bazel: adopt best practices for bazelrc

Options adapted from https://docs.aspect.build/guides/bazelrc

bazel: adopt best practices for bazelrc

Options adapted from https://docs.aspect.build/guides/bazelrc

.bazelrc

@@ -1,16 +1,16 @@
+# Import bazelrc presets
+import %workspace%/bazel/bazelrc/bazel6.bazelrc
+import %workspace%/bazel/bazelrc/convenience.bazelrc
+import %workspace%/bazel/bazelrc/correctness.bazelrc
+import %workspace%/bazel/bazelrc/debug.bazelrc
+import %workspace%/bazel/bazelrc/performance.bazelrc
+import %workspace%/bazel/bazelrc/cc.bazelrc
+
 # share bazel cache between checkouts of the same project
 # and keep old build caches around for longer
 common --disk_cache=~/.cache/shared_bazel_action_cache
 common --repository_cache=~/.cache/shared_bazel_repository_cache
 
-# better caching / reproducibility
-common --incompatible_strict_action_env=true
-common --experimental_output_directory_naming_scheme=diff_against_baseline
-
-# disable automatic toolchain detection for C/C++
-common --incompatible_enable_cc_toolchain_resolution
-common --action_env BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
-
 # inject version information into binaries
 common --stamp --workspace_status_command=tools/workspace_status.sh
 
@@ -32,12 +32,6 @@ build --flag_alias=container_prefix=//bazel/settings:container_prefix
 # set cli edition flag alias
 build --flag_alias=cli_edition=//bazel/settings:cli_edition
 
-# build only what is needed for tests
-test --build_tests_only
-
-# bazel config for debug builds
-common:debug --compilation_mode=dbg --strip=never
-
 # bazel configs to explicitly target a platform
 common:host --platforms @local_config_platform//:host
 common:linux_amd64 --platforms @zig_sdk//libc_aware/platform:linux_amd64_gnu.2.23

.github/actions/setup_bazel/action.yml

@@ -34,24 +34,7 @@ runs:
       run: |
         echo "::group::Configure Bazel"
         cat <<EOF >> "${WORKSPACE}/.bazeloverwriterc"
-        # general
-        common --color=yes
-        common --terminal_columns=143
-        common --build_metadata=ROLE=CI
-        common --show_progress_rate_limit=5
-        common --curses=yes
-        common --verbose_failures
-        common --announce_rc
-        # test related
-        test --show_timestamps
-        test --keep_going
-        # remote cache / execution related
-        common --bes_timeout=600s
-        common --experimental_remote_build_event_upload=minimal
-        common --experimental_remote_cache_compression
-        common --nolegacy_important_outputs
-        common --noremote_upload_local_results
-        common --remote_timeout=3600
+        import %workspace%/bazel/bazelrc/ci.bazelrc
         EOF
         echo "::endgroup::"
 
@@ -68,6 +51,14 @@ runs:
         common --bes_backend=grpcs://remote.buildbuddy.io
         common --remote_cache=grpcs://remote.buildbuddy.io
         common --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
+        cquery --bes_results_url=
+        cquery --bes_backend=
+        cquery --remote_cache=
+        cquery --remote_header=
+        query --bes_results_url=
+        query --bes_backend=
+        query --remote_cache=
+        query --remote_header=
         EOF
         echo "::endgroup::"
 
@@ -93,6 +84,12 @@ runs:
         common --bes_results_url=https://app.buildbuddy.io/invocation/
         common --bes_backend=grpcs://remote.buildbuddy.io
         common --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
+        cquery --bes_results_url=
+        cquery --bes_backend=
+        cquery --remote_header=
+        query --bes_results_url=
+        query --bes_backend=
+        query --remote_header=
         EOF
         echo "::endgroup::"
 

