From d92d1c86a5ddab828c3fce65d3f04b7ea733a9fe Mon Sep 17 00:00:00 2001 From: Dan Calavrezo <195309321+dcalavrezo-qorix@users.noreply.github.com> Date: Tue, 3 Mar 2026 16:18:25 +0200 Subject: [PATCH 1/4] locking: enforce Bzlmod lockfile consistency - add reusable lockfile check workflow - track MODULE.bazel.lock (remove from .gitignore) - enforce --lockfile_mode=error in CI and scripts Addresses eclipse-score/score#2628 --- .github/workflows/build.yml | 2 +- .github/workflows/bzlmod-lock.yml | 26 ++++++++++++++++++++++++++ .github/workflows/code_coverage.yml | 10 ++++++---- .github/workflows/copyright.yml | 2 +- .github/workflows/format.yml | 2 +- .github/workflows/license_check.yml | 1 + .github/workflows/test_and_docs.yml | 6 +++--- .gitignore | 1 - 8 files changed, 39 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/bzlmod-lock.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9473b108..2b8b0c47 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,4 +46,4 @@ jobs: - name: Build with Bazel run: | - bazel build --config x86_64-linux //src/... //examples/... + bazel build --lockfile_mode=error --config x86_64-linux //src/... //examples/... diff --git a/.github/workflows/bzlmod-lock.yml b/.github/workflows/bzlmod-lock.yml new file mode 100644 index 00000000..eebb3df6 --- /dev/null +++ b/.github/workflows/bzlmod-lock.yml 
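Review bot: The `--lockfile_mode=error` flag is spliced into each Bazel invocation by hand, here and again in the code_coverage.yml, copyright.yml, format.yml, license_check.yml and test_and_docs.yml hunks, so any future workflow or script that calls Bazel without remembering it silently skips the consistency check. A single `common --lockfile_mode=error` line in a CI-only rc file, passed with Bazel's `--bazelrc` startup option from the workflows, would apply to every command uniformly and leave the `bazel-target` inputs as plain targets. Keeping it out of the shared .bazelrc avoids imposing `error` mode on developers who legitimately need the default `update` mode while editing MODULE.bazel. Which rc files the repository already has (the .gitignore hunk mentions `user.bazelrc`) is outside this diff, so the exact placement is for the author to decide.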
@@ -0,0 +1,26 @@ +# ******************************************************************************* +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# SPDX-License-Identifier: Apache-2.0 +# ******************************************************************************* +name: Bzlmod Lockfile Check +on: + pull_request: + types: [opened, reopened, synchronize] + merge_group: + types: [checks_requested] + push: + branches: + - main +jobs: + bzlmod-lock: + uses: eclipse-score/cicd-workflows/.github/workflows/bzlmod-lock-check.yml@main + with: + working-directory: . diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml index e237dbc7..8fc4ba55 100644 --- a/.github/workflows/code_coverage.yml +++ b/.github/workflows/code_coverage.yml @@ -45,6 +45,7 @@ jobs: - name: Run Bazel Coverage run: | bazel coverage \ + --lockfile_mode=error \ --test_output=errors \ --nocache_test_results \ --config=x86_64-linux \ @@ -53,7 +54,7 @@ jobs: - name: Generate HTML Coverage Report shell: bash run: | - genhtml "$(bazel info output_path)/_coverage/_coverage_report.dat" \ + genhtml "$(bazel info --lockfile_mode=error output_path)/_coverage/_coverage_report.dat" \ -o=cpp_coverage \ --show-details \ --legend \ 
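Review bot: `uses: eclipse-score/cicd-workflows/.github/workflows/bzlmod-lock-check.yml@main` in the new bzlmod-lock.yml pins the lockfile gate to a moving branch, so what the check actually runs can change without any commit in this repository and cannot be reproduced later from the history here. Pinning to a full commit SHA of cicd-workflows, with the tag or date in a trailing comment, would make the gate reviewable; the existing workflows in this repo pin `@main` too, so this is a repo-wide pattern rather than something this commit introduces, but a new gating workflow is a good place to start. The header also reads `Copyright (c) 2025` on a file created in March 2026 per the patch date; worth checking against the project's header convention.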
@@ -84,19 +85,20 @@ jobs: run: | set -euo pipefail bazel test \ + --lockfile_mode=error \ --config=x86_64-linux \ --config=ferrocene-coverage \ --nocache_test_results \ - $(bazel query 'kind(rust_test, //src/...) except attr("tags", "loom", //src/...)') + $(bazel query --lockfile_mode=error 'kind(rust_test, //src/...) except attr("tags", "loom", //src/...)') - name: Generate Ferrocene coverage reports run: | set -euo pipefail - bazel run //:rust_coverage -- --min-line-coverage 66 + bazel run --lockfile_mode=error //:rust_coverage -- --min-line-coverage 66 - name: Locate coverage artifacts run: | - echo "COVERAGE_DIR=$(bazel info bazel-bin)/coverage/rust-tests" >> "${GITHUB_ENV}" + echo "COVERAGE_DIR=$(bazel info --lockfile_mode=error bazel-bin)/coverage/rust-tests" >> "${GITHUB_ENV}" - name: Upload coverage HTML uses: actions/upload-artifact@v4 diff --git a/.github/workflows/copyright.yml b/.github/workflows/copyright.yml index 08ef3767..4ee6d734 100644 --- a/.github/workflows/copyright.yml +++ b/.github/workflows/copyright.yml @@ -21,4 +21,4 @@ jobs: copyright-check: uses: eclipse-score/cicd-workflows/.github/workflows/copyright.yml@main with: - bazel-target: "run //:copyright.check" + bazel-target: "run --lockfile_mode=error //:copyright.check" diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index adb88769..35cbc74e 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -24,4 +24,4 @@ jobs: formatting-check: uses: eclipse-score/cicd-workflows/.github/workflows/format.yml@main with: - bazel-target: "test //:format.check" # optional, this is the default + bazel-target: "test --lockfile_mode=error //:format.check" # optional, this is the default diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml index aba7f99d..21589ea6 100644 --- a/.github/workflows/license_check.yml +++ b/.github/workflows/license_check.yml 
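Review bot: The trailing comment `# optional, this is the default` on the format.yml `bazel-target` line no longer holds once the value becomes `test --lockfile_mode=error //:format.check`, which presumably differs from the reusable workflow's default; drop it, or reword it to `# default target plus --lockfile_mode=error`. The copyright.yml hunk, this one, and the license_check.yml and test_and_docs.yml hunks that follow all embed a Bazel flag inside a target-style input, which only works if the reusable workflow interpolates that input unquoted so the shell word-splits it into separate arguments; a quoted `"${{ inputs.bazel-target }}"` would hand Bazel one argument containing a space and fail. How cicd-workflows composes the command is outside this diff, so this is a point to confirm rather than a known defect.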
@@ -28,5 +28,6 @@ jobs: uses: eclipse-score/cicd-workflows/.github/workflows/license-check.yml@main with: repo-url: "${{ github.server_url }}/${{ github.repository }}" + bazel-target: "run --lockfile_mode=error //:license-check" secrets: dash-api-token: ${{ secrets.ECLIPSE_GITLAB_API_TOKEN }} diff --git a/.github/workflows/test_and_docs.yml b/.github/workflows/test_and_docs.yml index ebc99890..64bcf220 100644 --- a/.github/workflows/test_and_docs.yml +++ b/.github/workflows/test_and_docs.yml @@ -37,14 +37,14 @@ jobs: pull-requests: write contents: read with: - bazel-docs-verify-target: "//:docs_check" + bazel-docs-verify-target: "--lockfile_mode=error //:docs_check" run-tests: uses: eclipse-score/cicd-workflows/.github/workflows/tests.yml@main permissions: contents: read pull-requests: read with: - bazel-target: 'test //src/... //tests/... --config=x86_64-linux' + bazel-target: 'test --lockfile_mode=error //src/... //tests/... --config=x86_64-linux' upload-name: 'bazel-testlogs' packages: 'fakechroot' build-docs: @@ -59,6 +59,6 @@ jobs: with: # the bazel-target depends on your repo specific docs_targets configuration (e.g. "suffix") - bazel-target: "//:docs -- --github_user=${{ github.repository_owner }} --github_repo=${{ github.event.repository.name }}" + bazel-target: "--lockfile_mode=error //:docs -- --github_user=${{ github.repository_owner }} --github_repo=${{ github.event.repository.name }}" retention-days: 3 tests-report-artifact: bazel-testlogs diff --git a/.gitignore b/.gitignore index 9dab2c36..9cbd4655 100644 --- a/.gitignore +++ b/.gitignore @@ -34,7 +34,6 @@ # Bazel bazel-* -MODULE.bazel.lock user.bazelrc # Ruff From 0c162c5e94ebba099118132850ff9decd3284bbb Mon Sep 17 00:00:00 2001 From: Dan Calavrezo <195309321+dcalavrezo-qorix@users.noreply.github.com> Date: Thu, 5 Mar 2026 10:14:35 +0200 Subject: [PATCH 2/4] lock: don't use on info and query Doesn't make sense to be so rigorous on all bazel commands
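Review bot: Deleting `MODULE.bazel.lock` from .gitignore does not put the lockfile under version control by itself, and none of the four patches adds it: the diffstats list only workflow files, .gitignore and MODULE.bazel. Unless the lockfile is already tracked or is committed separately, every `--lockfile_mode=error` invocation introduced in this series would, as I understand `error` mode, fail on a fresh checkout for want of a lockfile to compare against, which blocks CI rather than enforcing consistency. Patch 3 also edits MODULE.bazel (dropping `use_repo(python)`) after patch 1, so the committed lockfile needs to be the one produced at the tip of the series; stating in the commit message where the lockfile lands would help reviewers.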
Signed-off-by: Dan Calavrezo <195309321+dcalavrezo-qorix@users.noreply.github.com> --- .github/workflows/code_coverage.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml index 8fc4ba55..8d3d60b5 100644 --- a/.github/workflows/code_coverage.yml +++ b/.github/workflows/code_coverage.yml @@ -54,7 +54,7 @@ jobs: - name: Generate HTML Coverage Report shell: bash run: | - genhtml "$(bazel info --lockfile_mode=error output_path)/_coverage/_coverage_report.dat" \ + genhtml "$(bazel info output_path)/_coverage/_coverage_report.dat" \ -o=cpp_coverage \ --show-details \ --legend \ @@ -89,7 +89,7 @@ jobs: --config=x86_64-linux \ --config=ferrocene-coverage \ --nocache_test_results \ - $(bazel query --lockfile_mode=error 'kind(rust_test, //src/...) except attr("tags", "loom", //src/...)') + $(bazel query 'kind(rust_test, //src/...) except attr("tags", "loom", //src/...)') - name: Generate Ferrocene coverage reports run: | @@ -98,7 +98,7 @@ jobs: - name: Locate coverage artifacts run: | - echo "COVERAGE_DIR=$(bazel info --lockfile_mode=error bazel-bin)/coverage/rust-tests" >> "${GITHUB_ENV}" + echo "COVERAGE_DIR=$(bazel info bazel-bin)/coverage/rust-tests" >> "${GITHUB_ENV}" - name: Upload coverage HTML uses: actions/upload-artifact@v4 From 138afdb8db33cb1fc95d9e8fb705f15d15d159a6 Mon Sep 17 00:00:00 2001 From: Dan Calavrezo <195309321+dcalavrezo-qorix@users.noreply.github.com> Date: Thu, 5 Mar 2026 11:19:34 +0200 Subject: [PATCH 3/4] lockfile: fixed ran bazel mod tidy Signed-off-by: Dan Calavrezo <195309321+dcalavrezo-qorix@users.noreply.github.com> --- MODULE.bazel | 1 - 1 file changed, 1 deletion(-) diff --git a/MODULE.bazel b/MODULE.bazel index 707fdada..568a8a41 100644 --- a/MODULE.bazel +++ b/MODULE.bazel 
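Review bot: Dropping `--lockfile_mode=error` from the `bazel query` inside the command substitution in the Ferrocene coverage step weakens the check it sits next to: the shell runs `bazel query` before `bazel test`, and with Bazel's default `--lockfile_mode=update` (as I recall it) the query performs module resolution and rewrites a stale `MODULE.bazel.lock` on disk, so the following `bazel test --lockfile_mode=error` sees an already-refreshed lockfile and passes. Keeping the flag on the query, or giving it `--lockfile_mode=off` so it neither checks nor writes, preserves the intent; the two `bazel info` calls run after a command that already carries `error` in the same job, so leaving them plain is harmless. The dedicated bzlmod-lock workflow would still catch the stale lockfile, so this only removes a second line of defence in the coverage job rather than the gate itself.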
@@ -116,7 +116,6 @@ python.toolchain( is_default = True, python_version = PYTHON_VERSION, ) -use_repo(python) pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip", dev_dependency = True) pip.parse( From edf70f6812d8313d5b55302951e28e15829a08c1 Mon Sep 17 00:00:00 2001 From: Dan Calavrezo <195309321+dcalavrezo-qorix@users.noreply.github.com> Date: Thu, 5 Mar 2026 12:50:14 +0200 Subject: [PATCH 4/4] fix: Potential fix for code scanning alert no. 13 Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Dan Calavrezo <195309321+dcalavrezo-qorix@users.noreply.github.com> --- .github/workflows/bzlmod-lock.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/bzlmod-lock.yml b/.github/workflows/bzlmod-lock.yml index eebb3df6..d973742b 100644 --- a/.github/workflows/bzlmod-lock.yml +++ b/.github/workflows/bzlmod-lock.yml @@ -11,6 +11,8 @@ # SPDX-License-Identifier: Apache-2.0 # ******************************************************************************* name: Bzlmod Lockfile Check +permissions: + contents: read on: pull_request: types: [opened, reopened, synchronize]