treewide: remove FHSEnv
To remove the FHSenv, we have to patch rules_python to use
/usr/bin/env to resolve the path to bash instead of hardcoding it.
Additionally, we now bring a Nix-compatible Bazel 8.
Change-Id: Id51e7748eea6dd77185f43a52fe45b5110ba4a2b
Reviewed-on: https://review.monogon.dev/c/monogon/+/4427
Tested-by: Jenkins CI
Reviewed-by: Jan Schär <jan@monogon.tech>
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Reviewed-by: Leopold Schabel <leo@monogon.tech>
diff --git a/.bazelrc b/.bazelrc
index 526492b..8555f7f 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -71,6 +71,12 @@
build --experimental_propagate_custom_flag=@@rules_go+//go/private:request_nogo
build --experimental_propagate_custom_flag=@@rules_go+//go/private:bootstrap_nogo
+# rules_python uses host python for bootstrapping.
+# Override to use a shell script for this.
+# https://github.com/bazelbuild/rules_python/issues/691
+build --@rules_python//python/config_settings:bootstrap_impl=script
+build --experimental_propagate_custom_flag=@@rules_python+//python/config_settings:bootstrap_impl
+
# No local CPP toolchain resolution. In our sandbox root, it doesn't make sense -
# anything auto-detected during analysis stage is on the host instead of the sandbox.
# Sysroot rebuild is pure Go and doesn't need it either.
diff --git a/MODULE.bazel b/MODULE.bazel
index f2e7a4e..8f0a7d2 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -89,6 +89,28 @@
version = "2.82.2.bcr.5",
)
+bazel_dep(name = "rules_python")
+single_version_override(
+ module_name = "rules_python",
+ patch_strip = 1,
+ patches = [
+ # TODO: Remove if upstream PR is merged
+ # https://github.com/bazel-contrib/rules_python/pull/3087
+ "//third_party/rules_python:use-usr-bin-env-bash.patch",
+ ],
+ version = "1.4.1",
+)
+
+bazel_dep(name = "rules_oci")
+single_version_override(
+ module_name = "rules_oci",
+ patch_strip = 1,
+ patches = [
+ "//third_party/rules_oci:use-default-shell-env.patch",
+ ],
+ version = "2.2.6",
+)
+
bazel_dep(name = "zstd", version = "1.5.7")
bazel_dep(name = "gperf", version = "3.1")
bazel_dep(name = "zlib", version = "1.3.1.bcr.6")
@@ -97,10 +119,8 @@
bazel_dep(name = "buildifier_prebuilt", version = "8.2.0.2")
bazel_dep(name = "bazel_skylib", version = "1.8.0")
bazel_dep(name = "rules_pkg", version = "1.1.0")
-bazel_dep(name = "rules_oci", version = "2.2.6")
bazel_dep(name = "aspect_bazel_lib", version = "2.19.4")
bazel_dep(name = "rules_multirun", version = "0.12.0")
-bazel_dep(name = "rules_python", version = "1.4.1")
bazel_dep(name = "rules_cc", version = "0.1.2")
bazel_dep(name = "rules_perl", version = "0.2.4")
bazel_dep(name = "rules_proto", version = "7.1.0")
@@ -136,8 +156,17 @@
register_toolchains("//build/toolchain/toolchain-bundle:all")
+# Rust config
include("//build/bazel:rust.MODULE.bazel")
+
+# Go dependencies
include("//build/bazel:go.MODULE.bazel")
+
+# OCI Config
include("//build/bazel:oci.MODULE.bazel")
+
+# Third Party dependencies
include("//build/bazel:third_party.MODULE.bazel")
+
+# Toolchain Bundle
include("//build/bazel:toolchain.MODULE.bazel")
diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock
index 0a27304..03a0ce4 100644
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -22,7 +22,6 @@
"https://bcr.bazel.build/modules/aspect_bazel_lib/2.19.4/source.json": "506fa924e19fd8a33d617e33a17e4fce845f9ff9acb3a2aa7cf7300650698705",
"https://bcr.bazel.build/modules/aspect_bazel_lib/2.7.2/MODULE.bazel": "780d1a6522b28f5edb7ea09630748720721dfe27690d65a2d33aa7509de77e07",
"https://bcr.bazel.build/modules/aspect_bazel_lib/2.8.1/MODULE.bazel": "812d2dd42f65dca362152101fbec418029cc8fd34cbad1a2fde905383d705838",
- "https://bcr.bazel.build/modules/bazel_features/1.1.1/MODULE.bazel": "27b8c79ef57efe08efccbd9dd6ef70d61b4798320b8d3c134fd571f78963dbcd",
"https://bcr.bazel.build/modules/bazel_features/1.10.0/MODULE.bazel": "f75e8807570484a99be90abcd52b5e1f390362c258bcb73106f4544957a48101",
"https://bcr.bazel.build/modules/bazel_features/1.11.0/MODULE.bazel": "f9382337dd5a474c3b7d334c2f83e50b6eaedc284253334cf823044a26de03e8",
"https://bcr.bazel.build/modules/bazel_features/1.15.0/MODULE.bazel": "d38ff6e517149dc509406aca0db3ad1efdd890a85e049585b7234d04238e2a4d",
@@ -101,8 +100,6 @@
"https://bcr.bazel.build/modules/platforms/1.0.0/MODULE.bazel": "f05feb42b48f1b3c225e4ccf351f367be0371411a803198ec34a389fb22aa580",
"https://bcr.bazel.build/modules/platforms/1.0.0/source.json": "f4ff1fd412e0246fd38c82328eb209130ead81d62dcd5a9e40910f867f733d96",
"https://bcr.bazel.build/modules/protobuf/21.7/MODULE.bazel": "a5a29bb89544f9b97edce05642fac225a808b5b7be74038ea3640fae2f8e66a7",
- "https://bcr.bazel.build/modules/protobuf/23.1/MODULE.bazel": "88b393b3eb4101d18129e5db51847cd40a5517a53e81216144a8c32dfeeca52a",
- "https://bcr.bazel.build/modules/protobuf/24.4/MODULE.bazel": "7bc7ce5f2abf36b3b7b7c8218d3acdebb9426aeb35c2257c96445756f970eb12",
"https://bcr.bazel.build/modules/protobuf/27.0/MODULE.bazel": "7873b60be88844a0a1d8f80b9d5d20cfbd8495a689b8763e76c6372998d3f64c",
"https://bcr.bazel.build/modules/protobuf/27.1/MODULE.bazel": "703a7b614728bb06647f965264967a8ef1c39e09e8f167b3ca0bb1fd80449c0d",
"https://bcr.bazel.build/modules/protobuf/28.3/MODULE.bazel": "2b3764bbab2e46703412bd3b859efcf0322638ed015e88432df3bb740507a1e9",
@@ -131,7 +128,6 @@
"https://bcr.bazel.build/modules/rules_cc/0.0.1/MODULE.bazel": "cb2aa0747f84c6c3a78dad4e2049c154f08ab9d166b1273835a8174940365647",
"https://bcr.bazel.build/modules/rules_cc/0.0.10/MODULE.bazel": "ec1705118f7eaedd6e118508d3d26deba2a4e76476ada7e0e3965211be012002",
"https://bcr.bazel.build/modules/rules_cc/0.0.13/MODULE.bazel": "0e8529ed7b323dad0775ff924d2ae5af7640b23553dfcd4d34344c7e7a867191",
- "https://bcr.bazel.build/modules/rules_cc/0.0.14/MODULE.bazel": "5e343a3aac88b8d7af3b1b6d2093b55c347b8eefc2e7d1442f7a02dc8fea48ac",
"https://bcr.bazel.build/modules/rules_cc/0.0.15/MODULE.bazel": "6704c35f7b4a72502ee81f61bf88706b54f06b3cbe5558ac17e2e14666cd5dcc",
"https://bcr.bazel.build/modules/rules_cc/0.0.16/MODULE.bazel": "7661303b8fc1b4d7f532e54e9d6565771fea666fbdf839e0a86affcd02defe87",
"https://bcr.bazel.build/modules/rules_cc/0.0.17/MODULE.bazel": "2ae1d8f4238ec67d7185d8861cb0a2cdf4bc608697c331b95bf990e69b62e64a",
@@ -150,15 +146,11 @@
"https://bcr.bazel.build/modules/rules_go/0.55.1/source.json": "827a740c8959c9d20616889e7746cde4dcc6ee80d25146943627ccea0736328f",
"https://bcr.bazel.build/modules/rules_java/4.0.0/MODULE.bazel": "5a78a7ae82cd1a33cef56dc578c7d2a46ed0dca12643ee45edbb8417899e6f74",
"https://bcr.bazel.build/modules/rules_java/5.3.5/MODULE.bazel": "a4ec4f2db570171e3e5eb753276ee4b389bae16b96207e9d3230895c99644b86",
- "https://bcr.bazel.build/modules/rules_java/6.0.0/MODULE.bazel": "8a43b7df601a7ec1af61d79345c17b31ea1fedc6711fd4abfd013ea612978e39",
"https://bcr.bazel.build/modules/rules_java/6.3.0/MODULE.bazel": "a97c7678c19f236a956ad260d59c86e10a463badb7eb2eda787490f4c969b963",
- "https://bcr.bazel.build/modules/rules_java/6.4.0/MODULE.bazel": "e986a9fe25aeaa84ac17ca093ef13a4637f6107375f64667a15999f77db6c8f6",
"https://bcr.bazel.build/modules/rules_java/6.5.2/MODULE.bazel": "1d440d262d0e08453fa0c4d8f699ba81609ed0e9a9a0f02cd10b3e7942e61e31",
- "https://bcr.bazel.build/modules/rules_java/7.1.0/MODULE.bazel": "30d9135a2b6561c761bd67bd4990da591e6bdc128790ce3e7afd6a3558b2fb64",
"https://bcr.bazel.build/modules/rules_java/7.10.0/MODULE.bazel": "530c3beb3067e870561739f1144329a21c851ff771cd752a49e06e3dc9c2e71a",
"https://bcr.bazel.build/modules/rules_java/7.12.2/MODULE.bazel": "579c505165ee757a4280ef83cda0150eea193eed3bef50b1004ba88b99da6de6",
"https://bcr.bazel.build/modules/rules_java/7.2.0/MODULE.bazel": "06c0334c9be61e6cef2c8c84a7800cef502063269a5af25ceb100b192453d4ab",
- "https://bcr.bazel.build/modules/rules_java/7.3.2/MODULE.bazel": "50dece891cfdf1741ea230d001aa9c14398062f2b7c066470accace78e412bc2",
"https://bcr.bazel.build/modules/rules_java/7.6.1/MODULE.bazel": "2f14b7e8a1aa2f67ae92bc69d1ec0fa8d9f827c4e17ff5e5f02e91caa3b2d0fe",
"https://bcr.bazel.build/modules/rules_java/8.12.0/MODULE.bazel": "8e6590b961f2defdfc2811c089c75716cb2f06c8a4edeb9a8d85eaa64ee2a761",
