvq5\runfiles\rules_python++python+python_3_12_x86_64-pc-windows-msvc\Lib\shutil.py", line 598, in copytree
    with os.scandir(src) as itr:
         ^^^^^^^^^^^^^^^
FileNotFoundError: [WinError 3] The system cannot find the path specified: 'C:\\Users\\ContainerAdministrator\\AppData\\Local\\Temp\\Bazel.runfiles_heizzvq5\\runfiles/_main/packages/install_dir/sources'
```

([example](https://gitlab.ddbuild.io/DataDog/datadog-agent/-/jobs/1524102425#L1688))

```
The following shell command exited with status 1:
$ bazelisk run --//packages/agent:flavor=fips -- @openssl//:install --destdir=C:/opt/datadog-agent
Output: (nothing)
Error:
[...]
INFO: Running command line: C:/bzl/bazel/bv4fleb2/execroot/_main/bazel-out/x64_windows-fastbuild-ST-591ff087943d/bin/external/+_repo_rules+openssl/install.exe <args omitted>
INFO: Installing to C:/opt/datadog-agent
Traceback (most recent call last):
[...]
  File "C:\Users\ContainerAdministrator\AppData\Local\Temp\Bazel.runfiles_5r0pk0mf\runfiles\rules_python++python+python_3_12_x86_64-pc-windows-msvc\Lib\shutil.py", line 598, in copytree
    with os.scandir(src) as itr:
         ^^^^^^^^^^^^^^^
FileNotFoundError: [WinError 3] The system cannot find the path specified: 'C:\\Users\\ContainerAdministrator\\AppData\\Local\\Temp\\Bazel.runfiles_5r0pk0mf\\runfiles/+_repo_rules+openssl/openssl/ssl'
```

([example](https://gitlab.ddbuild.io/DataDog/datadog-agent/-/jobs/1524399502#L484))

### Motivation

`rules_python` 1.9.0 enables runfiles on Windows (👍) for `py_binary` (bazel-contrib/rules_python#3610) so, where 1.8.5 pointed `RUNFILES_DIR` at the build-time runfiles directory, 1.9.0 makes `bazel run` copy the runfiles into a fresh temp directory **where Bazel would skip empty directories**, logically leading `pkg_install`'s `copytree` to fail with the above `FileNotFoundError` cases.

Bug (TODOs) surfaced:

1. `package_licenses` unconditionally included the `offers_dir` tree artifact in `pkg_files` but, since **`ship_source_offer` is not declared by any dep (work in progress?), `offers_dir` is always empty**:
   - on Linux and macOS `bazel run` uses symlinks, so an empty tree is useless but harmless,
   - on Windows the directory is absent from the temp copy => `FileNotFoundError`.

   **The fix consists in excluding `offers_dir` on ~Windows~ _all platforms_ until the work is resumed.**
2. the openssl FIPS build on Windows declares `out_data_dirs = ["ssl", "lib/ossl-modules", "lib/engines-3"]`, but `ssl/` is empty because `--openssldir` is set to an absolute path (`C:/Program Files/…`) **outside the Bazel sandbox**, so `install_ssldirs` writes there and leaves the sandbox copy empty => `FileNotFoundError`.

   **The fix drops `ssl/` from `out_data_dirs` on Windows FIPS** via the existing `fips_windows` config setting.

### Describe how you validated your changes

Reproduced the failures locally on a Windows VM with rules_python 1.9.0, confirmed the fixes resolve them.

Co-authored-by: regis.desgroppes <regis.desgroppes@datadoghq.com>
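The failure mode described in the commit message above can be reproduced on any platform. This is an added example, not code from the commit or from `rules_python`: `copy_files_only` is an assumed stand-in for a runfiles copy that skips empty directories, and the file name `module.bin` and the helper names are constructed.

```python
import os
import shutil
import tempfile
from pathlib import Path


def copy_files_only(src: Path, dst: Path) -> None:
    """Model (assumption) of the temp runfiles copy: files are copied and
    their parent directories created, so empty directories never appear."""
    for root, _dirs, files in os.walk(src):
        for name in files:
            rel = Path(root, name).relative_to(src)
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src / rel, dst / rel)


def missing_declared_dirs(runfiles: Path, declared: list[str]) -> list[str]:
    """Declared data directories that do not exist in the runfiles copy."""
    return [d for d in declared if not (runfiles / d).is_dir()]


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp_name:
        tmp = Path(tmp_name)
        built, runfiles, dest = tmp / "built", tmp / "runfiles", tmp / "dest"
        # Constructed build output: one populated directory, one empty one.
        (built / "lib/ossl-modules").mkdir(parents=True)
        (built / "lib/ossl-modules/module.bin").write_bytes(b"constructed")
        (built / "ssl").mkdir()
        declared = ["ssl", "lib/ossl-modules"]
        copy_files_only(built, runfiles)

        # Naive install: copytree on a declared directory that was empty.
        try:
            shutil.copytree(runfiles / "ssl", dest / "naive" / "ssl")
            naive_error = None
        except FileNotFoundError as exc:
            naive_error = type(exc).__name__

        # Pre-flight check, then install only what actually exists.
        missing = missing_declared_dirs(runfiles, declared)
        for d in declared:
            if d not in missing:
                shutil.copytree(runfiles / d, dest / d)
        installed = sorted(p.relative_to(dest).as_posix()
                           for p in dest.rglob("*") if p.is_file())
        return {"naive_error": naive_error, "missing": missing,
                "installed": installed}
```

Running `missing_declared_dirs` in CI against the declared `out_data_dirs` flags entries such as `ssl` before the install step hits `copytree`.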
In order to run a `py_binary` on Windows without zipping it, runfiles need to be
created. However, Bazel defaults to `--enable_runfiles=false` for Windows.

To fix, make `py_binary` set `enable_runfiles=true` for Windows by default. This
is chosen because supporting a runfiles-less mode is quite invasive (many changes
to bootstraps, plus improving the existing "recreate venv at runtime" logic to
recreate the entire venv).

A complication is that the `//command_line_option:...` targets don't actually
exist, so they can't be passed as targets to the `config_settings` attribute
(Bazel special cases them in other contexts). To fix, fake alias targets are
created, and the py_binary transition logic is updated to treat those fakes as
aliases for the real ones.

To allow arbitrary `//command_line_option` flags to be transitioned on (using the
`add_transition_label()` APIs), the parsing logic treats any label whose package
is `command_line_option` as such a special alias.
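The aliasing rule in the description above, modelled in Python as an added example; it is not the PR's Starlark code. The function names, the `@rules_python` repo prefix on the fake targets, the string values and the rule that an explicit setting overrides the Windows default are all assumptions made for illustration.

```python
NATIVE_PKG = "command_line_option"


def split_label(label: str) -> tuple[str, str, str]:
    """Split '@repo//pkg:name' into (repo, pkg, name).

    A label without ':name' uses the last package component as its name.
    """
    repo, sep, rest = label.partition("//")
    if not sep:
        raise ValueError(f"not an absolute label: {label!r}")
    pkg, colon, name = rest.partition(":")
    if not colon:
        name = pkg.rsplit("/", 1)[-1]
    return repo, pkg, name


def transition_key(label: str) -> str:
    """Map a fake alias target to the native-flag key; other labels pass through."""
    _repo, pkg, name = split_label(label)
    # Exact package match: '//tools/command_line_option:x' is an ordinary
    # target and must not be rewritten into a native flag.
    if pkg == NATIVE_PKG:
        return f"//{NATIVE_PKG}:{name}"
    return label


def transition_outputs(config_settings: dict[str, str],
                       is_windows: bool) -> dict[str, str]:
    """Build the transition's output settings from a config_settings dict."""
    out: dict[str, str] = {}
    if is_windows:
        # Default described above: enable runfiles for Windows.
        out[f"//{NATIVE_PKG}:enable_runfiles"] = "true"
    for label, value in config_settings.items():
        # Assumption: an explicit setting overrides the default.
        out[transition_key(label)] = value
    return out
```

Matching on the whole package name rather than a substring keeps unrelated targets from being treated as native Bazel flags.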