Internal change

PiperOrigin-RevId: 922850859

Author: dmitriplotnikov

.bazelrc

@@ -32,3 +32,7 @@ build:windows --google_default_credentials=true
 build:macos --remote_cache=https://storage.googleapis.com/macos-cel-python-remote-cache
 build:macos --google_default_credentials=true
 
+# Silence deprecation warnings from external dependencies (Linux and macOS)
+build:linux --cxxopt=-Wno-deprecated-declarations
+build:macos --cxxopt=-Wno-deprecated-declarations
+

release/kokoro/release_linux.cfg

@@ -3,3 +3,8 @@
 
 build_file: "cel-python/release/kokoro/release_linux.sh"
 timeout_mins: 120
+
+container_properties {
+  docker_image: "us-central1-docker.pkg.dev/kokoro-container-bakery/kokoro/ubuntu/ubuntu2204/ktcb:current"
+  docker_sibling_containers: true
+}

release/kokoro/release_linux.sh

@@ -1,14 +1,113 @@
 #!/bin/bash
 set -e
 
+
+# Avoid virtualenv/pip trying to download/upgrade tools from PyPI on host
+export VIRTUALENV_NO_DOWNLOAD=1
+export PIP_DISABLE_PIP_VERSION_CHECK=1
+
+# Pass these environment variables to the cibuildwheel Docker container
+export CIBW_ENVIRONMENT="VIRTUALENV_NO_DOWNLOAD=1 PIP_DISABLE_PIP_VERSION_CHECK=1"
+export CIBW_DEPENDENCY_VERSIONS="latest"
+
 # If running locally (not on Kokoro), authenticate with gcloud.
 if [ -z "${KOKORO_BUILD_ID}" ]; then
   if ! gcloud auth application-default print-access-token --quiet > /dev/null; then
       gcloud auth application-default login
   fi
 fi
 
-pip install -U keyring keyrings.google-artifactregistry-auth twine cibuildwheel
+# We use --no-cache-dir to force pip to download packages fresh and bypass the local
+# cache. In Kokoro/RBE sandboxed environments, writing to the default cache directory
+# (~/.cache/pip) can encounter permission/sandbox restrictions or lead to stale
+# dependency resolution. Disabling the cache ensures a reliable, reproducible install.
+pip install --no-cache-dir -U keyring keyrings.google-artifactregistry-auth twine cibuildwheel
+
+# Patch cibuildwheel at runtime to bypass the RBE stdout buffering deadlock.
+# The RBE proxy buffers the persistent container bash stdout. By appending a 4KB
+# padding line to the end of every command output, we force the proxy to flush the
+# buffer immediately. We then read and discard this padding to keep the stream clean.
+OCI_PATH=$(python3 -c "import cibuildwheel.oci_container; print(cibuildwheel.oci_container.__file__)")
+echo "Patching cibuildwheel at $OCI_PATH..."
+
+cat << 'EOF' > patch_oci.py
+import sys
+import re
+
+path = sys.argv[1]
+with open(path, 'r') as f:
+    content = f.read()
+
+# 1. Force a 4KB flush at the end of every command execution
+target_write = 'printf "%04d%s\\n" $? {end_of_message}'
+replacement_write = 'printf "%04d%s\\n%4096s\\n" $? {end_of_message} " "'
+if target_write in content:
+    content = content.replace(target_write, replacement_write)
+    print("Patched write loop.")
+
+# 2. Read and discard the 4KB padding to keep the stream clean
+target_read = """                # add the last line to output, without the footer
+                output_io.write(line[0:footer_offset])
+                output_io.flush()
+                break"""
+
+replacement_read = """                # add the last line to output, without the footer
+                output_io.write(line[0:footer_offset])
+                output_io.flush()
+                # Read and discard the 4KB padding line to clear the stream!
+                self.bash_stdout.readline()
+                break"""
+
+if target_read in content:
+    content = content.replace(target_read, replacement_read)
+    print("Patched read loop.")
+
+# 3. Patch the entire copy_into method using a unique regex
+pattern = re.compile(r'    def copy_into\(self,.*?\).*?:.*?    def copy_out', re.DOTALL)
+
+replacement_copy = """    def copy_into(self, from_path: Path, to_path: PurePath) -> None:
+        if from_path.is_dir():
+            self.call(["mkdir", "-p", to_path])
+            subprocess.run(
+                f"tar -c {self.host_tar_format} -f - . | {self.engine.name} exec -i {self.name} tar --no-same-owner -xC {shell_quote(to_path)} -f -",
+                shell=True,
+                check=True,
+                cwd=from_path,
+            )
+        else:
+            self.call(["mkdir", "-p", to_path.parent])
+            # Use native docker cp to copy the file, avoiding stdin EOF deadlocks in RBE
+            subprocess.run(
+                [
+                    self.engine.name,
+                    "cp",
+                    str(from_path),
+                    f"{self.name}:{to_path}",
+                ],
+                check=True,
+            )
+
+    def copy_out"""
+
+if pattern.search(content):
+    content = pattern.sub(replacement_copy, content)
+    print("Patched copy_into method using unique regex.")
+else:
+    print("Error: copy_into method pattern not found!")
+    sys.exit(1)
+
+with open(path, 'w') as f:
+    f.write(content)
+
+print("Successfully patched oci_container.py!")
+EOF
+
+python3 patch_oci.py "$OCI_PATH"
+rm patch_oci.py
+
+# Verify that the patched file is syntactically valid Python
+echo "Verifying patched oci_container.py syntax..."
+python3 -m py_compile "$OCI_PATH" || { echo "ERROR: Patched oci_container.py is corrupted!"; exit 1; }
 
