run subshells in bundletool_experimental using subprocess API by aaronsky · Pull Request #2866 · bazelbuild/rules_apple

aaronsky · 2026-01-19T00:50:12Z

use subprocess.check_call instead of os.system to support stronger
security guarantees and block environment variables from the running
environment from affecting subprocesses. Fixes usage of rules_apple
when using rules_python 1.7.0+.

Fixes bazelbuild#2843 use `subprocess.check_call` instead of `os.system` to support stronger security guarantees and block environment variables from the running environment from affecting subprocesses. Fixes usage of rules_apple when using rules_python 1.7.0+.

aaronsky added 2 commits January 18, 2026 19:45

put raised codesign error back the way it was

141dbde

aaronsky marked this pull request as ready for review January 19, 2026 01:20

aaronsky requested review from adincebic, brentleyjones, keith, luispadron and mattrobmattrob as code owners January 19, 2026 01:20

aaronsky enabled auto-merge (squash) January 19, 2026 01:20

luispadron approved these changes Jan 21, 2026

View reviewed changes

aaronsky merged commit 64855d1 into bazelbuild:main Jan 21, 2026
8 checks passed

aaronsky mentioned this pull request Mar 7, 2026

Runfiles import issues with rules_python 1.7.0 #2844

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

run subshells in bundletool_experimental using subprocess API#2866

run subshells in bundletool_experimental using subprocess API#2866
aaronsky merged 2 commits intobazelbuild:mainfrom
aaronsky:aaronsky/fix-2843

aaronsky commented Jan 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

aaronsky commented Jan 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants