bazel: Set a sensible strict action environment.

Bazel either reuses the `PATH` from the client, or sets a hardcoded
one. The former mode in problematic for build hermeticity. But the
latter is crippled on NixOS, because the hardcoded value is
`/bin:/usr/bin`. So we set the hardcoded value to match what
`customBash` provides. This has the effect of aligning the
environments for `ctx.actions.run` and `ctx.actions.run_shell`, which
were previously distinct (bug).

1 files changed, 9 insertions, 0 deletions

diff --git a/pkgs/development/tools/build-managers/bazel/default.nix b/pkgs/development/tools/build-managers/bazel/default.nix
index 1ccbb3173308..b59a93d37324 100644
--- a/pkgs/development/tools/build-managers/bazel/default.nix
+++ b/pkgs/development/tools/build-managers/bazel/default.nix
@@ -96,6 +96,15 @@ stdenv.mkDerivation rec {
     sed -i -e "361 a --host_copt=\"$(echo $NIX_CFLAGS_COMPILE | sed -e 's/ /" --host_copt=\"/g')\" \\\\" scripts/bootstrap/compile.sh
     sed -i -e "361 a --linkopt=\"-Wl,$(echo $NIX_LDFLAGS | sed -e 's/ /" --linkopt=\"-Wl,/g')\" \\\\" scripts/bootstrap/compile.sh
     sed -i -e "361 a --host_linkopt=\"-Wl,$(echo $NIX_LDFLAGS | sed -e 's/ /" --host_linkopt=\"-Wl,/g')\" \\\\" scripts/bootstrap/compile.sh
+
+    # --experimental_strict_action_env (which will soon become the
+    # default, see bazelbuild/bazel#2574) hardcodes the default
+    # action environment to a value that on NixOS at least is bogus.
+    # So we hardcode it to something useful.
+    substituteInPlace \
+		  src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java \
+      --replace /bin:/usr/bin ${defaultShellPath}
+
     patchShebangs .
   '';