|  | # Set compilation mode (-c) to debug when running with --config debug. | 
|  | build:dbg --compilation_mode=dbg | 
|  |  | 
|  | # Enable strict_action_env (use static PATH and do not inherit environment variables). | 
|  | # This avoids unnecessary cache invalidations. | 
|  | build --incompatible_strict_action_env=true | 
|  |  | 
|  | # Run all spawns in our own hermetic sandbox sysroot. | 
|  | build --experimental_use_hermetic_linux_sandbox | 
|  | build --action_env=MONOGON_SANDBOX_DIGEST | 
|  | import %workspace%/.bazelrc.sandbox | 
|  |  | 
|  | # Hardwire all action envs to just use /usr/bin from the above sandbox. This is | 
|  | # necessary on NixOS Bazel builds, as they really like to inject /nix/store/* | 
|  | # paths otherwise. We also explicitly set it to /usr/bin only (no /bin) as | 
|  | # otherwise calling gcc from /bin/gcc breaks its own resolution of subordinate | 
|  | # commands (like cc1, as, etc.). | 
|  | build --action_env=PATH=/usr/bin | 
|  | build --host_action_env=PATH=/usr/bin | 
|  |  | 
|  | # Make all shell run actions use /bin/bash instead of whatever the host might | 
|  | # have set. Again, looking at you, Bazel-on-NixOS. | 
|  | build --shell_executable=/bin/bash | 
|  |  | 
|  | # No local CPP toolchain resolution. In our sandbox root, it doesn't make sense - | 
|  | # anything auto-detected during analysis stage is on the host instead of the sandbox. | 
|  | # Sysroot rebuild is pure Go and doesn't need it either. | 
|  | # The flag ensures we fail early if we somehow depend on the host toolchain, | 
|  | # and do not spend unnecessary time on autodiscovery. | 
|  | build --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 | 
|  |  | 
|  | # Use new-style C++ toolchain resolution. | 
|  | build --incompatible_enable_cc_toolchain_resolution | 
|  |  | 
|  | # In our monorepo, we mostly ignore the host platform since we bring our own | 
|  | # execution environment. However, we still need to run a small number of tools | 
|  | # such as gazelle. We can just use rules_go's pure-Go platform. Attempting to | 
|  | # build CGO binaries for the host will fail (and does not make sense). | 
|  | # The host is lava - it could be NixOS (or even potentially macOS/Windows). | 
|  | build --host_platform=@io_bazel_rules_go//go/toolchain:linux_amd64 | 
|  |  | 
|  | # Target platform for the monorepo is currently the same as the host platform, | 
|  | # but we'll support cross-compilation at some point. Do not rely on it. | 
|  | build --platforms=//build/platforms:linux_amd64 | 
|  | # Make sure our platform is picked instead of the --host_platform. | 
|  | build --extra_execution_platforms=//build/platforms:linux_amd64 | 
|  |  | 
|  | # Build resources | 
|  | startup --batch_cpu_scheduling --io_nice_level 7 | 
|  | test --test_output=errors | 
|  |  | 
|  | # selinux: | 
|  | #     build with SELinux (containerd, kubelet) | 
|  | # no_zfs,no_aufs,no_devicemapper: | 
|  | #     disable containerd features we don't need | 
|  | # providerless,dockerless: | 
|  | #     build k8s without cloud provider and docker support | 
|  | # nowasm: | 
|  | #     disable wasm plugin support in sqlc | 
|  | build --@io_bazel_rules_go//go/config:tags=selinux,seccomp,no_zfs,no_aufs,no_devicemapper,providerless,dockerless,nowasm,netgo,osusergo | 
|  |  | 
|  | # kvm_debug: | 
|  | #     prevent stackoverflows for gvisor | 
|  | build:dbg --@io_bazel_rules_go//go/config:tags=selinux,seccomp,no_zfs,no_aufs,no_devicemapper,providerless,dockerless,nowasm,netgo,osusergo,kvm_debug | 
|  |  | 
|  | # Build with C++17. | 
|  | build --cxxopt=-std=c++17 | 
|  |  | 
|  | # Set workspace status file and stamp | 
|  | build --stamp --workspace_status_command=./build/print-workspace-status.py | 
|  |  | 
|  | # Load CI bazelrc if present. | 
|  | try-import %workspace%/ci.bazelrc | 
|  |  | 
|  | # Load custom per-user settings. | 
|  | try-import %workspace%/.bazelrc.user |