"https://bcr.bazel.build/modules/rules_java/8.12.0/source.json": "cbd5d55d9d38d4008a7d00bee5b5a5a4b6031fcd4a56515c9accbcd42c7be2ba",
@@ -168,12 +160,9 @@
"https://bcr.bazel.build/modules/rules_jvm_external/4.4.2/MODULE.bazel": "a56b85e418c83eb1839819f0b515c431010160383306d13ec21959ac412d2fe7",
"https://bcr.bazel.build/modules/rules_jvm_external/5.1/MODULE.bazel": "33f6f999e03183f7d088c9be518a63467dfd0be94a11d0055fe2d210f89aa909",
"https://bcr.bazel.build/modules/rules_jvm_external/5.2/MODULE.bazel": "d9351ba35217ad0de03816ef3ed63f89d411349353077348a45348b096615036",
- "https://bcr.bazel.build/modules/rules_jvm_external/5.3/MODULE.bazel": "bf93870767689637164657731849fb887ad086739bd5d360d90007a581d5527d",
- "https://bcr.bazel.build/modules/rules_jvm_external/6.1/MODULE.bazel": "75b5fec090dbd46cf9b7d8ea08cf84a0472d92ba3585b476f44c326eda8059c4",
"https://bcr.bazel.build/modules/rules_jvm_external/6.3/MODULE.bazel": "c998e060b85f71e00de5ec552019347c8bca255062c990ac02d051bb80a38df0",
"https://bcr.bazel.build/modules/rules_jvm_external/6.7/MODULE.bazel": "e717beabc4d091ecb2c803c2d341b88590e9116b8bf7947915eeb33aab4f96dd",
"https://bcr.bazel.build/modules/rules_jvm_external/6.7/source.json": "5426f412d0a7fc6b611643376c7e4a82dec991491b9ce5cb1cfdd25fe2e92be4",
- "https://bcr.bazel.build/modules/rules_kotlin/1.9.0/MODULE.bazel": "ef85697305025e5a61f395d4eaede272a5393cee479ace6686dba707de804d59",
"https://bcr.bazel.build/modules/rules_kotlin/1.9.6/MODULE.bazel": "d269a01a18ee74d0335450b10f62c9ed81f2321d7958a2934e44272fe82dcef3",
"https://bcr.bazel.build/modules/rules_kotlin/1.9.6/source.json": "2faa4794364282db7c06600b7e5e34867a564ae91bda7cae7c29c64e9466b7d5",
"https://bcr.bazel.build/modules/rules_license/0.0.3/MODULE.bazel": "627e9ab0247f7d1e05736b59dbb1b6871373de5ad31c3011880b4133cafd4bd0",
@@ -192,7 +181,6 @@
"https://bcr.bazel.build/modules/rules_pkg/1.1.0/source.json": "fef768df13a92ce6067e1cd0cdc47560dace01354f1d921cfb1d632511f7d608",
"https://bcr.bazel.build/modules/rules_proto/4.0.0/MODULE.bazel": "a7a7b6ce9bee418c1a760b3d84f83a299ad6952f9903c67f19e4edd964894e06",
"https://bcr.bazel.build/modules/rules_proto/5.3.0-21.7/MODULE.bazel": "e8dff86b0971688790ae75528fe1813f71809b5afd57facb44dad9e8eca631b7",
- "https://bcr.bazel.build/modules/rules_proto/6.0.0-rc1/MODULE.bazel": "1e5b502e2e1a9e825eef74476a5a1ee524a92297085015a052510b09a1a09483",
"https://bcr.bazel.build/modules/rules_proto/6.0.2/MODULE.bazel": "ce916b775a62b90b61888052a416ccdda405212b6aaeb39522f7dc53431a5e73",
"https://bcr.bazel.build/modules/rules_proto/7.0.2/MODULE.bazel": "bf81793bd6d2ad89a37a40693e56c61b0ee30f7a7fdbaf3eabbf5f39de47dea2",
"https://bcr.bazel.build/modules/rules_proto/7.1.0/MODULE.bazel": "002d62d9108f75bb807cd56245d45648f38275cb3a99dcd45dfb864c5d74cb96",
@@ -203,18 +191,6 @@
"https://bcr.bazel.build/modules/rules_proto_grpc_buf/5.1.0/source.json": "4eb3add88ecb9682402a671357c2e90fd290264bed1ff50311587014de10e606",
"https://bcr.bazel.build/modules/rules_proto_grpc_doc/5.1.0/MODULE.bazel": "7a4a6d655a384ae74d2ec56faf17ab6f54936bf5f9e9ada4adffada40ba11d0f",
"https://bcr.bazel.build/modules/rules_proto_grpc_doc/5.1.0/source.json": "24c5b2c2f777824b37fdcec4b481dcb4bfa7acd41d67837d44ad81e0164a30de",
- "https://bcr.bazel.build/modules/rules_python/0.10.2/MODULE.bazel": "cc82bc96f2997baa545ab3ce73f196d040ffb8756fd2d66125a530031cd90e5f",
- "https://bcr.bazel.build/modules/rules_python/0.23.1/MODULE.bazel": "49ffccf0511cb8414de28321f5fcf2a31312b47c40cc21577144b7447f2bf300",
- "https://bcr.bazel.build/modules/rules_python/0.25.0/MODULE.bazel": "72f1506841c920a1afec76975b35312410eea3aa7b63267436bfb1dd91d2d382",
- "https://bcr.bazel.build/modules/rules_python/0.28.0/MODULE.bazel": "cba2573d870babc976664a912539b320cbaa7114cd3e8f053c720171cde331ed",
- "https://bcr.bazel.build/modules/rules_python/0.31.0/MODULE.bazel": "93a43dc47ee570e6ec9f5779b2e64c1476a6ce921c48cc9a1678a91dd5f8fd58",
- "https://bcr.bazel.build/modules/rules_python/0.33.2/MODULE.bazel": "3e036c4ad8d804a4dad897d333d8dce200d943df4827cb849840055be8d2e937",
- "https://bcr.bazel.build/modules/rules_python/0.35.0/MODULE.bazel": "c3657951764cdcdb5a7370d5e885fad5e8c1583320aad18d46f9f110d2c22755",
- "https://bcr.bazel.build/modules/rules_python/0.36.0/MODULE.bazel": "a4ce1ccea92b9106c7d16ab9ee51c6183107e78ba4a37aa65055227b80cd480c",
- "https://bcr.bazel.build/modules/rules_python/0.4.0/MODULE.bazel": "9208ee05fd48bf09ac60ed269791cf17fb343db56c8226a720fbb1cdf467166c",
- "https://bcr.bazel.build/modules/rules_python/0.40.0/MODULE.bazel": "9d1a3cd88ed7d8e39583d9ffe56ae8a244f67783ae89b60caafc9f5cf318ada7",
- "https://bcr.bazel.build/modules/rules_python/1.0.0/MODULE.bazel": "898a3d999c22caa585eb062b600f88654bf92efb204fa346fb55f6f8edffca43",
- "https://bcr.bazel.build/modules/rules_python/1.1.0/MODULE.bazel": "57e01abae22956eb96d891572490d20e07d983e0c065de0b2170cafe5053e788",
"https://bcr.bazel.build/modules/rules_python/1.4.1/MODULE.bazel": "8991ad45bdc25018301d6b7e1d3626afc3c8af8aaf4bc04f23d0b99c938b73a6",
"https://bcr.bazel.build/modules/rules_python/1.4.1/source.json": "8ec8c90c70ccacc4de8ca1b97f599e756fb59173e898ee08b733006650057c07",
"https://bcr.bazel.build/modules/rules_rust/0.61.0/MODULE.bazel": "0318a95777b9114c8740f34b60d6d68f9cfef61e2f4b52424ca626213d33787b",
@@ -235,10 +211,8 @@
"https://bcr.bazel.build/modules/stardoc/0.5.1/MODULE.bazel": "1a05d92974d0c122f5ccf09291442580317cdd859f07a8655f1db9a60374f9f8",
"https://bcr.bazel.build/modules/stardoc/0.5.3/MODULE.bazel": "c7f6948dae6999bf0db32c1858ae345f112cacf98f174c7a8bb707e41b974f1c",
"https://bcr.bazel.build/modules/stardoc/0.5.4/MODULE.bazel": "6569966df04610b8520957cb8e97cf2e9faac2c0309657c537ab51c16c18a2a4",
- "https://bcr.bazel.build/modules/stardoc/0.5.6/MODULE.bazel": "c43dabc564990eeab55e25ed61c07a1aadafe9ece96a4efabb3f8bf9063b71ef",
"https://bcr.bazel.build/modules/stardoc/0.6.2/MODULE.bazel": "7060193196395f5dd668eda046ccbeacebfd98efc77fed418dbe2b82ffaa39fd",
"https://bcr.bazel.build/modules/stardoc/0.7.0/MODULE.bazel": "05e3d6d30c099b6770e97da986c53bd31844d7f13d41412480ea265ac9e8079c",
- "https://bcr.bazel.build/modules/stardoc/0.7.1/MODULE.bazel": "3548faea4ee5dda5580f9af150e79d0f6aea934fc60c1cc50f4efdd9420759e7",
"https://bcr.bazel.build/modules/stardoc/0.7.2/MODULE.bazel": "fc152419aa2ea0f51c29583fab1e8c99ddefd5b3778421845606ee628629e0e5",
"https://bcr.bazel.build/modules/stardoc/0.7.2/source.json": "58b029e5e901d6802967754adf0a9056747e8176f017cfe3607c0851f4d42216",
"https://bcr.bazel.build/modules/swift_argument_parser/1.3.1.1/MODULE.bazel": "5e463fbfba7b1701d957555ed45097d7f984211330106ccd1352c6e0af0dcf91",
@@ -248,7 +222,6 @@
"https://bcr.bazel.build/modules/toolchains_protoc/0.4.1/MODULE.bazel": "05d6c16474a7a96002dd5512c444aa6965ebcf95f3e0c47001aa18269fbecec9",
"https://bcr.bazel.build/modules/toolchains_protoc/0.4.1/source.json": "474d926c8e845762faaa42e792fc66cd36794daee4c8af900f673fad0b403a8d",
"https://bcr.bazel.build/modules/upb/0.0.0-20220923-a547704/MODULE.bazel": "7298990c00040a0e2f121f6c32544bab27d4452f80d9ce51349b1a28f3005c43",
- "https://bcr.bazel.build/modules/upb/0.0.0-20230516-61a97ef/MODULE.bazel": "c0df5e35ad55e264160417fd0875932ee3c9dda63d9fccace35ac62f45e1b6f9",
"https://bcr.bazel.build/modules/yq.bzl/0.1.1/MODULE.bazel": "9039681f9bcb8958ee2c87ffc74bdafba9f4369096a2b5634b88abc0eaefa072",
"https://bcr.bazel.build/modules/yq.bzl/0.1.1/source.json": "2d2bad780a9f2b9195a4a370314d2c17ae95eaa745cefc2e12fbc49759b15aa3",
"https://bcr.bazel.build/modules/zlib/1.2.11/MODULE.bazel": "07b389abc85fdbca459b69e2ec656ae5622873af3f845e1c9d80fe179f3effa0",
diff --git a/build/bazel/go.MODULE.bazel b/build/bazel/go.MODULE.bazel
index f1e10f5..dfa5b91 100644
--- a/build/bazel/go.MODULE.bazel
+++ b/build/bazel/go.MODULE.bazel
@@ -184,6 +184,10 @@
],
},
"github.com/bytecodealliance/wasmtime-go/v14": {
+ # wasmtime brings its own BUILD files and for some reason,
+ # Bazel regenerates them in the nixos/nix container but not on
+ # NixOS. We disable replacing the existing directives to fix this.
