diff --git a/tools/python/BUILD b/tools/python/BUILD
index 8e410e5..40698ef 100644
--- a/tools/python/BUILD
+++ b/tools/python/BUILD
@@ -18,6 +18,19 @@
     ],
 )
 
+# This binary is intended to run the `requirements.update` target in a Docker
+# container. This is primarily intended for reproducibility. See README.md.
+sh_binary(
+    name = "update_helper",
+    srcs = ["update_helper.sh"],
+    data = [
+        "update_helper_files/Dockerfile",
+    ],
+    deps = [
+        "@bazel_tools//tools/bash/runfiles",
+    ],
+)
+
 py_runtime(
     name = "python3_runtime",
     files = [
diff --git a/tools/python/README.md b/tools/python/README.md
index cf878f7..625cb24 100644
--- a/tools/python/README.md
+++ b/tools/python/README.md
@@ -39,7 +39,7 @@
 1. Add the new package you're interested in to `tools/python/requirements.txt`.
 2. Run the lock file generation script.
 
-        bazel run //tools/python:requirements.update
+        bazel run --run_under=//tools/python:update_helper //tools/python:requirements.update
 
 
 How to make buildkite happy with new pip packages
diff --git a/tools/python/update_helper.sh b/tools/python/update_helper.sh
new file mode 100755
index 0000000..ba497ea
--- /dev/null
+++ b/tools/python/update_helper.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# --- begin runfiles.bash initialization v2 ---
+# Copy-pasted from the Bazel Bash runfiles library v2.
+set -uo pipefail; set +e; f=bazel_tools/tools/bash/runfiles/runfiles.bash
+source "${RUNFILES_DIR:-/dev/null}/$f" 2>/dev/null || \
+  source "$(grep -sm1 "^$f " "${RUNFILES_MANIFEST_FILE:-/dev/null}" | cut -f2- -d' ')" 2>/dev/null || \
+  source "$0.runfiles/$f" 2>/dev/null || \
+  source "$(grep -sm1 "^$f " "$0.runfiles_manifest" | cut -f2- -d' ')" 2>/dev/null || \
+  source "$(grep -sm1 "^$f " "$0.exe.runfiles_manifest" | cut -f2- -d' ')" 2>/dev/null || \
+  { echo>&2 "ERROR: cannot find $f"; exit 1; }; f=; set -e
+# --- end runfiles.bash initialization v2 ---
+
+DOCKERFILE="$(rlocation org_frc971/tools/python/update_helper_files/Dockerfile)"
+CONTEXT_DIR="$(dirname "${DOCKERFILE}")"
+CONTAINER_TAG="pip-lock:${USER}"
+
+# Build the container that has the bare minimum to run the various setup.py
+# scripts from our dependencies.
+docker build \
+  --file="${DOCKERFILE}" \
+  --tag="${CONTAINER_TAG}" \
+  "${CONTEXT_DIR}"
+
+# Run the actual update. The assumption here is that mounting the user's home
+# directory is sufficient to allow the tool to run inside the container without
+# any issues. I.e. the cache and the source tree are available in the
+# container.
+docker run \
+  --rm \
+  --tty \
+  --env BUILD_WORKSPACE_DIRECTORY="${BUILD_WORKSPACE_DIRECTORY}" \
+  --workdir "${PWD}" \
+  --volume "${HOME}:${HOME}" \
+  "${CONTAINER_TAG}" \
+  "$@"
diff --git a/tools/python/update_helper_files/Dockerfile b/tools/python/update_helper_files/Dockerfile
new file mode 100644
index 0000000..3a4d42c
--- /dev/null
+++ b/tools/python/update_helper_files/Dockerfile
@@ -0,0 +1,10 @@
+# This Dockerfile sets up a container with the minimum number of things to make
+# //tools/python:requirements.update target happy.
+
+FROM debian:12
+
+RUN apt update
+RUN DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y clang
+RUN DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y python3
+RUN DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y pkgconf
+RUN DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y libcairo2-dev