Clear PIP_INDEX_URL at the end of the build (#1694)

premun · web-flow · commit 268fe29b6ed8 · 2026-06-24T11:50:58.000Z
diff --git a/src/almalinux/10/helix/amd64/Dockerfile b/src/almalinux/10/helix/amd64/Dockerfile
@@ -50,3 +50,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/almalinux/9/helix/amd64/Dockerfile b/src/almalinux/9/helix/amd64/Dockerfile
@@ -54,3 +54,6 @@ RUN python3 -m venv $VIRTUAL_ENV \
     && ${VIRTUAL_ENV}/bin/pip install --upgrade pip setuptools
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/alpine/3.23/amd64/Dockerfile b/src/alpine/3.23/amd64/Dockerfile
@@ -81,3 +81,6 @@ RUN azureEnv="/usr/local/share/azure-cli-env" \
 
 # Add label for bring your own node in azure devops
 LABEL "com.azure.dev.pipelines.agent.handler.node.path"="/usr/bin/node"
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/alpine/3.23/helix/Dockerfile b/src/alpine/3.23/helix/Dockerfile
@@ -58,3 +58,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/alpine/3.24/amd64/Dockerfile b/src/alpine/3.24/amd64/Dockerfile
@@ -81,3 +81,6 @@ RUN azureEnv="/usr/local/share/azure-cli-env" \
 
 # Add label for bring your own node in azure devops
 LABEL "com.azure.dev.pipelines.agent.handler.node.path"="/usr/bin/node"
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/alpine/3.24/helix/Dockerfile b/src/alpine/3.24/helix/Dockerfile
@@ -58,3 +58,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/alpine/edge/helix/Dockerfile b/src/alpine/edge/helix/Dockerfile
@@ -58,3 +58,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/azurelinux/3.0/helix/Dockerfile b/src/azurelinux/3.0/helix/Dockerfile
@@ -55,3 +55,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/azurelinux/3.0/net10.0/crossdeps-builder/amd64/Dockerfile b/src/azurelinux/3.0/net10.0/crossdeps-builder/amd64/Dockerfile
@@ -118,3 +118,6 @@ ENV PATH="/opt/llvm/bin:$PATH"
 # Obtain arcade scripts used to build rootfs
 RUN git config --global user.email builder@dotnet-buildtools-prereqs-docker && \
     git clone --depth 1 --single-branch https://github.com/dotnet/arcade /scripts
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/azurelinux/3.0/net11.0/crossdeps-builder/amd64/Dockerfile b/src/azurelinux/3.0/net11.0/crossdeps-builder/amd64/Dockerfile
@@ -115,3 +115,6 @@ ENV PATH="/opt/llvm/bin:$PATH"
 # Obtain arcade scripts used to build rootfs
 RUN git config --global user.email builder@dotnet-buildtools-prereqs-docker && \
     git clone --depth 1 --single-branch https://github.com/dotnet/arcade /scripts
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/azurelinux/3.0/net8.0/crossdeps-builder/amd64/Dockerfile b/src/azurelinux/3.0/net8.0/crossdeps-builder/amd64/Dockerfile
@@ -118,3 +118,6 @@ ENV PATH="/opt/llvm/bin:$PATH"
 # Obtain arcade scripts used to build rootfs
 RUN git config --global user.email builder@dotnet-buildtools-prereqs-docker && \
     git clone --depth 1 --single-branch https://github.com/dotnet/arcade /scripts
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/azurelinux/3.0/net8.0/source-build-test/amd64/Dockerfile b/src/azurelinux/3.0/net8.0/source-build-test/amd64/Dockerfile
@@ -39,4 +39,7 @@ RUN tdnf update -y \
 
