Internal change

PiperOrigin-RevId: 922850859

Author: dmitriplotnikov

release/kokoro/release_linux.cfg

@@ -3,3 +3,8 @@
 
 build_file: "cel-python/release/kokoro/release_linux.sh"
 timeout_mins: 120
+
+container_properties {
+  docker_image: "us-central1-docker.pkg.dev/kokoro-container-bakery/kokoro/ubuntu/ubuntu2204/ktcb:current"
+  docker_privileged: true
+}

release/kokoro/release_linux.sh

@@ -1,14 +1,35 @@
 #!/bin/bash
 set -e
 
+# Dynamically install podman inside the ktcb container to run self-contained
+# builds inside /tmp and avoid shared RBE volume-mount hangs.
+echo "Installing podman..."
+apt-get update && apt-get install -y podman || true
+
+echo "Verifying podman installation..."
+podman --version || echo "podman not functional"
+
+# Configure podman to use fuse-overlayfs for nested container efficiency,
+# preventing VFS disk bloat from exhausting the RBE disk quota.
+mkdir -p /etc/containers
+cat << 'EOF' > /etc/containers/storage.conf
+[storage]
+driver = "overlay"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+
+[storage.options.overlay]
+mount_program = "/usr/bin/fuse-overlayfs"
+EOF
+
 # If running locally (not on Kokoro), authenticate with gcloud.
 if [ -z "${KOKORO_BUILD_ID}" ]; then
   if ! gcloud auth application-default print-access-token --quiet > /dev/null; then
       gcloud auth application-default login
   fi
 fi
 
-pip install -U keyring keyrings.google-artifactregistry-auth twine cibuildwheel
+pip install --no-cache-dir -U keyring keyrings.google-artifactregistry-auth twine cibuildwheel
 
 REPO_DIR=$(mktemp -d)
 echo "Created temporary directory: ${REPO_DIR}"
@@ -23,7 +44,7 @@ if [ "${DRY_RUN}" = "true" ]; then
   # Get the latest tag or fallback
   VERSION=$(git tag --sort=-v:refname 2>/dev/null | head -n 1 || true)
   if [ -z "${VERSION}" ]; then
-    VERSION="0.1.2"
+    VERSION="v0.1.2"
   fi
   popd
 else
@@ -43,6 +64,23 @@ echo "Building release for version: ${VERSION}"
 TMP_DIR=$(mktemp -d)
 echo "Build directory: ${TMP_DIR}"
 
+# Configure pip inside cibuildwheel to use Google's internal Airlock PyPI mirror,
+# since public PyPI (pypi.org) is blocked by the RBE VM's network firewall.
+# We dynamically fetch the GCE Service Account token from the GCE Metadata Server
+# to authenticate the request to the Artifact Registry repository.
+GCE_TOKEN=$(python3 -c 'import urllib.request, json; req = urllib.request.Request("http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token", headers={"Metadata-Flavor": "Google"}); print(json.loads(urllib.request.urlopen(req).read().decode())["access_token"])')
+export PIP_INDEX_URL="https://oauth2accesstoken:${GCE_TOKEN}@us-python.pkg.dev/artifact-foundry-prod/ah-3p-staging-python/simple/"
+
+# Explicitly disable keyring searches and interactive prompts in pip inside the container
+# to prevent hangs on DBus or credential-helper lookups.
+export PIP_KEYRING_PROVIDER="disabled"
+export PIP_NO_INPUT="true"
+
+export CIBW_ENVIRONMENT="PIP_INDEX_URL=$PIP_INDEX_URL PIP_KEYRING_PROVIDER=$PIP_KEYRING_PROVIDER PIP_NO_INPUT=$PIP_NO_INPUT"
+
+# Enable extremely verbose logs for cibuildwheel.
+export CIBW_BUILD_VERBOSITY=3
+
 # Add trap cleanup for TMP_DIR as well
 trap 'echo "Cleaning up temporary directories: ${REPO_DIR} ${TMP_DIR}"; rm -rf "${REPO_DIR}" "${TMP_DIR}"' EXIT
 

release/pyproject.toml

@@ -41,10 +41,11 @@ exclude = ["codelab*", "conformance*", "custom_ext*", "release*", "testing*", "w
 build = "cp311-* cp312-* cp313-* cp314-*"
 skip = "*musllinux* *win32*"
 test-command = "python {project}/cel_basic_test.py"
-build-verbosity = 1
+build-verbosity = 3
 
 [tool.cibuildwheel.linux]
 before-all = "echo 'Installing bazelisk'; curl -LO https://github.com/bazelbuild/bazelisk/releases/download/v1.19.0/bazelisk-linux-amd64 && chmod +x bazelisk-linux-amd64 && mv bazelisk-linux-amd64 /usr/local/bin/bazel"
+container-engine = { name = "podman", create-args = ["--net", "host"] }
 
 [tool.cibuildwheel.macos]
 before-all = "echo 'Installing bazelisk'; brew install bazelisk"