+ "build_file_generation": "off",
"directives": [
"gazelle:go_naming_convention go_default_library",
],
diff --git a/build/bazel/toolchain.MODULE.bazel b/build/bazel/toolchain.MODULE.bazel
index f0434f5..f691078 100644
--- a/build/bazel/toolchain.MODULE.bazel
+++ b/build/bazel/toolchain.MODULE.bazel
@@ -3,17 +3,17 @@
http_archive(
name = "toolchain-bundle-x86_64-unknown-linux-musl",
build_file = "//build/toolchain/toolchain-bundle:toolchain-bundle.bzl",
- integrity = "sha256-tpbvNL5S4t2WLkcj027sghf8tEzVJFL1e5leyx8JkCI=",
+ integrity = "sha256-7wceZhsWdZLXT2KW05NmmbUCYKA+DmudjPqTO3qX29I=",
urls = [
- "https://storage.googleapis.com/monogon-infra-public/toolchain/toolchain-bundle-x86_64-unknown-linux-musl-release-25.05.ffdcefdde9a4e540d1c875767da0e382e1ccf460.tar.zst",
+ "https://storage.googleapis.com/monogon-infra-public/toolchain/9iv889bzlsg1dglkmqdnabak5ffbp2km-toolchain/toolchain-bundle-x86_64-unknown-linux-musl.tar.zst",
],
)
http_archive(
name = "toolchain-bundle-aarch64-unknown-linux-musl",
build_file = "//build/toolchain/toolchain-bundle:toolchain-bundle.bzl",
- integrity = "sha256-6caDQ8S+DGXHy2xSAhfRu5EXFLZ7NNqbtkY6o1i33F4=",
+ integrity = "sha256-7ckBNZ5186xDDsDlsUVMNIciY9nECfH70KoB/FUZKRc=",
urls = [
- "https://storage.googleapis.com/monogon-infra-public/toolchain/toolchain-bundle-aarch64-unknown-linux-musl-release-25.05.ffdcefdde9a4e540d1c875767da0e382e1ccf460.tar.zst",
+ "https://storage.googleapis.com/monogon-infra-public/toolchain/9iv889bzlsg1dglkmqdnabak5ffbp2km-toolchain/toolchain-bundle-aarch64-unknown-linux-musl.tar.zst",
],
)
diff --git a/build/toolchain/toolchain-bundle/BUILD.bazel b/build/toolchain/toolchain-bundle/BUILD.bazel
index 82437da..66de9f5 100644
--- a/build/toolchain/toolchain-bundle/BUILD.bazel
+++ b/build/toolchain/toolchain-bundle/BUILD.bazel
@@ -1,4 +1,7 @@
load("@rules_perl//perl:toolchain.bzl", "perl_toolchain")
+load("@rules_python//python:py_exec_tools_toolchain.bzl", "py_exec_tools_toolchain")
+load("@rules_python//python:py_runtime.bzl", "py_runtime")
+load("@rules_python//python:py_runtime_pair.bzl", "py_runtime_pair")
load(":toolchain.bzl", "SUPPORTED_TARGETS", "TOOLCHAINS", "toolchain_for")
package(default_visibility = ["//visibility:public"])
@@ -11,6 +14,42 @@
for name, config in TOOLCHAINS.items()
]
+[
+ [
+ py_runtime(
+ name = "rules_python_%s_python3_12_runtime" % target.tuple,
+ interpreter = "@toolchain-bundle-%s//:python3.12" % target.triple,
+ interpreter_version_info = {
+ "major": str(3),
+ "minor": str(12),
+ "micro": str(0),
+ },
+ python_version = "PY3",
+ ),
+ py_runtime_pair(
+ name = "rules_python_%s_python3_12_runtime_pair" % target.tuple,
+ py3_runtime = ":rules_python_%s_python3_12_runtime" % target.tuple,
+ ),
+ py_exec_tools_toolchain(
+ name = "rules_python_%s_python3_12_exec_tools_toolchain_impl" % target.tuple,
+ exec_interpreter = ":rules_python_%s_python3_12_runtime_pair" % target.tuple,
+ ),
+ toolchain(
+ name = "rules_python_%s_python3_12_runtime_toolchain" % target.tuple,
+ exec_compatible_with = target.constrain,
+ toolchain = ":rules_python_%s_python3_12_runtime_pair" % target.tuple,
+ toolchain_type = "@rules_python//python:toolchain_type",
+ ),
+ toolchain(
+ name = "rules_python_%s_python3_12_exec_tools_toolchain" % target.tuple,
+ exec_compatible_with = target.constrain,
+ toolchain = ":rules_python_%s_python3_12_exec_tools_toolchain_impl" % target.tuple,
+ toolchain_type = "@rules_python//python:exec_tools_toolchain_type",
+ ),
+ ]
+ for target in SUPPORTED_TARGETS
+]
+
# rules_perl wiring
[
diff --git a/build/toolchain/toolchain-bundle/toolchain-bundle.bzl b/build/toolchain/toolchain-bundle/toolchain-bundle.bzl
index 6ac17fb..c2de9d1 100644
--- a/build/toolchain/toolchain-bundle/toolchain-bundle.bzl
+++ b/build/toolchain/toolchain-bundle/toolchain-bundle.bzl
@@ -4,6 +4,32 @@
"**/*",
]))
+filegroup(
+ name = "python3.12",
+ srcs = [
+ ":bin/python3.12",
+ ],
+ data = glob([
+ "lib/python3.12/**",
+ ]),
+)
+
+filegroup(
+ name = "python3.12_headers",
+ srcs = glob([
+ "include/python3.12/**",
+ ]),
+)
+
+filegroup(
+ name = "python3.12_libs",
+ srcs = glob([
+ "lib/python3.12/**",
+ ]) + [
+ ":lib/libpython3.12.a",
+ ],
+)
+
# rules_perl expects all files as src entry, this does prevent us using
# $(execpath) which is why we have another filegroup that uses this as
# data dep.
diff --git a/shell.nix b/shell.nix
index 155726c..d57734f 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,56 +1,16 @@
# If you're on NixOS, use me! `nix-shell --pure`.
-{ pkgs ? (import ./third_party/nix { }), extraConf ? "" }:
-let
- wrapper = pkgs.writeScript "wrapper.sh"
- ''
- # Fancy colorful PS1 to make people notice easily they're in the Monogon Nix shell.
- PS1='\[\033]0;\u/monogon:\w\007\]'
- if type -P dircolors >/dev/null ; then
- PS1+='\[\033[01;35m\]\u/monogon\[\033[01;36m\] \w \$\[\033[00m\] '
- fi
- export PS1
+{ pkgs ? (import ./third_party/nix { }) }:
+pkgs.mkShell {
+ # Let some downstream machinery know we're on NixOS. This is used mostly to
+ # work around Bazel/NixOS interactions.
+ env.MONOGON_NIXOS="yep";
- # Use Nix-provided cert store.
- export NIX_SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- export SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-
- # Let some downstream machinery know we're on NixOS. This is used mostly to
- # work around Bazel/NixOS interactions.
- export MONOGON_NIXOS=yep
-
- # Convince rules_go to use /bin/bash and not a NixOS store bash which has
- # no idea how to resolve other things in the nix store once PATH is
- # stripped by (host_)action_env.
- export BAZEL_SH=/bin/bash
-
- # buildFHSEnv makes /etc a tmpfs and symlinks some files from host /etc.
- # Create some additional symlinks for files we want from host /etc.
- for i in bazel.bazelrc gitconfig; do
- if [[ -e "/.host-etc/$i" ]] && [[ ! -e "/etc/$i" ]]; then
- ln -s "/.host-etc/$i" "/etc/$i"
- fi
- done
-
- ${extraConf}
-
- # Allow passing a custom command via env since nix-shell doesn't support
- # this yet: https://github.com/NixOS/nix/issues/534
- if [ ! -n "$COMMAND" ]; then
- COMMAND="bash --noprofile --norc"
- fi
- exec $COMMAND
- '';
-in
-(pkgs.buildFHSEnv {
- name = "monogon-nix";
- targetPkgs = targetPkgs: with targetPkgs; [
- bazel-unwrapped # Our custom bazel package based on upstream
- zlib # Bazel dependency
+ buildInputs = with pkgs; [
+ bazel_8 # Our custom bazel package
python3 # Workspace status script
git # Bazel expects git to be available
gnupg # our gopass integration requires gpg in the PATH
niv # For updating third_party/nix
google-cloud-sdk # Pushing containers to GCR
];
- runScript = wrapper;
-}).env
+}
diff --git a/third_party/edk2/def.bzl b/third_party/edk2/def.bzl
index 3e8c09f..b1a8bd6 100644
--- a/third_party/edk2/def.bzl
+++ b/third_party/edk2/def.bzl
@@ -16,6 +16,7 @@
]
def _edk2_impl(ctx):
+ py_runtime = ctx.toolchains["@bazel_tools//tools/python:toolchain_type"].py3_runtime
_, libuuid_gen = detect_roots(ctx.attr._libuuid[CcInfo].compilation_context.direct_public_headers)
extra_env = {
"HOSTLDFLAGS": " -L ".join(
@@ -32,6 +33,7 @@
),
"CROSS_LIB_UUID_INC": libuuid_gen.rsplit("/", 1)[0],
"CROSS_LIB_UUID": detect_root(ctx.attr._libuuid.files.to_list()).rsplit("/", 1)[0],
+ "PYTHON_COMMAND": py_runtime.interpreter.path,
}
inputs = depset(
@@ -72,7 +74,7 @@
vars = ctx.actions.declare_file("VARS.fd")
ctx.actions.run_shell(
outputs = [code, vars],
- inputs = depset(transitive = [inputs, toolchain_inputs]),
+ inputs = depset(transitive = [inputs, toolchain_inputs, py_runtime.files]),
env = merge_env(toolchain_env, extra_env),
progress_message = "Building EDK2 firmware",
mnemonic = "BuildEDK2Firmware",
@@ -135,5 +137,7 @@
),
},
fragments = ["cpp"],
- toolchains = TOOLCHAINS + use_cc_toolchain(),
+ toolchains = [
+ "@bazel_tools//tools/python:toolchain_type",
+ ] + TOOLCHAINS + use_cc_toolchain(),
)
diff --git a/third_party/nix/default.nix b/third_party/nix/default.nix
index eab83d7..726119e 100644
--- a/third_party/nix/default.nix
+++ b/third_party/nix/default.nix
@@ -9,6 +9,7 @@
util-linux-minimal = import ./pkgs/util-linux { pkgs = super; };
bazel-unwrapped = import ./pkgs/bazel { pkgs = super; };
perl = import ./pkgs/perl { pkgs = super; };
+ bazel_8 = self.callPackage ./pkgs/bazel_8/package.nix { };
python3Minimal = import ./pkgs/python3 { pkgs = super; };
bison = import ./pkgs/bison { pkgs = super; };
})
diff --git a/third_party/nix/pkgs/bazel/bazel-inner.sh b/third_party/nix/pkgs/bazel/bazel-inner.sh
deleted file mode 100755
index 7b978bc..0000000
--- a/third_party/nix/pkgs/bazel/bazel-inner.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/bash
-function get_workspace_root() {
- workspace_dir="${PWD}"
- while [[ "${workspace_dir}" != / ]]; do
- if [[ -e "${workspace_dir}/WORKSPACE" || -e "${workspace_dir}/WORKSPACE.bazel" || -e "${workspace_dir}/MODULE.bazel" ]]; then
- readonly workspace_dir
- return
- fi
- workspace_dir="$(dirname "${workspace_dir}")"
- done
- readonly workspace_dir=""
-}
-
-get_workspace_root
-readonly wrapper="${workspace_dir}/tools/bazel"
-if [ -f "${wrapper}" ]; then
- exec -a "$0" "${wrapper}" "$@"
-fi
-exec -a "$0" "${BAZEL_REAL}" "$@"
diff --git a/third_party/nix/pkgs/bazel/default.nix b/third_party/nix/pkgs/bazel/default.nix
deleted file mode 100644
index c181db3..0000000
--- a/third_party/nix/pkgs/bazel/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ pkgs }: with pkgs;
-stdenv.mkDerivation {
- name = "bazel";
- src = builtins.fetchurl {
- url = "https://github.com/bazelbuild/bazel/releases/download/8.3.1/bazel-8.3.1-linux-x86_64";
- sha256 = "0k3067d06b8160day48afskr42c41bz0qgb3pk9mjpr4hj57w90p";
- };
- unpackPhase = ''
- true
- '';
- nativeBuildInputs = [ makeWrapper ];
- buildPhase = ''
- mkdir -p $out/bin
- cp $src $out/bin/.bazel-inner
- chmod +x $out/bin/.bazel-inner
-
- cp ${./bazel-inner.sh} $out/bin/bazel
- chmod +x $out/bin/bazel
-
- # Use wrapProgram to set the actual bazel path
- wrapProgram $out/bin/bazel --set BAZEL_REAL $out/bin/.bazel-inner
- '';
- dontStrip = true;
-}
diff --git a/third_party/nix/pkgs/bazel_8/LICENSE b/third_party/nix/pkgs/bazel_8/LICENSE
new file mode 100644
index 0000000..6d47368
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2003-2025 Eelco Dolstra and the Nixpkgs/NixOS contributors
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/third_party/nix/pkgs/bazel_8/README.md b/third_party/nix/pkgs/bazel_8/README.md
new file mode 100644
index 0000000..000f0b8
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/README.md
@@ -0,0 +1,6 @@
+# Bazel 8 Nix Package
+
+This build is based on https://github.com/NixOS/nixpkgs/pull/400941, the only
+difference being the addition of `bash` to the default shell environment. As
+soon as the PR is merged, we can replace it with a small override to inject
+bash into the dependencies.
