Propagate SSL/proxy environment to pip and uv subprocesses #7012

Merged
pdelagrave merged 6 commits into main from fix/propagate-env-to-pip-uv
Mar 25, 2026

Contributor

@pdelagrave pdelagrave commented Mar 17, 2026

Problem

The environment map configured via PythonRewriteRpc.builder().environment() (containing SSL_CERT_FILE, proxy vars, etc.) was applied to the RPC server process but not to:

  1. The pip bootstrap subprocess in bootstrapOpenrewrite()
  2. uv subprocesses spawned via UvExecutor (used by DependencyWorkspace, UvLockRegeneration, etc.)

This caused pip install openrewrite and uv commands to fail behind corporate proxies with SSL inspection, because the subprocesses never received SSL_CERT_FILE, PIP_CERT, or proxy configuration.

WARNING: Retrying after connection broken by 'SSLError(SSLCertVerificationError(1,
  '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate'))': /simple/openrewrite/

fixes: https://github.com/moderneinc/customer-requests/issues/1891

Solution

  • Apply the environment map to the pip ProcessBuilder in bootstrapOpenrewrite()
  • Add an environment parameter to UvExecutor.run() and thread it explicitly through DependencyWorkspace, UvLockRegeneration, SetupCfgParser, and RequirementsTxtParser via method/constructor parameters
  • In PythonRewriteRpc, pass commandEnv to parseManifest() parsers and createSetupPyMarker() so all downstream subprocess calls inherit SSL/proxy configuration
  • Backward-compatible overloads with empty maps for all public APIs

Companion CLI PR: https://github.com/moderneinc/moderne-cli/pull/3520

@pdelagrave pdelagrave self-assigned this Mar 17, 2026
@github-project-automation github-project-automation bot moved this to In Progress in OpenRewrite Mar 17, 2026
The environment map configured via PythonRewriteRpc.builder().environment()
was applied to the RPC server process but not to the pip bootstrap subprocess
(bootstrapOpenrewrite) or uv subprocesses (via UvExecutor). This caused pip
install and uv commands to fail behind corporate proxies with SSL inspection,
since they never received SSL_CERT_FILE, PIP_CERT, or proxy configuration.

- Apply environment to the pip ProcessBuilder in bootstrapOpenrewrite()
- Add environment parameter to UvExecutor.run() and thread it through
  DependencyWorkspace, UvLockRegeneration, SetupCfgParser, and
  RequirementsTxtParser via explicit method/constructor parameters
- In PythonRewriteRpc, pass commandEnv to parseManifest() parsers and
  createSetupPyMarker() so all downstream subprocess calls inherit
  SSL/proxy configuration
- Backward-compatible overloads with empty maps for all public APIs
@pdelagrave pdelagrave force-pushed the fix/propagate-env-to-pip-uv branch from 818a677 to e78d1e6 Compare March 17, 2026 20:06
@@ -67,6 +69,21 @@ public static Result regenerate(String pyprojectContent) {
* @return a result containing the new lock file content, or an error message
*/
public static Result regenerate(String pyprojectContent, @Nullable String existingLockContent) {
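Review bot: the overload kept at regenerate(String pyprojectContent, @Nullable String existingLockContent) has no environment parameter, so any caller that stays on it runs uv without the configured SSL/proxy variables. If it delegates with an empty map, as the description says of the backward-compatible overloads, say so in its Javadoc and consider marking it @Deprecated so remaining callers move to the variant that accepts the map.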
Member


Same comment as above. AIs tend to want to leave things for backwards compatibility, but if leaving it opens us up for bugs, better to remove aggressively.

Contributor Author


The other one was unused so I removed it; this one is still being used.
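
An added example, not code from this PR or from OpenRewrite: it shows how an overload that delegates with an empty map leaves a child process without the SSL/proxy variables, next to the variant that applies the map to the ProcessBuilder. The class, the `run` helpers, the CA bundle path and the proxy host are all hypothetical, and a POSIX `sh` is assumed for the probe command.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for an executor such as UvExecutor; names and
// signatures here are illustrative, not OpenRewrite's API.
public class EnvPropagationDemo {

    // Overload without an environment: delegates with an empty map, so the
    // child only sees whatever the JVM itself inherited.
    static String run(List<String> command) throws IOException, InterruptedException {
        return run(command, Map.of());
    }

    // Layers the configured variables over the inherited environment.
    static String run(List<String> command, Map<String, String> environment)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(command);
        pb.environment().putAll(environment);
        pb.redirectErrorStream(true);
        Process process = pb.start();
        String output = new String(process.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        process.waitFor();
        return output.trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: the bundle path and proxy host are placeholders.
        Map<String, String> env = new LinkedHashMap<>();
        env.put("SSL_CERT_FILE", "/etc/ssl/certs/corp-ca-bundle.pem");
        env.put("PIP_CERT", "/etc/ssl/certs/corp-ca-bundle.pem");
        env.put("HTTPS_PROXY", "http://proxy.example.internal:3128");

        // Probe child reports what it received (assumes a POSIX sh on PATH).
        List<String> probe = List.of("sh", "-c",
                "echo SSL_CERT_FILE=${SSL_CERT_FILE:-unset} PIP_CERT=${PIP_CERT:-unset} HTTPS_PROXY=${HTTPS_PROXY:-unset}");

        System.out.println("no-env overload: " + run(probe));
        System.out.println("explicit env:    " + run(probe, env));
    }
}
```

When the JVM itself was started without these variables, the first line reports each one as unset, which is the condition under which the subprocess cannot find the inspecting proxy's CA and certificate verification fails.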

@pdelagrave pdelagrave merged commit 8dd7a28 into main Mar 25, 2026
1 check passed
@pdelagrave pdelagrave deleted the fix/propagate-env-to-pip-uv branch March 25, 2026 20:25
@github-project-automation github-project-automation bot moved this from In Progress to Done in OpenRewrite Mar 25, 2026