From c8f8639ba5ca6f1e3a752595a965caf0479a8dc8 Mon Sep 17 00:00:00 2001 From: Sam Gammon Date: Thu, 11 Jan 2024 18:42:04 -0800 Subject: [PATCH] feat: new bazel tools --- .github/workflows/bazel.yml | 180 +++++++++++++++++++++--------------- 1 file changed, 103 insertions(+), 77 deletions(-) diff --git a/.github/workflows/bazel.yml b/.github/workflows/bazel.yml index 696dca2d..5d04d8ba 100644 --- a/.github/workflows/bazel.yml +++ b/.github/workflows/bazel.yml @@ -3,6 +3,13 @@ name: "Build: Bazel" on: workflow_call: inputs: + ## Job label + label: + description: "Label" + default: "Bazel" + required: false + type: string + ## Bazel command to run. command: description: "Command to run" @@ -29,46 +36,6 @@ on: required: false type: string - ## Whether to install a regular JDK. - install_jvm: - description: "Install OpenJDK" - required: false - type: boolean - default: true - - ## JVM version to use. - jvm: - description: "JVM Version" - required: false - type: string - - ## JVM distribution. - jvm_dist: - description: "JVM Variant" - required: false - type: string - default: 'adopt-hotspot' - - ## Whether to install GraalVM. - install_gvm: - description: "Install GraalVM" - required: false - type: boolean - default: false - - ## GVM version to use. - gvm: - description: "GVM Version" - required: false - type: string - - ## GVM components to install. - gvm_components: - description: "GVM Components" - required: false - type: string - default: 'native-image,js' - ## Whether to cache using Actions. cache_action: description: "Action cache" 
@@ -97,23 +64,59 @@ on: type: boolean default: true - secrets: - GDS_TOKEN: - description: "GDS token" + ## Whether to generate and publish provenance info. + provenance: + description: "Provenance" required: false - SONAR_TOKEN: - description: "Sonar token" + type: boolean + default: false + + ## Bazel version to force + version: + description: "Bazel version" + required: false + type: string + default: "" + + ## Bazel outputs for provenance and artifacts + outputs: + description: "Outputs list" + required: false + type: string + default: "" + + ## Artifact name. + artifact: + description: "Artifact name" + required: false + type: string + default: "" + + ## Artifact retention days. + retention: + description: "Artifact retention (days)" + required: false + type: number + default: 7 + + ## Artifact compression level, + compression: + description: "Artifact compression level" + required: false + type: number + default: 6 + description: "No-outputs-found action" + default: "warn" + type: string required: false + + secrets: BUILDLESS_APIKEY: description: "Buildless API key" required: false - -env: - GVM_VERSION: ${{ inputs.gvm || vars.GVM_VERSION || '22.3.1' }} - JVM_VERSION: ${{ inputs.jvm || vars.JVM_VERSION || '19' }} - JVM_DIST: ${{ inputs.jvm_dist || vars.JVM_DIST || 'adopt-hotspot' }} - BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }} - CACHE_ENDPOINT: https://global.less.build/cache/generic/ + BUILDBUDDY_APIKEY: + description: "BuildBuddy API key" + required: false permissions: contents: read 
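Review bot: The new lines `description: "No-outputs-found action"`, `default: "warn"` and `type: string` that follow `compression`'s `default: 6` have no input key of their own, so they sit inside the `compression` mapping as duplicate `description`/`type`/`default` keys (the surviving `required: false` context line completes the set). Depending on the loader that is either a duplicate-key rejection or last-wins, which would turn `compression` into a string input defaulting to `"warn"` that the later `compression-level:` cannot consume. Since the upload step hard-codes `if-no-files-found: warn`, this looks like a dropped key and comment; adding something like `## What to do when no outputs are found.` / `if_no_files_found:` above that `description:` line and then using `if-no-files-found: ${{ inputs.if_no_files_found }}` in the upload step would fix both. `inputs.artifacts` and `inputs.push` are referenced later in the file but not declared in any hunk shown here, so confirm they exist higher up in the inputs block.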
@@ -121,13 +124,15 @@ permissions: jobs: ## Build with Bazel build-bazel: - name: "Bazel" + name: ${{ inputs.label }} runs-on: ${{ inputs.runner || vars.RUNNER || vars.RUNNER_AMD64 || vars.RUNNER_DEFAULT || 'ubuntu-latest' }} permissions: contents: "read" id-token: "write" checks: "write" pull-requests: "read" + outputs: + hashes: ${{ steps.hash.outputs.hashes }} steps: - name: "Setup: Harden Runner" uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 
@@ -136,36 +141,57 @@ jobs: - name: "Setup: Checkout" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: "Setup: Cache" - uses: buildjet/cache@e376f15c6ec6dc595375c78633174c7e5f92dc0e # v3 + uses: buildless/cache@e376f15c6ec6dc595375c78633174c7e5f92dc0e # v3 if: inputs.cache_action with: path: | ~/.cache/bazel - key: bazelbuild-${{ hashFiles('WORKSPACE', 'WORKSPACE.bazel', 'MODULE.bazel', 'WORKSPACE.bzlmod') }} - restore-keys: bazelbuild - - name: "Setup: JDK ${{ env.JVM_VERSION }}" - uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 - if: inputs.install_jvm - with: - distribution: ${{ env.JVM_DIST }} - java-version: ${{ env.JVM_VERSION }} - - name: "Setup: GraalVM" - uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5 - if: inputs.install_gvm - with: - components: ${{ inputs.gvm_components }} - version: ${{ env.GVM_VERSION }} - java-version: ${{ env.JVM_VERSION }} - github-token: ${{ secrets.GITHUB_TOKEN }} - gds-token: ${{ secrets.GDS_TOKEN }} + key: bazelbuild-${{ github.ref }}-${{ hashFiles('WORKSPACE', 'WORKSPACE.bazel', 'MODULE.bazel', 'WORKSPACE.bzlmod') }} + restore-keys: + bazelbuild-${{ github.ref }} + bazelbuild- + - name: "Setup: Bazel" + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 - name: "Setup: Bazelisk" uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + - name: "Setup: Buildless" + if: secrets.BUILDLESS_APIKEY != "" + run: echo "build --remote_cache_header=x-api-key=${{ secrets.BUILDLESS_APIKEY }}" >> local.bazelrc + - name: "Setup: BuildBuddy" + if: secrets.BUILDBUDDY_APIKEY != "" + run: echo "build --remote_header=x-buildbuddy-api-key=${{ secrets.BUILDBUDDY_APIKEY }}" >> local.bazelrc + - name: "Setup: Bazel Version" + if: inputs.version != "" + run: echo "${{ inputs.version }}" > .bazelversion - name: "Build: Bazel" id: bazelbuild - env: - CI: true - TEST_EXCEPTIONS: true - BUILDLESS_APIKEY: ${{ 
secrets.BUILDLESS_APIKEY }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: bazel ${{ inputs.command }} ${{ inputs.flags }} ${{ inputs.targets }} + - name: "Build: Artifacts" + if: inputs.artifacts && inputs.artifact != '' + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: ${{ inputs.artifact }} + path: ${{ inputs.outputs }} + retention-days: ${{ inputs.retention }} + compression-level: ${{ inputs.compression }} + if-no-files-found: warn + - name: "Build: Provenance Subjects" + id: hash + if: inputs.provenance && inputs.outputs != '' run: | - bazel ${{ inputs.command }} ${{ inputs.flags }} ${{ inputs.targets }} + set -euo pipefail + sha256sum ${{ inputs.outputs }} > checksums + echo "hashes=$(cat checksums | base64 -w0)" >> "$GITHUB_OUTPUT" + + ## Provenance builder. + provenance: + needs: [build] + if: inputs.provenance + permissions: + actions: read + id-token: write + contents: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + with: + base64-subjects: "${{ needs.build.outputs.hashes }}" + upload-assets: ${{ inputs.push }}
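Review bot: The provenance job declares `needs: [build]` and reads `needs.build.outputs.hashes`, but the only build job in this file is `build-bazel`, so the workflow should fail validation before anything runs; it needs `needs: [build-bazel]` and `base64-subjects: "${{ needs.build-bazel.outputs.hashes }}"`. The gates `if: secrets.BUILDLESS_APIKEY != ""` / `if: secrets.BUILDBUDDY_APIKEY != ""` also look invalid as far as I can tell: the `secrets` context is not available in a step-level `if` and expression string literals must be single-quoted, so the usual pattern is to map each secret to a job-level `env` (as the `env:` block deleted in the earlier hunk did) and test `if: env.BUILDLESS_APIKEY != ''`, with the run line reading `$BUILDLESS_APIKEY` rather than interpolating the secret into the script text; either way the keys end up in plaintext in `local.bazelrc` inside the checkout, so `inputs.outputs` must never glob it into the uploaded artifact. `restore-keys:` is followed by two plain lines with no `|`, so YAML folds them into one key `bazelbuild-<ref> bazelbuild-` containing a space and the `bazelbuild-` fallback is never tried — make it `restore-keys: |`. The new "Setup: Bazel" step is a second copy of the existing "Setup: Bazelisk" step (same action, same SHA), so one of them can go. The `build-bazel` job header is outside this hunk.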