Add Bazel RBE lane

.bazelignore

@@ -0,0 +1,8 @@
+.git
+.local
+.tools
+.worktrees
+bazel-bin
+bazel-keep
+bazel-out
+bazel-testlogs

.bazelrc

@@ -0,0 +1,39 @@
+common --enable_bzlmod
+common --announce_rc
+
+build --experimental_convenience_symlinks=ignore
+build --color=yes
+build --curses=yes
+build --show_timestamps
+build --test_output=errors
+build --keep_going
+
+test --test_output=errors
+
+# Deploy-owned Google Cloud remote execution.
+#
+# evalops/deploy owns the matching GCP API/IAM/worker-pool contract in
+# infrastructure/gcp/stacks/60-bazel-remote-execution.
+#
+# The active dev backend is self-hosted Buildfarm on GCE. CI runs on the
+# colocated repo-scoped runner and uses the local Buildfarm listener directly.
+# Developers can run scripts/run-bazel-rbe.sh to open the SSH/IAP tunnel before
+# invoking the same remote config locally.
+build:remote-gcp-dev --remote_executor=grpc://127.0.0.1:8980
+build:remote-gcp-dev --remote_timeout=3600
+build:remote-gcp-dev --remote_download_toplevel
+build:remote-gcp-dev --platforms=@rules_go//go/toolchain:linux_amd64_cgo
+build:remote-gcp-dev --extra_execution_platforms=@rules_go//go/toolchain:linux_amd64_cgo
+build:remote-gcp-dev --extra_toolchains=//bazel/toolchains/cc:linux_amd64_gcc_toolchain
+build:remote-gcp-dev --spawn_strategy=remote
+build:remote-gcp-dev --strategy=GoCompilePkg=remote
+build:remote-gcp-dev --strategy=GoLink=remote
+build:remote-gcp-dev --strategy=GoTest=remote
+build:remote-gcp-dev --strategy=Genrule=remote
+build:remote-gcp-dev --features=-supports_start_end_lib
+build:remote-gcp-dev --host_features=-supports_start_end_lib
+build:remote-gcp-dev --jobs=32
+
+build:remote-gcp --config=remote-gcp-dev
+
+try-import %workspace%/.bazelrc.user

.bazelversion

@@ -0,0 +1 @@
+9.1.0

.github/actionlint.yaml

@@ -0,0 +1,4 @@
+self-hosted-runner:
+  labels:
+    - blacksmith-4vcpu-ubuntu-2404
+    - evalops-keep-rbe

.github/workflows/bazel-rbe.yml

@@ -0,0 +1,79 @@
+name: Bazel RBE
+
+on:
+  pull_request:
+    paths:
+      - .bazelignore
+      - .bazelrc
+      - .bazelversion
+      - .github/actionlint.yaml
+      - .github/workflows/bazel-rbe.yml
+      - BUILD.bazel
+      - MODULE.bazel
+      - MODULE.bazel.lock
+      - bazel/**
+      - "**/*.go"
+      - go.mod
+      - go.sum
+      - Makefile
+      - scripts/run-bazel-rbe.sh
+  push:
+    branches:
+      - main
+    paths:
+      - .bazelignore
+      - .bazelrc
+      - .bazelversion
+      - .github/actionlint.yaml
+      - .github/workflows/bazel-rbe.yml
+      - BUILD.bazel
+      - MODULE.bazel
+      - MODULE.bazel.lock
+      - bazel/**
+      - "**/*.go"
+      - go.mod
+      - go.sum
+      - Makefile
+      - scripts/run-bazel-rbe.sh
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  smoke:
+    if: github.event_name == 'workflow_dispatch' || vars.BAZEL_RBE_ENABLED == 'true'
+    runs-on:
+      - self-hosted
+      - Linux
+      - X64
+      - evalops-keep-rbe
+    timeout-minutes: 25
+    env:
+      BAZEL_RBE_USE_EXISTING_TUNNEL: "true"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Bazel tools
+        env:
+          GOFLAGS: -mod=mod
+        run: |
+          go install github.com/bazelbuild/bazelisk@latest
+          go install github.com/bazelbuild/buildtools/buildifier@latest
+
+      - name: Verify generated Bazel graph
+        run: make bazel-check
+
+      - name: Run Buildfarm smoke tests
+        run: make bazel-rbe-smoke

.gitignore

@@ -8,6 +8,10 @@ app/venv/
 
 # Go build artifacts
 agent/attestor-agent
+bazel-bin
+bazel-keep
+bazel-out
+bazel-testlogs
 
 # Security scan artifacts
 *.sarif

BUILD.bazel

@@ -0,0 +1,6 @@
+load("@gazelle//:def.bzl", "gazelle")
+
+# gazelle:prefix github.com/EvalOps/keep
+# gazelle:build_file_name BUILD.bazel
+# gazelle:proto disable_global
+gazelle(name = "gazelle")

MODULE.bazel

@@ -0,0 +1,24 @@
+module(
+    name = "evalops_keep",
+    version = "0.0.0",
+)
+
+bazel_dep(name = "gazelle", version = "0.50.0")
+bazel_dep(name = "platforms", version = "1.1.0")
+bazel_dep(name = "rules_cc", version = "0.2.18")
+bazel_dep(name = "rules_go", version = "0.60.0")
+
+go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
+go_sdk.download(version = "1.26.3")
+
+cc_configure = use_extension("@rules_cc//cc:extensions.bzl", "cc_configure_extension")
+use_repo(cc_configure, "local_config_cc", "local_config_cc_toolchains")
+
+register_toolchains(
+    "//bazel/toolchains/cc:linux_amd64_gcc_toolchain",
+    "@local_config_cc_toolchains//:all",
+)
+
+go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
+go_deps.from_file(go_mod = "//:go.mod")
+use_repo(go_deps, "com_github_aws_aws_sdk_go_v2", "com_github_aws_aws_sdk_go_v2_config", "com_github_aws_aws_sdk_go_v2_service_ssm", "com_github_azure_azure_sdk_for_go_sdk_azcore", "com_github_azure_azure_sdk_for_go_sdk_azidentity", "com_github_azure_azure_sdk_for_go_sdk_security_keyvault_azsecrets", "com_github_cenkalti_backoff_v4", "com_github_go_chi_chi_v5", "com_github_golang_migrate_migrate_v4", "com_github_hashicorp_vault_api", "com_github_jackc_pgx_v5", "com_github_prometheus_client_golang", "com_github_rs_zerolog", "com_tailscale", "io_opentelemetry_go_contrib_instrumentation_net_http_otelhttp", "io_opentelemetry_go_otel", "io_opentelemetry_go_otel_exporters_otlp_otlptrace_otlptracehttp", "io_opentelemetry_go_otel_sdk", "io_opentelemetry_go_otel_trace")