 REPO_DIR=$(mktemp -d)
 echo "Created temporary directory: ${REPO_DIR}"
@@ -43,26 +142,139 @@ echo "Building release for version: ${VERSION}"
 TMP_DIR=$(mktemp -d)
 echo "Build directory: ${TMP_DIR}"
 
-# Add trap cleanup for TMP_DIR as well
-trap 'echo "Cleaning up temporary directories: ${REPO_DIR} ${TMP_DIR}"; rm -rf "${REPO_DIR}" "${TMP_DIR}"' EXIT
+# Define a comprehensive cleanup function that always dumps logs on failure
+cleanup() {
+  echo "=== CLEANUP TRIGGERED ==="
+  if [ -f cibuildwheel.log ]; then
+    echo "=== LAST 200 LINES OF CIBUILDWHEEL LOG ==="
+    tail -n 200 cibuildwheel.log
+  fi
+  echo "Cleaning up temporary directories: ${REPO_DIR} ${TMP_DIR}"
+  rm -rf "${REPO_DIR}" "${TMP_DIR}"
+}
+trap cleanup EXIT
 
 pushd "${TMP_DIR}"
 
 cp -r "${SRC_DIR}"/{*,.*} . 2>/dev/null || true
 cp -r "${SRC_DIR}"/release/* . 2>/dev/null || true
 rm -rf cel_expr_python/*_test.py
 
+echo "Downloading bazelisk on host..."
+curl -LO https://github.com/bazelbuild/bazelisk/releases/download/v1.19.0/bazelisk-linux-amd64
+chmod +x bazelisk-linux-amd64
+
 # Check if pyproject.toml exists before running sed
 if [ -f pyproject.toml ]; then
   sed -i "" "s/\$VERSION/${VERSION}/g" pyproject.toml || sed -i "s/\$VERSION/${VERSION}/g" pyproject.toml
 fi
 
