Before contributing to the Bazel Central Registry, check the BCR policies to learn how the BCR is maintained.
To contribute a new module or a new version to an existing module, you can clone the BCR repository and run the interactive helper script:
git clone https://github.com/bazelbuild/bazel-central-registry.git
cd bazel-central-registry
bazel run //tools:add_moduleThe script will generate all require changes based on your input, please review, modify and commit the change, then send a PR to the BCR repository.
If you are the project owner, you can set up the Publish to BCR Github App for your repository to automatically send a PR to the BCR when cutting a new release.
When manually editing files you may find bazel run -- //tools:update_integrity foomod useful to update the integrity hashes in foomod's source.json file.
The tool also accepts a --version option to update the source.json of a specific version of the module (instead of latest).
Every module version must pass the BCR presubmit before getting merged. The presubmit validates the correctness and consistency of module information, then runs build and test targets specified in the presubmit.yml file. The BCR presubmit is driven by the bcr_presubmit.py script on Bazel CI.
Most of presubmit validations are implemented in ./tools/bcr_validation.py. So you can also run the following command to validate a module locally:
python3 tools/bcr_validation.py --check=foo@1.0.0Validations performed in the scripts are:
- Verify the module version exists in the
metadata.jsonof the module. - Verify the source archive URL matches the source repository specified in
metadata.json. - Verify the source archive URL is stable if it comes from GitHub. (See this discussion)
- Verify the integrity values of the source archive and patch files (if any) are correct.
- Verify the checked-in MODULE.bazel file matches the one in the extracted and patched source tree.
- Check if the module is new or the
presubmit.ymlfile is changed compared to the last version, if so a BCR maintainer review will be required to run jobs specified inpresubmit.yml.
Additional validations implemented in the bcr_presubmit.py script:
- The checked-in MODULE.bazel, source.json, patches files are not modified in the PR.
- The files outside of
modules/directory are not modified in the pull request if the PR is adding a new module version.
The modules in the BCR are meant to be used as dependencies of other Bazel modules. You can specify the targets you want to expose for your dependents in the presubmit.yml file, and the BCR presubmit will verify those targets can be built correctly when used as dependencies of a simple anonymous module.
For example, in zlib@1.2.13's presubmit.yml:
matrix:
platform:
- centos7
- debian10
- ubuntu2004
- macos
- windows
bazel: [6.x, 7.x]
tasks:
verify_targets:
name: Verify build targets
platform: ${{ platform }}
bazel: ${{ bazel }}
build_targets:
- '@zlib//:zlib'In the presubmit, a simple anonymous module will be created with MODULE.bazel:
bazel_dep(name="zlib", version="1.2.13")Then the presubmit will verify building @zlib//:zlib succeeds on all specified platforms.
While you can also specify test_targets, it may not always work since test targets can require additional dev dependencies that are not available when your project is not the root module.
Note that the task config syntax follows Bazel CI's specifications.
It's highly recommended to specify a test module that includes example usages of your module, which will help verify the basic APIs and functionalities of your module work correctly.
A test module is located in a subdirectory of the extracted and patched source tree of the target module (the module you want to check in). You can specify the tasks in the presubmit.yml file under bcr_test_module. A MODULE.bazel file should be in the test module directory, and it can depend on the target module with local_path_override. With the test module, you can introduce additional dependencies for testing without affecting the target module.
For example, in rules_jvm_external@4.4.1's presubmit.yml file:
bcr_test_module:
module_path: examples/bzlmod
matrix:
platform:
- centos7
- debian10
- ubuntu2004
- macos
- windows
bazel: [6.x, 7.x]
tasks:
run_test_module:
name: Run test module
platform: ${{ platform }}
bazel: ${{ bazel }}
build_targets:
- //java/src/com/github/rules_jvm_external/examples/bzlmod:bzlmod_exampleIn rules_jvm_external's example/bzlmod/MODULE.bazel:
bazel_dep(name = "rules_jvm_external")
local_path_override(
module_name = "rules_jvm_external",
path = "../..",
)Note that the task config syntax also follows Bazel CI's specifications, but just one level deeper under bcr_test_module and you have to specify the subdirectory of the test module via module_path.
If a module version is discovered with security vulnerabilities or for any reason should no longer be used, you can yank the module version by adding it to the yanked map in metadata.json and provide a reason.
For example, in zlib's metadata.json:
"yanked_versions": {
"1.2.11": "CVE-2018-25032 (https://github.com/advisories/GHSA-jc36-42cf-vqwj)",
"1.2.12": "CVE-2022-37434 (https://github.com/advisories/GHSA-cfmr-vrgj-vqwv)"
}A Bzlmod user's build will start to fail if the yanked version is in the resolved dependency graph, and the yanked reason will be presented in the error message. The user can choose to upgrade the dependency or they can bypass the check by specifying the --allow_yanked_versions flag or the BZLMOD_ALLOW_YANKED_VERSIONS environment variable. Check the documentation to learn how to use them.
Bazel has a diverse ecosystem and projects using various versioning schemes, check Bzlmod's version specification. If you need to update a module with only patch file changes, you can add .bcr.<N> suffix to the version number.
If for any reason, you think a module or a version of a module should be removed from the Bazel Central Registry, please file a bug and reach out to BCR maintainers at bcr-maintainers@bazel.build.