bazel/bazelrc/bazel6.bazelrc

@@ -0,0 +1,15 @@
+# Speed up all builds by not checking if external repository files have been modified.
+# Docs: https://github.com/bazelbuild/bazel/blob/1af61b21df99edc2fc66939cdf14449c2661f873/src/main/java/com/google/devtools/build/lib/bazel/repository/RepositoryOptions.java#L244
+build --noexperimental_check_external_repository_files
+fetch --noexperimental_check_external_repository_files
+query --noexperimental_check_external_repository_files
+
+# Directories used by sandboxed non-worker execution may be reused to avoid unnecessary setup costs.
+# Save time on Sandbox creation and deletion when many of the same kind of action run during the
+# build.
+# Docs: https://bazel.build/reference/command-line-reference#flag--reuse_sandbox_directories
+build --reuse_sandbox_directories
+
+# Avoid this flag being enabled by remote_download_minimal or remote_download_toplevel
+# See https://meroton.com/blog/bazel-6-errors-build-without-the-bytes/
+build --noexperimental_action_cache_store_output_metadata

bazel/bazelrc/cc.bazelrc

@@ -0,0 +1,3 @@
+# disable automatic toolchain detection for C/C++
+common --incompatible_enable_cc_toolchain_resolution
+common --action_env BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1

bazel/bazelrc/ci.bazelrc

@@ -0,0 +1,82 @@
+# We recommend enforcing a policy that keeps your CI from being slowed down
+# by individual test targets that should be optimized
+# or split up into multiple test targets with sharding or manually.
+# Set this flag to exclude targets that have their timeout set to eternal (>15m) from running on CI.
+# Docs: https://bazel.build/docs/user-manual#test-timeout-filters
+test --test_timeout_filters=-eternal
+
+# Announce all announces command options read from the bazelrc file(s) when starting up at the
+# beginning of each Bazel invocation. This is very useful on CI to be able to inspect what Bazel rc
+# settings are being applied on each run.
+# Docs: https://bazel.build/docs/user-manual#announce-rc
+common --announce_rc
+
+# Add a timestamp to each message generated by Bazel specifying the time at which the message was
+# displayed.
+# Docs: https://bazel.build/docs/user-manual#show-timestamps
+build --show_timestamps
+
+# Only show progress every 15 seconds on CI.
+# We want to find a compromise between printing often enough to show that the build isn't stuck,
+# but not so often that we produce a long log file that requires a lot of scrolling.
+# https://bazel.build/reference/command-line-reference#flag--show_progress_rate_limit
+common --show_progress_rate_limit=15
+
+# Use cursor controls in screen output.
+# Docs: https://bazel.build/docs/user-manual#curses
+common --curses=yes
+
+# Use colors to highlight output on the screen. Set to `no` if your CI does not display colors.
+# Docs: https://bazel.build/docs/user-manual#color
+common --color=yes
+
+# The terminal width in columns. Configure this to override the default value based on what your CI system renders.
+# Docs: https://github.com/bazelbuild/bazel/blob/1af61b21df99edc2fc66939cdf14449c2661f873/src/main/java/com/google/devtools/build/lib/runtime/UiOptions.java#L151
+build --terminal_columns=143
+
+######################################
+# Generic remote cache configuration #
+######################################
+
+# Only download remote outputs of top level targets to the local machine.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_download_toplevel
+# TODO(malt3): find out why this is not working
+# build --remote_download_toplevel
+
+# The maximum amount of time to wait for remote execution and cache calls.
+# https://bazel.build/reference/command-line-reference#flag--remote_timeout
+build --remote_timeout=3600
+
+# Upload locally executed action results to the remote cache.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_upload_local_results
+# TODO(malt3): find out why this is not working
+# build --remote_upload_local_results
+
+# Fall back to standalone local execution strategy if remote execution fails. If the grpc remote
+# cache connection fails, it will fail the build, add this so it falls back to the local cache.
+# Docs: https://bazel.build/reference/command-line-reference#flag--remote_local_fallback
+build --remote_local_fallback
+
+# Fixes builds hanging on CI that get the TCP connection closed without sending RST packets.
+# Docs: https://bazel.build/reference/command-line-reference#flag--grpc_keepalive_time
+build --grpc_keepalive_time=30s
+
+
+######################################
+# Edgeless specific                  #
+######################################
+
+# Ensure runs in CI are tagged as such.
+common --build_metadata=ROLE=CI
+
+# show verbose failure messages in CI.
+common --verbose_failures
+
+# extend time available to upload build events
+common --bes_timeout=600s
+
+# options to limit the amount of data uploaded/downloaded to/from the remote cache
+common --experimental_remote_build_event_upload=minimal
+common --experimental_remote_cache_compression
+common --nolegacy_important_outputs
+common --noremote_upload_local_results

