commit 6c851e2f8270e2a08077a5d35cc5d7869e2c9188
author Tim Windelschmidt <tim@monogon.tech> Thu Jan 11 15:23:48 2024 +0100
committer Tim Windelschmidt <tim@monogon.tech> Wed Feb 28 13:35:30 2024 +0000
tree debb29dddd190d930e45a7a29cc960eba88206e5
parent 7006cafc58cbff6765726447d84df1cd1531d346

workspace: add additional sandbox hermeticity flags

Closes monogon-dev/monogon#176

Change-Id: Icc303a235bc441585301eab4f6a68035bb0c7fee
Reviewed-on: https://review.monogon.dev/c/monogon/+/2700
Reviewed-by: Serge Bazanski <serge@monogon.tech>
Tested-by: Jenkins CI

.bazelrc

diff --git a/.bazelrc b/.bazelrc
index 562553d..b4de786 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -1,15 +1,30 @@
+# Import Aspect bazelrc presets
+import %workspace%/third_party/bazelrc/aspect/bazel7.bazelrc
+import %workspace%/third_party/bazelrc/aspect/convenience.bazelrc
+import %workspace%/third_party/bazelrc/aspect/correctness.bazelrc
+import %workspace%/third_party/bazelrc/aspect/performance.bazelrc
+
+# Allow empty globs as there are a lot until we replace our rust toolchain and
+# qemu BUILD files.
+common --noincompatible_disallow_empty_glob
+
+# Don't warn about too high test timeout as these can vary a lot.
+test --notest_verbose_timeout_warnings
+
 # Set compilation mode (-c) to debug when running with --config debug.
 build:dbg --compilation_mode=dbg
 
-# Enable strict_action_env (use static PATH and do not inherit environment variables).
-# This avoids unnecessary cache invalidations.
-build --incompatible_strict_action_env=true
-
 # Run all spawns in our own hermetic sandbox sysroot.
 build --experimental_use_hermetic_linux_sandbox
+build --sandbox_fake_hostname
+build --sandbox_fake_username
 build --action_env=MONOGON_SANDBOX_DIGEST
 import %workspace%/.bazelrc.sandbox
 
+# Enable revised output directory hash suffix computation
+build --experimental_output_directory_naming_scheme=diff_against_dynamic_baseline
+build --experimental_exec_configuration_distinguisher=off
+
 # Hardwire all action envs to just use /usr/bin from the above sandbox. This is
 # necessary on NixOS Bazel builds, as they really like to inject /nix/store/*
 # paths otherwise. We also explicitly set it to /usr/bin only (no /bin) as
@@ -71,8 +86,5 @@
 # Set workspace status file and stamp
 build --stamp --workspace_status_command=./build/print-workspace-status.py
 
-# Load CI bazelrc if present.
-try-import %workspace%/ci.bazelrc
-
 # Load custom per-user settings.
 try-import %workspace%/.bazelrc.user