treewide: remove FHSEnv
To remove the FHSenv, we have to patch rules_python to use
/usr/bin/env to resolve the path to bash instead of hardcoding it.
Additionally, we now bring a Nix-compatible Bazel 8.
Change-Id: Id51e7748eea6dd77185f43a52fe45b5110ba4a2b
Reviewed-on: https://review.monogon.dev/c/monogon/+/4427
Tested-by: Jenkins CI
Reviewed-by: Jan Schär <jan@monogon.tech>
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Reviewed-by: Leopold Schabel <leo@monogon.tech>
diff --git a/third_party/nix/pkgs/bazel_8/patches/apple_cc_toolchain.patch b/third_party/nix/pkgs/bazel_8/patches/apple_cc_toolchain.patch
new file mode 100644
index 0000000..32d5b5b
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/apple_cc_toolchain.patch
@@ -0,0 +1,19 @@
+diff --git a/MODULE.bazel b/MODULE.bazel
+index 11a6075175..f53f0c732b 100644
+--- a/MODULE.bazel
++++ b/MODULE.bazel
+@@ -35,10 +35,10 @@ bazel_dep(name = "with_cfg.bzl", version = "0.6.0")
+ bazel_dep(name = "abseil-cpp", version = "20240722.0.bcr.2")
+ bazel_dep(name = "rules_shell", version = "0.2.0")
+
+-# Depend on apple_support first and then rules_cc so that the Xcode toolchain
+-# from apple_support wins over the generic Unix toolchain from rules_cc.
+-bazel_dep(name = "apple_support", version = "1.18.1")
++# Not Depend on apple_support first and then rules_cc so that the Xcode toolchain
++# from apple_support not wins over the generic Unix toolchain from rules_cc.
+ bazel_dep(name = "rules_cc", version = "0.0.17")
++bazel_dep(name = "apple_support", version = "1.18.1")
+
+ # repo_name needs to be used, until WORKSPACE mode is to be supported in bazel_tools
+ bazel_dep(name = "protobuf", version = "29.0", repo_name = "com_google_protobuf")
+
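Review bot: The rewritten comment in the MODULE.bazel hunk (`# Not Depend on apple_support first ... not wins over ...`) is hard to parse, and it still describes the old ordering with "not" spliced in rather than stating the new intent. Suggested wording: `# Depend on rules_cc before apple_support so that the generic Unix toolchain` / `# from rules_cc wins over the Xcode toolchain from apple_support.` A clear comment matters here because the order of the two `bazel_dep` lines is the whole change.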
diff --git a/third_party/nix/pkgs/bazel_8/patches/bazel_rc.patch b/third_party/nix/pkgs/bazel_8/patches/bazel_rc.patch
new file mode 100644
index 0000000..a599ac3
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/bazel_rc.patch
@@ -0,0 +1,13 @@
+diff --git a/src/main/cpp/option_processor.cc b/src/main/cpp/option_processor.cc
+index 8f8f15685f..a7ae52d1e4 100644
+--- a/src/main/cpp/option_processor.cc
++++ b/src/main/cpp/option_processor.cc
+@@ -56,7 +56,7 @@ OptionProcessor::OptionProcessor(
+ : workspace_layout_(workspace_layout),
+ startup_options_(std::move(default_startup_options)),
+ parse_options_called_(false),
+- system_bazelrc_path_(BAZEL_SYSTEM_BAZELRC_PATH) {}
++ system_bazelrc_path_("@bazelSystemBazelRCPath@") {}
+
+ OptionProcessor::OptionProcessor(
+ const WorkspaceLayout* workspace_layout,
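Review bot: `system_bazelrc_path_("@bazelSystemBazelRCPath@")` is only correct if a later substitution step rewrites the placeholder, and that step is not visible on this page. If it is skipped or the name is misspelled, the literal string would be compiled in and used as the system rc path. The same applies to `@defaultBash@` (default_bash.patch, rules_java.patch), `@md5sum@` (md5sum.patch), `@usrBinEnv@` (rules_python.patch, usr_bin_env.patch, xcode.patch), `@strictActionEnvPatch@` (strict_action_env.patch) and `@clangDarwin@` / `@codesign@` (xcode.patch). These values decide which shell, PATH and signing tool the built Bazel runs, so the derivation should fail the build if any of these names is still present in the patched tree after substitution. The constructor body continues outside the hunk.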
diff --git a/third_party/nix/pkgs/bazel_8/patches/build_execlog_parser.patch b/third_party/nix/pkgs/bazel_8/patches/build_execlog_parser.patch
new file mode 100644
index 0000000..552bc3b
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/build_execlog_parser.patch
@@ -0,0 +1,28 @@
+diff --git a/compile.sh b/compile.sh
+index 4712355d48..feec286704 100755
+--- a/compile.sh
++++ b/compile.sh
+@@ -76,6 +76,13 @@ bazel_build "src:bazel_nojdk${EXE_EXT}" \
+ --host_platform=@platforms//host \
+ --platforms=@platforms//host \
+ || fail "Could not build Bazel"
++
++bazel_build src/tools/execlog:parser_deploy.jar \
++ --action_env=PATH \
++ --host_platform=@platforms//host \
++ --platforms=@platforms//host \
++ || fail "Could not build parser_deploy.jar"
++
+ bazel_bin_path="$(get_bazel_bin_path)/src/bazel_nojdk${EXE_EXT}"
+ [ -e "$bazel_bin_path" ] \
+ || fail "Could not find freshly built Bazel binary at '$bazel_bin_path'"
+@@ -84,5 +91,8 @@ cp -f "$bazel_bin_path" "output/bazel${EXE_EXT}" \
+ chmod 0755 "output/bazel${EXE_EXT}"
+ BAZEL="$(pwd)/output/bazel${EXE_EXT}"
+
++cp "$(get_bazel_bin_path)/src/tools/execlog/parser_deploy.jar" output/ \
++ || fail "Could not copy 'parser_deploy.jar' to 'output/"
++
+ clear_log
+ display "Build successful! Binary is here: ${BAZEL}"
+
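Review bot: The failure message on the added copy step has an unbalanced quote: `fail "Could not copy 'parser_deploy.jar' to 'output/"` should end `... to 'output/'"`. The step also uses plain `cp`, while the binary copy visible in the hunk header uses `cp -f`. If the copied jar ends up read-only, a rerun into an existing `output/` would presumably fail, so `cp -f "$(get_bazel_bin_path)/src/tools/execlog/parser_deploy.jar" output/` keeps the two copies consistent.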
diff --git a/third_party/nix/pkgs/bazel_8/patches/darwin_sleep.patch b/third_party/nix/pkgs/bazel_8/patches/darwin_sleep.patch
new file mode 100644
index 0000000..731ede8
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/darwin_sleep.patch
@@ -0,0 +1,56 @@
+diff --git a/src/main/native/darwin/sleep_prevention_jni.cc b/src/main/native/darwin/sleep_prevention_jni.cc
+index 67c35b201e..e50a58320e 100644
+--- a/src/main/native/darwin/sleep_prevention_jni.cc
++++ b/src/main/native/darwin/sleep_prevention_jni.cc
+@@ -33,31 +33,13 @@ static int g_sleep_state_stack = 0;
+ static IOPMAssertionID g_sleep_state_assertion = kIOPMNullAssertionID;
+
+ int portable_push_disable_sleep() {
+- std::lock_guard<std::mutex> lock(g_sleep_state_mutex);
+- BAZEL_CHECK_GE(g_sleep_state_stack, 0);
+- if (g_sleep_state_stack == 0) {
+- BAZEL_CHECK_EQ(g_sleep_state_assertion, kIOPMNullAssertionID);
+- CFStringRef reasonForActivity = CFSTR("build.bazel");
+- IOReturn success = IOPMAssertionCreateWithName(
+- kIOPMAssertionTypeNoIdleSleep, kIOPMAssertionLevelOn, reasonForActivity,
+- &g_sleep_state_assertion);
+- BAZEL_CHECK_EQ(success, kIOReturnSuccess);
+- }
+- g_sleep_state_stack += 1;
+- return 0;
++ // Unreliable, disable for now
++ return -1;
+ }
+
+ int portable_pop_disable_sleep() {
+- std::lock_guard<std::mutex> lock(g_sleep_state_mutex);
+- BAZEL_CHECK_GT(g_sleep_state_stack, 0);
+- g_sleep_state_stack -= 1;
+- if (g_sleep_state_stack == 0) {
+- BAZEL_CHECK_NE(g_sleep_state_assertion, kIOPMNullAssertionID);
+- IOReturn success = IOPMAssertionRelease(g_sleep_state_assertion);
+- BAZEL_CHECK_EQ(success, kIOReturnSuccess);
+- g_sleep_state_assertion = kIOPMNullAssertionID;
+- }
+- return 0;
++ // Unreliable, disable for now
++ return -1;
+ }
+
+ } // namespace blaze_jni
+diff --git a/src/main/native/darwin/system_suspension_monitor_jni.cc b/src/main/native/darwin/system_suspension_monitor_jni.cc
+index 3483aa7935..51782986ec 100644
+--- a/src/main/native/darwin/system_suspension_monitor_jni.cc
++++ b/src/main/native/darwin/system_suspension_monitor_jni.cc
+@@ -83,10 +83,7 @@ void portable_start_suspend_monitoring() {
+ // Register to receive system sleep notifications.
+ // Testing needs to be done manually. Use the logging to verify
+ // that sleeps are being caught here.
+- suspend_state.connect_port = IORegisterForSystemPower(
+- &suspend_state, ¬ifyPortRef, SleepCallBack, ¬ifierObject);
+- BAZEL_CHECK_NE(suspend_state.connect_port, MACH_PORT_NULL);
+- IONotificationPortSetDispatchQueue(notifyPortRef, queue);
++ // XXX: Unreliable, disable for now
+
+ // Register to deal with SIGCONT.
+ // We register for SIGCONT because we can't catch SIGSTOP.
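Review bot: The new bodies of portable_push_disable_sleep() and portable_pop_disable_sleep() (`// Unreliable, disable for now` / `return -1;`) do not say what was unreliable or what -1 means to the caller. The removed code returned 0 on success, so -1 presumably signals failure or "not supported", but the JNI caller is outside this patch and should be checked. A comment such as `// Nix build: IOPM sleep assertions disabled; -1 = not supported (see <tracking issue>)` would make the intent reviewable. The statics `g_sleep_state_stack` and `g_sleep_state_assertion` (and the mutex the removed lines locked) appear to be left without users, which may trip unused-variable warnings. In system_suspension_monitor_jni.cc the retained comment "Register to receive system sleep notifications" now sits above no code, so it should be dropped or reworded alongside the `XXX` line.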
diff --git a/third_party/nix/pkgs/bazel_8/patches/default_bash.patch b/third_party/nix/pkgs/bazel_8/patches/default_bash.patch
new file mode 100644
index 0000000..a43a9f0
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/default_bash.patch
@@ -0,0 +1,22 @@
+diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+index a982b782e1..d49b047074 100644
+--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
++++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+@@ -89,13 +89,13 @@ public class BazelRuleClassProvider {
+ public boolean useStrictActionEnv;
+ }
+
+- private static final PathFragment FALLBACK_SHELL = PathFragment.create("/bin/bash");
++ private static final PathFragment FALLBACK_SHELL = PathFragment.create("@defaultBash@");
+
+ public static final ImmutableMap<OS, PathFragment> SHELL_EXECUTABLE =
+ ImmutableMap.<OS, PathFragment>builder()
+ .put(OS.WINDOWS, PathFragment.create("c:/msys64/usr/bin/bash.exe"))
+- .put(OS.FREEBSD, PathFragment.create("/usr/local/bin/bash"))
+- .put(OS.OPENBSD, PathFragment.create("/usr/local/bin/bash"))
++ .put(OS.FREEBSD, PathFragment.create("@defaultBash@"))
++ .put(OS.OPENBSD, PathFragment.create("@defaultBash@"))
+ .put(OS.UNKNOWN, FALLBACK_SHELL)
+ .buildOrThrow();
+
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/deps_patches.patch b/third_party/nix/pkgs/bazel_8/patches/deps_patches.patch
new file mode 100644
index 0000000..bf0aad9
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/deps_patches.patch
@@ -0,0 +1,24 @@
+diff --git a/MODULE.bazel b/MODULE.bazel
+--- MODULE.bazel
++++ MODULE.bazel
+@@ -24,12 +24,20 @@
+ bazel_dep(name = "zstd-jni", version = "1.5.6-9")
+ bazel_dep(name = "blake3", version = "1.5.1.bcr.1")
+ bazel_dep(name = "zlib", version = "1.3.1.bcr.5")
+ bazel_dep(name = "rules_java", version = "8.12.0")
++single_version_override(
++ module_name = "rules_java",
++ patches = ["//third_party:rules_java.patch"],
++)
+ bazel_dep(name = "rules_graalvm", version = "0.11.1")
+ bazel_dep(name = "rules_proto", version = "7.0.2")
+ bazel_dep(name = "rules_jvm_external", version = "6.0")
+ bazel_dep(name = "rules_python", version = "0.40.0")
++single_version_override(
++ module_name = "rules_python",
++ patches = ["//third_party:rules_python.patch"],
++)
+ bazel_dep(name = "rules_testing", version = "0.6.0")
+ bazel_dep(name = "googletest", version = "1.15.2", repo_name = "com_google_googletest")
+ bazel_dep(name = "with_cfg.bzl", version = "0.6.0")
+ bazel_dep(name = "abseil-cpp", version = "20240722.0.bcr.2")
diff --git a/third_party/nix/pkgs/bazel_8/patches/env_bash.patch b/third_party/nix/pkgs/bazel_8/patches/env_bash.patch
new file mode 100644
index 0000000..cc20d10
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/env_bash.patch
@@ -0,0 +1,22 @@
+diff --git a/src/zip_files.sh b/src/zip_files.sh
+index 1422a6c659..920c1019d2 100755
+--- a/src/zip_files.sh
++++ b/src/zip_files.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+
+ # Copyright 2019 The Bazel Authors. All rights reserved.
+ #
+
+diff --git a/src/package-bazel.sh b/src/package-bazel.sh
+index 56e94db400..2c614af6c2 100755
+--- a/src/package-bazel.sh
++++ b/src/package-bazel.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # Copyright 2015 The Bazel Authors. All rights reserved.
+ #
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/gen_completion.patch b/third_party/nix/pkgs/bazel_8/patches/gen_completion.patch
new file mode 100644
index 0000000..c3af229
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/gen_completion.patch
@@ -0,0 +1,26 @@
+diff --git a/scripts/generate_bash_completion.sh b/scripts/generate_bash_completion.sh
+index 778810570c..84d2d49a0d 100755
+--- a/scripts/generate_bash_completion.sh
++++ b/scripts/generate_bash_completion.sh
+@@ -68,7 +68,7 @@ mkdir "${tempdir}/root"
+
+ server_javabase_flag=
+ [ -z "${javabase}" ] || server_javabase_flag="--server_javabase=${javabase}"
+-"${bazel}" --output_user_root="${tempdir}/root" ${server_javabase_flag} \
++"${bazel}" --batch --output_user_root="${tempdir}/root" ${server_javabase_flag} \
+ help completion >>"${tempdir}/output"
+
+ [ -z "${append}" ] || cat ${append} >>"${tempdir}/output"
+diff --git a/scripts/generate_fish_completion.py b/scripts/generate_fish_completion.py
+index bafe28979f..a941d8f7f9 100644
+--- a/scripts/generate_fish_completion.py
++++ b/scripts/generate_fish_completion.py
+@@ -102,7 +102,7 @@ class BazelCompletionWriter(object):
+
+ def _get_bazel_output(self, args):
+ return subprocess.check_output(
+- (self._bazel, '--output_user_root={}'.format(self._output_user_root)) +
++ (self._bazel, '--batch', '--output_user_root={}'.format(self._output_user_root)) +
+ tuple(args),
+ universal_newlines=True)
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/md5sum.patch b/third_party/nix/pkgs/bazel_8/patches/md5sum.patch
new file mode 100644
index 0000000..fc49581
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/md5sum.patch
@@ -0,0 +1,22 @@
+diff --git a/src/BUILD b/src/BUILD
+index f61b90738a..2c3a54d36c 100644
+--- a/src/BUILD
++++ b/src/BUILD
+@@ -38,12 +38,12 @@ md5_cmd = "set -e -o pipefail && %s $(SRCS) | %s | %s > $@"
+ }) + embedded_tools_target,
+ outs = ["install_base_key" + suffix],
+ cmd = select({
+- "//src/conditions:darwin": md5_cmd % ("/sbin/md5", "/sbin/md5", "head -c 32"),
+- "//src/conditions:freebsd": md5_cmd % ("/sbin/md5", "/sbin/md5", "head -c 32"),
++ "//src/conditions:darwin": md5_cmd % ("@md5sum@", "@md5sum@", "head -c 32"),
++ "//src/conditions:freebsd": md5_cmd % ("@md5sum@", "@md5sum@", "head -c 32"),
+ # We avoid using the `head` tool's `-c` option, since it does not exist
+ # on OpenBSD.
+- "//src/conditions:openbsd": md5_cmd % ("/bin/md5", "/bin/md5", "dd bs=32 count=1"),
+- "//conditions:default": md5_cmd % ("md5sum", "md5sum", "head -c 32"),
++ "//src/conditions:openbsd": md5_cmd % ("@md5sum@", "@md5sum@", "dd bs=32 count=1"),
++ "//conditions:default": md5_cmd % ("@md5sum@", "@md5sum@", "head -c 32"),
+ }),
+ ) for suffix, embedded_tools_target in {
+ "_jdk_allmodules": [":embedded_tools_jdk_allmodules"],
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/rules_java.patch b/third_party/nix/pkgs/bazel_8/patches/rules_java.patch
new file mode 100644
index 0000000..ba2fd2f
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/rules_java.patch
@@ -0,0 +1,11 @@
+diff --git java/bazel/rules/java_stub_template.txt java/bazel/rules/java_stub_template.txt
+index 115b46e..56d2ff7 100644
+--- java/bazel/rules/java_stub_template.txt
++++ java/bazel/rules/java_stub_template.txt
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@defaultBash@
+ # Copyright 2014 The Bazel Authors. All rights reserved.
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/rules_python.patch b/third_party/nix/pkgs/bazel_8/patches/rules_python.patch
new file mode 100644
index 0000000..a63f44e
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/rules_python.patch
@@ -0,0 +1,14 @@
+diff --git python/private/runtime_env_toolchain.bzl python/private/runtime_env_toolchain.bzl
+--- python/private/runtime_env_toolchain.bzl
++++ python/private/runtime_env_toolchain.bzl
+@@ -42,7 +42,7 @@
+ name = "_runtime_env_py3_runtime",
+ interpreter = "//python/private:runtime_env_toolchain_interpreter.sh",
+ python_version = "PY3",
+- stub_shebang = "#!/usr/bin/env python3",
++ stub_shebang = "#!@usrBinEnv@ python3",
+ visibility = ["//visibility:private"],
+ tags = ["manual"],
+ )
+
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/strict_action_env.patch b/third_party/nix/pkgs/bazel_8/patches/strict_action_env.patch
new file mode 100644
index 0000000..1402c20
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/strict_action_env.patch
@@ -0,0 +1,13 @@
+diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+index a70b5559bc..10bdffe961 100644
+--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
++++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+@@ -466,7 +466,7 @@ public class BazelRuleClassProvider {
+ // Note that --action_env does not propagate to the host config, so it is not a viable
+ // workaround when a genrule is itself built in the host config (e.g. nested genrules). See
+ // #8536.
+- return "/bin:/usr/bin:/usr/local/bin";
++ return "@strictActionEnvPatch@";
+ }
+
+ String newPath = "";
diff --git a/third_party/nix/pkgs/bazel_8/patches/trim-last-argument-to-gcc-if-empty.patch b/third_party/nix/pkgs/bazel_8/patches/trim-last-argument-to-gcc-if-empty.patch
new file mode 100644
index 0000000..b93b252
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/trim-last-argument-to-gcc-if-empty.patch
@@ -0,0 +1,37 @@
+From 177b4720d6fbaa7fdd17e5e11b2c79ac8f246786 Mon Sep 17 00:00:00 2001
+From: "Wael M. Nasreddine" <wael.nasreddine@gmail.com>
+Date: Thu, 27 Jun 2019 21:08:51 -0700
+Subject: [PATCH] Trim last argument to gcc if empty, on Darwin
+
+On Darwin, the last argument to GCC is coming up as an empty string.
+This is breaking the build of proto_library targets. However, I was not
+able to reproduce with the example cpp project[0].
+
+This commit removes the last argument if it's an empty string. This is
+not a problem on Linux.
+
+[0]: https://github.com/bazelbuild/examples/tree/master/cpp-tutorial/stage3
+---
+ tools/cpp/osx_cc_wrapper.sh.tpl | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/cpp/osx_cc_wrapper.sh.tpl b/tools/cpp/osx_cc_wrapper.sh.tpl
+index 4c85cd9b6b..6c611e3d25 100644
+--- a/tools/cpp/osx_cc_wrapper.sh.tpl
++++ b/tools/cpp/osx_cc_wrapper.sh.tpl
+@@ -53,7 +53,11 @@ done
+ %{env}
+
+ # Call the C++ compiler
+-%{cc} "$@"
++if [[ ${*: -1} = "" ]]; then
++ %{cc} "${@:0:$#}"
++else
++ %{cc} "$@"
++fi
+
+ function get_library_path() {
+ for libdir in ${LIB_DIRS}; do
+--
+2.19.2
+
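Review bot: `%{cc} "${@:0:$#}"` does more than drop the trailing empty argument. In bash, slicing the positional parameters from offset 0 puts `$0` first, so the compiler receives the wrapper script's own path followed by `$1` through the second-to-last argument. `%{cc} "${@:1:$#-1}"` passes the original arguments minus the last one. This is an imported patch (it has its own From/Subject header), so the correction may need to go to its origin as well.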
diff --git a/third_party/nix/pkgs/bazel_8/patches/usr_bin_env.patch b/third_party/nix/pkgs/bazel_8/patches/usr_bin_env.patch
new file mode 100644
index 0000000..0718b75
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/usr_bin_env.patch
@@ -0,0 +1,32 @@
+diff --git a/src/zip_builtins.sh b/src/zip_builtins.sh
+index d78ca5526a..c7d8f251cc 100755
+--- a/src/zip_builtins.sh
++++ b/src/zip_builtins.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@usrBinEnv@ bash
+
+ # Copyright 2020 The Bazel Authors. All rights reserved.
+ #
+
+diff --git a/src/zip_files.sh b/src/zip_files.sh
+index 1422a6c659..4b1c221784 100755
+--- a/src/zip_files.sh
++++ b/src/zip_files.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@usrBinEnv@ bash
+
+ # Copyright 2019 The Bazel Authors. All rights reserved.
+ #
+
+diff --git a/src/package-bazel.sh b/src/package-bazel.sh
+index 56e94db400..65fef20988 100755
+--- a/src/package-bazel.sh
++++ b/src/package-bazel.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@usrBinEnv@ bash
+ #
+ # Copyright 2015 The Bazel Authors. All rights reserved.
+ #
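Review bot: The sections for src/zip_files.sh and src/package-bazel.sh expect `#!/usr/bin/env bash` on line 1, which only exists once env_bash.patch has rewritten `#!/bin/bash`. Their `index` lines nevertheless carry the same pre-image ids (1422a6c659, 56e94db400) as env_bash.patch. The ordering dependency between the two patches is therefore implicit, and the index lines no longer describe the blob being patched. Either fold both edits into one patch (`-#!/bin/bash` / `+#!@usrBinEnv@ bash`) or record the required order in a comment where the patch list is defined.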
diff --git a/third_party/nix/pkgs/bazel_8/patches/xcode.patch b/third_party/nix/pkgs/bazel_8/patches/xcode.patch
new file mode 100644
index 0000000..52931a3
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/xcode.patch
@@ -0,0 +1,31 @@
+diff --git a/scripts/bootstrap/compile.sh b/scripts/bootstrap/compile.sh
+index 1bad14cba7..d312fe08bb 100755
+--- a/scripts/bootstrap/compile.sh
++++ b/scripts/bootstrap/compile.sh
+@@ -402,7 +402,7 @@ cp $OUTPUT_DIR/libblaze.jar ${ARCHIVE_DIR}
+ # TODO(b/28965185): Remove when xcode-locator is no longer required in embedded_binaries.
+ log "Compiling xcode-locator..."
+ if [[ $PLATFORM == "darwin" ]]; then
+- run /usr/bin/xcrun --sdk macosx clang -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices -framework Foundation -o ${ARCHIVE_DIR}/xcode-locator tools/osx/xcode_locator.m
++ run @clangDarwin@ -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices -framework Foundation -o ${ARCHIVE_DIR}/xcode-locator tools/osx/xcode_locator.m
+ else
+ cp tools/osx/xcode_locator_stub.sh ${ARCHIVE_DIR}/xcode-locator
+ fi
+diff --git a/tools/osx/BUILD b/tools/osx/BUILD
+index 0358fb0ffe..1e6eae1f33 100644
+--- a/tools/osx/BUILD
++++ b/tools/osx/BUILD
+@@ -27,9 +27,9 @@ exports_files([
+ ])
+
+ DARWIN_XCODE_LOCATOR_COMPILE_COMMAND = """
+- /usr/bin/xcrun --sdk macosx clang -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices \
+- -framework Foundation -arch arm64 -arch x86_64 -Wl,-no_adhoc_codesign -Wl,-no_uuid -o $@ $< && \
+- env -i codesign --identifier $@ --force --sign - $@
++ @clangDarwin@ -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices \
++ -framework Foundation -Wl,-no_adhoc_codesign -Wl,-no_uuid -o $@ $< && \
++ @usrBinEnv@ @codesign@ --identifier $@ --force --sign - $@
+ """
+
+ genrule(
+
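Review bot: In DARWIN_XCODE_LOCATOR_COMPILE_COMMAND the signing step changes from `env -i codesign ...` to `@usrBinEnv@ @codesign@ ...`, which drops `-i`, so codesign now inherits the genrule's environment instead of an empty one. If clearing the environment was deliberate, keep it: `@usrBinEnv@ -i @codesign@ --identifier $@ --force --sign - $@`. The same lines also drop `-arch arm64 -arch x86_64`, so xcode-locator is no longer built as a two-architecture binary. A one-line comment in the patch saying this is intended would save the next reviewer from guessing.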