[bazel] Move rules_rust to bzlmod

[shs96c]

User description

Bazel 9 is coming out soon, and that drops support for workspace-based builds. Preempt this by moving rules_rust into the module file.

---

PR Type

Enhancement

---

Description

• Migrate rules_rust from WORKSPACE to MODULE.bazel for Bazel 9 compatibility

• Update multiple Bazel dependency versions to latest stable releases

• Configure Rust toolchain and crate universe extensions via bzlmod

• Remove legacy workspace-based Rust configuration and dependencies

---

Diagram Walkthrough

flowchart LR
  A["WORKSPACE<br/>rules_rust config"] -->|"Remove legacy<br/>workspace setup"| B["MODULE.bazel<br/>bzlmod extensions"]
  C["Old Rust<br/>dependencies"] -->|"Update versions"| D["New dependency<br/>versions"]
  B -->|"Configure"| E["Rust toolchain<br/>v1.89.0"]
  B -->|"Configure"| F["Crate universe<br/>extensions"]

Loading

File Walkthrough

Relevant files

Configuration changes

MODULE.bazel Add rules_rust and configure Rust extensions                          MODULE.bazel Add rules_rust v0.67.0 as a bazel_dep Update multiple dependency versions (aspect_bazel_lib, bazel_features, bazel_skylib, buildifier_prebuilt, platforms, rules_cc) Configure Rust toolchain extension with version 1.89.0 Configure crate universe extension to load Cargo.lock and manifests +19/-6    WORKSPACE Remove legacy workspace-based Rust configuration                  WORKSPACE Remove entire rules_rust http_archive definition Remove rules_rust_dependencies() and rust_register_toolchains() calls Remove crates_repository() configuration Remove crate_repositories() and cargo_dependencies() loading +0/-31

---

[qodo-merge-pro]

PR Compliance Guide 🔍

(Compliance updated until commit 8856014)

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: No auditing: The added Bazel module and Rust toolchain/crate configuration do not introduce or modify any application logic that could demonstrate audit logging of critical actions, so compliance cannot be verified from this diff. Referred Code rust = use_extension("@rules_rust//rust:extensions.bzl", "rust") rust.toolchain(versions = ["1.89.0"]) crate = use_extension("@rules_rust//crate_universe:extensions.bzl", "crate") crate.from_cargo( name = "crates", cargo_lockfile = "//rust:Cargo.lock", lockfile = "//rust:Cargo.Bazel.lock", manifests = ["//rust:Cargo.toml"], ) use_repo(crate, "crates") Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: No error paths: The changes are Bazel module dependency and extension configuration without runtime error handling code, so robustness and edge case handling cannot be assessed from this diff. Referred Code rust = use_extension("@rules_rust//rust:extensions.bzl", "rust") rust.toolchain(versions = ["1.89.0"]) crate = use_extension("@rules_rust//crate_universe:extensions.bzl", "crate") crate.from_cargo( name = "crates", cargo_lockfile = "//rust:Cargo.lock", lockfile = "//rust:Cargo.Bazel.lock", manifests = ["//rust:Cargo.toml"], ) use_repo(crate, "crates") Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: No user errors: The diff only adjusts Bazel dependencies and toolchain setup and does not include user-facing error messages, so secure error handling cannot be confirmed. Referred Code rust = use_extension("@rules_rust//rust:extensions.bzl", "rust") rust.toolchain(versions = ["1.89.0"]) crate = use_extension("@rules_rust//crate_universe:extensions.bzl", "crate") crate.from_cargo( name = "crates", cargo_lockfile = "//rust:Cargo.lock", lockfile = "//rust:Cargo.Bazel.lock", manifests = ["//rust:Cargo.toml"], ) use_repo(crate, "crates") Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Logging unknown: No logging statements are introduced in the added Bazel configuration, so adherence to secure logging practices cannot be determined from this diff. Referred Code rust = use_extension("@rules_rust//rust:extensions.bzl", "rust") rust.toolchain(versions = ["1.89.0"]) crate = use_extension("@rules_rust//crate_universe:extensions.bzl", "crate") crate.from_cargo( name = "crates", cargo_lockfile = "//rust:Cargo.lock", lockfile = "//rust:Cargo.Bazel.lock", manifests = ["//rust:Cargo.toml"], ) use_repo(crate, "crates") Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: No inputs here: The changes configure Bazel modules and Rust toolchains without handling external inputs or data, so input validation and secure data handling cannot be assessed from this diff. Referred Code rust = use_extension("@rules_rust//rust:extensions.bzl", "rust") rust.toolchain(versions = ["1.89.0"]) crate = use_extension("@rules_rust//crate_universe:extensions.bzl", "crate") crate.from_cargo( name = "crates", cargo_lockfile = "//rust:Cargo.lock", lockfile = "//rust:Cargo.Bazel.lock", manifests = ["//rust:Cargo.toml"], ) use_repo(crate, "crates") Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

