.bazelrc - monogon - Gitiles

 # Import Aspect bazelrc presets
 import %workspace%/third_party/bazelrc/aspect/bazel7.bazelrc
 import %workspace%/third_party/bazelrc/aspect/convenience.bazelrc
 import %workspace%/third_party/bazelrc/aspect/correctness.bazelrc
 import %workspace%/third_party/bazelrc/aspect/performance.bazelrc

 # Actually make the lock file a lock file by not updating it without any
 # request to do so.
 common --lockfile_mode=error

 # Allow empty globs as there are a lot until we replace our rust toolchain and
 # qemu BUILD files.
 common --noincompatible_disallow_empty_glob

 # Don't warn about too high test timeout as these can vary a lot.
 test --notest_verbose_timeout_warnings

 # Set compilation mode (-c) to debug when running with --config dbg.
 build:dbg --compilation_mode=dbg

 # Run all spawns in our own hermetic sandbox sysroot.
 build --experimental_use_hermetic_linux_sandbox
 build --sandbox_fake_hostname
 build --sandbox_fake_username
 build --action_env=MONOGON_SANDBOX_DIGEST
 import %workspace%/.bazelrc.sandbox

 # Enable revised output directory hash suffix computation
 build --experimental_output_directory_naming_scheme=diff_against_dynamic_baseline
 build --experimental_exec_configuration_distinguisher=off

 # Hardwire all action envs to just use /usr/bin from the above sandbox. This is
 # necessary on NixOS Bazel builds, as they really like to inject /nix/store/*
 # paths otherwise. We also explicitly set it to /usr/bin only (no /bin) as
 # otherwise calling gcc from /bin/gcc breaks its own resolution of subordinate
 # commands (like cc1, as, etc.).
 build --action_env=PATH=/usr/bin
 build --host_action_env=PATH=/usr/bin

 # Make all shell run actions use /bin/bash instead of whatever the host might
 # have set. Again, looking at you, Bazel-on-NixOS.
 build --shell_executable=/bin/bash

 # No local CPP toolchain resolution. In our sandbox root, it doesn't make sense -
 # anything auto-detected during analysis stage is on the host instead of the sandbox.
 # Sysroot rebuild is pure Go and doesn't need it either.
 # The flag ensures we fail early if we somehow depend on the host toolchain,
 # and do not spend unnecessary time on autodiscovery.
 build --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1

 # Use new-style C++ toolchain resolution.
 build --incompatible_enable_cc_toolchain_resolution

 # In our monorepo, we mostly ignore the host platform since we bring our own
 # execution environment. However, we still need to run a small number of tools
 # such as gazelle. We can just use rules_go's pure-Go platform. Attempting to
 # build CGO binaries for the host will fail (and does not make sense).
 # The host is lava - it could be NixOS (or even potentially macOS/Windows).
 build --host_platform=@io_bazel_rules_go//go/toolchain:linux_amd64

 # Target platform for the monorepo is currently the same as the host platform,
 # but we'll support cross-compilation at some point. Do not rely on it.
 build --platforms=//build/platforms:linux_amd64
 # Make sure our platform is picked instead of the --host_platform.
 build --extra_execution_platforms=//build/platforms:linux_amd64

 # Build resources
 startup --batch_cpu_scheduling --io_nice_level 7
 test --test_output=errors

 # selinux:
 #     build with SELinux (containerd, kubelet)
 # no_zfs,no_aufs,no_devicemapper:
 #     disable containerd features we don't need
 # providerless,dockerless:
 #     build k8s without cloud provider and docker support
 # nowasm:
 #     disable wasm plugin support in sqlc
 # nobtrfs,nozfs,notapestats,norapl:
 #     disable node_exporter features we don't need
 build --@io_bazel_rules_go//go/config:tags=selinux,seccomp,no_zfs,no_aufs,no_devicemapper,providerless,dockerless,nowasm,netgo,osusergo,nobtrfs,nozfs,notapestats,norapl

 # kvm_debug:
 #     prevent stackoverflows for gvisor
 build:dbg --@io_bazel_rules_go//go/config:tags=selinux,seccomp,no_zfs,no_aufs,no_devicemapper,providerless,dockerless,nowasm,netgo,osusergo,nobtrfs,nozfs,notapestats,norapl,kvm_debug

 # Build with C++17.
 build --cxxopt=-std=c++17

 # Set workspace status file and stamp
 build --stamp --workspace_status_command=./build/print-workspace-status.py

 test --experimental_allow_tags_propagation
 # Assume a 10k IOPS device (average NVMe) and 64GiB of RAM for test scheduling.
 test --local_resources=iops=10000 --local_resources=ram=64000

