feat: Runfile and java artifact support for Bazel Builder (#2362)
cc: @mihaimaruseac

This will provide support for artifacts that also need runfiles. Users can use a flag, `needs-runfiles`, to also package the artifact alongside the runfiles Bazel generates if the user deems it necessary.

Also, support for Java artifacts is made available by packaging the JARs to be standalone through a format in Bazel called `_deploy.jar`. Alongside the `_deploy.jar`, there will be a modified `run-script` that allows the users that download the artifact to run the run-script by using a flag called `local_javabin`, where they put the path to their own java bin such that it is utilized by the run-script. This run-script is generated by Bazel from a template and later modified in the `build.sh` in the internal part of the builder to add this flag for the users. More information is available in the readme.

Java targets will automatically be converted to their `_deploy.jar` with this. Three flags are used for users that have java targets:

- `includes-java`: if true then adds an additional flag to the build command as well as a rule for a local java repo in WORKSPACE in order to utilize the `--singlejar` capability of the run-script for `_deploy.jar` such that the remote jdk does not need to be included in runfiles. Doing it like this prevents massive bloat when attesting.
- `user-java-distribution` and `user-java-version`: let the user specify the exact java they want to use to build.

When users run the run-script they will include an additional flag `local_javabin` which they will set to their local javabin that the run-script will utilize to run the `_deploy.jar`.

A combination of `bazel query` and `bazel cquery` was used to resolve edge cases with the implementation.

---------

Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: Ian Lewis <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
1 parent 205e9bc, commit ba8a119. Showing 4 changed files with 260 additions and 20 deletions.
@@ -18,6 +18,8 @@ workflow the "Bazel builder" from now on. | |
- [Development status](#development-status) | ||
- [Generating Provenance](#generating-provenance) | ||
- [Getting Started](#getting-started) | ||
- [Runfile Support](#runfile-support) | ||
- [Java Artifact Support (and Caveats)](#java-artifact-support-and-caveats) | ||
- [Referencing the Bazel builder](#referencing-the-bazel-builder) | ||
- [Private Repositories](#private-repositories) | ||
- [Supported Triggers](#supported-triggers) | ||
|
@@ -93,12 +95,72 @@ jobs: | |
The `targets` are a set of space separated build targets to be built. Each target must include the `//` workspace root identifier and package target identifier (`:your_target`). Because of this each target should be of the form `//path/from/root/to/target:your_target`. | ||
|
||
Targets can also be referred to with general glob patterns such as `//src/...` or `//src/internal:all`. Note however, that support for artifacts that | ||
require runfiles is still currently in development and not available at this time. Progress for runfile support is currently being tracked [here](https:/slsa-framework/slsa-github-generator/issues/2332). | ||
Targets can also be referred to with general glob patterns such as `//src/...` or `//src/internal:all`. Generic glob patterns that have an intersection are allowed as well. | ||
|
||
Once the targets are built, the Bazel builder creates a folder for the artifacts | ||
and another for the provenance attestations which are uploaded as artifacts to the workflow run. | ||
|
||
### Runfile Support | ||
|
||
If the artifact(s) built need the runfiles generated along with it to function properly, then they can be added with the artifact in the attestation. In the following resuable workflow call, the flag `needs-runfiles` will be set to `true` | ||
in order to package the artifacts with their runfiles. | ||
|
||
```yaml | ||
jobs: | ||
build: | ||
permissions: | ||
id-token: write # For signing | ||
contents: read # For repo checkout. | ||
actions: read # For getting workflow run info. | ||
if: startsWith(github.ref, 'refs/tags/') | ||
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
with: | ||
targets: "//src:fib //src:hello" | ||
flags: "--strip=always" | ||
needs-runfiles: true | ||
``` | ||
|
||
In the artifact folder that gets uploaded to Github, with `needs-runfiles` set to true, there will be a folder for each artifact which contains the artifact and the folder of its runfiles. | ||
With the `needs-runfiles` flag set to true, each target specified in the workflow call will be packaged with their respective runfiles. | ||
|
||
### Java Artifact Support (and Caveats) | ||
|
||
If the targets being built includes Java targets, then the flag `includes-java` must be set to true. Additionally, if a specific distribution and version of Java is needed, | ||
that can be designated through the `user-java-distribution` and `user-java-version` flags. Note that the default Java distribution is Oracle and default Java version is 17. | ||
For more info on configuring the Java distribution and version go [here](https:/actions/setup-java). This flag usage can be seen in the following resuable workflow call: | ||
|
||
```yaml | ||
jobs: | ||
build: | ||
permissions: | ||
id-token: write # For signing | ||
contents: read # For repo checkout. | ||
actions: read # For getting workflow run info. | ||
if: startsWith(github.ref, 'refs/tags/') | ||
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
with: | ||
targets: "//src:fib //src:hello" | ||
flags: "--strip=always" | ||
includes-java: true | ||
user-java-distribution: "oracle" | ||
user-java-version: "17" | ||
``` | ||
|
||
Each Java target will be outputed in its own directory inside the artifact folder that gets uploaded. Inside each respective artifact directory will be a JAR that can be ran on its own using the run-script that is | ||
packaged with it. For instance if there is a Java target named Main it would be uploaded as its own directory with tree looking like the following: | ||
|
||
├── Main <br /> | ||
│ ├── Main # This is the run-script <br /> | ||
│ └── Main_deploy.jar <br /> | ||
|
||
Each Java target, whether specified as in the targets input as a `_deploy.jar` or not, will be built as a [_deploy.jar](https://bazel.build/reference/be/java) which contains all classes found by classloader and native libraries for dependencies. | ||
Since the artifact is built on a Github Runner, the run-script has the VM's Java bin path hardcoded in. However, the run-script has been modified to include an additional flag, `--local_javabin` to change the Java Bin path to the user's. To run the JAR using | ||
the run-script the `--singlejar` flag must be specified to signal to the run-script that the JAR is a `_deploy.jar`. Additionally, `--local_javabin` must be set to the path of the user's Java Bin to run it. Therefore running the JAR would look like the following: | ||
|
||
`./Main --singlejar --local_javabin="path/to/user/bin/java"` | ||
|
||
Note that Java targets do not need to have the `needs-runfiles` flag to be true in order to create the _deploy.jar and run-script for it. | ||
|
||
### Referencing the Bazel builder | ||
|
||
At present, the builder **MUST** be referenced by a tag of the form `@vX.Y.Z`, | ||
|
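Review bot: the Java section (the paragraph starting `Since the artifact is built on a Github Runner`) says the run-script has the runner's Java bin path hardcoded and that `--local_javabin` must be passed, but it does not say what happens when the flag is omitted (does the script fail closed, or try to exec the runner's path?), nor does it mention that the builder rewrites the Bazel-generated run-script in `build.sh` and, per the commit message, adds a local Java repository rule to the WORKSPACE when `includes-java` is true; both affect what ends up in the attested artifacts and how a verifier should read the build config, so state them here. The invocation example should use an absolute path, e.g. `./Main --singlejar --local_javabin=/usr/bin/java`, because a relative `path/to/user/bin/java` resolves against the caller's working directory. Smaller points in the added text: `resuable` (twice) should be `reusable`, `outputed` should be `output`, `can be ran` should be `can be run`; the tree diagram built from `<br />` tags would render reliably as a fenced text block; and `contains all classes found by classloader` should say that the `_deploy.jar` packages the classes and native libraries of the target's transitive runtime dependencies, which is what Bazel's deploy jar actually contains.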