fix: establish hermetic environment for docs-site Node.js subprocesses

avrabe · avrabe · commit 5ab084b812e3 · 2025-08-23T17:19:12.000+02:00
Remove use_default_shell_env and set up controlled hermetic environment
that includes node binary in PATH for npm subprocesses (like Sharp package
post-install scripts). This eliminates system environment contamination
while ensuring npm dependencies can find the hermetic node binary.

Key changes:
- Remove use_default_shell_env = True
- Set up minimal npm_env with hermetic PATH
- Include node binary directory for subprocess access
- Add npm cache configuration for isolation

This resolves the "sh: node: command not found" errors in docs-site builds
while maintaining hermetic isolation principles.
diff --git a/docs-site/docs_build.bzl b/docs-site/docs_build.bzl
@@ -70,6 +70,19 @@ def main():
         # Resolve npm binary to absolute path before changing directory
         npm_abs_path = os.path.abspath(npm_binary)
         
+        # Set up PATH to include hermetic node binary for npm subprocesses
+        node_bin_dir = os.path.dirname(npm_abs_path)
+        current_path = os.environ.get("PATH", "")
+        hermetic_path = f"{node_bin_dir}:{current_path}" if current_path else node_bin_dir
+        
+        # Set up minimal hermetic environment for npm
+        npm_env = {
+            "PATH": hermetic_path,
+            "NODE_PATH": "",  # Clear any existing NODE_PATH
+            "npm_config_cache": os.path.join(work_dir, ".npm-cache"),
+            "npm_config_progress": "false",
+        }
+        
         # Change to workspace for npm operations
         original_cwd = os.getcwd()
         os.chdir(work_dir)
@@ -81,7 +94,8 @@ def main():
                 [npm_abs_path, "install", "--no-audit", "--no-fund"],
                 capture_output=True,
                 text=True,
-                timeout=300  # 5 minute timeout
+                timeout=300,  # 5 minute timeout
+                env=npm_env
             )
 
             if result.returncode != 0:
@@ -96,7 +110,8 @@ def main():
                 [npm_abs_path, "run", "build"],
                 capture_output=True,
                 text=True,
-                timeout=300  # 5 minute timeout
+                timeout=300,  # 5 minute timeout
+                env=npm_env
             )
 
             if result.returncode != 0:
@@ -158,7 +173,6 @@ if __name__ == "__main__":
         execution_requirements = {
             "local": "1",  # npm install needs network
         },
-        use_default_shell_env = True,
     )
 
     return [
