@oddessentials

  • Add GitHub-hosted Bazel binary mirror via BAZELISK_BASE_URL
  • Add tools/bazel/SHA256SUMS for binary integrity verification
  • Hard-fail on checksum mismatch (deterministic via readlink -f)
  • Hard-fail if releases.bazel.build detected in Bazelisk debug logs
  • Add Bazelisk binary cache for speed optimization
  • Scope: Linux-only (ubuntu-latest)

This fixes TLS cert expiry failures by hosting Bazel on GitHub infrastructure instead of depending on releases.bazel.build.

Requires: Create GitHub Release 'bazel-binaries-v1' with bazel-7.1.0-linux-x86_64


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.


- Find exact bazel-7.1.0-linux-x86_64 in Bazelisk cache, not launcher
- Fix grep to ignore comment lines in SHA256SUMS
- Hard-fail if expected SHA empty or binary not found
- Verify download came from GitHub mirror if any download occurred
- Add detailed cache contents output for debugging
- Search for bazel binary by size (>1MB) to skip wrapper scripts
- Show clear error message when GitHub Release mirror is missing
- Include bazelisk debug log in error output

BAZELISK_BASE_URL appends /{VERSION}/{FILENAME} but GitHub Releases
uses flat asset paths. Switch to FORMAT_URL with pattern bazel-%v-%o-%m
to generate correct URL: .../bazel-7.1.0-linux-x86_64

Validates GitHub Release asset exists BEFORE invoking Bazelisk.
This separates:
- Provisioning errors (Release not created) - clear actionable message
- Tooling errors (Bazel/Bazelisk failure) - only after asset verified

Uses curl HEAD request to check HTTP status code.

- Add .bazelrc with --registry pointing to GitHub raw BCR mirror
- Add build:ci config for CI-specific settings
- Update CI to use --config=ci for all bazel commands
- Keeps --lockfile_mode=error for strict enforcement

Quality invariant: 'lockfile matches repo state' - no registry access needed.

Changes:
- Replace 'bazel mod deps --config=ci' with 'git diff --exit-code MODULE.bazel.lock'
- Simplify .bazelrc (remove registry overrides, keep --lockfile_mode=error)
- Remove --config=ci from bazel commands (not needed for registry bypass)

This eliminates TLS cert failures on bcr.bazel.build while maintaining
strict lockfile enforcement. Developers run 'bazel mod deps --lockfile_mode=update'
locally and commit the result.

- .bazelrc: Use 'common:ci' for registry override (applies to all commands)
- CI: Add --config=ci to all bazel invocations
- CI: Add BCR guard that fails if bcr.bazel.build is accessed
- Registry: https://raw.githubusercontent.com/bazelbuild/bazel-central-registry/main/

This ensures bazel build/query/fetch all use the GitHub BCR mirror.
@oddessentials oddessentials merged commit a0579e8 into main Dec 26, 2025
14 checks passed
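
The checksum gate and mirror guard described in the commit messages above, written out as an added example rather than the repository's workflow code. Function names, return codes and the `SHA256SUMS` layout (standard `sha256sum` output with optional `#` comment lines) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the repository's workflow. Function names, return codes
# and the SHA256SUMS layout (sha256sum output plus '#' comments) are assumptions.

# Print the pinned SHA-256 for asset name $2 from sums file $1.
# Comment lines are skipped so a '#' line naming the asset cannot match.
expected_sha() {
  awk -v name="$2" '
    /^[[:space:]]*#/ { next }
    { f = $2; sub(/^\*/, "", f) }       # sha256sum binary mode writes "*name"
    f == name { print $1; exit }' "$1"
}

# Verify binary $2 against sums file $1 under asset name $3.
# Returns 0 on match, 2 binary missing, 3 no pinned hash, 4 mismatch.
verify_bazel_binary() {
  local sums="$1" bin="$2" name="$3" real want got
  real="$(readlink -f -- "$bin")" || real=""   # hash the symlink target itself
  if [ -z "$real" ] || [ ! -f "$real" ]; then
    echo "ERROR: binary not found: $bin" >&2; return 2
  fi
  want="$(expected_sha "$sums" "$name")"
  if [ -z "$want" ]; then
    echo "ERROR: no checksum for $name in $sums" >&2; return 3
  fi
  got="$(sha256sum -- "$real" | awk '{ print $1 }')"
  if [ "$got" != "$want" ]; then
    echo "ERROR: checksum mismatch for $real" >&2; return 4
  fi
}

# Return 5 if debug log $1 mentions host $2 (e.g. releases.bazel.build).
assert_host_not_contacted() {
  if grep -qF -- "$2" "$1"; then
    echo "ERROR: $2 appears in $1" >&2; return 5
  fi
}
```

In a CI step each function would be called with `|| exit 1`, so an empty pinned hash or a missing binary stops the job instead of passing silently.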