 # Setup a script which executes scancode in the virtual environment
 COPY ./run-scancode.sh /usr/local/bin/scancode
-RUN chmod +x /usr/local/bin/scancode
+RUN chmod +x /usr/local/bin/scancode
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/azurelinux/3.0/net9.0/crossdeps-builder/amd64/Dockerfile b/src/azurelinux/3.0/net9.0/crossdeps-builder/amd64/Dockerfile
@@ -118,3 +118,6 @@ ENV PATH="/opt/llvm/bin:$PATH"
 # Obtain arcade scripts used to build rootfs
 RUN git config --global user.email builder@dotnet-buildtools-prereqs-docker && \
     git clone --depth 1 --single-branch https://github.com/dotnet/arcade /scripts
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/azurelinux/4.0/helix/Dockerfile b/src/azurelinux/4.0/helix/Dockerfile
@@ -60,3 +60,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/centos-stream/10/helix/Dockerfile b/src/centos-stream/10/helix/Dockerfile
@@ -67,3 +67,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/centos-stream/9/helix/amd64/Dockerfile b/src/centos-stream/9/helix/amd64/Dockerfile
@@ -60,3 +60,6 @@ RUN python -m venv $VIRTUAL_ENV && \
     ${VIRTUAL_ENV}/bin/pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
     rm ./helix_scripts-*-py3-none-any.whl
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/centos-stream/9/mlnet/helix/amd64/Dockerfile b/src/centos-stream/9/mlnet/helix/amd64/Dockerfile
@@ -105,3 +105,6 @@ RUN python -m venv $VIRTUAL_ENV && \
     ${VIRTUAL_ENV}/bin/pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
     rm ./helix_scripts-*-py3-none-any.whl
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/debian/12/helix/amd64/Dockerfile b/src/debian/12/helix/amd64/Dockerfile
@@ -80,3 +80,6 @@ RUN python3 -m venv $VIRTUAL_ENV \
     && ${VIRTUAL_ENV}/bin/pip install --upgrade pip setuptools
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/debian/12/helix/arm32v7/Dockerfile b/src/debian/12/helix/arm32v7/Dockerfile
@@ -89,3 +89,6 @@ RUN python3 -m venv $VIRTUAL_ENV \
     && ${VIRTUAL_ENV}/bin/pip install --upgrade pip setuptools
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/debian/12/helix/arm64v8/Dockerfile b/src/debian/12/helix/arm64v8/Dockerfile
@@ -79,3 +79,6 @@ RUN python3 -m venv $VIRTUAL_ENV \
     && ${VIRTUAL_ENV}/bin/pip install --upgrade pip setuptools
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/debian/13/helix/Dockerfile b/src/debian/13/helix/Dockerfile
@@ -86,3 +86,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/fedora/42/helix/amd64/Dockerfile b/src/fedora/42/helix/amd64/Dockerfile
@@ -78,3 +78,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/fedora/43/helix/amd64/Dockerfile b/src/fedora/43/helix/amd64/Dockerfile
@@ -80,3 +80,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/fedora/44/helix/amd64/Dockerfile b/src/fedora/44/helix/amd64/Dockerfile
@@ -80,3 +80,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/fedora/45/helix/amd64/Dockerfile b/src/fedora/45/helix/amd64/Dockerfile
@@ -93,3 +93,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3.14 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/fedora/rawhide/helix/amd64/Dockerfile b/src/fedora/rawhide/helix/amd64/Dockerfile
@@ -93,3 +93,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3.14 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/nanoserver/1809/helix/amd64/Dockerfile b/src/nanoserver/1809/helix/amd64/Dockerfile
@@ -100,3 +100,6 @@ RUN pwsh -Command " `
         Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\corerun.exe' -Value 2 -Name DumpCount -Force"
 
 WORKDIR C:\\Work
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/opensuse/16.0/helix/amd64/Dockerfile b/src/opensuse/16.0/helix/amd64/Dockerfile
@@ -62,3 +62,6 @@ RUN python -m venv $VIRTUAL_ENV && \
     ${VIRTUAL_ENV}/bin/pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
     rm ./helix_scripts-*-py3-none-any.whl
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/ubuntu/22.04/helix/Dockerfile b/src/ubuntu/22.04/helix/Dockerfile
@@ -69,3 +69,6 @@ RUN python -m venv /home/helixbot/.vsts-env && \
     ${VIRTUAL_ENV}/bin/pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
     rm ./helix_scripts-*-py3-none-any.whl
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/ubuntu/22.04/mlnet/helix/amd64/Dockerfile b/src/ubuntu/22.04/mlnet/helix/amd64/Dockerfile
@@ -28,3 +28,6 @@ RUN python -m venv $VIRTUAL_ENV && \
     ${VIRTUAL_ENV}/bin/pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
     rm ./helix_scripts-*-py3-none-any.whl
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/ubuntu/24.04/helix/Dockerfile b/src/ubuntu/24.04/helix/Dockerfile
@@ -94,3 +94,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/ubuntu/24.04/helix/android/amd64/Dockerfile b/src/ubuntu/24.04/helix/android/amd64/Dockerfile
@@ -96,3 +96,6 @@ RUN /usr/sbin/adduser --disabled-password --gecos '' --uid 1000 --shell /bin/bas
 
 USER helixbot
 
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
+
diff --git a/src/ubuntu/26.04/helix/Dockerfile b/src/ubuntu/26.04/helix/Dockerfile
@@ -100,3 +100,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 RUN python3 -m venv $VIRTUAL_ENV
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 COPY --from=venv --chown=helixbot /venv $VIRTUAL_ENV
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/windowsservercore/ltsc2019/helix/amd64/Dockerfile b/src/windowsservercore/ltsc2019/helix/amd64/Dockerfile
@@ -84,3 +84,6 @@ RUN powershell -Command " `
         Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\corerun.exe' -Value 2 -Name DumpCount -Force"
 
 WORKDIR C:\\Work
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/windowsservercore/ltsc2022/helix/amd64/Dockerfile b/src/windowsservercore/ltsc2022/helix/amd64/Dockerfile
@@ -84,3 +84,6 @@ RUN powershell -Command " `
         Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\corerun.exe' -Value 2 -Name DumpCount -Force"
 
 WORKDIR C:\\Work
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
diff --git a/src/windowsservercore/ltsc2025/helix/amd64/Dockerfile b/src/windowsservercore/ltsc2025/helix/amd64/Dockerfile
@@ -84,3 +84,6 @@ RUN powershell -Command " `
         Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\corerun.exe' -Value 2 -Name DumpCount -Force"
 
 WORKDIR C:\\Work
+
+# Clear PIP_INDEX_URL since it contains a short-lived token that should not persist in the final image
+ENV PIP_INDEX_URL=