\ No newline at end of file
diff --git a/third_party/nix/pkgs/bazel_8/bazel-execlog.sh b/third_party/nix/pkgs/bazel_8/bazel-execlog.sh
new file mode 100644
index 0000000..7a6fd6c
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/bazel-execlog.sh
@@ -0,0 +1,3 @@
+#!@runtimeShell@
+
+exec @binJava@ -jar @out@/share/parser_deploy.jar "$@"
diff --git a/third_party/nix/pkgs/bazel_8/build-support/bazelDerivation.nix b/third_party/nix/pkgs/bazel_8/build-support/bazelDerivation.nix
new file mode 100644
index 0000000..0d6b3ca
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/build-support/bazelDerivation.nix
@@ -0,0 +1,72 @@
+{ stdenv
+, lndir
+, lib
+,
+}:
+
+args@{ bazel
+, registry ? null
+, bazelRepoCache ? null
+, bazelVendorDeps ? null
+, startupArgs ? [ ]
+, commandArgs ? [ ]
+, bazelPreBuild ? ""
+, bazelPostBuild ? ""
+, serverJavabase ? null
+, targets
+, command
+, ...
+}:
+
+stdenv.mkDerivation (
+ {
+ preBuildPhases = [ "preBuildPhase" ];
+ preBuildPhase =
+ (lib.optionalString (bazelRepoCache != null) ''
+ # repo_cache needs to be writeable even in air-gapped builds
+ mkdir repo_cache
+ ${lndir}/bin/lndir -silent ${bazelRepoCache}/repo_cache repo_cache
+ '')
+
+ + (lib.optionalString (bazelVendorDeps != null) ''
+ mkdir vendor_dir
+ ${lndir}/bin/lndir -silent ${bazelVendorDeps}/vendor_dir vendor_dir
+
+ # pin all deps to avoid re-fetch attempts by Bazel
+ rm vendor_dir/VENDOR.bazel
+ find vendor_dir -maxdepth 1 -type d -printf "pin(\"@@%P\")\n" > vendor_dir/VENDOR.bazel
+ '')
+ # keep preBuildPhase always defined as it is listed in preBuildPhases
+ + ''
+ true
+ '';
+ buildPhase = ''
+ runHook preBuild
+
+ export HOME=$(mktemp -d)
+
+ ${bazelPreBuild}
+
+ ${bazel}/bin/bazel ${
+ lib.strings.concatStringsSep " " (
+ lib.optional (serverJavabase != null) "--server_javabase=${serverJavabase}"
+ ++ [ "--batch" ]
+ ++ startupArgs
+ )
+ } ${command} ${
+ lib.strings.concatStringsSep " " (
+ lib.optional (registry != null) "--registry=file://${registry}"
+ ++ lib.optional (bazelRepoCache != null) "--repository_cache=repo_cache"
+ ++ lib.optional (bazelVendorDeps != null) "--vendor_dir=vendor_dir"
+ ++ commandArgs
+ )
+ } ${lib.strings.concatStringsSep " " targets}
+
+ ${bazelPostBuild}
+
+ runHook postBuild
+ '';
+
+ }
+ // args
+)
diff --git a/third_party/nix/pkgs/bazel_8/build-support/bazelPackage.nix b/third_party/nix/pkgs/bazel_8/build-support/bazelPackage.nix
new file mode 100644
index 0000000..ee33b6e
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/build-support/bazelPackage.nix
@@ -0,0 +1,164 @@
+{ callPackage
+, gnugrep
+, lib
+, autoPatchelfHook
+, stdenv
+,
+}:
+
+{ name
+, src
+, sourceRoot ? null
+, version ? null
+, targets
+, bazel
+, startupArgs ? [ ]
+, commandArgs ? [ ]
+, env ? { }
+, serverJavabase ? null
+, registry ? null
+, bazelRepoCacheFOD ? {
+ outputHash = null;
+ outputHashAlgo = "sha256";
+ }
+, bazelVendorDepsFOD ? {
+ outputHash = null;
+ outputHashAlgo = "sha256";
+ }
+, installPhase
+, buildInputs ? [ ]
+, nativeBuildInputs ? [ ]
+, autoPatchelfIgnoreMissingDeps ? null
+,
+}:
+let
+ # FOD produced by `bazel fetch`
+ # Repo cache contains content-addressed external Bazel dependencies without any patching
+ # Potentially this can be nixified via --experimental_repository_resolved_file
+ # (Note: file itself isn't reproducible because it has lots of extra info and order
+ # isn't stable too. Parsing it into nix fetch* commands isn't trivial but might be possible)
+ bazelRepoCache =
+ if bazelRepoCacheFOD.outputHash == null then
+ null
+ else
+ (callPackage ./bazelDerivation.nix { } {
+ name = "bazelRepoCache";
+ inherit (bazelRepoCacheFOD) outputHash outputHashAlgo;
+ inherit
+ src
+ version
+ sourceRoot
+ env
+ buildInputs
+ nativeBuildInputs
+ ;
+ inherit registry;
+ inherit
+ bazel
+ targets
+ startupArgs
+ serverJavabase
+ ;
+ command = "fetch";
+ outputHashMode = "recursive";
+ commandArgs = [ "--repository_cache repo_cache" ] ++ commandArgs;
+ bazelPreBuild = ''
+ mkdir repo_cache
+ '';
+ installPhase = ''
+ mkdir -p $out/repo_cache
+ cp -r --reflink=auto repo_cache/* $out/repo_cache
+ '';
+ });
+ # Stage1: FOD produced by `bazel vendor`, Stage2: eventual patchelf or other tuning
+ # Vendor deps contains unpacked&patches external dependencies, this may need Nix-specific
+ # patching to address things like
+ # - broken symlinks
+ # - symlinks or other references to absolute nix store paths which isn't allowed for FOD
+ # - autoPatchelf for externally-fetched binaries
+ #
+ # Either repo cache or vendor deps should be enough to build a given package
+ bazelVendorDeps =
+ if bazelVendorDepsFOD.outputHash == null then
+ null
+ else
+ (
+ let
+ stage1 = callPackage ./bazelDerivation.nix { } {
+ name = "bazelVendorDepsStage1";
+ inherit (bazelVendorDepsFOD) outputHash outputHashAlgo;
+ inherit
+ src
+ version
+ sourceRoot
+ env
+ buildInputs
+ nativeBuildInputs
+ ;
+ inherit registry;
+ inherit
+ bazel
+ targets
+ startupArgs
+ serverJavabase
+ ;
+ dontFixup = true;
+ command = "vendor";
+ outputHashMode = "recursive";
+ commandArgs = [ "--vendor_dir vendor_dir" ] ++ commandArgs;
+ bazelPreBuild = ''
+ mkdir vendor_dir
+ '';
+ bazelPostBuild = ''
+ # remove symlinks that point to locations under bazel_src/
+ find vendor_dir -type l -lname "$HOME/*" -exec rm '{}' \;
+ # remove symlinks to temp build directory on darwin
+ find vendor_dir -type l -lname "/private/var/tmp/*" -exec rm '{}' \;
+ # remove broken symlinks
+ find vendor_dir -xtype l -exec rm '{}' \;
+
+ # remove .marker files referencing NIX_STORE as those references aren't allowed in FOD
+ (${gnugrep}/bin/grep -rI "$NIX_STORE/" vendor_dir --files-with-matches --include="*.marker" --null || true) \
+ | xargs -0 --no-run-if-empty rm
+ '';
+ installPhase = ''
+ mkdir -p $out/vendor_dir
+ cp -r --reflink=auto vendor_dir/* $out/vendor_dir
+ '';
+
+ };
+ in
+ stdenv.mkDerivation {
+ name = "bazelVendorDeps";
+ buildInputs = lib.optional (!stdenv.hostPlatform.isDarwin) autoPatchelfHook ++ buildInputs;
+ inherit autoPatchelfIgnoreMissingDeps;
+ src = stage1;
+ installPhase = ''
+ cp -r . $out
+ '';
+ }
+ );
+
+ package = callPackage ./bazelDerivation.nix { } {
+ inherit
+ name
+ src
+ version
+ sourceRoot
+ env
+ buildInputs
+ nativeBuildInputs
+ ;
+ inherit registry bazelRepoCache bazelVendorDeps;
+ inherit
+ bazel
+ targets
+ startupArgs
+ serverJavabase
+ commandArgs
+ ;
+ inherit installPhase;
+ command = "build";
+ };
+in
+package // { passthru = { inherit bazelRepoCache bazelVendorDeps; }; }
diff --git a/third_party/nix/pkgs/bazel_8/build-support/patching.nix b/third_party/nix/pkgs/bazel_8/build-support/patching.nix
new file mode 100644
index 0000000..f43065b
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/build-support/patching.nix
@@ -0,0 +1,24 @@
+{ stdenv
+,
+}:
+{
+ # If there's a need to patch external dependencies managed by Bazel
+ # one option is to configure patches on Bazel level. Bazel doesn't
+ # allow patches to be in absolute paths so this helper will produce
+ # sources patch that adds given file to given location
+ addFilePatch =
+ { path
+ , file
+ ,
+ }:
+ stdenv.mkDerivation {
+ name = "add_file.patch";
+ dontUnpack = true;
+ buildPhase = ''
+ mkdir -p $(dirname "${path}")
+ cp ${file} "${path}"
+ diff -u /dev/null "${path}" >result.patch || true # diff exit code is non-zero if there's a diff
+ '';
+ installPhase = ''cp result.patch $out'';
+ };
+}
diff --git a/third_party/nix/pkgs/bazel_8/defaultShell.nix b/third_party/nix/pkgs/bazel_8/defaultShell.nix
new file mode 100644
index 0000000..0deb516
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/defaultShell.nix
@@ -0,0 +1,41 @@
+{ lib
+, makeBinaryWrapper
+, writeShellApplication
+, bash
+, stdenv
+,
+}:
+{ defaultShellUtils }:
+let
+ defaultShellPath = lib.makeBinPath defaultShellUtils;
+
+ bashWithDefaultShellUtilsSh = writeShellApplication {
+ name = "bash";
+ runtimeInputs = defaultShellUtils;
+ # Empty PATH in Nixpkgs Bash is translated to /no-such-path
+ # On other distros empty PATH search fallback is looking in standard
+ # locations like /bin,/usr/bin
+ # For Bazel many rules rely on such search finding some common utils,
+ # so we provide them in case rules or arguments didn't specify a precise PATH
+ text = ''
+ if [[ "$PATH" == "/no-such-path" ]]; then
+ export PATH=${defaultShellPath}
+ fi
+ exec ${bash}/bin/bash "$@"
+ '';
+ };
+
+in
+{
+ inherit defaultShellUtils defaultShellPath;
+ # Script-based interpreters in shebangs aren't guaranteed to work,
+ # especially on MacOS. So let's produce a binary
