Switch Bazel C++ toolchain to hermetic_cc_toolchain (Zig)#64
Merged
Conversation
 |
|
Overall Grade |
Security Reliability Complexity Hygiene |
Code Review Summary
| Analyzer | Status | Updated (UTC) | Details |
|---|---|---|---|
| C & C++ |  |
May 24, 2026 3:29p.m. | Review ↗ |
| Docker | |
May 24, 2026 3:29p.m. | Review ↗ |
| Secrets | |
May 24, 2026 3:29p.m. | Review ↗ |
| Python | |
May 24, 2026 3:29p.m. | Review ↗ |
Important
AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.
snape
force-pushed
the
dev/hermetic-cc-toolchain
branch
14 times, most recently
from
592b889 to
0574b73
Compare
- Replace toolchains_llvm with hermetic_cc_toolchain (Zig) in MODULE.bazel; register @zig_sdk//libc_aware/toolchain:all and @zig_sdk//toolchain:all - Add local_config_cc/local_config_cc_toolchains via cc_configure extension to enable MSVC toolchain selection on Windows - Pin Python to 3.14.4 and remove ignore_root_user_error in MODULE.bazel - Overhaul .bazelrc: add bootstrap_impl=script; add alpine config targeting musl libc; on Linux/macOS enable force_pic and dynamic_mode=off to avoid glibc ELF interpreter dependency in Zig binaries, and set BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1; on Windows use extra_toolchains=@local_config_cc//:all to prefer MSVC over Zig; remove sandbox_add_mount_pair entries no longer needed with Zig toolchain - Tighten per-platform Bazel compiler flags: add -Werror=conversion, -mbranch-protection=standard (aarch64), -fcf-protection=full (x86-64 Linux), and updated Windows /guard:ehcont /Qspectre /sdl flags - Move _FORTIFY_SOURCE to opt-mode-only (level 3) via new linux_opt/macos_opt config_settings in conditions/BUILD.bazel - Remove -Wl,-Bsymbolic-functions, -Wl,-z,noexecheap, and -Wl,-z,separate-code from Bazel linkopts (unsupported by lld/Zig) - Fix loop variables from int to std::size_t in RVOSimulator.cc and examples to comply with -Werror=conversion - Suppress MSVC C4251 warning on private vector members in RVOSimulator.h (false positive: private members are inaccessible through DLL interface) - Exclude rvo_pc genrule from Windows builds (bash heredoc requires WSL) - Add bazel-alpine job (Alpine Linux amd64, musl libc, --config=alpine); restore bazel-arch job - Add bazel-macos-x86_64 and cmake-macos-x86_64 jobs on macos-26-intel - Add bazel-windows-arm64 and cmake-windows-arm64 jobs on windows-11-arm - Add meson-macos-x86_64 job on macos-26-intel - Add meson-windows-arm64 job on windows-11-arm - Add --features=treat_warnings_as_errors to all Bazel test invocations - Upgrade macOS runners from macos-15 to macos-26; add Homebrew download cache and brew update retry with HOMEBREW_GITHUB_API_TOKEN - Upgrade Ubuntu containers from ubuntu:24.04 to ubuntu:26.04 (CI and Dockerfile) - Switch Windows CI from choco/Invoke-WebRequest to winget for Bazel, CMake, Git, Meson, and Ninja; add winget cache; fix PATH for subsequent steps via GITHUB_PATH; enable OPENMP in cmake-windows builds - Remove redundant dnf/zypper/apt-get upgrade and pacman -u steps from Linux CI jobs - Use meson dist --no-tests across all Meson jobs; fix meson test argument order (--print-errorlogs before -C) - Reduce Meson examples test timeout from 900s to 60s; run serially (is_parallel: false) - Update QUALITY_DECLARATION.md: Bazel now tested on Alpine and Arch Linux; macOS now tested on arm64 and x86_64; Windows now tested on amd64 and arm64 Signed-off-by: Jamie Snape <snape@me.com>
snape
force-pushed
the
dev/hermetic-cc-toolchain
branch
from
0574b73 to
68cbd42
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
register @zig_sdk//libc_aware/toolchain:all and @zig_sdk//toolchain:all
to enable MSVC toolchain selection on Windows
musl libc; on Linux/macOS enable force_pic and dynamic_mode=off to avoid
glibc ELF interpreter dependency in Zig binaries, and set
BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1; on Windows use
extra_toolchains=@local_config_cc//:all to prefer MSVC over Zig; remove
sandbox_add_mount_pair entries no longer needed with Zig toolchain
-mbranch-protection=standard (aarch64), -fcf-protection=full (x86-64
Linux), and updated Windows /guard:ehcont /Qspectre /sdl flags
config_settings in conditions/BUILD.bazel
-Wl,-z,separate-code from Bazel linkopts (unsupported by lld/Zig)
to comply with -Werror=conversion
(false positive: private members are inaccessible through DLL interface)
restore bazel-arch job
cache and brew update retry with HOMEBREW_GITHUB_API_TOKEN
Dockerfile)
Git, Meson, and Ninja; add winget cache; fix PATH for subsequent steps via
GITHUB_PATH; enable OPENMP in cmake-windows builds
Linux CI jobs
order (--print-errorlogs before -C)
(is_parallel: false)
macOS now tested on arm64 and x86_64; Windows now tested on amd64 and arm64