-
Notifications
You must be signed in to change notification settings - Fork 114
/
.bazelrc
142 lines (117 loc) · 6.64 KB
/
.bazelrc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# Bazel defaults.
# Should not be needed after Bazel 7.0 is released.
common --incompatible_enable_cc_toolchain_resolution
# Build C++ targets using C++17.
# <https://stackoverflow.com/questions/40260242/how-to-set-c-standard-version-when-build-with-bazel>
common --cxxopt=-std=c++17
# Fix Abseil "C++ versions less than C++14 are not supported".
# <https://github.com/protocolbuffers/protobuf/issues/12393#issuecomment-1504349780>
common --host_cxxopt=-std=c++17
# Required for cargo_build_script support before Bazel 7
# See: "Build script env is overridden by use_default_shell_env in Bazel 6"
# https://github.com/bazelbuild/rules_rust/issues/2665
common --incompatible_merge_fixed_and_default_shell_env
# Use nightly rustc by default
common --@rules_rust//rust/toolchain/channel=nightly
# Use a custom workspace status command so that the git revision is included in
# stamped binaries.
common --workspace_status_command=bazel/workspace_status_command.sh
# Prevents repeated setup-teardown of sandboxes for targets that are frequently
# reused. This speeds up builds significantly in some cases, like when using a
# toolchain with a hermetic sysroot, like we do.
# See: https://github.com/bazelbuild/bazel/issues/16138
# For a good summary of potential issues, ask Gemini a question like:
# "Is there any reason I shouldn't enable --reuse_sandbox_directories" by default?
common --reuse_sandbox_directories
# https://github.com/bazelbuild/bazel/issues/9342
# --experimental_check_desugar_deps (on by default) breaks Android builds.
common --noexperimental_check_desugar_deps
# Set the rustc --sysroot flag to one generated by the toolchains. This is needed to support
# rebuilding the standard libraries for stage 0 and the restricted kernel wrapper.
common --@rules_rust//rust/settings:toolchain_generated_sysroot=True
# Setup clippy aspect to run clippy automatically on all rust targets
# See: https://bazelbuild.github.io/rules_rust/rust_clippy.html
build:clippy --aspects=@rules_rust//rust:defs.bzl%rust_clippy_aspect
build:clippy --output_groups=+clippy_checks
# Setup rustfmt aspect to run automatically on all rust targets
# https://bazelbuild.github.io/rules_rust/rust_fmt.html
build:rustfmt --aspects=@rules_rust//rust:defs.bzl%rustfmt_aspect
build:rustfmt --output_groups=+rustfmt_checks
build:rustfmt --@rules_rust//:rustfmt.toml=//:.rustfmt.toml
# Required for bazel_clang_tidy to operate as expected
build:clang-tidy --aspects @bazel_clang_tidy//clang_tidy:clang_tidy.bzl%clang_tidy_aspect
build:clang-tidy --output_groups=report
# Optionally override the .clang-tidy config file target
build:clang-tidy --@bazel_clang_tidy//:clang_tidy_config=//:clang_tidy_config
# CI specific config. This config should be safe to use from any presubmit and postsubmit jobs.
# Fail immediately if the Bazel server lock cannot be acquired so that we can notice this in CI
# and avoid attempting to parallelize steps that are actually serialized by Bazel.
build:ci --block_for_lock=false
# Useful to determine how long individual steps are taking in CI.
build:ci --show_timestamps
# Always use optimization.
build:ci --compilation_mode opt
# Strip debug information from linked results.
build:ci --linkopt=-Wl,--strip-all
# --show_result leads to all of the built packages being logged at the
# end, so we can visually verify that CI tasks are building everything we want.
build:ci --show_result=1000000
# --noshow_progress and --curses=no prevent a lot of progress bar noise in the CI logs.
build:ci --noshow_progress
build:ci --curses=no
# Inline CI failures, since log files are hard to access in this enviroment
build:ci --verbose_failures
# Always show test errors in CI
test --test_output=errors
# Show stdout/stderr in test output in CI
test --test_arg=--nocapture
# The unsafe-fast-presubmit config should only be used in presubmits steps that do not produce
# binaries that need to be released or trusted (e.g. TEE applications). This is because it enables
# using a remote cache, which in general may not be considered trustworthy.
# Inherit from the ci config.
build:unsafe-fast-presubmit --config=ci
build:unsafe-fast-presubmit --remote_cache=https://storage.googleapis.com/oak-bazel-cache
build:unsafe-fast-presubmit --remote_upload_local_results=true
build:unsafe-fast-presubmit --google_default_credentials=true
# Many of these flags were discovered by looking for `build:asan` examples internally.
build:asan --strip=never
build:asan --copt -fsanitize=address
build:asan --copt -DADDRESS_SANITIZER=1
build:asan --copt -O1
build:asan --copt -g3
build:asan --copt -fno-optimize-sibling-calls
build:asan --copt -fno-omit-frame-pointer
build:asan --compilation_mode=dbg
build:asan --linkopt -fsanitize=address
# The other options trigger a maybe-uninitialized error when compiling protobuf; this prevents it.
build:asan --copt -Wno-error=maybe-uninitialized
# The flags improve symbolication and rust stack trace expansion
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Zsanitizer=address
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Cdebuginfo=full
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Ccodegen-units=1
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Clink-dead-code
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Cpasses=sancov-module
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Cllvm-args=-sanitizer-coverage-level=4
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Cllvm-args=-sanitizer-coverage-pc-table
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Cllvm-args=-sanitizer-coverage-inline-8bit-counters
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Cllvm-args=-sanitizer-coverage-trace-compares
build:asan --@rules_rust//rust/settings:extra_rustc_flag=-Cllvm-args=-sanitizer-coverage-stack-depth
# Use a custom local bazelrc if present.
#
# To set up remote cache write credentials:
# - navigate to https://pantheon.corp.google.com/iam-admin/serviceaccounts?project=oak-ci
# - click on "Create Service Account"
# + use your @google.com username as the service account name (e.g. "tzn")
# + leave the service account ID as is (e.g. "tzn-110")
# + leave the service account description empty
# - grant the "Storage Object Admin" role to the newly created account
# - click on "Create Key", then select "JSON"
# - save the generated key as the file referenced below, within the project directory
# + make sure to not check it in to git, check your `.gitignore` configuration
# - create a .local.bazelrc file in the repo root containing the following:
#
# ```
# build:unsafe-fast-presubmit --google_credentials=./.oak_remote_cache_key.json
# build:unsafe-fast-presubmit --remote_upload_local_results=true
# ```
try-import ./.local.bazelrc