
Exclude PassUnsafeEnv from remote digest #3539

Open
njskalski wants to merge 8 commits into thought-machine:master from njskalski:feature/exclude-passunsafeenv-from-remote-digest

@njskalski
Contributor

This patch enables the Remote build to behave more like local, that is, to exclude Unsafe env vars from the digest.

It's gated by a (default disabled) setting in the [Remote] section to not break current setups.

Andrzej J Skalski added 8 commits May 11, 2026 16:40
Adds the missing section in config.html for the new Sandbox.Remote
field so that //docs/test:docs_test passes.

Make PassUnsafeEnv behave on remote execution like it does for the local
cache: the real values are still passed to the executed action, but they no
longer contribute to the remote action digest, so changing them does not
cause remote cache misses.

This generalizes the existing stamped/unstamped decoupling: results are
looked up and stored under a "cache-key" action digest that omits the
volatile values, while the real action (with the values present) is executed
and then backfilled into the cache under the cache-key digest.

Controlled by the new Remote.ExcludePassUnsafeEnvVarsFromDigest config option,
which defaults to true.

Add TestPassUnsafeEnvRemoteCacheHitAcrossValues, which builds a target twice
against the in-process test server with differing PassUnsafeEnv values (using
separate clients with empty local caches) and asserts the second build is a
remote cache hit rather than a re-execution. Adds an execution counter to the
test server to verify the action is executed exactly once.

Flip the new option to be off by default, so PassUnsafeEnv values contribute to
the remote action digest unless explicitly opted in. Update help text, docs,
changelog and tests accordingly.

The previous change only stripped per-target pass_unsafe_env from the cache-key
command. Values declared via the global [Build] PassUnsafeEnv config keyword
enter the build environment through config.GetBuildEnv() and were still left in
the canonical command, so changing them still caused remote cache misses.

Strip both config-level and target-level PassUnsafeEnv (keeping anything also
listed in PassEnv), and treat a non-empty config-level list as enough to enable
the cache-key split. This matches the local cache, which excludes both from its
hash.
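
The cache-key split that the commit messages above describe, sketched as an added example that is not code from this pull request or from the project: the real environment is hashed for execution, while the lookup key is hashed from a copy with the PassUnsafeEnv names removed unless they also appear in PassEnv. The names `digest` and `cacheKeyEnv`, the SHA-256 canonical form, and the sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// digest hashes a command and its environment in canonical (sorted) order.
// It is a simplified stand-in for a remote action digest.
func digest(command string, env map[string]string) string {
	parts := []string{fmt.Sprintf("%q", command)}
	for k, v := range env {
		parts = append(parts, fmt.Sprintf("%q=%q", k, v))
	}
	sort.Strings(parts[1:])
	sum := sha256.Sum256([]byte(strings.Join(parts, "\n")))
	return hex.EncodeToString(sum[:])
}

// cacheKeyEnv returns a copy of env without the variables named in unsafeEnv
// (config-level and target-level names combined), keeping any that are also
// named in passEnv. The input map is not modified.
func cacheKeyEnv(env map[string]string, passEnv, unsafeEnv []string) map[string]string {
	drop := map[string]bool{}
	for _, k := range unsafeEnv {
		drop[k] = true
	}
	for _, k := range passEnv {
		delete(drop, k)
	}
	out := map[string]string{}
	for k, v := range env {
		if !drop[k] {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed sample values: two builds that differ only in CI_TOKEN.
	for _, tok := range []string{"constructed-1", "constructed-2"} {
		env := map[string]string{"PATH": "/usr/bin", "CI_TOKEN": tok}
		key := cacheKeyEnv(env, nil, []string{"CI_TOKEN"})
		fmt.Println(digest("go build", env)[:12], digest("go build", key)[:12])
	}
}
```

Because the stripped values never reach the key, a result produced under one value is served for every other value, so the split suits only variables that cannot change the action's outputs.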