bazel/bazelrc/convenience.bazelrc

@@ -0,0 +1,28 @@
+# Attempt to build & test every target whose prerequisites were successfully built.
+# Docs: https://bazel.build/docs/user-manual#keep-going
+build --keep_going
+
+# Output test errors to stderr so users don't have to `cat` or open test failure log files when test
+# fail. This makes the log noiser in exchange for reducing the time-to-feedback on test failures for
+# users.
+# Docs: https://bazel.build/docs/user-manual#test-output
+test --test_output=errors
+
+# Show the output files created by builds that requested more than one target. This helps users
+# locate the build outputs in more cases
+# Docs: https://bazel.build/docs/user-manual#show-result
+build --show_result=20
+
+# Bazel picks up host-OS-specific config lines from bazelrc files. For example, if the host OS is
+# Linux and you run bazel build, Bazel picks up lines starting with build:linux. Supported OS
+# identifiers are `linux`, `macos`, `windows`, `freebsd`, and `openbsd`. Enabling this flag is
+# equivalent to using `--config=linux` on Linux, `--config=windows` on Windows, etc.
+# Docs: https://bazel.build/reference/command-line-reference#flag--enable_platform_specific_config
+common --enable_platform_specific_config
+
+# Output a heap dump if an OOM is thrown during a Bazel invocation
+# (including OOMs due to `--experimental_oom_more_eagerly_threshold`).
+# The dump will be written to `<output_base>/<invocation_id>.heapdump.hprof`.
+# You may need to configure CI to capture this artifact and upload for later use.
+# Docs: https://bazel.build/reference/command-line-reference#flag--heap_dump_on_oom
+common --heap_dump_on_oom

bazel/bazelrc/correctness.bazelrc

@@ -0,0 +1,46 @@
+# Don't allow network access for build actions in the sandbox.
+# Ensures that you don't accidentally make non-hermetic actions/tests which depend on remote
+# services.
+# Developers should tag targets with `tags=["requires-network"]` to opt-out of the enforcement.
+# Docs: https://bazel.build/reference/command-line-reference#flag--sandbox_default_allow_network
+build --sandbox_default_allow_network=false
+
+# Allow the Bazel server to check directory sources for changes. Ensures that the Bazel server
+# notices when a directory changes, if you have a directory listed in the srcs of some target.
+# Recommended when using
+# [copy_directory](https://github.com/aspect-build/bazel-lib/blob/main/docs/copy_directory.md) and
+# [rules_js](https://github.com/aspect-build/rules_js) since npm package are source directories
+# inputs to copy_directory actions.
+# Docs: https://bazel.build/reference/command-line-reference#flag--host_jvm_args
+startup --host_jvm_args=-DBAZEL_TRACK_SOURCE_DIRECTORIES=1
+
+# Allow exclusive tests to run in the sandbox. Fixes a bug where Bazel doesn't enable sandboxing for
+# tests with `tags=["exclusive"]`.
+# Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_exclusive_test_sandboxed
+test --incompatible_exclusive_test_sandboxed
+
+# Use a static value for `PATH` and does not inherit `LD_LIBRARY_PATH`. Doesn't let environment
+# variables like `PATH` sneak into the build, which can cause massive cache misses when they change.
+# Use `--action_env=ENV_VARIABLE` if you want to inherit specific environment variables from the
+# client, but note that doing so can prevent cross-user caching if a shared cache is used.
+# Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_strict_action_env
+build --incompatible_strict_action_env
+
+# Propagate tags from a target declaration to the actions' execution requirements.
+# Ensures that tags applied in your BUILD file, like `tags=["no-remote"]`
+# get propagated to actions created by the rule.
+# Without this option, you rely on rules authors to manually check the tags you passed
+# and apply relevant ones to the actions they create.
+# See https://github.com/bazelbuild/bazel/issues/8830 for details.
+# Docs: https://bazel.build/reference/command-line-reference#flag--experimental_allow_tags_propagation
+build --experimental_allow_tags_propagation
+fetch --experimental_allow_tags_propagation
+query --experimental_allow_tags_propagation
+
+# Do not automatically create `__init__.py` files in the runfiles of Python targets. Fixes the wrong
+# default that comes from Google's internal monorepo by using `__init__.py` to delimit a Python
+# package. Precisely, when a `py_binary` or `py_test` target has `legacy_create_init` set to `auto (the
+# default), it is treated as false if and only if this flag is set. See
+# https://github.com/bazelbuild/bazel/issues/10076.
+# Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_default_to_explicit_init_py
+build --incompatible_default_to_explicit_init_py