---

Previous compliance checks

Compliance check up to commit edf3fcb

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Non-applicable Scope: The added lines configure Bazel modules and Rust toolchains without introducing runtime actions or logging surfaces, so audit trail compliance cannot be evaluated from this infrastructure-only change. Referred Code bazel_dep(name = "aspect_bazel_lib", version = "2.14.0") bazel_dep(name = "aspect_rules_esbuild", version = "0.21.0") bazel_dep(name = "aspect_rules_js", version = "2.3.7") bazel_dep(name = "aspect_rules_ts", version = "3.6.0") bazel_dep(name = "bazel_features", version = "1.32.0") bazel_dep(name = "bazel_skylib", version = "1.8.2") bazel_dep(name = "buildifier_prebuilt", version = "7.3.1") bazel_dep(name = "contrib_rules_jvm", version = "0.27.0") bazel_dep(name = "platforms", version = "1.0.0") # Required for the closure rules bazel_dep(name = "protobuf", version = "29.2", dev_dependency = True, repo_name = "com_google_protobuf") # Required for rules_rust to import the crates properly bazel_dep(name = "rules_cc", version = "0.2.8", dev_dependency = True) bazel_dep(name = "rules_dotnet", version = "0.17.5") bazel_dep(name = "rules_java", version = "8.7.1") bazel_dep(name = "rules_jvm_external", version = "6.8") bazel_dep(name = "rules_multitool", version = "1.3.0") bazel_dep(name = "rules_nodejs", version = "6.3.2") ... (clipped 357 lines)
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Infra-only Change: The new lines only declare Bazel dependencies and extensions (e.g., rules_rust and crates) and do not implement runtime logic where error handling would appear, so compliance cannot be determined. Referred Code bazel_dep(name = "rules_rust", version = "0.67.0") # Until `rules_jvm_external` 6.8 ships single_version_override( module_name = "rules_jvm_external", patch_strip = 1, patches = ["//java:rules_jvm_external_javadoc.patch"], ) multitool = use_extension("@rules_multitool//multitool:extension.bzl", "multitool") multitool.hub(lockfile = "//:multitool.lock.json") use_repo(multitool, "multitool") linter = use_extension("@apple_rules_lint//lint:extensions.bzl", "linter") linter.configure( name = "java-spotbugs", config = "//java:spotbugs-config", ) linter.configure( name = "rust-rustfmt", config = "//rust:enable-rustfmt", ... (clipped 331 lines)
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: No User Errors: The change removes WORKSPACE-based rules_rust setup and adds no user-facing error surfaces, so secure error handling cannot be assessed from the diff. Referred Code rules_closure_dependencies( omit_rules_java = True, omit_rules_proto = True, omit_rules_python = True, ) rules_closure_toolchains()
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Build Config Only: The additions are Bazel module and rules_rust configuration without external input handling or data processing paths, so validation and data handling security cannot be evaluated here. Referred Code bazel_dep(name = "aspect_bazel_lib", version = "2.14.0") bazel_dep(name = "aspect_rules_esbuild", version = "0.21.0") bazel_dep(name = "aspect_rules_js", version = "2.3.7") bazel_dep(name = "aspect_rules_ts", version = "3.6.0") bazel_dep(name = "bazel_features", version = "1.32.0") bazel_dep(name = "bazel_skylib", version = "1.8.2") bazel_dep(name = "buildifier_prebuilt", version = "7.3.1") bazel_dep(name = "contrib_rules_jvm", version = "0.27.0") bazel_dep(name = "platforms", version = "1.0.0") # Required for the closure rules bazel_dep(name = "protobuf", version = "29.2", dev_dependency = True, repo_name = "com_google_protobuf") # Required for rules_rust to import the crates properly bazel_dep(name = "rules_cc", version = "0.2.8", dev_dependency = True) bazel_dep(name = "rules_dotnet", version = "0.17.5") bazel_dep(name = "rules_java", version = "8.7.1") bazel_dep(name = "rules_jvm_external", version = "6.8") bazel_dep(name = "rules_multitool", version = "1.3.0") bazel_dep(name = "rules_nodejs", version = "6.3.2") ... (clipped 357 lines)