+ bashWithDefaultShellUtils = stdenv.mkDerivation {
+ name = "bash";
+ src = bashWithDefaultShellUtilsSh;
+ nativeBuildInputs = [ makeBinaryWrapper ];
+ buildPhase = ''
+ makeWrapper ${bashWithDefaultShellUtilsSh}/bin/bash $out/bin/bash
+ '';
+ };
+}
diff --git a/third_party/nix/pkgs/bazel_8/examples.nix b/third_party/nix/pkgs/bazel_8/examples.nix
new file mode 100644
index 0000000..18b3647
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/examples.nix
@@ -0,0 +1,116 @@
+{ fetchFromGitHub
+, lib
+, bazel_8
+, libgcc
+, cctools
+, stdenv
+, jdk_headless
+, callPackage
+, zlib
+,
+}:
+let
+ bazelPackage = callPackage ./build-support/bazelPackage.nix { };
+ registry = fetchFromGitHub {
+ owner = "bazelbuild";
+ repo = "bazel-central-registry";
+ rev = "9342d3ec42ebafc2c06c33aa9d83b25ed984ebb1";
+ sha256 = "sha256-VT63Y8w9BawBXl5xgujG4Gv3SEGbUADGVsNPdUoDvsY=";
+ };
+ src = fetchFromGitHub {
+ owner = "bazelbuild";
+ repo = "examples";
+ rev = "568db753be213cc4be6c599e54ca64061ddbe6da";
+ sha256 = "sha256-F+iKi82uGWmJ+ICpITePdsA1SkncavSdgLkOKMr5LwM=";
+ };
+in
+{
+ java = bazelPackage {
+ inherit src registry;
+ sourceRoot = "source/java-tutorial";
+ name = "java-tutorial";
+ targets = [ "//:ProjectRunner" ];
+ bazel = bazel_8;
+ commandArgs = [
+ "--extra_toolchains=@@rules_java++toolchains+local_jdk//:all"
+ "--tool_java_runtime_version=local_jdk_21"
+ ];
+ env = {
+ JAVA_HOME = jdk_headless.home;
+ USE_BAZEL_VERSION = bazel_8.version;
+ };
+ installPhase = ''
+ mkdir $out
+ cp bazel-bin/ProjectRunner.jar $out/
+ '';
+ nativeBuildInputs = lib.optional (stdenv.hostPlatform.isDarwin) cctools;
+ bazelRepoCacheFOD = {
+ outputHash = lib.attrsets.attrByPath [ stdenv.hostPlatform.system ] null {
+ x86_64-linux = "sha256-64Ze+t0UYR2qQNECWes27SjzdkP+z5eJsCAO+OR+h/o=";
+ x86_64-darwin = lib.fakeHash;
+ aarch64-linux = "sha256-vEcOTdJM2YYle3PijKwroyM7LpfyK/3k/egRKDbjsmU=";
+ aarch64-darwin = "sha256-ya85EJikYXWpjtlgNu7i0DqtACgZBsppGEv3SVoJ6JA=";
+ };
+ outputHashAlgo = "sha256";
+ };
+ };
+ cpp = bazelPackage {
+ inherit src registry;
+ sourceRoot = "source/cpp-tutorial/stage3";
+ name = "cpp-tutorial";
+ targets = [ "//main:hello-world" ];
+ bazel = bazel_8;
+ installPhase = ''
+ mkdir $out
+ cp bazel-bin/main/hello-world $out/
+ '';
+ nativeBuildInputs = lib.optional (stdenv.hostPlatform.isDarwin) cctools;
+ commandArgs = lib.optionals (stdenv.hostPlatform.isDarwin) [
+ "--host_cxxopt=-xc++"
+ "--cxxopt=-xc++"
+ ];
+ env = {
+ USE_BAZEL_VERSION = bazel_8.version;
+ };
+ bazelRepoCacheFOD = {
+ outputHash =
+ {
+ x86_64-linux = "sha256-oPPWQdflAPMxF9YPazC//r0R3Sh6fUmNQe0oLM5EBUI=";
+ aarch64-linux = "sha256-oPPWQdflAPMxF9YPazC//r0R3Sh6fUmNQe0oLM5EBUI=";
+ aarch64-darwin = "sha256-oPPWQdflAPMxF9YPazC//r0R3Sh6fUmNQe0oLM5EBUI=";
+ x86_64-darwin = lib.fakeHash;
+ }.${stdenv.hostPlatform.system};
+ outputHashAlgo = "sha256";
+ };
+ };
+ rust = bazelPackage {
+ inherit src registry;
+ sourceRoot = "source/rust-examples/01-hello-world";
+ name = "rust-examples-01-hello-world";
+ targets = [ "//:bin" ];
+ bazel = bazel_8;
+ env = {
+ USE_BAZEL_VERSION = bazel_8.version;
+ };
+ installPhase = ''
+ mkdir $out
+ cp bazel-bin/bin $out/hello-world
+ '';
+ buildInputs = [
+ zlib
+ libgcc
+ ];
+ nativeBuildInputs = lib.optional (stdenv.hostPlatform.isDarwin) cctools;
+ autoPatchelfIgnoreMissingDeps = [ "librustc_driver-*.so" ];
+ bazelVendorDepsFOD = {
+ outputHash =
+ {
+ aarch64-linux = "sha256-2xopm/OCg9A1LqoW1ZesQc5pF/vX0ToIj1JYMtweVR0=";
+ x86_64-linux = "sha256-v987hMC6w2Lwr/PZn2zGHhHmXzecI2koLjOmGz0Mzng=";
+ aarch64-darwin = "sha256-sS7PzLI44dX7P0PY/68YjRSDkNJ6w5BklJNsXPHuOPc=";
+ x86_64-darwin = lib.fakeHash;
+ }.${stdenv.hostPlatform.system};
+ outputHashAlgo = "sha256";
+ };
+ };
+}
diff --git a/third_party/nix/pkgs/bazel_8/package.nix b/third_party/nix/pkgs/bazel_8/package.nix
new file mode 100644
index 0000000..7a27697
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/package.nix
@@ -0,0 +1,355 @@
+{ stdenv
+, callPackage
+, # nix tooling and utilities
+ darwin
+, lib
+, fetchzip
+, fetchpatch
+, makeWrapper
+, writeTextFile
+, replaceVars
+, # native build inputs
+ runtimeShell
+, zip
+, unzip
+, bash
+, coreutils
+, which
+, gawk
+, gnused
+, gnutar
+, gnugrep
+, gzip
+, findutils
+, diffutils
+, gnupatch
+, file
+, installShellFiles
+, python3
+, # Apple dependencies
+ cctools
+, # Allow to independently override the jdks used to build and run respectively
+ jdk_headless
+, # Toggle for hacks for running bazel under buildBazelPackage:
+ # Always assume all markers valid (this is needed because we remove markers; they are non-deterministic).
+ # Also, don't clean up environment variables (so that NIX_ environment variables are passed to compilers).
+ version ? "8.3.1"
+,
+}:
+
+let
+ inherit (callPackage ./build-support/patching.nix { }) addFilePatch;
+ inherit (stdenv.hostPlatform) isDarwin isAarch64;
+
+ bazelSystem = if isDarwin then "darwin" else "linux";
+
+ # on aarch64 Darwin, `uname -m` returns "arm64"
+ bazelArch = if isDarwin && isAarch64 then "arm64" else stdenv.hostPlatform.parsed.cpu.name;
+
+ src = fetchzip {
+ url = "https://github.com/bazelbuild/bazel/releases/download/${version}/bazel-${version}-dist.zip";
+ hash = "sha256-Hiny31S+YF7JdKjxzCyKdw3J/3OdDwsKeOkppfvWrNI=";
+ stripRoot = false;
+ };
+
+ defaultShellUtils =
+ # Keep this list conservative. For more exotic tools, prefer to use
+ # @rules_nixpkgs to pull in tools from the nix repository. Example:
+ #
+ # WORKSPACE:
+ #
+ # nixpkgs_git_repository(
+ # name = "nixpkgs",
+ # revision = "def5124ec8367efdba95a99523dd06d918cb0ae8",
+ # )
+ #
+ # # This defines an external Bazel workspace.
+ # nixpkgs_package(
+ # name = "bison",
+ # repositories = { "nixpkgs": "@nixpkgs//:default.nix" },
+ # )
+ #
+ # some/BUILD.bazel:
+ #
+ # genrule(
+ # ...
+ # cmd = "$(location @bison//:bin/bison) -other -args",
+ # tools = [
+ # ...
+ # "@bison//:bin/bison",
+ # ],
+ # )
+ [
+ coreutils
+ diffutils
+ file
+ findutils
+ gawk
+ gnugrep
+ gnupatch
+ gnused
+ gnutar
+ gzip
+ unzip
+ which
+ zip
+ bash
+ ];
+ defaultShell = callPackage ./defaultShell.nix { } { inherit defaultShellUtils; };
+
+ commandArgs =
+ [
+ "--nobuild_python_zip"
+ "--features=-module_maps"
+ "--host_features=-module_maps"
+ "--announce_rc"
+ "--verbose_failures"
+ "--curses=no"
+ ]
+ ++ lib.optionals (isDarwin) [
+ "--macos_sdk_version=${stdenv.hostPlatform.darwinMinVersion}"
+ "--cxxopt=-isystem"
+ "--cxxopt=${lib.getDev stdenv.cc.libcxx}/include/c++/v1"
+ "--host_cxxopt=-isystem"
+ "--host_cxxopt=${lib.getDev stdenv.cc.libcxx}/include/c++/v1"
+ "--copt=-isystem"
+ "--copt=${lib.getDev darwin.libresolv}/include"
+ "--host_copt=-isystem"
+ "--host_copt=${lib.getDev darwin.libresolv}/include"
+ ];
+
+in
+stdenv.mkDerivation rec {
+ pname = "bazel";
+ inherit version src;
+
+ darwinPatches = [
+ # Bazel integrates with apple IOKit to inhibit and track system sleep.
+ # Inside the darwin sandbox, these API calls are blocked, and bazel
+ # crashes. It seems possible to allow these APIs inside the sandbox, but it
+ # feels simpler to patch bazel not to use it at all. So our bazel is
+ # incapable of preventing system sleep, which is a small price to pay to
+ # guarantee that it will always run in any nix context.
+ #
+ # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses
+ # NIX_BUILD_TOP env var to conditionnally disable sleep features inside the
+ # sandbox.
+ #
+ # If you want to investigate the sandbox profile path,
+ # IORegisterForSystemPower can be allowed with
+ #
+ # propagatedSandboxProfile = ''
+ # (allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
+ # '';
+ #
+ # I do not know yet how to allow IOPMAssertion{CreateWithName,Release}
+ ./patches/darwin_sleep.patch
+
+ # Fix DARWIN_XCODE_LOCATOR_COMPILE_COMMAND by removing multi-arch support.
+ # Nixpkgs toolcahins do not support that (yet?) and get confused.
+ # Also add an explicit /usr/bin prefix that will be patched below.
+ (replaceVars ./patches/xcode.patch {
+ usrBinEnv = "${coreutils}/bin/env";
+ clangDarwin = "${stdenv.cc}/bin/clang";
+ codesign = "${darwin.sigtool}/bin/codesign";
+ })
+
+ # Revert preference for apple_support over rules_cc toolchain for now
+ # will need to figure out how to build with apple_support toolchain later
+ ./patches/apple_cc_toolchain.patch
+
+ # On Darwin, the last argument to gcc is coming up as an empty string. i.e: ''
+ # This is breaking the build of any C target. This patch removes the last
+ # argument if it's found to be an empty string.
