Merge pull request #104 from tower/tasks/do-not-inherit-full-environment

bradhe · web-flow · commit 49a2b45cf3fb · 2025-10-02T15:57:23.000+01:00
Remove inherited environments
diff --git a/crates/tower-runtime/tests/example-apps/04-app-with-secret/README.md b/crates/tower-runtime/tests/example-apps/04-app-with-secret/README.md
diff --git a/crates/tower-runtime/tests/example-apps/04-app-with-secret/Towerfile b/crates/tower-runtime/tests/example-apps/04-app-with-secret/Towerfile
@@ -0,0 +1,3 @@
+[app]
+name = "04-app-with-secret"
+script = "./main.py"
diff --git a/crates/tower-runtime/tests/example-apps/04-app-with-secret/main.py b/crates/tower-runtime/tests/example-apps/04-app-with-secret/main.py
@@ -0,0 +1,10 @@
+import os
+
+
+def main():
+    value = os.getenv("MY_SECRET", "default_value")
+    print(f"The secret is: {value}")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/crates/tower-runtime/tests/example-apps/04-app-with-secret/pyproject.toml b/crates/tower-runtime/tests/example-apps/04-app-with-secret/pyproject.toml
@@ -0,0 +1,7 @@
+[project]
+name = "04-app-with-secret"
+version = "0.1.0"
+description = "Add your description here"
+readme = "README.md"
+requires-python = ">=3.12"
+dependencies = []
diff --git a/crates/tower-runtime/tests/local_test.rs b/crates/tower-runtime/tests/local_test.rs
@@ -182,3 +182,61 @@ async fn test_running_legacy_app() {
     let status = app.status().await.expect("Failed to get app status");
     assert!(status == Status::Exited, "App should be running");
 }
+
+#[tokio::test]
+async fn test_running_app_with_secret() {
+    debug!("Running 04-app-with-secret");
+    let app_dir = get_example_app_dir("04-app-with-secret");
+    let package = build_package_from_dir(&app_dir).await;
+    let (sender, mut receiver) = unbounded_channel();
+
+    let mut secrets = HashMap::new();
+    secrets.insert("MY_SECRET".to_string(), "It's in the sauce!".to_string());
+
+    // We need to create the package, which will load the app
+    let opts = StartOptions {
+        ctx: tower_telemetry::Context::new(),
+        package,
+        output_sender: sender,
+        cwd: None,
+        environment: "local".to_string(),
+        secrets: secrets,
+        parameters: HashMap::new(),
+        env_vars: HashMap::new(),
+    };
+
+    // Start the app using the LocalApp runtime
+    let app = LocalApp::start(opts).await.expect("Failed to start app");
+
+    // The status should be running
+    let status = app.status().await.expect("Failed to get app status");
+    assert!(status == Status::Running, "App should be running");
+
+    let mut count_setup = 0;
+    let mut count_stdout = 0;
+
+    while let Some(output) = receiver.recv().await {
+        match output.channel {
+            tower_runtime::Channel::Setup => {
+                // We always have some setup lines to count on.
+                count_setup += 1;
+            }
+            tower_runtime::Channel::Program => {
+                if output.line.starts_with("The secret is:") {
+                    // Indicate that we found the line.
+                    count_stdout += 1;
+
+                    // Require that the right suffix is there.
+                    assert!(output.line.ends_with("It's in the sauce!"));
+                }
+            }
+        }
+    }
+
+    assert!(count_setup > 0, "There should be some setup output");
+    assert!(count_stdout > 0, "should be more than one output");
+
+    // check the status once more, should be done.
+    let status = app.status().await.expect("Failed to get app status");
+    assert!(status == Status::Exited, "App should be running");
+}
diff --git a/crates/tower-uv/src/lib.rs b/crates/tower-uv/src/lib.rs
@@ -38,6 +38,27 @@ impl From<install::Error> for Error {
     }
 }
 
+fn normalize_env_vars(env_vars: &HashMap<String, String>) -> HashMap<String, String> {
+    #[cfg(windows)]
+    {
+        // we copy this locally so we can mutate the results.
+        let mut env_vars = env_vars.clone();
+
+        // If we are running on Windows, we need to retain the SYSTEMROOT env var because Python
+        // needs it to initialize it's random number generator. Fun fact!
+        let systemroot = std::env::var("SYSTEMROOT").unwrap_or_default();
+        env_vars.insert("SYSTEMROOT".to_string(), systemroot);
+        return env_vars;
+    }
+
+    #[cfg(not(windows))]
+    {
+        // On non-Windows platforms, we can just return the env vars as-is. We have to do this
+        // clone thing to get rid fo the lifetime issues.
+        return env_vars.clone();
+    }
+}
+
 async fn test_uv_path(path: &PathBuf) -> Result<(), Error> {
     let res = Command::new(&path)
         .arg("--color")
@@ -169,6 +190,10 @@ impl Uv {
             &self.uv_path, program, cwd
         );
 
+        // Sometimes, we need to copy some env vars out of the current environment and into the new
+        // one!
+        let env_vars = normalize_env_vars(env_vars);
+
         let mut cmd = Command::new(&self.uv_path);
         cmd.kill_on_drop(true)
             .stdin(Stdio::null())
@@ -180,6 +205,7 @@ impl Uv {
             .arg("--no-progress")
             .arg("run")
             .arg(program)
+            .env_clear()
             .envs(env_vars);
 
         #[cfg(unix)]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[app]`
	`2`	`+name = "04-app-with-secret"`
	`3`	`+script = "./main.py"`