+export CIBW_CONTAINER_ENGINE_EXTRA_ARGS="--network=host"
+
 echo "Running cibuildwheel: ${CIBWHEEL_BIN}"
 # Default CIBWHEEL_BIN if not set
 if [ -z "${CIBWHEEL_BIN}" ]; then
   CIBWHEEL_BIN="python3 -m cibuildwheel"
 fi
-${CIBWHEEL_BIN} --platform linux --output-dir dist
+
+echo "Installing diagnostic tools (psmisc, strace) on host..."
+# We try to install them, but don't fail the build if we can't (e.g. if no sudo or apt)
+sudo apt-get update && sudo apt-get install -y psmisc strace || echo "Failed to install diagnostic tools, proceeding anyway..."
+
+echo "Running cibuildwheel in background..."
+${CIBWHEEL_BIN} --platform linux --output-dir dist > cibuildwheel.log 2>&1 &
+CIBW_PID=$!
+
+echo "Started cibuildwheel in background with PID $CIBW_PID"
+
+# Poll the log file waiting for the hang
+# We look for the "mkdir -p" line followed by no activity for 60 seconds.
+TIMEOUT=900 # 15 minutes total timeout
+ELAPSED=0
+LAST_SIZE=0
+STUCK_COUNT=0
+HANG_DETECTED=false
+
+while kill -0 $CIBW_PID 2>/dev/null; do
+    if [ -f cibuildwheel.log ]; then
+        # Check if the log contains the test setup line
+        if grep -q "mkdir -p" cibuildwheel.log; then
+            CURRENT_SIZE=$(stat -c%s cibuildwheel.log)
+            if [ "$CURRENT_SIZE" -eq "$LAST_SIZE" ]; then
+                # Log size hasn't changed. If this persists for 60 seconds, we assume it is stuck.
+                STUCK_COUNT=$((STUCK_COUNT + 10))
+                echo "Log size unchanged for ${STUCK_COUNT}s at mkdir -p..."
+                if [ $STUCK_COUNT -ge 60 ]; then
+                    HANG_DETECTED=true
+                    break
+                fi
+            else
+                STUCK_COUNT=0
+                LAST_SIZE=$CURRENT_SIZE
+            fi
+        fi
+    fi
+    
+    sleep 10
+    ELAPSED=$((ELAPSED + 10))
+    if [ $ELAPSED -ge $TIMEOUT ]; then
+        echo "Timeout waiting for build to complete."
+        break
+    fi
+done
+
+if [ "$HANG_DETECTED" = "true" ]; then
+    echo "===================================================="
+    echo "!!! DETECTED HANG AT mkdir -p !!! STARTING DIAGNOSTICS"
+    echo "===================================================="
+    
+    echo "=== HOST PROCESSES ==="
+    ps aux
+    
+    echo "=== PROCESS TREE ==="
+    pstree -p -a || echo "pstree not available"
+    
+    echo "=== DOCKER CONTAINERS ==="
+    docker ps -a
+    
+    CONTAINER_ID=$(docker ps -q | head -n 1)
+    if [ -n "$CONTAINER_ID" ]; then
+        echo "=== CONTAINER PROCESSES ($CONTAINER_ID) ==="
+        docker exec "$CONTAINER_ID" ps aux
+        
+        echo "=== CONTAINER LSOF ==="
+        docker exec "$CONTAINER_ID" lsof || echo "lsof not available"
+        
+        echo "=== CONTAINER DOCKER INSPECT ==="
+        docker inspect "$CONTAINER_ID"
+        
+        echo "=== STRACE DOCKER PROCESSES ==="
+        DOCKER_PID=$(pgrep -f "docker start|docker exec" | head -n 1)
+        if [ -n "$DOCKER_PID" ]; then
+            echo "Stracing host docker process $DOCKER_PID for 15 seconds..."
+            timeout 15 strace -p "$DOCKER_PID" -f || true
+        fi
+    else
+        echo "No active docker container found!"
+    fi
+    
+    echo "=== LAST 100 LINES OF CIBUILDWHEEL LOG ==="
+    tail -n 100 cibuildwheel.log
+    
+    echo "Diagnostics complete. Killing cibuildwheel."
+    kill -9 $CIBW_PID
+    exit 99
+fi
+
+# If it didn't hang, wait for it to finish and print the log
+wait $CIBW_PID
+RC=$?
+echo "=== CIBUILDWHEEL LOG ==="
+cat cibuildwheel.log
+if [ $RC -ne 0 ]; then
+    echo "cibuildwheel failed with exit code $RC"
+    exit $RC
+fi
 
 if [ "${DRY_RUN}" = "true" ]; then
   echo "[DRY RUN] Skipping upload to PyPI exit gate."

release/pyproject.toml

@@ -38,13 +38,21 @@ where = ["."]
 exclude = ["codelab*", "conformance*", "custom_ext*", "release*", "testing*", "wheelhouse*"]
 
 [tool.cibuildwheel]
-build = "cp311-* cp312-* cp313-* cp314-*"
-skip = "*musllinux* *win32*"
+build = "cp311-*"
+#build = "cp311-* cp312-* cp313-* cp314-*"
+skip = "*musllinux* *win32* *i686*"
 test-command = "python {project}/cel_basic_test.py"
 build-verbosity = 1
 
 [tool.cibuildwheel.linux]
-before-all = "echo 'Installing bazelisk'; curl -LO https://github.com/bazelbuild/bazelisk/releases/download/v1.19.0/bazelisk-linux-amd64 && chmod +x bazelisk-linux-amd64 && mv bazelisk-linux-amd64 /usr/local/bin/bazel"
+manylinux-x86_64-image = "manylinux_2_28"
+container-engine = "docker; disable_host_mount: True"
+# Google's internal Kokoro/RBE network uses a secure MITM proxy that resigns HTTPS
+# traffic with an internal Google CA. Since the public manylinux container does not
+# trust this CA, git fetches for external dependencies (like @cel-cpp) will fail
+# with SSL certificate errors. We disable http.sslVerify inside the container to
+# bypass this and allow Bazel to fetch SCM dependencies through the proxy.
+before-all = "git config --global http.sslVerify false && echo 'Installing bazelisk' && cp {project}/bazelisk-linux-amd64 /usr/local/bin/bazel"
 
 [tool.cibuildwheel.macos]
 before-all = "echo 'Installing bazelisk'; brew install bazelisk"