bazel/bazelrc/debug.bazelrc

@@ -0,0 +1,22 @@
+############################################################
+# Use `bazel test --config=debug` to enable these settings #
+############################################################
+
+# Stream stdout/stderr output from each test in real-time.
+# Docs: https://bazel.build/docs/user-manual#test-output
+test:debug --test_output=streamed
+
+# Run one test at a time.
+# Docs: https://bazel.build/reference/command-line-reference#flag--test_strategy
+test:debug --test_strategy=exclusive
+
+# Prevent long running tests from timing out.
+# Docs: https://bazel.build/docs/user-manual#test-timeout
+test:debug --test_timeout=9999
+
+# Always run tests even if they have cached results.
+# Docs: https://bazel.build/docs/user-manual#cache-test-results
+test:debug --nocache_test_results
+
+# enable debug symbols and disable stripping
+common:debug --compilation_mode=dbg --strip=never

bazel/bazelrc/performance.bazelrc

@@ -0,0 +1,43 @@
+# Speed up all builds by not checking if output files have been modified. Lets you make changes to
+# the output tree without triggering a build for local debugging. For example, you can modify
+# [rules_js](https://github.com/aspect-build/rules_js) 3rd party npm packages in the output tree
+# when local debugging.
+# Docs: https://github.com/bazelbuild/bazel/blob/1af61b21df99edc2fc66939cdf14449c2661f873/src/main/java/com/google/devtools/build/lib/pkgcache/PackageOptions.java#L185
+build --noexperimental_check_output_files
+fetch --noexperimental_check_output_files
+query --noexperimental_check_output_files
+
+# Don't apply `--noremote_upload_local_results` and `--noremote_accept_cached` to the disk cache.
+# If you have both `--noremote_upload_local_results` and `--disk_cache`, then this fixes a bug where
+# Bazel doesn't write to the local disk cache as it treats as a remote cache.
+# Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_remote_results_ignore_disk
+build --incompatible_remote_results_ignore_disk
+
+# Directories used by sandboxed non-worker execution may be reused to avoid unnecessary setup costs.
+# Save time on Sandbox creation and deletion when many of the same kind of action run during the
+# build.
+# No longer experimental in Bazel 6: https://github.com/bazelbuild/bazel/commit/c1a95501a5611878e5cc43a3cc531f2b9e47835b
+# Docs: https://bazel.build/reference/command-line-reference#flag--reuse_sandbox_directories
+build --experimental_reuse_sandbox_directories
+
+# Do not build runfiles symlink forests for external repositories under
+# `.runfiles/wsname/external/repo` (in addition to `.runfiles/repo`). This reduces runfiles &
+# sandbox creation times & prevents accidentally depending on this feature which may flip to off by
+# default in the future. Note, some rules may fail under this flag, please file issues with the rule
+# author.
+# Docs: https://bazel.build/reference/command-line-reference#flag--legacy_external_runfiles
+build --nolegacy_external_runfiles
+
+# Some actions are always IO-intensive but require little compute. It's wasteful to put the output
+# in the remote cache, it just saturates the network and fills the cache storage causing earlier
+# evictions. It's also not worth sending them for remote execution.
+# For actions like PackageTar it's usually faster to just re-run the work locally every time.
+# You'll have to look at an execution log to figure out what other action mnemonics you care about.
+# In some cases you may need to patch rulesets to add a mnemonic to actions that don't have one.
+# https://bazel.build/reference/command-line-reference#flag--modify_execution_info
+build --modify_execution_info=PackageTar=+no-remote,OCIImage=+no-remote
+
+# build only what is needed for tests
+test --build_tests_only
+
+common --experimental_output_directory_naming_scheme=diff_against_baseline