[qodo-merge-pro]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Confirm resolution of previous build blocker The suggestion requests confirmation that a previously documented Windows build issue with rules_rust and bzlmod has been resolved, as the workaround for it is being removed in this PR. Examples: WORKSPACE [24-54] Solution Walkthrough: Before: # WORKSPACE # rules_rust fails to compile zstd on Windows when used with Bzlmod # so we keep it in WORKSPACE for now http_archive( name = "rules_rust", integrity = "sha256-YrnH/f8jCpEqGAU+keNqauc+QSde9egtcFXqPtJuee4=", urls = ["https://github.com/bazelbuild/rules_rust/releases/download/0.65.0/rules_rust-0.65.0.tar.gz"], ) load("@rules_rust//rust:repositories.bzl", "rules_rust_dependencies", "rust_register_toolchains") rules_rust_dependencies() rust_register_toolchains(versions = ["1.89.0"]) ... After: # WORKSPACE # ... (rules_rust setup is removed) # MODULE.bazel module(name = "selenium") bazel_dep(name = "rules_rust", version = "0.67.0") rust = use_extension("@rules_rust//rust:extensions.bzl", "rust") rust.toolchain(versions = ["1.89.0"]) crate = use_extension("@rules_rust//crate_universe:extensions.bzl", "crate") crate.from_cargo(...) use_repo(crate, "crates") Suggestion importance[1-10]: 9 __ Why: This suggestion highlights a critical risk of re-introducing a known Windows build failure, as the PR removes a workaround without confirming the underlying issue is resolved.	High
Learned best practice	Validate Cargo file presence Add basic existence checks for Cargo files and a helpful error to avoid confusing resolution failures when files are missing or paths change. MODULE.bazel [374-380] crate = use_extension("@rules_rust//crate_universe:extensions.bzl", "crate") +_cargo_lock = "//rust:Cargo.lock" +_bazel_lock = "//rust:Cargo.Bazel.lock" +_manifest = "//rust:Cargo.toml" +# Basic validation to surface clearer errors early +if not native.glob([_cargo_lock[2:]]): # strip leading // for glob + fail("crate_universe: missing Cargo.lock at %s" % _cargo_lock) +if not native.glob([_manifest[2:]]): + fail("crate_universe: missing Cargo.toml at %s" % _manifest) crate.from_cargo( name = "crates", - cargo_lockfile = "//rust:Cargo.lock", - lockfile = "//rust:Cargo.Bazel.lock", - manifests = ["//rust:Cargo.toml"], + cargo_lockfile = _cargo_lock, + lockfile = _bazel_lock, + manifests = [_manifest], ) Apply / Chat Suggestion importance[1-10]: 6 __ Why: Relevant best practice - Guard external I/O operations (registry/network-based repo resolution) with targeted validation and fallbacks.	Low
Update