 # Load custom per-user settings.
 try-import %workspace%/.bazelrc.user
	# Import Aspect bazelrc presets
	import %workspace%/third_party/bazelrc/aspect/bazel7.bazelrc
	import %workspace%/third_party/bazelrc/aspect/convenience.bazelrc
	import %workspace%/third_party/bazelrc/aspect/correctness.bazelrc
	import %workspace%/third_party/bazelrc/aspect/performance.bazelrc

	# Actually make the lock file a lock file by not updating it without any
	# request to do so.
	common --lockfile_mode=error

	# Allow empty globs as there are a lot until we replace our rust toolchain and
	# qemu BUILD files.
	common --noincompatible_disallow_empty_glob

	# Don't warn about too high test timeout as these can vary a lot.
	test --notest_verbose_timeout_warnings

	# Set compilation mode (-c) to debug when running with --config dbg.
	build:dbg --compilation_mode=dbg

	# Run all spawns in our own hermetic sandbox sysroot.
	build --experimental_use_hermetic_linux_sandbox
	build --sandbox_fake_hostname
	build --sandbox_fake_username
	build --action_env=MONOGON_SANDBOX_DIGEST
	import %workspace%/.bazelrc.sandbox

	# Enable revised output directory hash suffix computation
	build --experimental_output_directory_naming_scheme=diff_against_dynamic_baseline
	build --experimental_exec_configuration_distinguisher=off

	# Hardwire all action envs to just use /usr/bin from the above sandbox. This is
	# necessary on NixOS Bazel builds, as they really like to inject /nix/store/*
	# paths otherwise. We also explicitly set it to /usr/bin only (no /bin) as
	# otherwise calling gcc from /bin/gcc breaks its own resolution of subordinate
	# commands (like cc1, as, etc.).
	build --action_env=PATH=/usr/bin
	build --host_action_env=PATH=/usr/bin

	# Make all shell run actions use /bin/bash instead of whatever the host might
	# have set. Again, looking at you, Bazel-on-NixOS.
	build --shell_executable=/bin/bash

	# No local CPP toolchain resolution. In our sandbox root, it doesn't make sense -
	# anything auto-detected during analysis stage is on the host instead of the sandbox.
	# Sysroot rebuild is pure Go and doesn't need it either.
	# The flag ensures we fail early if we somehow depend on the host toolchain,
	# and do not spend unnecessary time on autodiscovery.
	build --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1

	# Use new-style C++ toolchain resolution.
	build --incompatible_enable_cc_toolchain_resolution

	# In our monorepo, we mostly ignore the host platform since we bring our own
	# execution environment. However, we still need to run a small number of tools
	# such as gazelle. We can just use rules_go's pure-Go platform. Attempting to
	# build CGO binaries for the host will fail (and does not make sense).
	# The host is lava - it could be NixOS (or even potentially macOS/Windows).
	build --host_platform=@io_bazel_rules_go//go/toolchain:linux_amd64

	# Target platform for the monorepo is currently the same as the host platform,
	# but we'll support cross-compilation at some point. Do not rely on it.
	build --platforms=//build/platforms:linux_amd64
	# Make sure our platform is picked instead of the --host_platform.
	build --extra_execution_platforms=//build/platforms:linux_amd64

	# Build resources
	startup --batch_cpu_scheduling --io_nice_level 7
	test --test_output=errors

	# selinux:
	# build with SELinux (containerd, kubelet)
	# no_zfs,no_aufs,no_devicemapper:
	# disable containerd features we don't need
	# providerless,dockerless:
	# build k8s without cloud provider and docker support
	# nowasm:
	# disable wasm plugin support in sqlc
	# nobtrfs,nozfs,notapestats,norapl:
	# disable node_exporter features we don't need
	build --@io_bazel_rules_go//go/config:tags=selinux,seccomp,no_zfs,no_aufs,no_devicemapper,providerless,dockerless,nowasm,netgo,osusergo,nobtrfs,nozfs,notapestats,norapl

	# kvm_debug:
	# prevent stackoverflows for gvisor
	build:dbg --@io_bazel_rules_go//go/config:tags=selinux,seccomp,no_zfs,no_aufs,no_devicemapper,providerless,dockerless,nowasm,netgo,osusergo,nobtrfs,nozfs,notapestats,norapl,kvm_debug

	# Build with C++17.
	build --cxxopt=-std=c++17

	# Set workspace status file and stamp
	build --stamp --workspace_status_command=./build/print-workspace-status.py

	test --experimental_allow_tags_propagation
	# Assume a 10k IOPS device (average NVMe) and 64GiB of RAM for test scheduling.
	test --local_resources=iops=10000 --local_resources=ram=64000

	# Load custom per-user settings.
	try-import %workspace%/.bazelrc.user