wheel build is not hermetic

[gfrankliu]

To reproduce

mkdir test
cd test
touch test_py.py
cat << EOF > BUILD
load("@rules_python//python:pip.bzl", "compile_pip_requirements")
load("@third_party_lib//:requirements.bzl", "requirement")

compile_pip_requirements(
    name = "requirements",
    src = "requirements.in",
)

py_binary(
    name = "test_py",
    srcs = ["test_py.py"],
    deps = [requirement("pycocotools")],
)
EOF

cat <<EOF > MODULE.bazel
bazel_dep(name = "rules_python", version = "1.3.0")
python = use_extension("@rules_python//python/extensions:python.bzl", "python")
python.toolchain(
    is_default = True,
    python_version = "3.10",
)

pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
pip.parse(
    enable_implicit_namespace_pkgs = True,
    extra_pip_args = ["--no-cache-dir"],
    hub_name = "third_party_lib",
    python_version = "3.10",
    requirements_lock = "//:requirements.txt",
)
use_repo(pip, "third_party_lib")
EOF

cat <<EOF > requirements.om
pycocotools==2.0.6
EOF

touch requirements.txt
bazel run //:requirements.update
bazel build //:test_py

Now I can see my username "gfrankliu" is embedded in the wheel:

$ strings bazel-bin/test_py.runfiles/rules_python~~pip~third_party_lib_310_pycocotools/site-packages/pycocotools/_mask.cpython-310-x86_64-linux-gnu.so | grep gfrankliu

/home/gfrankliu/.cache/bazel/_bazel_gfrankliu/0c06fba63a99dbe47301a331635af967/external/rules_python~~python~python_3_10_x86_64-unknown-linux-gnu/include/python3.10/cpython/abstract.h

[aignas]

These are repository rules and are expected to be non-hermetic. Only extraction of the pre-existing wheel files is hermetic.

The plan to have hermetic builds is to move that to a build phase.