protobuf
protobuf copied to clipboard
protocolbuffers
chore: show a validation action
Rough sketch of a way to check whether protoc is an "authentic" release from the protobuf team.
We create a single validation action, and then forward the validation output group through proto_library to ensure all users should hit it.
Next steps to make it real:
- instead of just checking
protoc --versionand then failing, we should checksum protoc and verify against the expected hash
demo:
alexeagle@aspect-build protobuf % USE_BAZEL_VERSION=8.x bazel build rust/test:parent_proto --norun_validations
INFO: Analyzed target //rust/test:parent_proto (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
Target //rust/test:parent_proto up-to-date:
bazel-bin/rust/test/parent_proto-descriptor-set.proto.bin
INFO: Elapsed time: 0.210s, Critical Path: 0.00s
INFO: 1 process: 1 action cache hit, 1 internal.
INFO: Build completed successfully, 1 total action
alexeagle@aspect-build protobuf % USE_BAZEL_VERSION=8.x bazel build rust/test:parent_proto
INFO: Analyzed target //rust/test:parent_proto (0 packages loaded, 0 targets configured).
ERROR: /Users/alexeagle/Projects/protobuf/bazel/private/BUILD:5:20: Action bazel/private/validation_output.txt failed: (Exit 1): bash failed: error executing Action command (from target //bazel/private:authenticity_check) /bin/bash -c ... (remaining 1 argument skipped)
Use --sandbox_debug to see verbose messages from the sandbox and retain the sandbox build root for debugging
libprotoc 33.0-dev
protoc came from an untrusted source, we do not support this. To suppress this warning run with --norun_validations
Target //rust/test:parent_proto failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 0.136s, Critical Path: 0.02s
INFO: 2 processes: 1 action cache hit, 2 internal.
I wasn't able to reproduce the output above. I get:
$ USE_BAZEL_VERSION=8.x bazel build rust/test:parent_proto --norun_validations
Starting local Bazel server (8.4.2) and connecting to it...
WARNING: For repository 'rules_cc', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'bazel_skylib', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'rules_java', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'rules_shell', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'googletest', the root module requires module version [email protected], but got [email protected] in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
ERROR: /usr/local/google/home/haberman/jj/protobuf/rust/test/BUILD:36:14: in proto_library rule //rust/test:parent_proto:
Traceback (most recent call last):
File "/usr/local/google/home/haberman/jj/protobuf/bazel/private/proto_library_rule.bzl", line 116, column 24, in _proto_library_impl
OutputGroupInfo(_validation = depset([ctx.attr._authenticity_check[OutputGroupInfo]._validation])),
Error in OutputGroupInfo: for 'output group '_validation'', got a depset of 'depset', expected a depset of 'File'
ERROR: /usr/local/google/home/haberman/jj/protobuf/rust/test/BUILD:36:14: Analysis of target '//rust/test:parent_proto' (config: 209a934) failed
ERROR: Analysis of target '//rust/test:parent_proto' failed; build aborted
INFO: Elapsed time: 3.645s, Critical Path: 0.03s
INFO: 1 process: 1 internal.
ERROR: Build did NOT complete successfully
(Sorry if this is due to my slow review -- perhaps something bitrotted in the meantime).
