.bazelrc - monogon - Gitiles

 # Enable strict_action_env (use static PATH and do not inherit environment variables).
 # This avoids unnecessary cache invalidations.
 build --incompatible_strict_action_env=true

 # Run all spawns in our own hermetic sandbox sysroot.
 build --experimental_use_hermetic_linux_sandbox
 build --action_env=MONOGON_SANDBOX_DIGEST
 import %workspace%/.bazelrc.sandbox

 # Hardwire all action envs to just use /usr/bin from the above sandbox. This is
 # necessary on NixOS Bazel builds, as they really like to inject /nix/store/*
 # paths otherwise. We also explicitly set it to /usr/bin only (no /bin) as
 # otherwise calling gcc from /bin/gcc breaks its own resolution of subordinate
 # commands (like cc1, as, etc.).
 build --action_env=PATH=/usr/bin
 build --host_action_env=PATH=/usr/bin

 # Make all shell run actions use /bin/bash instead of whatever the host might
 # have set. Again, looking at you, Bazel-on-NixOS.
 build --shell_executable=/bin/bash

 # No local CPP toolchain resolution. In our sandbox root, it doesn't make sense -
 # anything auto-detected during analysis stage is on the host instead of the sandbox.
 # Sysroot rebuild is pure Go and doesn't need it either.
 # The flag ensures we fail early if we somehow depend on the host toolchain,
 # and do not spend unnecessary time on autodiscovery.
 build --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1

 # Use new-style C++ toolchain resolution.
 build --incompatible_enable_cc_toolchain_resolution

 # In our monorepo, we mostly ignore the host platform since we bring our own
 # execution environment. However, we still need to run a small number of tools
 # such as gazelle. We can just use rules_go's pure-Go platform. Attempting to
 # build CGO binaries for the host will fail (and does not make sense).
 # The host is lava - it could be NixOS (or even potentially macOS/Windows).
 build --host_platform=@io_bazel_rules_go//go/toolchain:linux_amd64

 # Target platform for the monorepo is currently the same as the host platform,
 # but we'll support cross-compilation at some point. Do not rely on it.
 build --platforms=//build/platforms:linux_amd64
 # Make sure our platform is picked instead of the --host_platform.
 build --extra_execution_platforms=//build/platforms:linux_amd64

 # Build resources
 startup --batch_cpu_scheduling --io_nice_level 7
 test --test_output=errors

 # selinux:
 #     build with SELinux (containerd, kubelet)
 # no_zfs,no_aufs,no_devicemapper:
 #     disable containerd features we don't need
 # providerless,dockerless:
 #     build k8s without cloud provider and docker support
 # nowasm:
 #     disable wasm plugin support in sqlc
 build --@io_bazel_rules_go//go/config:tags=selinux,seccomp,no_zfs,no_aufs,no_devicemapper,providerless,dockerless,nowasm,netgo,osusergo

 # Build with C++17.
 build --cxxopt=-std=c++17

 # Set workspace status file and stamp
 build --stamp --workspace_status_command=./build/print-workspace-status.sh

 # Load CI bazelrc if present.
 try-import %workspace%/ci.bazelrc

 # Load custom per-user settings.
 try-import %workspace%/.bazelrc.user
	# Enable strict_action_env (use static PATH and do not inherit environment variables).
	# This avoids unnecessary cache invalidations.
	build --incompatible_strict_action_env=true

	# Run all spawns in our own hermetic sandbox sysroot.
	build --experimental_use_hermetic_linux_sandbox
	build --action_env=MONOGON_SANDBOX_DIGEST
	import %workspace%/.bazelrc.sandbox

	# Hardwire all action envs to just use /usr/bin from the above sandbox. This is
	# necessary on NixOS Bazel builds, as they really like to inject /nix/store/*
	# paths otherwise. We also explicitly set it to /usr/bin only (no /bin) as
	# otherwise calling gcc from /bin/gcc breaks its own resolution of subordinate
	# commands (like cc1, as, etc.).
	build --action_env=PATH=/usr/bin
	build --host_action_env=PATH=/usr/bin

	# Make all shell run actions use /bin/bash instead of whatever the host might
	# have set. Again, looking at you, Bazel-on-NixOS.
	build --shell_executable=/bin/bash

	# No local CPP toolchain resolution. In our sandbox root, it doesn't make sense -
	# anything auto-detected during analysis stage is on the host instead of the sandbox.
	# Sysroot rebuild is pure Go and doesn't need it either.
	# The flag ensures we fail early if we somehow depend on the host toolchain,
	# and do not spend unnecessary time on autodiscovery.
	build --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1

	# Use new-style C++ toolchain resolution.
	build --incompatible_enable_cc_toolchain_resolution

	# In our monorepo, we mostly ignore the host platform since we bring our own
	# execution environment. However, we still need to run a small number of tools
	# such as gazelle. We can just use rules_go's pure-Go platform. Attempting to
	# build CGO binaries for the host will fail (and does not make sense).
	# The host is lava - it could be NixOS (or even potentially macOS/Windows).
	build --host_platform=@io_bazel_rules_go//go/toolchain:linux_amd64

	# Target platform for the monorepo is currently the same as the host platform,
	# but we'll support cross-compilation at some point. Do not rely on it.
	build --platforms=//build/platforms:linux_amd64
	# Make sure our platform is picked instead of the --host_platform.
	build --extra_execution_platforms=//build/platforms:linux_amd64

	# Build resources
	startup --batch_cpu_scheduling --io_nice_level 7
	test --test_output=errors

	# selinux:
	# build with SELinux (containerd, kubelet)
	# no_zfs,no_aufs,no_devicemapper:
	# disable containerd features we don't need
	# providerless,dockerless:
	# build k8s without cloud provider and docker support
	# nowasm:
	# disable wasm plugin support in sqlc
	build --@io_bazel_rules_go//go/config:tags=selinux,seccomp,no_zfs,no_aufs,no_devicemapper,providerless,dockerless,nowasm,netgo,osusergo

	# Build with C++17.
	build --cxxopt=-std=c++17

	# Set workspace status file and stamp
	build --stamp --workspace_status_command=./build/print-workspace-status.sh

	# Load CI bazelrc if present.
	try-import %workspace%/ci.bazelrc

	# Load custom per-user settings.
	try-import %workspace%/.bazelrc.user