+ ./patches/trim-last-argument-to-gcc-if-empty.patch
+
+ # fdopen() compilation fix
+ (fetchpatch {
+ url = "https://github.com/madler/zlib/commit/4bd9a71f3539b5ce47f0c67ab5e01f3196dc8ef9.patch";
+ hash = "sha256-wlZY0/XqND5Fk+SJkUCUj7XhGVwUJw/VqVGAlDdqOhs=";
+ stripLen = 1;
+ extraPrefix = "third_party/zlib/";
+ })
+ ];
+
+ patches = lib.optionals isDarwin darwinPatches ++ [
+ # patch that propagates rules_* patches below
+ # patches need to be within source root and can't be absolute paths in Nix store
+ # so rules_* patches are injected via addFilePatch
+ ./patches/deps_patches.patch
+ (addFilePatch {
+ path = "b/third_party/rules_python.patch";
+ file = replaceVars ./patches/rules_python.patch {
+ usrBinEnv = "${coreutils}/bin/env";
+ };
+ })
+ (addFilePatch {
+ path = "b/third_party/rules_java.patch";
+ file = replaceVars ./patches/rules_java.patch {
+ defaultBash = "${defaultShell.bashWithDefaultShellUtils}/bin/bash";
+ };
+ })
+ # Suggested for upstream in https://github.com/bazelbuild/bazel/pull/25936
+ ./patches/build_execlog_parser.patch
+ # Part of suggestion for upstream in https://github.com/bazelbuild/bazel/pull/25934
+ ./patches/env_bash.patch
+ # Suggested for upstream in https://github.com/bazelbuild/bazel/pull/25935
+ ./patches/gen_completion.patch
+
+ # --experimental_strict_action_env (which may one day become the default
+ # see bazelbuild/bazel#2574) hardcodes the default
+ # action environment to a non hermetic value (e.g. "/usr/local/bin").
+ # This is non hermetic on non-nixos systems. On NixOS, bazel cannot find the required binaries.
+ # So we are replacing this bazel paths by defaultShellPath,
+ # improving hermeticity and making it work in nixos.
+ (replaceVars ./patches/strict_action_env.patch {
+ strictActionEnvPatch = defaultShell.defaultShellPath;
+ })
+
+ (replaceVars ./patches/default_bash.patch {
+ defaultBash = "${defaultShell.bashWithDefaultShellUtils}/bin/bash";
+ })
+
+ (replaceVars ./patches/md5sum.patch {
+ md5sum = "${coreutils}/bin/md5sum";
+ })
+
+ # Nix build sandbox can configure custom PATH but doesn't have
+ # /usr/bin/env which is unfortunate https://github.com/NixOS/nixpkgs/issues/6227
+ # and we need to do a silly patch
+ (replaceVars ./patches/usr_bin_env.patch {
+ usrBinEnv = "${coreutils}/bin/env";
+ })
+
+ # Provide default JRE for Bazel process by setting --server_javabase=
+ # in a new default system bazelrc file
+ (replaceVars ./patches/bazel_rc.patch {
+ bazelSystemBazelRCPath = replaceVars ./system.bazelrc {
+ serverJavabase = jdk_headless;
+ };
+ })
+ ];
+
+ meta = with lib; {
+ homepage = "https://github.com/bazelbuild/bazel/";
+ description = "Build tool that builds code quickly and reliably";
+ sourceProvenance = with sourceTypes; [
+ fromSource
+ binaryBytecode # source bundles dependencies as jars
+ ];
+ license = licenses.asl20;
+ teams = [ lib.teams.bazel ];
+ mainProgram = "bazel";
+ platforms = lib.platforms.linux ++ lib.platforms.darwin;
+ };
+
+ nativeBuildInputs =
+ [
+ makeWrapper
+ jdk_headless
+ python3
+ unzip
+ which
+
+ # Shell completion
+ installShellFiles
+ python3.pkgs.absl-py # Needed to build fish completion
+ ]
+ # Needed for execlog
+ ++ lib.optional (!stdenv.hostPlatform.isDarwin) stdenv.cc
+ ++ lib.optional (stdenv.hostPlatform.isDarwin) cctools;
+
+ buildPhase = ''
+ runHook preBuild
+ export HOME=$(mktemp -d)
+
+ # If EMBED_LABEL isn't set, it'd be auto-detected from CHANGELOG.md
+ # and `git rev-parse --short HEAD` which would result in
+ # "3.7.0- (@non-git)" due to non-git build and incomplete changelog.
+ # Actual bazel releases use scripts/release/common.sh which is based
+ # on branch/tag information which we don't have with tarball releases.
+ # Note that .bazelversion is always correct and is based on bazel-*
+ # executable name, version checks should work fine
+ export EMBED_LABEL="${version}"
+
+ echo "Stage 1 - Running bazel bootstrap script"
+ export EXTRA_BAZEL_ARGS="${lib.strings.concatStringsSep " " commandArgs}"
+
+ ${bash}/bin/bash ./compile.sh
+
+ # XXX: get rid of this, or move it to another stage.
+ # It is plain annoying when builds fail.
+ echo "Stage 2 - Generate bazel completions"
+ ${bash}/bin/bash ./scripts/generate_bash_completion.sh \
+ --bazel=./output/bazel \
+ --output=./output/bazel-complete.bash \
+ --prepend=./scripts/bazel-complete-header.bash \
+ --prepend=./scripts/bazel-complete-template.bash
+ ${python3}/bin/python3 ./scripts/generate_fish_completion.py \
+ --bazel=./output/bazel \
+ --output=./output/bazel-complete.fish
+
+ runHook postBuild
+ '';
+
+ installPhase = ''
+ runHook preInstall
+
+ # Bazel binary contains zip archive, which contains text files and a jar
+ # both of which can have store references that might be obscured to Nix
+ # builder in packaged form, so we unpack and extract those references
+
+ # Note: grep isn't necessarily 100% accurate, other approaches could be
+ # to disassemble Jar (slow) or hardcode known references
+ mkdir -p $out/nix-support
+ INSTALL_BASE=$(./output/bazel --batch info install_base)
+ find "$INSTALL_BASE" -type f -exec \
+ ${gnugrep}/bin/grep --text --only-matching --no-filename "$NIX_STORE/[^/]*" '{}' \; \
+ | sort -u >> $out/nix-support/depends
+
+ mkdir -p $out/bin
+
+ # official wrapper scripts that searches for $WORKSPACE_ROOT/tools/bazel if
+ # it can’t find something in tools, it calls
+ # $out/bin/bazel-{version}-{os_arch} The binary _must_ exist with this
+ # naming if your project contains a .bazelversion file.
+ cp ./scripts/packages/bazel.sh $out/bin/bazel
+ versioned_bazel="$out/bin/bazel-${version}-${bazelSystem}-${bazelArch}"
+ mv ./output/bazel "$versioned_bazel"
+ wrapProgram "$versioned_bazel" --suffix PATH : ${defaultShell.defaultShellPath}
+
+ mkdir $out/share
+ cp ./output/parser_deploy.jar $out/share/parser_deploy.jar
+ substitute ${./bazel-execlog.sh} $out/bin/bazel-execlog \
+ --subst-var out \
+ --subst-var-by runtimeShell ${runtimeShell} \
+ --subst-var-by javaBin ${jdk_headless}/bin/java
+ chmod +x $out/bin/bazel-execlog
+
+ # shell completion files
+ installShellCompletion --bash \
+ --name bazel.bash \
+ ./output/bazel-complete.bash
+ installShellCompletion --zsh \
+ --name _bazel \
+ ./scripts/zsh_completion/_bazel
+ installShellCompletion --fish \
+ --name bazel.fish \
+ ./output/bazel-complete.fish
+ '';
+
+ postFixup =
+ # verify that bazel binary still works post-fixup
+ ''
+ USE_BAZEL_VERSION=${version} $out/bin/bazel --batch info release
+ '';
+
+ # Bazel binary includes zip archive at the end that `strip` would end up discarding
+ stripExclude = [ "bin/.bazel-${version}-*-wrapped" ];
+
+ passthru = {
+ tests = {
+ inherit (callPackage ./examples.nix { }) cpp java rust;
+ };
+ };
+}
diff --git a/third_party/nix/pkgs/bazel_8/patches/apple_cc_toolchain.patch b/third_party/nix/pkgs/bazel_8/patches/apple_cc_toolchain.patch
new file mode 100644
index 0000000..32d5b5b
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/apple_cc_toolchain.patch
@@ -0,0 +1,19 @@
+diff --git a/MODULE.bazel b/MODULE.bazel
+index 11a6075175..f53f0c732b 100644
+--- a/MODULE.bazel
++++ b/MODULE.bazel
+@@ -35,10 +35,10 @@ bazel_dep(name = "with_cfg.bzl", version = "0.6.0")
+ bazel_dep(name = "abseil-cpp", version = "20240722.0.bcr.2")
+ bazel_dep(name = "rules_shell", version = "0.2.0")
+
+-# Depend on apple_support first and then rules_cc so that the Xcode toolchain
+-# from apple_support wins over the generic Unix toolchain from rules_cc.
+-bazel_dep(name = "apple_support", version = "1.18.1")
++# Not Depend on apple_support first and then rules_cc so that the Xcode toolchain
++# from apple_support not wins over the generic Unix toolchain from rules_cc.
