Internal change

PiperOrigin-RevId: 922850859

Author: dmitriplotnikov

.bazelrc

@@ -32,3 +32,7 @@ build:windows --google_default_credentials=true
 build:macos --remote_cache=https://storage.googleapis.com/macos-cel-python-remote-cache
 build:macos --google_default_credentials=true
 
+# Silence deprecation warnings from external dependencies (Linux and macOS)
+build:linux --cxxopt=-Wno-deprecated-declarations
+build:macos --cxxopt=-Wno-deprecated-declarations
+

release/kokoro/release_linux.cfg

@@ -3,3 +3,8 @@
 
 build_file: "cel-python/release/kokoro/release_linux.sh"
 timeout_mins: 120
+
+container_properties {
+  docker_image: "us-central1-docker.pkg.dev/kokoro-container-bakery/kokoro/ubuntu/ubuntu2204/ktcb:current"
+  docker_privileged: true
+}

release/kokoro/release_linux.sh

@@ -1,21 +1,53 @@
 #!/bin/bash
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 set -e
 
+# Avoid virtualenv/pip trying to download/upgrade tools from PyPI on host
+export VIRTUALENV_NO_DOWNLOAD=1
+export PIP_DISABLE_PIP_VERSION_CHECK=1
+
+# Pass these environment variables to the cibuildwheel Docker container
+export CIBW_ENVIRONMENT="VIRTUALENV_NO_DOWNLOAD=1 PIP_DISABLE_PIP_VERSION_CHECK=1"
+export CIBW_DEPENDENCY_VERSIONS="latest"
+
 # If running locally (not on Kokoro), authenticate with gcloud.
 if [ -z "${KOKORO_BUILD_ID}" ]; then
   if ! gcloud auth application-default print-access-token --quiet > /dev/null; then
       gcloud auth application-default login
   fi
 fi
 
-pip install -U keyring keyrings.google-artifactregistry-auth twine cibuildwheel
+# We use --no-cache-dir to force pip to download packages fresh and bypass the local
+# cache. In Kokoro/RBE sandboxed environments, writing to the default cache directory
+# (~/.cache/pip) can encounter permission/sandbox restrictions or lead to stale
+# dependency resolution. Disabling the cache ensures a reliable, reproducible install.
+pip install --no-cache-dir -U keyring keyrings.google-artifactregistry-auth twine cibuildwheel
+
+REPO_DIR=""
+TMP_DIR=""
+cleanup() {
+  echo "Cleaning up temporary directories..."
+  [ -n "${REPO_DIR}" ] && rm -rf "${REPO_DIR}"
+  [ -n "${TMP_DIR}" ] && rm -rf "${TMP_DIR}"
+}
+trap cleanup EXIT
 
 REPO_DIR=$(mktemp -d)
 echo "Created temporary directory: ${REPO_DIR}"
 
-# Ensure the temporary directory is removed on script exit
-trap 'echo "Cleaning up temporary directory: ${REPO_DIR}"; rm -rf "${REPO_DIR}"' EXIT
-
 if [ "${DRY_RUN}" = "true" ]; then
   echo "[DRY RUN] Using local Kokoro clone instead of cloning main."
   SRC_DIR="$(cd "$(dirname "$0")/../.." && pwd)"
@@ -43,25 +75,30 @@ echo "Building release for version: ${VERSION}"
 TMP_DIR=$(mktemp -d)
 echo "Build directory: ${TMP_DIR}"
 
-# Add trap cleanup for TMP_DIR as well
-trap 'echo "Cleaning up temporary directories: ${REPO_DIR} ${TMP_DIR}"; rm -rf "${REPO_DIR}" "${TMP_DIR}"' EXIT
-
 pushd "${TMP_DIR}"
 
 cp -r "${SRC_DIR}"/{*,.*} . 2>/dev/null || true
 cp -r "${SRC_DIR}"/release/* . 2>/dev/null || true
 rm -rf cel_expr_python/*_test.py
 
+echo "Downloading bazelisk on host..."
+curl -LO https://github.com/bazelbuild/bazelisk/releases/download/v1.19.0/bazelisk-linux-amd64
+chmod +x bazelisk-linux-amd64
+
 # Check if pyproject.toml exists before running sed
 if [ -f pyproject.toml ]; then
   sed -i "" "s/\$VERSION/${VERSION}/g" pyproject.toml || sed -i "s/\$VERSION/${VERSION}/g" pyproject.toml
 fi
 
-echo "Running cibuildwheel: ${CIBWHEEL_BIN}"
+export CIBW_CONTAINER_ENGINE_EXTRA_ARGS="--network=host"
+
+echo "Running cibuildwheel..."
 # Default CIBWHEEL_BIN if not set
 if [ -z "${CIBWHEEL_BIN}" ]; then
   CIBWHEEL_BIN="python3 -m cibuildwheel"
 fi
+
+# Run cibuildwheel synchronously. Output goes directly to the console in real-time.
 ${CIBWHEEL_BIN} --platform linux --output-dir dist
 
 if [ "${DRY_RUN}" = "true" ]; then

release/pyproject.toml

@@ -38,13 +38,20 @@ where = ["."]
 exclude = ["codelab*", "conformance*", "custom_ext*", "release*", "testing*", "wheelhouse*"]
 
 [tool.cibuildwheel]
-build = "cp311-* cp312-* cp313-* cp314-*"
-skip = "*musllinux* *win32*"
+build = "cp311-*"
+#build = "cp311-* cp312-* cp313-* cp314-*"
+skip = "*musllinux* *win32* *i686*"
 test-command = "python {project}/cel_basic_test.py"
 build-verbosity = 1
 
 [tool.cibuildwheel.linux]
-before-all = "echo 'Installing bazelisk'; curl -LO https://github.com/bazelbuild/bazelisk/releases/download/v1.19.0/bazelisk-linux-amd64 && chmod +x bazelisk-linux-amd64 && mv bazelisk-linux-amd64 /usr/local/bin/bazel"
+manylinux-x86_64-image = "manylinux_2_28"
+# Google's internal Kokoro/RBE network uses a secure MITM proxy that resigns HTTPS
+# traffic with an internal Google CA. Since the public manylinux container does not
+# trust this CA, git fetches for external dependencies (like @cel-cpp) will fail
+# with SSL certificate errors. We disable http.sslVerify inside the container to
+# bypass this and allow Bazel to fetch SCM dependencies through the proxy.
+before-all = "git config --global http.sslVerify false && echo 'Installing bazelisk' && cp {project}/bazelisk-linux-amd64 /usr/local/bin/bazel"
 
 [tool.cibuildwheel.macos]
 before-all = "echo 'Installing bazelisk'; brew install bazelisk"