bazel-ios · chenj-hub · Jul 3, 2023 · Jul 6, 2023 · Jul 12, 2023 · Jul 12, 2023
diff --git a/.bazelci/presubmit.yml b/.bazelci/presubmit.yml
@@ -41,6 +41,8 @@ tasks:
     name: "Unit Tests"
     build_targets:
     - "..."
+    build_flags:
+    - "--build_tag_filters=-container"
     test_flags:
     - "--test_tag_filters=-integration,-redis"
     test_targets:
@@ -49,13 +51,18 @@ tasks:
     name: "Unit Tests"
     build_targets:
     - "..."
+    build_flags:
+    - "--build_tag_filters=-container"
     test_flags:
     - "--test_tag_filters=-integration,-redis"
     test_targets:
     - "..."
   macos:
     name: "Unit Tests"
+    environment:
+      USE_BAZEL_VERSION: 17be878292730359c9c90efdceabed26126df7ae
     build_flags:
+    - "--cxxopt=-std=c++14"
     - "--build_tag_filters=-container"
     build_targets:
     - "..."
@@ -66,10 +73,11 @@ tasks:
   windows:
     name: "Unit Tests"
     build_flags:
-    - "--build_tag_filters=-container,-audit"
+    - "--build_tag_filters=-container"
     build_targets:
     - "..."
     test_flags:
+    - "--@rules_jvm_external//settings:stamp_manifest=False"
     - "--test_tag_filters=-integration,-redis"
     test_targets:
     - "..."

diff --git a/.bazelci/run_server_test.sh b/.bazelci/run_server_test.sh
@@ -8,11 +8,11 @@ bazel build //src/main/java/build/buildfarm:buildfarm-shard-worker
 bazel build //src/main/java/build/buildfarm:buildfarm-server
 
 # Start a single worker
-bazel run //src/main/java/build/buildfarm:buildfarm-shard-worker $(pwd)/examples/config.minimal.yml > server.log 2>&1 &
+bazel run //src/main/java/build/buildfarm:buildfarm-shard-worker $(pwd)/examples/config.minimal.yml > worker.log 2>&1 &
 echo "Started buildfarm-shard-worker..."
 
 # Start a single server
-bazel run //src/main/java/build/buildfarm:buildfarm-server $(pwd)/examples/config.minimal.yml > worker.log 2>&1 &
+bazel run //src/main/java/build/buildfarm:buildfarm-server $(pwd)/examples/config.minimal.yml > server.log 2>&1 &
 echo "Started buildfarm-server..."
 
 echo "Wait for startup to finish..."

diff --git a/.bazelrc b/.bazelrc
@@ -1,3 +1,9 @@
+build --java_language_version=17
+build --java_runtime_version=remotejdk_17
+
+build --tool_java_language_version=17
+build --tool_java_runtime_version=remotejdk_17
+
 common --enable_platform_specific_config
 
