Propagate SSL/proxy environment to pip and uv subprocesses #7012

Open
pdelagrave wants to merge 1 commit into main from fix/propagate-env-to-pip-uv

pdelagrave commented Mar 17, 2026

Problem

The environment map configured via PythonRewriteRpc.builder().environment() (containing SSL_CERT_FILE, proxy vars, etc.) was applied to the RPC server process but not to:

  1. The pip bootstrap subprocess in bootstrapOpenrewrite()
  2. uv subprocesses spawned via UvExecutor (used by DependencyWorkspace, UvLockRegeneration, etc.)

This caused pip install openrewrite and uv commands to fail behind corporate proxies with SSL inspection, because the subprocesses never received SSL_CERT_FILE, PIP_CERT, or proxy configuration.

WARNING: Retrying after connection broken by 'SSLError(SSLCertVerificationError(1,
  '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate'))': /simple/openrewrite/

fixes: https://github.com/moderneinc/customer-requests/issues/1891

Solution

  • Apply the environment map to the pip ProcessBuilder in bootstrapOpenrewrite()
  • Add an environment parameter to UvExecutor.run() and thread it explicitly through DependencyWorkspace, UvLockRegeneration, SetupCfgParser, and RequirementsTxtParser via method/constructor parameters
  • In PythonRewriteRpc, pass commandEnv to parseManifest() parsers and createSetupPyMarker() so all downstream subprocess calls inherit SSL/proxy configuration
  • Backward-compatible overloads with empty maps for all public APIs

Companion CLI PR: https://github.com/moderneinc/moderne-cli/pull/3520

pdelagrave self-assigned this Mar 17, 2026
github-project-automation bot moved this to In Progress in OpenRewrite Mar 17, 2026

The environment map configured via PythonRewriteRpc.builder().environment()
was applied to the RPC server process but not to the pip bootstrap subprocess
(bootstrapOpenrewrite) or uv subprocesses (via UvExecutor). This caused pip
install and uv commands to fail behind corporate proxies with SSL inspection,
since they never received SSL_CERT_FILE, PIP_CERT, or proxy configuration.

- Apply environment to the pip ProcessBuilder in bootstrapOpenrewrite()
- Add environment parameter to UvExecutor.run() and thread it through
  DependencyWorkspace, UvLockRegeneration, SetupCfgParser, and
  RequirementsTxtParser via explicit method/constructor parameters
- In PythonRewriteRpc, pass commandEnv to parseManifest() parsers and
  createSetupPyMarker() so all downstream subprocess calls inherit
  SSL/proxy configuration
- Backward-compatible overloads with empty maps for all public APIs

pdelagrave force-pushed the fix/propagate-env-to-pip-uv branch from 818a677 to e78d1e6 Mar 17, 2026 20:06
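
The pattern described in this PR, as an added sketch that is not taken from the PR's diff: a configured environment map is overlaid on the child's `ProcessBuilder`, with an empty-map overload for existing callers. The class and method names, the CA bundle path and the proxy URL are assumptions, and a POSIX `sh` probe stands in for pip or uv.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; names are hypothetical, not the project's UvExecutor.
public class EnvPropagationDemo {

    // Backward-compatible overload: callers that pass no map keep the old behaviour.
    static String run(List<String> command) throws IOException, InterruptedException {
        return run(command, Collections.emptyMap());
    }

    // Overlay the configured map on the inherited environment before starting the child.
    static String run(List<String> command, Map<String, String> environment)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(command);
        pb.environment().putAll(environment); // omit this and the child never sees the map
        pb.redirectErrorStream(true);
        Process p = pb.start();
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        int exit = p.waitFor();
        if (exit != 0) {
            throw new IOException("child exited with " + exit + ": " + out);
        }
        return out.trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the bundle path and proxy URL are placeholders.
        Map<String, String> env = new LinkedHashMap<>();
        env.put("SSL_CERT_FILE", "/etc/ssl/corp/ca-bundle.pem");
        env.put("PIP_CERT", "/etc/ssl/corp/ca-bundle.pem");
        env.put("HTTPS_PROXY", "http://proxy.example.internal:3128");

        // Stand-in for pip/uv: a child that reports what it received (assumes POSIX sh).
        List<String> probe = List.of("sh", "-c",
                "printf '%s|%s|%s' \"${SSL_CERT_FILE:-unset}\" "
                        + "\"${PIP_CERT:-unset}\" \"${HTTPS_PROXY:-unset}\"");

        System.out.println("with map:    " + run(probe, env));
        System.out.println("without map: " + run(probe));
    }
}
```

If the parent process already exports these variables, the second line shows the inherited values rather than `unset`, because `ProcessBuilder` starts from a copy of the parent's environment.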