+ bazel_dep(name = "rules_cc", version = "0.0.17")
++bazel_dep(name = "apple_support", version = "1.18.1")
+
+ # repo_name needs to be used, until WORKSPACE mode is to be supported in bazel_tools
+ bazel_dep(name = "protobuf", version = "29.0", repo_name = "com_google_protobuf")
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/bazel_rc.patch b/third_party/nix/pkgs/bazel_8/patches/bazel_rc.patch
new file mode 100644
index 0000000..a599ac3
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/bazel_rc.patch
@@ -0,0 +1,13 @@
+diff --git a/src/main/cpp/option_processor.cc b/src/main/cpp/option_processor.cc
+index 8f8f15685f..a7ae52d1e4 100644
+--- a/src/main/cpp/option_processor.cc
++++ b/src/main/cpp/option_processor.cc
+@@ -56,7 +56,7 @@ OptionProcessor::OptionProcessor(
+ : workspace_layout_(workspace_layout),
+ startup_options_(std::move(default_startup_options)),
+ parse_options_called_(false),
+- system_bazelrc_path_(BAZEL_SYSTEM_BAZELRC_PATH) {}
++ system_bazelrc_path_("@bazelSystemBazelRCPath@") {}
+
+ OptionProcessor::OptionProcessor(
+ const WorkspaceLayout* workspace_layout,
diff --git a/third_party/nix/pkgs/bazel_8/patches/build_execlog_parser.patch b/third_party/nix/pkgs/bazel_8/patches/build_execlog_parser.patch
new file mode 100644
index 0000000..552bc3b
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/build_execlog_parser.patch
@@ -0,0 +1,28 @@
+diff --git a/compile.sh b/compile.sh
+index 4712355d48..feec286704 100755
+--- a/compile.sh
++++ b/compile.sh
+@@ -76,6 +76,13 @@ bazel_build "src:bazel_nojdk${EXE_EXT}" \
+ --host_platform=@platforms//host \
+ --platforms=@platforms//host \
+ || fail "Could not build Bazel"
++
++bazel_build src/tools/execlog:parser_deploy.jar \
++ --action_env=PATH \
++ --host_platform=@platforms//host \
++ --platforms=@platforms//host \
++ || fail "Could not build parser_deploy.jar"
++
+ bazel_bin_path="$(get_bazel_bin_path)/src/bazel_nojdk${EXE_EXT}"
+ [ -e "$bazel_bin_path" ] \
+ || fail "Could not find freshly built Bazel binary at '$bazel_bin_path'"
+@@ -84,5 +91,8 @@ cp -f "$bazel_bin_path" "output/bazel${EXE_EXT}" \
+ chmod 0755 "output/bazel${EXE_EXT}"
+ BAZEL="$(pwd)/output/bazel${EXE_EXT}"
+
++cp "$(get_bazel_bin_path)/src/tools/execlog/parser_deploy.jar" output/ \
++ || fail "Could not copy 'parser_deploy.jar' to 'output/"
++
+ clear_log
+ display "Build successful! Binary is here: ${BAZEL}"
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/darwin_sleep.patch b/third_party/nix/pkgs/bazel_8/patches/darwin_sleep.patch
new file mode 100644
index 0000000..731ede8
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/darwin_sleep.patch
@@ -0,0 +1,56 @@
+diff --git a/src/main/native/darwin/sleep_prevention_jni.cc b/src/main/native/darwin/sleep_prevention_jni.cc
+index 67c35b201e..e50a58320e 100644
+--- a/src/main/native/darwin/sleep_prevention_jni.cc
++++ b/src/main/native/darwin/sleep_prevention_jni.cc
+@@ -33,31 +33,13 @@ static int g_sleep_state_stack = 0;
+ static IOPMAssertionID g_sleep_state_assertion = kIOPMNullAssertionID;
+
+ int portable_push_disable_sleep() {
+- std::lock_guard<std::mutex> lock(g_sleep_state_mutex);
+- BAZEL_CHECK_GE(g_sleep_state_stack, 0);
+- if (g_sleep_state_stack == 0) {
+- BAZEL_CHECK_EQ(g_sleep_state_assertion, kIOPMNullAssertionID);
+- CFStringRef reasonForActivity = CFSTR("build.bazel");
+- IOReturn success = IOPMAssertionCreateWithName(
+- kIOPMAssertionTypeNoIdleSleep, kIOPMAssertionLevelOn, reasonForActivity,
+- &g_sleep_state_assertion);
+- BAZEL_CHECK_EQ(success, kIOReturnSuccess);
+- }
+- g_sleep_state_stack += 1;
+- return 0;
++ // Unreliable, disable for now
++ return -1;
+ }
+
+ int portable_pop_disable_sleep() {
+- std::lock_guard<std::mutex> lock(g_sleep_state_mutex);
+- BAZEL_CHECK_GT(g_sleep_state_stack, 0);
+- g_sleep_state_stack -= 1;
+- if (g_sleep_state_stack == 0) {
+- BAZEL_CHECK_NE(g_sleep_state_assertion, kIOPMNullAssertionID);
+- IOReturn success = IOPMAssertionRelease(g_sleep_state_assertion);
+- BAZEL_CHECK_EQ(success, kIOReturnSuccess);
+- g_sleep_state_assertion = kIOPMNullAssertionID;
+- }
+- return 0;
++ // Unreliable, disable for now
++ return -1;
+ }
+
+ } // namespace blaze_jni
+diff --git a/src/main/native/darwin/system_suspension_monitor_jni.cc b/src/main/native/darwin/system_suspension_monitor_jni.cc
+index 3483aa7935..51782986ec 100644
+--- a/src/main/native/darwin/system_suspension_monitor_jni.cc
++++ b/src/main/native/darwin/system_suspension_monitor_jni.cc
+@@ -83,10 +83,7 @@ void portable_start_suspend_monitoring() {
+ // Register to receive system sleep notifications.
+ // Testing needs to be done manually. Use the logging to verify
+ // that sleeps are being caught here.
+- suspend_state.connect_port = IORegisterForSystemPower(
+- &suspend_state, ¬ifyPortRef, SleepCallBack, ¬ifierObject);
+- BAZEL_CHECK_NE(suspend_state.connect_port, MACH_PORT_NULL);
+- IONotificationPortSetDispatchQueue(notifyPortRef, queue);
++ // XXX: Unreliable, disable for now
+
+ // Register to deal with SIGCONT.
+ // We register for SIGCONT because we can't catch SIGSTOP.
diff --git a/third_party/nix/pkgs/bazel_8/patches/default_bash.patch b/third_party/nix/pkgs/bazel_8/patches/default_bash.patch
new file mode 100644
index 0000000..a43a9f0
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/default_bash.patch
@@ -0,0 +1,22 @@
+diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+index a982b782e1..d49b047074 100644
+--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
++++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+@@ -89,13 +89,13 @@ public class BazelRuleClassProvider {
+ public boolean useStrictActionEnv;
+ }
+
+- private static final PathFragment FALLBACK_SHELL = PathFragment.create("/bin/bash");
++ private static final PathFragment FALLBACK_SHELL = PathFragment.create("@defaultBash@");
+
+ public static final ImmutableMap<OS, PathFragment> SHELL_EXECUTABLE =
+ ImmutableMap.<OS, PathFragment>builder()
+ .put(OS.WINDOWS, PathFragment.create("c:/msys64/usr/bin/bash.exe"))
+- .put(OS.FREEBSD, PathFragment.create("/usr/local/bin/bash"))
+- .put(OS.OPENBSD, PathFragment.create("/usr/local/bin/bash"))
++ .put(OS.FREEBSD, PathFragment.create("@defaultBash@"))
++ .put(OS.OPENBSD, PathFragment.create("@defaultBash@"))
+ .put(OS.UNKNOWN, FALLBACK_SHELL)
+ .buildOrThrow();
+
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/deps_patches.patch b/third_party/nix/pkgs/bazel_8/patches/deps_patches.patch
new file mode 100644
index 0000000..bf0aad9
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/deps_patches.patch
@@ -0,0 +1,24 @@
+diff --git a/MODULE.bazel b/MODULE.bazel
+--- MODULE.bazel
++++ MODULE.bazel
+@@ -24,12 +24,20 @@
+ bazel_dep(name = "zstd-jni", version = "1.5.6-9")
+ bazel_dep(name = "blake3", version = "1.5.1.bcr.1")
+ bazel_dep(name = "zlib", version = "1.3.1.bcr.5")
+ bazel_dep(name = "rules_java", version = "8.12.0")
++single_version_override(
++ module_name = "rules_java",
++ patches = ["//third_party:rules_java.patch"],
++)
+ bazel_dep(name = "rules_graalvm", version = "0.11.1")
+ bazel_dep(name = "rules_proto", version = "7.0.2")
+ bazel_dep(name = "rules_jvm_external", version = "6.0")
+ bazel_dep(name = "rules_python", version = "0.40.0")
++single_version_override(
++ module_name = "rules_python",
++ patches = ["//third_party:rules_python.patch"],
++)
+ bazel_dep(name = "rules_testing", version = "0.6.0")
+ bazel_dep(name = "googletest", version = "1.15.2", repo_name = "com_google_googletest")
+ bazel_dep(name = "with_cfg.bzl", version = "0.6.0")
+ bazel_dep(name = "abseil-cpp", version = "20240722.0.bcr.2")
diff --git a/third_party/nix/pkgs/bazel_8/patches/env_bash.patch b/third_party/nix/pkgs/bazel_8/patches/env_bash.patch
new file mode 100644
index 0000000..cc20d10
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/env_bash.patch
@@ -0,0 +1,22 @@
+diff --git a/src/zip_files.sh b/src/zip_files.sh
+index 1422a6c659..920c1019d2 100755
+--- a/src/zip_files.sh
++++ b/src/zip_files.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+
+ # Copyright 2019 The Bazel Authors. All rights reserved.
+ #
+
+diff --git a/src/package-bazel.sh b/src/package-bazel.sh
+index 56e94db400..2c614af6c2 100755
+--- a/src/package-bazel.sh
++++ b/src/package-bazel.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # Copyright 2015 The Bazel Authors. All rights reserved.
+ #
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/gen_completion.patch b/third_party/nix/pkgs/bazel_8/patches/gen_completion.patch
new file mode 100644
index 0000000..c3af229
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/gen_completion.patch
@@ -0,0 +1,26 @@
+diff --git a/scripts/generate_bash_completion.sh b/scripts/generate_bash_completion.sh
+index 778810570c..84d2d49a0d 100755
+--- a/scripts/generate_bash_completion.sh
++++ b/scripts/generate_bash_completion.sh
+@@ -68,7 +68,7 @@ mkdir "${tempdir}/root"
+
+ server_javabase_flag=
+ [ -z "${javabase}" ] || server_javabase_flag="--server_javabase=${javabase}"
+-"${bazel}" --output_user_root="${tempdir}/root" ${server_javabase_flag} \
++"${bazel}" --batch --output_user_root="${tempdir}/root" ${server_javabase_flag} \
+ help completion >>"${tempdir}/output"
+
+ [ -z "${append}" ] || cat ${append} >>"${tempdir}/output"
+diff --git a/scripts/generate_fish_completion.py b/scripts/generate_fish_completion.py
+index bafe28979f..a941d8f7f9 100644
+--- a/scripts/generate_fish_completion.py
++++ b/scripts/generate_fish_completion.py
+@@ -102,7 +102,7 @@ class BazelCompletionWriter(object):
+
+ def _get_bazel_output(self, args):
+ return subprocess.check_output(
+- (self._bazel, '--output_user_root={}'.format(self._output_user_root)) +
++ (self._bazel, '--batch', '--output_user_root={}'.format(self._output_user_root)) +
+ tuple(args),
+ universal_newlines=True)
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/md5sum.patch b/third_party/nix/pkgs/bazel_8/patches/md5sum.patch
new file mode 100644
index 0000000..fc49581
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/md5sum.patch
@@ -0,0 +1,22 @@
+diff --git a/src/BUILD b/src/BUILD
+index f61b90738a..2c3a54d36c 100644
+--- a/src/BUILD
++++ b/src/BUILD
+@@ -38,12 +38,12 @@ md5_cmd = "set -e -o pipefail && %s $(SRCS) | %s | %s > $@"
+ }) + embedded_tools_target,
+ outs = ["install_base_key" + suffix],
+ cmd = select({
+- "//src/conditions:darwin": md5_cmd % ("/sbin/md5", "/sbin/md5", "head -c 32"),
+- "//src/conditions:freebsd": md5_cmd % ("/sbin/md5", "/sbin/md5", "head -c 32"),
++ "//src/conditions:darwin": md5_cmd % ("@md5sum@", "@md5sum@", "head -c 32"),
++ "//src/conditions:freebsd": md5_cmd % ("@md5sum@", "@md5sum@", "head -c 32"),
+ # We avoid using the `head` tool's `-c` option, since it does not exist
+ # on OpenBSD.
+- "//src/conditions:openbsd": md5_cmd % ("/bin/md5", "/bin/md5", "dd bs=32 count=1"),
+- "//conditions:default": md5_cmd % ("md5sum", "md5sum", "head -c 32"),
++ "//src/conditions:openbsd": md5_cmd % ("@md5sum@", "@md5sum@", "dd bs=32 count=1"),
++ "//conditions:default": md5_cmd % ("@md5sum@", "@md5sum@", "head -c 32"),
+ }),
+ ) for suffix, embedded_tools_target in {
+ "_jdk_allmodules": [":embedded_tools_jdk_allmodules"],
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/rules_java.patch b/third_party/nix/pkgs/bazel_8/patches/rules_java.patch
new file mode 100644
index 0000000..ba2fd2f
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/rules_java.patch
@@ -0,0 +1,11 @@
+diff --git java/bazel/rules/java_stub_template.txt java/bazel/rules/java_stub_template.txt
+index 115b46e..56d2ff7 100644
+--- java/bazel/rules/java_stub_template.txt
++++ java/bazel/rules/java_stub_template.txt
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@defaultBash@
+ # Copyright 2014 The Bazel Authors. All rights reserved.
