diff --git a/.bazelrc b/.bazelrc
index 3c642d5f1..9a2f03564 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -1,5 +1,11 @@
+# Sadly, some Bazel rules we depend on have no support for bzlmod yet
+# Here is an (incomplete) list of rules known to not support bzlmod.
+# Please extend this list as you find more.
+# - rules_nixpkgs: https://github.com/tweag/rules_nixpkgs/issues/181
+common --noenable_bzlmod
+
 # Import bazelrc presets
-import %workspace%/bazel/bazelrc/bazel6.bazelrc
+import %workspace%/bazel/bazelrc/bazel7.bazelrc
 import %workspace%/bazel/bazelrc/convenience.bazelrc
 import %workspace%/bazel/bazelrc/correctness.bazelrc
 import %workspace%/bazel/bazelrc/debug.bazelrc
diff --git a/.bazelversion b/.bazelversion
index 19b860c18..66ce77b7e 100644
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-6.4.0
+7.0.0
diff --git a/WORKSPACE.bazel b/WORKSPACE.bazel
index abbfc8767..6571b1120 100644
--- a/WORKSPACE.bazel
+++ b/WORKSPACE.bazel
@@ -4,6 +4,10 @@ load("//bazel/toolchains:skylib_deps.bzl", "skylib_deps")
 skylib_deps()
+load("//bazel/toolchains:cc_deps.bzl", "rules_cc_deps")
+
+rules_cc_deps()
+
 # nixpkgs deps
 load("//bazel/toolchains:nixpkgs_deps.bzl", "nixpkgs_deps")
@@ -32,7 +36,7 @@ nixpkgs_flake_package(
 name = "bazel",
 nix_flake_file = "//:flake.nix",
 nix_flake_lock_file = "//:flake.lock",
- package = "bazel_6",
+ package = "bazel_7",
 )
 nixpkgs_flake_package(
diff --git a/bazel/bazelrc/bazel6.bazelrc b/bazel/bazelrc/bazel7.bazelrc
similarity index 77%
rename from bazel/bazelrc/bazel6.bazelrc
rename to bazel/bazelrc/bazel7.bazelrc
index 11a1c67fa..212c26e7d 100644
--- a/bazel/bazelrc/bazel6.bazelrc
+++ b/bazel/bazelrc/bazel7.bazelrc
@@ -9,7 +9,3 @@ query --noexperimental_check_external_repository_files
 # build.
 # Docs: https://bazel.build/reference/command-line-reference#flag--reuse_sandbox_directories
 build --reuse_sandbox_directories
-
-# Avoid this flag being enabled by remote_download_minimal or remote_download_toplevel
-# See https://meroton.com/blog/bazel-6-errors-build-without-the-bytes/
-build --noexperimental_action_cache_store_output_metadata
diff --git a/bazel/bazelrc/correctness.bazelrc b/bazel/bazelrc/correctness.bazelrc
index 6c7934609..61a469071 100644
--- a/bazel/bazelrc/correctness.bazelrc
+++ b/bazel/bazelrc/correctness.bazelrc
@@ -44,3 +44,16 @@ query --experimental_allow_tags_propagation
 # https://github.com/bazelbuild/bazel/issues/10076.
 # Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_default_to_explicit_init_py
 build --incompatible_default_to_explicit_init_py
+
+# Set default value of `allow_empty` to `False` in `glob()`. This prevents a common mistake when
+# attempting to use `glob()` to match files in a subdirectory that is opaque to the current package
+# because it contains a BUILD file. See https://github.com/bazelbuild/bazel/issues/8195.
+# Docs: https://bazel.build/reference/command-line-reference#flag--incompatible_disallow_empty_glob
+common --incompatible_disallow_empty_glob
+
+# Always download coverage files for tests from the remote cache. By default, coverage files are not
+# downloaded on test result cache hits when --remote_download_minimal is enabled, making it impossible
+# to generate a full coverage report.
+# Docs: https://bazel.build/reference/command-line-reference#flag--experimental_fetch_all_coverage_outputs
+# detching remote cache results
+test --experimental_fetch_all_coverage_outputs
diff --git a/bazel/toolchains/cc_deps.bzl b/bazel/toolchains/cc_deps.bzl
new file mode 100644
index 000000000..cdda9821c
--- /dev/null
+++ b/bazel/toolchains/cc_deps.bzl
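Review bot: In bazel/bazelrc/correctness.bazelrc, the added line `# detching remote cache results` just above `test --experimental_fetch_all_coverage_outputs` reads like a leftover fragment with a typo (probably "fetching") and adds nothing to the four comment lines before it; I would delete it. The comment for `common --incompatible_disallow_empty_glob` could also state the consequence: an empty `glob()` becomes a load-time error, so a pattern that stops matching later breaks the build instead of silently matching nothing. A line such as `# An empty glob() is now an error; pass allow_empty = True where an empty match is intended.` would cover it.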
@@ -0,0 +1,15 @@
+"""bazel rules_cc"""
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+def rules_cc_deps():
+ http_archive(
+ name = "rules_cc",
+ urls = [
+ "https://cdn.confidential.cloud/constellation/cas/sha256/2037875b9a4456dce4a79d112a8ae885bbc4aad968e6587dca6e64f3a0900cdf",
+ "https://github.com/bazelbuild/rules_cc/releases/download/0.0.9/rules_cc-0.0.9.tar.gz",
+ ],
+ sha256 = "2037875b9a4456dce4a79d112a8ae885bbc4aad968e6587dca6e64f3a0900cdf",
+ strip_prefix = "rules_cc-0.0.9",
+ type = "tar.gz",
+ )
diff --git a/bazel/toolchains/nixpkgs_deps.bzl b/bazel/toolchains/nixpkgs_deps.bzl
index 350b64d1d..8ce9949d7 100644
--- a/bazel/toolchains/nixpkgs_deps.bzl
+++ b/bazel/toolchains/nixpkgs_deps.bzl
@@ -5,11 +5,11 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 def nixpkgs_deps():
 http_archive(
 name = "io_tweag_rules_nixpkgs",
- sha256 = "cf84628af3e4698acb200c005c4acf1dddaf5e7b9f839eeca78d983db2e874fb",
- strip_prefix = "rules_nixpkgs-2c767691d12b66a92f231bccb06bcf9f7477b962",
+ sha256 = "d4a8c10121ec7494402a0ae8c1a896ced20d4bef4485b107e37f5331716c3626",
+ strip_prefix = "rules_nixpkgs-244ae504d3f25534f6d3877ede4ee50e744a5234",
 urls = [
- "https://cdn.confidential.cloud/constellation/cas/sha256/cf84628af3e4698acb200c005c4acf1dddaf5e7b9f839eeca78d983db2e874fb",
- "https://github.com/tweag/rules_nixpkgs/archive/2c767691d12b66a92f231bccb06bcf9f7477b962.tar.gz",
+ "https://cdn.confidential.cloud/constellation/cas/sha256/d4a8c10121ec7494402a0ae8c1a896ced20d4bef4485b107e37f5331716c3626",
+ "https://github.com/tweag/rules_nixpkgs/archive/244ae504d3f25534f6d3877ede4ee50e744a5234.tar.gz",
 ],
 type = "tar.gz",
 )
diff --git a/flake.lock b/flake.lock
index 440d3176a..59e778edd 100644
--- a/flake.lock
+++ b/flake.lock
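Review bot: In bazel/toolchains/cc_deps.bzl, `rules_cc_deps()` has no docstring, and the module docstring `"""bazel rules_cc"""` does not say why rules_cc is now fetched explicitly (presumably a Bazel 7 requirement, though the hunk does not state it). The archive is pinned by `sha256` and the mirror URL path repeats the same digest, so an upgrade has to change the digest in both places along with `strip_prefix`. A one-line docstring would record that, for example `"""Fetches rules_cc 0.0.9 pinned by sha256; keep the CAS mirror path, sha256 and strip_prefix in sync on upgrade."""`.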
@@ -20,11 +20,11 @@ }, "nixpkgsUnstable": { "locked": { - "lastModified": 1706173671, - "narHash": "sha256-lciR7kQUK2FCAYuszyd7zyRRmTaXVeoZsCyK6QFpGdk=", + "lastModified": 1707939175, + "narHash": "sha256-D1xan0lgxbmXDyzVqXTiSYHLmAMrMRdD+alKzEO/p3w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4fddc9be4eaf195d631333908f2a454b03628ee5", + "rev": "f7e8132daca31b1e3859ac0fb49741754375ac3d", "type": "github" }, "original": {
diff --git a/flake.nix b/flake.nix
index d329b468e..437359123 100644
--- a/flake.nix
+++ b/flake.nix
@@ -75,7 +75,7 @@
 packages.awscli2 = pkgsUnstable.awscli2;
- packages.bazel_6 = pkgsUnstable.bazel_6;
+ packages.bazel_7 = pkgsUnstable.bazel_7;
 packages.createrepo_c = pkgsUnstable.createrepo_c;
diff --git a/image/initrd/BUILD.bazel b/image/initrd/BUILD.bazel
index 682c9d70e..6301d6cb5 100644
--- a/image/initrd/BUILD.bazel
+++ b/image/initrd/BUILD.bazel
@@ -6,7 +6,6 @@ mkosi_image(
 "mkosi.postinst",
 ] + glob([
 "mkosi.skeleton/**",
- "reposdir/**",
 ]),
 outs = [
 "image",
diff --git a/internal/attestation/azure/snp/BUILD.bazel b/internal/attestation/azure/snp/BUILD.bazel
index 43cdd1afa..abb300961 100644
--- a/internal/attestation/azure/snp/BUILD.bazel
+++ b/internal/attestation/azure/snp/BUILD.bazel
@@ -39,7 +39,6 @@ go_test(
 "issuer_test.go",
 "validator_test.go",
 ],
- data = glob(["testdata/**"]),
 embed = [":snp"],
 # keep
 gotags = select({
diff --git a/nix/shells/default.nix b/nix/shells/default.nix
index e7cb25bcb..ba787e2b4 100644
--- a/nix/shells/default.nix
+++ b/nix/shells/default.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }:
 pkgs.mkShell {
 nativeBuildInputs = with pkgs; [
- bazel_6
+ bazel_7
 git
 ];
 }