Add a feature for flipping the isolation bit

Author: arrdem

py/private/py_venv/py_venv.bzl

@@ -133,6 +133,10 @@ def _py_venv_base_impl(ctx):
                 py_toolchain.interpreter_version_info.major,
                 py_toolchain.interpreter_version_info.minor,
             ),
+            "--include-system-site-packages=" + ({
+                True: "true",
+                False: "false"
+            }[ctx.attr.include_system_site_packages]),
         ] + (["--debug"] if ctx.attr.debug else []),
         inputs = rfs.merge_all([
             ctx.runfiles(files = [
@@ -294,6 +298,24 @@ A collision can occur when multiple packages providing the same file are install
     "debug": attr.bool(
         default = False,
     ),
+    "include_system_site_packages": attr.bool(
+        default = True,
+        doc = """`pyvenv.cfg` feature flag for the `include-system-site-packages` key.
+
+When `True`, the user's site directory AND the interpreter's site directory will
+be included into the runtime pythonpath.
+
+When `False`, only the virtualenv's site directory and the interpreter's core
+libraries will be included into the runtime pythonpath.
+
+`False` is obviously preferable as it increases hermeticity, but the choice of
+`False` cases for instance a `pip` or `setuptools` bundled into the interpreter
+to be unusable. Many libraries assume these packages will always be available
+and may not reliably declare their dependencies such that Bazel will satisfy
+them, so choosing isolation could expose packaging errors.
+
+"""
+    ),
 })
 
 _attrs.update(**_py_library.attrs)

py/tools/py/src/pyvenv.cfg.tmpl

@@ -1,6 +1,6 @@
 home = ./bin/python3
 implementation = CPython
 version_info = {{MAJOR}}.{{MINOR}}.{{PATCH}}
-include-system-site-packages = true
+include-system-site-packages = {{INCLUDE_SYSTEM_SITE}}
 relocatable = true
 {{INTERPRETER}}

py/tools/py/src/venv.rs

@@ -210,6 +210,7 @@ pub fn create_empty_venv<'a>(
     env_file: &Option<PathBuf>,
     venv_shim: &Option<PathBuf>,
     debug: bool,
+    include_system_site_packages: bool,
 ) -> miette::Result<Virtualenv> {
     let build_dir = current_dir().into_diagnostic()?;
     let home_dir = &build_dir.join(location.to_path_buf());
@@ -265,7 +266,11 @@ aspect_runfiles_repo = {1}
             .replace("{{MAJOR}}", &venv.version_info.major.to_string())
             .replace("{{MINOR}}", &venv.version_info.minor.to_string())
             .replace("{{PATCH}}", &venv.version_info.patch.to_string())
-            .replace("{{INTERPRETER}}", interpreter_cfg_snippet),
+            .replace("{{INTERPRETER}}", interpreter_cfg_snippet)
+            .replace(
+                "{{INCLUDE_SYSTEM_SITE}}",
+                &include_system_site_packages.to_string(),
+            ),
     )
     .into_diagnostic()?;
 

py/tools/venv_bin/src/main.rs

@@ -1,5 +1,6 @@
 use std::path::PathBuf;
 
+use clap::ArgAction;
 use clap::Parser;
 use miette::miette;
 use miette::Context;
@@ -90,6 +91,16 @@ struct VenvArgs {
 
     #[arg(long, default_value_t = false)]
     debug: bool,
+
+    #[clap(
+        long,
+        default_missing_value("true"),
+        default_value("true"),
+        num_args(0..=1),
+        require_equals(true),
+        action = ArgAction::Set,
+    )]
+    include_system_site_packages: bool,
 }
 
 fn venv_cmd_handler(args: VenvArgs) -> miette::Result<()> {
@@ -119,6 +130,7 @@ fn venv_cmd_handler(args: VenvArgs) -> miette::Result<()> {
                 &args.env_file,
                 &args.venv_shim,
                 args.debug,
+                args.include_system_site_packages,
             )?;
 
             py::venv::populate_venv_with_copies(
@@ -147,6 +159,7 @@ fn venv_cmd_handler(args: VenvArgs) -> miette::Result<()> {
                 &args.env_file,
                 &args.venv_shim,
                 args.debug,
+                args.include_system_site_packages,
             )?;
 
             py::venv::populate_venv_with_pth(