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/rules_python.patch b/third_party/nix/pkgs/bazel_8/patches/rules_python.patch
new file mode 100644
index 0000000..a63f44e
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/rules_python.patch
@@ -0,0 +1,14 @@
+diff --git python/private/runtime_env_toolchain.bzl python/private/runtime_env_toolchain.bzl
+--- python/private/runtime_env_toolchain.bzl
++++ python/private/runtime_env_toolchain.bzl
+@@ -42,7 +42,7 @@
+ name = "_runtime_env_py3_runtime",
+ interpreter = "//python/private:runtime_env_toolchain_interpreter.sh",
+ python_version = "PY3",
+- stub_shebang = "#!/usr/bin/env python3",
++ stub_shebang = "#!@usrBinEnv@ python3",
+ visibility = ["//visibility:private"],
+ tags = ["manual"],
+ )
+
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/strict_action_env.patch b/third_party/nix/pkgs/bazel_8/patches/strict_action_env.patch
new file mode 100644
index 0000000..1402c20
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/strict_action_env.patch
@@ -0,0 +1,13 @@
+diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+index a70b5559bc..10bdffe961 100644
+--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
++++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+@@ -466,7 +466,7 @@ public class BazelRuleClassProvider {
+ // Note that --action_env does not propagate to the host config, so it is not a viable
+ // workaround when a genrule is itself built in the host config (e.g. nested genrules). See
+ // #8536.
+- return "/bin:/usr/bin:/usr/local/bin";
++ return "@strictActionEnvPatch@";
+ }
+
+ String newPath = "";
diff --git a/third_party/nix/pkgs/bazel_8/patches/trim-last-argument-to-gcc-if-empty.patch b/third_party/nix/pkgs/bazel_8/patches/trim-last-argument-to-gcc-if-empty.patch
new file mode 100644
index 0000000..b93b252
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/trim-last-argument-to-gcc-if-empty.patch
@@ -0,0 +1,37 @@
+From 177b4720d6fbaa7fdd17e5e11b2c79ac8f246786 Mon Sep 17 00:00:00 2001
+From: "Wael M. Nasreddine" <wael.nasreddine@gmail.com>
+Date: Thu, 27 Jun 2019 21:08:51 -0700
+Subject: [PATCH] Trim last argument to gcc if empty, on Darwin
+
+On Darwin, the last argument to GCC is coming up as an empty string.
+This is breaking the build of proto_library targets. However, I was not
+able to reproduce with the example cpp project[0].
+
+This commit removes the last argument if it's an empty string. This is
+not a problem on Linux.
+
+[0]: https://github.com/bazelbuild/examples/tree/master/cpp-tutorial/stage3
+---
+ tools/cpp/osx_cc_wrapper.sh.tpl | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/cpp/osx_cc_wrapper.sh.tpl b/tools/cpp/osx_cc_wrapper.sh.tpl
+index 4c85cd9b6b..6c611e3d25 100644
+--- a/tools/cpp/osx_cc_wrapper.sh.tpl
++++ b/tools/cpp/osx_cc_wrapper.sh.tpl
+@@ -53,7 +53,11 @@ done
+ %{env}
+
+ # Call the C++ compiler
+-%{cc} "$@"
++if [[ ${*: -1} = "" ]]; then
++ %{cc} "${@:0:$#}"
++else
++ %{cc} "$@"
++fi
+
+ function get_library_path() {
+ for libdir in ${LIB_DIRS}; do
+--
+2.19.2
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/usr_bin_env.patch b/third_party/nix/pkgs/bazel_8/patches/usr_bin_env.patch
new file mode 100644
index 0000000..0718b75
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/usr_bin_env.patch
@@ -0,0 +1,32 @@
+diff --git a/src/zip_builtins.sh b/src/zip_builtins.sh
+index d78ca5526a..c7d8f251cc 100755
+--- a/src/zip_builtins.sh
++++ b/src/zip_builtins.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@usrBinEnv@ bash
+
+ # Copyright 2020 The Bazel Authors. All rights reserved.
+ #
+
+diff --git a/src/zip_files.sh b/src/zip_files.sh
+index 1422a6c659..4b1c221784 100755
+--- a/src/zip_files.sh
++++ b/src/zip_files.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@usrBinEnv@ bash
+
+ # Copyright 2019 The Bazel Authors. All rights reserved.
+ #
+
+diff --git a/src/package-bazel.sh b/src/package-bazel.sh
+index 56e94db400..65fef20988 100755
+--- a/src/package-bazel.sh
++++ b/src/package-bazel.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@usrBinEnv@ bash
+ #
+ # Copyright 2015 The Bazel Authors. All rights reserved.
+ #
diff --git a/third_party/nix/pkgs/bazel_8/patches/xcode.patch b/third_party/nix/pkgs/bazel_8/patches/xcode.patch
new file mode 100644
index 0000000..52931a3
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/xcode.patch
@@ -0,0 +1,31 @@
+diff --git a/scripts/bootstrap/compile.sh b/scripts/bootstrap/compile.sh
+index 1bad14cba7..d312fe08bb 100755
+--- a/scripts/bootstrap/compile.sh
++++ b/scripts/bootstrap/compile.sh
+@@ -402,7 +402,7 @@ cp $OUTPUT_DIR/libblaze.jar ${ARCHIVE_DIR}
+ # TODO(b/28965185): Remove when xcode-locator is no longer required in embedded_binaries.
+ log "Compiling xcode-locator..."
+ if [[ $PLATFORM == "darwin" ]]; then
+- run /usr/bin/xcrun --sdk macosx clang -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices -framework Foundation -o ${ARCHIVE_DIR}/xcode-locator tools/osx/xcode_locator.m
++ run @clangDarwin@ -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices -framework Foundation -o ${ARCHIVE_DIR}/xcode-locator tools/osx/xcode_locator.m
+ else
+ cp tools/osx/xcode_locator_stub.sh ${ARCHIVE_DIR}/xcode-locator
+ fi
+diff --git a/tools/osx/BUILD b/tools/osx/BUILD
+index 0358fb0ffe..1e6eae1f33 100644
+--- a/tools/osx/BUILD
++++ b/tools/osx/BUILD
+@@ -27,9 +27,9 @@ exports_files([
+ ])
+
+ DARWIN_XCODE_LOCATOR_COMPILE_COMMAND = """
+- /usr/bin/xcrun --sdk macosx clang -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices \
+- -framework Foundation -arch arm64 -arch x86_64 -Wl,-no_adhoc_codesign -Wl,-no_uuid -o $@ $< && \
+- env -i codesign --identifier $@ --force --sign - $@
++ @clangDarwin@ -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices \
++ -framework Foundation -Wl,-no_adhoc_codesign -Wl,-no_uuid -o $@ $< && \
++ @usrBinEnv@ @codesign@ --identifier $@ --force --sign - $@
+ """
+
+ genrule(
+
diff --git a/third_party/nix/pkgs/bazel_8/system.bazelrc b/third_party/nix/pkgs/bazel_8/system.bazelrc
new file mode 100644
index 0000000..6684e33
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/system.bazelrc
@@ -0,0 +1,4 @@
+startup --server_javabase=@serverJavabase@
+
+# load default location for the system wide configuration
+try-import /etc/bazel.bazelrc
diff --git a/third_party/nix/pkgs/bazel/BUILD.bazel b/third_party/rules_oci/BUILD.bazel
similarity index 100%
rename from third_party/nix/pkgs/bazel/BUILD.bazel
rename to third_party/rules_oci/BUILD.bazel
diff --git a/third_party/rules_oci/use-default-shell-env.patch b/third_party/rules_oci/use-default-shell-env.patch
new file mode 100644
index 0000000..f69c543
--- /dev/null
+++ b/third_party/rules_oci/use-default-shell-env.patch
@@ -0,0 +1,64 @@
+We have to set use_default_shell_env to find bash via /usr/bin/env,
+as without it we don't have PATH available. The old behavior is fine
+for NixOS as their /usr/bin/env tries to use /run/current-system/sw/bin/bash
+which exist on NixOS, but not in our CI or any other nixos/nix container.
+
+diff --git a/oci/private/image.bzl b/oci/private/image.bzl
+--- a/oci/private/image.bzl
++++ b/oci/private/image.bzl
+@@ -131,8 +131,9 @@
+ regctl.regctl_info.binary,
+ ],
+ mnemonic = "OCIDescriptor",
+ progress_message = "OCI Descriptor %{input}",
++ use_default_shell_env = True,
+ )
+ return descriptor
+
+ def _oci_image_impl(ctx):
+@@ -263,8 +264,9 @@
+ mnemonic = "OCIImage",
+ progress_message = "OCI Image %{label}",
+ resource_set = resource_set(ctx.attr),
+ toolchain = None,
++ use_default_shell_env = True,
+ )
+
+ return [
+ DefaultInfo(
+diff --git a/oci/private/image_index.bzl b/oci/private/image_index.bzl
+--- a/oci/private/image_index.bzl
++++ b/oci/private/image_index.bzl
+@@ -129,8 +129,9 @@
+ tools = [jq.jqinfo.bin, coreutils.coreutils_info.bin],
+ mnemonic = "OCIIndex",
+ progress_message = "OCI Index %{label}",
+ toolchain = None,
++ use_default_shell_env = True,
+ )
+
+ return DefaultInfo(files = depset([output]))
+
+diff --git a/oci/private/load.bzl b/oci/private/load.bzl
+--- a/oci/private/load.bzl
++++ b/oci/private/load.bzl
+@@ -179,8 +179,9 @@
+ jq.jqinfo.bin,
+ coreutils.coreutils_info.bin,
+ ],
+ mnemonic = "OCITarballManifest",
++ use_default_shell_env = True,
+ )
+
+ # This action produces a large output and should rarely be used as it puts load on the cache.
+ # It will only run if the "tarball" output_group is explicitly requested
+@@ -195,8 +196,9 @@
+ inputs = tar_inputs,
+ outputs = [tarball],
+ arguments = [tar_args],
+ mnemonic = "OCITarball",
++ use_default_shell_env = True,
+ )
+
+ # Create an executable runner script that will create the tarball at runtime,
+ # as opposed to at build to avoid uploading large artifacts to remote cache.
diff --git a/third_party/nix/pkgs/bazel/BUILD.bazel b/third_party/rules_python/BUILD.bazel
similarity index 100%
copy from third_party/nix/pkgs/bazel/BUILD.bazel
copy to third_party/rules_python/BUILD.bazel
diff --git a/third_party/rules_python/use-usr-bin-env-bash.patch b/third_party/rules_python/use-usr-bin-env-bash.patch
new file mode 100644
index 0000000..71a39cf
--- /dev/null
+++ b/third_party/rules_python/use-usr-bin-env-bash.patch
@@ -0,0 +1,12 @@
+The build environment is not guaranteed to have /bin/bash, especially on NixOS
+or in our CI runner. Use /usr/bin/env to resolve it from PATH.
+diff --git a/python/private/stage1_bootstrap_template.sh b/python/private/stage1_bootstrap_template.sh
+--- a/python/private/stage1_bootstrap_template.sh
++++ b/python/private/stage1_bootstrap_template.sh
+@@ -1,5 +1,5 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+
+ set -e
+
+ if [[ -n "${RULES_PYTHON_BOOTSTRAP_VERBOSE:-}" ]]; then
diff --git a/tools/bazel b/tools/bazel
index 78e4624..0f235c3 100755
--- a/tools/bazel
+++ b/tools/bazel
@@ -34,9 +34,8 @@
# Jump to project root since bwrap hangs if we aren't there
cd "${DIR}/../"
- export COMMAND="bazel $*"
export PWD="$OLDPWD"
- exec nix-shell
+ exec nix-shell --command "bazel $*"
fi
prechecks() {