 build:fuse --define=fuse=true
@@ -14,3 +20,8 @@ test --test_tag_filters=-redis,-integration
 # Ensure buildfarm is compatible with future versions of bazel.
 # https://buildkite.com/bazel/bazelisk-plus-incompatible-flags
 common --incompatible_disallow_empty_glob
+
+common --enable_bzlmod
+
+# Support protobuf on macOS with Xcode 15.x
+common:macos --host_cxxopt=-std=c++14 --cxxopt=-std=c++14
diff --git a/.bazelversion b/.bazelversion
@@ -1 +1 @@
-6.1.2
+6.4.0
diff --git a/.github/workflows/buildfarm-helm-chart-lint.yml b/.github/workflows/buildfarm-helm-chart-lint.yml
@@ -0,0 +1,24 @@
+---
+name: Lint Helm Chart
+
+on:
+  push:
+    paths:
+      - kubernetes/helm-charts/buildfarm/**
+
+env:
+  CHART_ROOT: kubernetes/helm-charts/buildfarm
+
+jobs:
+  lint:
+    name: Lint Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - id: helm-lint
+        name: Lint Helm Chart
+        run: |-
+          set -ex
+          helm dep up "${CHART_ROOT}"
+          helm lint "${CHART_ROOT}"
diff --git a/.github/workflows/buildfarm-helm-chart-publish.yml b/.github/workflows/buildfarm-helm-chart-publish.yml
@@ -0,0 +1,42 @@
+---
+name: Package and Publish Helm Chart
+
+on:
+  push:
+    tags:
+      - 'helm/*'
+
+env:
+  GH_TOKEN: ${{ github.token }}
+  CHART_ROOT: kubernetes/helm-charts/buildfarm
+
+jobs:
+  build:
+    name: Lint, Package, and Release BuildFarm Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - id: get-chart-ver
+        name: Extracting Helm Chart Version from Tag
+        run: |
+          set -ex
+          echo "chart_ver=$(echo $GITHUB_REF | cut -d / -f 4)" >> $GITHUB_OUTPUT
+      - id: set-chart-yaml-version
+        name: Etching Helm Chart Version into Chart.yaml for Packaging
+        run: |
+          set -ex
+          echo setting Chart version to \
+            "${{ steps.get-chart-ver.outputs.chart_ver }}" \
+            in ${CHART_ROOT}/Chart.yaml
+          yq -i \
+            '.version |= "${{ steps.get-chart-ver.outputs.chart_ver }}"' \
+            ${CHART_ROOT}/Chart.yaml
+      - id: helm-lint-package-release
+        name: Helm Chart Lint, Package, and Release
+        run: |-
+          set -ex
+          helm dep up "${CHART_ROOT}"
+          helm lint "${CHART_ROOT}"
+          helm package "${CHART_ROOT}"
+          gh release create "${{ github.ref_name }}" *.tgz
diff --git a/.github/workflows/buildfarm-images-build-and-deploy.yml b/.github/workflows/buildfarm-images-build-and-deploy.yml
@@ -0,0 +1,31 @@
+name: Build and Push Latest Buildfarm Images
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    if: github.repository == 'bazelbuild/bazel-buildfarm'
+    name: Build Buildfarm Images
+    runs-on: ubuntu-latest
+    steps:
+      - uses: bazelbuild/setup-bazelisk@v2
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Login to Bazelbuild Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.BAZELBUILD_DOCKERHUB_USERNAME }}
+          password: ${{ secrets.BAZELBUILD_DOCKERHUB_TOKEN }}
+
+      - name: Build Server Image
+        id: buildAndPushServerImage
+        run: bazel run public_push_buildfarm-server --define release_version=latest
+
+      - name: Build Worker Image
+        id: buildAndPushWorkerImage
+        run: bazel run public_push_buildfarm-worker --define release_version=latest
diff --git a/.github/workflows/buildfarm-release-build-and-deploy.yml b/.github/workflows/buildfarm-release-build-and-deploy.yml
@@ -0,0 +1,30 @@
+name: Build and Push Buildfarm Releases
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    if: github.repository == 'bazelbuild/bazel-buildfarm'
+    name: Build Buildfarm Images
+    runs-on: ubuntu-latest
+    steps:
+      - uses: bazelbuild/setup-bazelisk@v2
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Login to Bazelbuild Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.BAZELBUILD_DOCKERHUB_USERNAME }}
+          password: ${{ secrets.BAZELBUILD_DOCKERHUB_TOKEN }}
+
+      - name: Build Server Image
+        id: buildAndPushServerImage
+        run: bazel run public_push_buildfarm-server --define release_version=${{ github.event.release.tag_name }}
+
+      - name: Build Worker Image
+        id: buildAndPushWorkerImage
+        run: bazel run public_push_buildfarm-worker --define release_version=${{ github.event.release.tag_name }}
diff --git a/.github/workflows/buildfarm-worker-base-build-and-deploy.yml b/.github/workflows/buildfarm-worker-base-build-and-deploy.yml
@@ -0,0 +1,39 @@
+name: Build and Push Base Buildfarm Worker Images
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - ci/base-worker-image/jammy/Dockerfile
+      - ci/base-worker-image/mantic/Dockerfile
+jobs:
+  build:
+    if: github.repository == 'bazelbuild/bazel-buildfarm'
+    name: Build Base Buildfarm Worker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Login to Bazelbuild Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.BAZELBUILD_DOCKERHUB_USERNAME }}
+          password: ${{ secrets.BAZELBUILD_DOCKERHUB_TOKEN }}
+
+      - name: Build Jammy Docker image
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        with:
+          context: .
+          file: ./ci/base-worker-image/jammy/Dockerfile
+          push: true
+          tags: bazelbuild/buildfarm-worker-base:jammy
+
+      - name: Build Mantic Docker image
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        with:
+          context: .
+          file: ./ci/base-worker-image/mantic/Dockerfile
+          push: true
+          tags: bazelbuild/buildfarm-worker-base:mantic
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -20,7 +20,7 @@ jobs:
             ${{ runner.os }}-gems-
 
       # Use GitHub Deploy Action to build and deploy to Github
-      - uses: jeffreytse/jekyll-deploy-action@v0.4.0
+      - uses: jeffreytse/jekyll-deploy-action@v0.5.0
         with:
           provider: 'github'
           token: ${{ secrets.GH_TOKEN }} # It's your Personal Access Token(PAT)

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -0,0 +1,68 @@
+name: Scorecards supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: "23 2 * * 5"
+  push:
+    branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1
+        with:
+          sarif_file: results.sarif
diff --git a/AUTHORS b/AUTHORS
@@ -9,3 +9,4 @@
 Uber Technologies Inc.
 Aurora Innovation, Inc.
 VMware, Inc.
+Salesforce, Inc.