Accept removal of "sandboxfs" support in Bazel 7

As of Bazel version 7.0.0, it no longer accepts the "--experimental_use_sandboxfs" command-line flag, precluding use of the "sandboxfs" tool to work around kustomize's intolerance for symbolic links pointing at files outside of the dominating kustomization root. Note that this technique is no longer viable, and stop relying on it in our CI workflow.
seh · Dec 26, 2023 · 7fde844 · 7fde844
1 parent f70c16a
commit 7fde844
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 14 deletions.
diff --git a/.github/actions/build-test/action.yaml b/.github/actions/build-test/action.yaml
@@ -14,21 +14,9 @@ runs:
         ~/.cache/bazelisk
         ~/.cache/bazel
       key: ${{ runner.os }}-${{ env.cache-name }}
-  - name: Install FUSE
-    run: sudo apt install libfuse2
-    shell: bash
-  - name: Install sandboxfs
-    run: |
-      f='./sandboxfs.tar.gz'
-      curl --location --output "${f}" --silent \
-        https://github.com/bazelbuild/sandboxfs/releases/download/sandboxfs-0.2.0/sandboxfs-0.2.0-20200420-linux-x86_64.tgz
-      sudo tar xzv -C /usr/local -f "${f}"
-      rm "${f}"
-    shell: bash
   - name: Build all Bazel targets
     run: |
       bazel build \
-        --experimental_use_sandboxfs \
         //...
     shell: bash
   - name: Test all Bazel targets
@@ -37,7 +25,6 @@ runs:
     # https://github.com/bazelbuild/bazel/issues/7470#issuecomment-764591831.
     run: |
       bazel test \
-        --experimental_use_sandboxfs \
         --strategy TestRunner=processwrapper-sandbox \
         --test_output=errors \
         //...

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -12,7 +12,7 @@ jobs:
       with:
         # See https://github.com/bazelbuild/buildtools/blob/master/WARNINGS.md.
         warnings: -function-docstring,-module-docstring
-        buildifier_version: 6.1.0
+        buildifier_version: 6.4.0
   build-test:
     runs-on: ubuntu-latest
     steps:

diff --git a/README.rst b/README.rst
@@ -379,6 +379,8 @@ There are three ways around this problem:
 
 * Use a Bazel sandboxing_ implementation that doesn't rely on symbolic links, such as its `sandboxfs <https://docs.bazel.build/versions/master/sandboxing.html#sandboxfs_>`__ FUSE file system. With the :tool:`sandboxfs` tool installed, pass the :cmdflag:`--experimental_use_sandboxfs` `flag <https://docs.bazel.build/versions/master/command-line-reference.html#flag--experimental_use_sandboxfs>`__ to :command:`bazel build`, :command:`bazel test`, or :command:`bazel run`.
 
+  **NB:** As of Bazel version 7.0.0, per `commit b6e2693f83a7ece37c902416de26a3807b541ceb <https://github.com/bazelbuild/bazel/commit/b6e2693f83a7ece37c902416de26a3807b541ceb>`__, the :cmdflag:`--experimental_use_sandboxfs` flag is no longer available. Bazel no longer supports use of the :tool:`sandboxfs` tool. See :tool:`kustomize` `issue 5216 <https://github.com/kubernetes-sigs/kustomize/issues/5216>`__ for an alternate proposed workaround, which is implemented but not merged.
+
 .. _disable sandboxing:
 
 * Disable Bazel sandboxing_ entirely by omitting :value:`sandboxed` from the values supplied via its :cmdflag:`--spawn_strategy` `flag <https://docs.bazel.build/versions/master/command-line-reference.html#flag--spawn_strategy>`__. With sandboxing disabled, Bazel will present the input files to :tool:`kustomize` as regular files. So long as those files lie within the :term:`kustomization` root, the :value:`LoadRestrictionsRootOnly` load restrictor will not intervene.