workspace: add additional sandbox hermeticity flags
Closes monogon-dev/monogon#176
Change-Id: Icc303a235bc441585301eab4f6a68035bb0c7fee
Reviewed-on: https://review.monogon.dev/c/monogon/+/2700
Reviewed-by: Serge Bazanski <serge@monogon.tech>
Tested-by: Jenkins CI
diff --git a/third_party/bazelrc/aspect/ci.bazelrc b/third_party/bazelrc/aspect/ci.bazelrc
new file mode 100644
index 0000000..4d91ee0
--- /dev/null
+++ b/third_party/bazelrc/aspect/ci.bazelrc
@@ -0,0 +1,73 @@
+# We recommend enforcing a policy that keeps your CI from being slowed down
+# by individual test targets that should be optimized
+# or split up into multiple test targets with sharding or manually.
+# Set this flag to exclude targets that have their timeout set to eternal (>15m) from running on CI.
+# Docs: https://bazel.build/docs/user-manual#test-timeout-filters
+test --test_timeout_filters=-eternal
+
+# Set this flag to enable re-tries of failed tests on CI.
+# When any test target fails, try one or more times. This applies regardless of whether the "flaky"
+# tag appears on the target definition.
+# This is a tradeoff: legitimately failing tests will take longer to report,
+# but we can paper over flaky tests that pass most of the time.
+# The alternative is to mark every flaky test with the `flaky = True` attribute, but this requires
+# the buildcop to make frequent code edits.
+# Not recommended for local builds so that the flakiness is observed during development and thus
+# is more likely to get fixed.
+# Note that when passing after the first attempt, Bazel will give a special "FLAKY" status.
+# Docs: https://bazel.build/docs/user-manual#flaky-test-attempts
+test --flaky_test_attempts=2
+
+# Announce all announces command options read from the bazelrc file(s) when starting up at the
+# beginning of each Bazel invocation. This is very useful on CI to be able to inspect what Bazel rc
+# settings are being applied on each run.
+# Docs: https://bazel.build/docs/user-manual#announce-rc
+build --announce_rc
+
+# Add a timestamp to each message generated by Bazel specifying the time at which the message was
+# displayed.
+# Docs: https://bazel.build/docs/user-manual#show-timestamps
+build --show_timestamps
+
+# Only show progress every 60 seconds on CI.
+# We want to find a compromise between printing often enough to show that the build isn't stuck,
+# but not so often that we produce a long log file that requires a lot of scrolling.
+# https://bazel.build/reference/command-line-reference#flag--show_progress_rate_limit
+build --show_progress_rate_limit=60
+
+# Use cursor controls in screen output.
+# Docs: https://bazel.build/docs/user-manual#curses
+build --curses=yes
+
+# Use colors to highlight output on the screen. Set to `no` if your CI does not display colors.
+# Docs: https://bazel.build/docs/user-manual#color
+build --color=yes
+
+# The terminal width in columns. Configure this to override the default value based on what your CI system renders.
+# Docs: https://github.com/bazelbuild/bazel/blob/1af61b21df99edc2fc66939cdf14449c2661f873/src/main/java/com/google/devtools/build/lib/runtime/UiOptions.java#L151
+build --terminal_columns=143
+
+######################################
+# Generic remote cache configuration #
+######################################
+
+# Only download remote outputs of top level targets to the local machine.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_download_toplevel
+build --remote_download_toplevel
+
+# The maximum amount of time to wait for remote execution and cache calls.
+# https://bazel.build/reference/command-line-reference#flag--remote_timeout
+build --remote_timeout=3600
+
+# Upload locally executed action results to the remote cache.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_upload_local_results
+build --remote_upload_local_results
+
+# Fall back to standalone local execution strategy if remote execution fails. If the grpc remote
+# cache connection fails, it will fail the build, add this so it falls back to the local cache.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_local_fallback
+build --remote_local_fallback
+
+# Fixes builds hanging on CI that get the TCP connection closed without sending RST packets.
+# Docs: https://bazel.build/reference/command-line-reference#flag--grpc_keepalive_time
+build --grpc_keepalive_time=30s