From 1b014e9e95ec926b94a525b6d34db2c6d92569a9 Mon Sep 17 00:00:00 2001 From: Austin Schuh Date: Sat, 27 Jun 2026 15:19:44 -0700 Subject: [PATCH] [bazel] Fix sandbox leaks and add support for remote execution (#9031) These were caught by building on engflow. This fixes a couple of places where paths were escaping the sandbox and resolving back to the git repo. --------- Signed-off-by: Austin Schuh --- .bazelrc | 23 ++++++++++++++++ commandsv3/BUILD.bazel | 5 +++- commandsv3/generate.bzl | 1 + hal/generate.bzl | 2 ++ shared/bazel/BUILD.bazel | 6 +++++ .../robotpy/generate_pybind_build_file.py | 26 +++---------------- wpimath/generate.bzl | 2 ++ wpiutil/generate.bzl | 2 ++ 8 files changed, 43 insertions(+), 24 deletions(-) diff --git a/.bazelrc b/.bazelrc index 571c168563..903b6ec678 100644 --- a/.bazelrc +++ b/.bazelrc @@ -38,6 +38,7 @@ build:build_buddy_bes --bes_backend=grpcs://remote.buildbuddy.io build:common_cache --remote_timeout=3600 build:common_cache --remote_cache_compression build:common_cache --experimental_remote_cache_compression_threshold=100 +common:common_cache --experimental_remote_merkle_tree_cache # Build Buddy Cache Setup build:build_buddy --config=common_cache 
@@ -56,6 +57,28 @@ build:remote_cache --remote_cache=grpcs://gitlib-bazel.wpi.edu common:remote_cache_readonly --noremote_upload_local_results +# Stubs for remote execution. +build:remote --strategy=TsProject=remote,sandboxed +build --strategy=CopyFile=remote,standalone +build --strategy=CopyDirectory=remote,standalone +build --strategy=CopyToDirectory=remote,standalone +# All tests have a strategy of TestRunner. Enable standalone for only tests. +# See the following for more details: +# https://github.com/bazelbuild/bazel/issues/7480 +build:linux --strategy=TestRunner=remote,sandboxed,standalone +build:macos --strategy=TestRunner=remote,sandboxed,standalone +build:linux --strategy=NpmLifecycleHook=remote,sandboxed,standalone +build:macos --strategy=NpmLifecycleHook=remote,sandboxed,standalone + +common:remote --config=common_cache +build:remote --incompatible_strict_action_env --experimental_inmemory_dotd_files --experimental_inmemory_jdeps_files --experimental_remote_merkle_tree_cache --incompatible_allow_tags_propagation +# Specify your cluster as follows: +# build:remote --remote_executor=grpcs://engflow.example.com --bes_backend=grpcs://engflow.example.com --bes_results_url=https://engflow.example.com/invocation/ +build:remote --jobs=100 +build:remote --remote_timeout=1500 +build:remote --spawn_strategy=remote,sandboxed +build:remote --grpc_keepalive_time=30s + # This config should be used locally. It downloads more than the CI version build:remote_user --config=remote_cache build:remote_user --config=remote_cache_readonly diff --git a/commandsv3/BUILD.bazel b/commandsv3/BUILD.bazel index e9e3cc9fe0..86a8a76f7a 100644 --- a/commandsv3/BUILD.bazel +++ b/commandsv3/BUILD.bazel @@ -17,7 +17,10 @@ py_binary( filegroup( name = "templates", - srcs = glob(["src/generate/main/**"]) + [ + srcs = glob([ + "src/generate/main/**", + "src/main/proto/**", + ]) + [ "//wpilibj:hid_schema", ], ) 
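Review bot: The three `build --strategy=Copy...=remote,standalone` lines sit under the "Stubs for remote execution" comment but are not scoped to the `remote` config, so in any build without a remote executor CopyFile, CopyDirectory and CopyToDirectory will fall back to unsandboxed local execution. The `build:linux` and `build:macos` lines likewise leave `standalone` as the last fallback for TestRunner and NpmLifecycleHook wherever those configs are active. In a change meant to stop paths escaping the sandbox, an unsandboxed fallback can hide exactly that kind of undeclared input, so either scope them, e.g. `build:remote --strategy=CopyFile=remote,standalone`, or add a comment saying why these mnemonics need `standalone` locally. `--experimental_remote_merkle_tree_cache` is also set twice for `--config=remote`, once through `common_cache` (first .bazelrc hunk) and once on the `build:remote` line.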
diff --git a/commandsv3/generate.bzl b/commandsv3/generate.bzl index 4c462cc341..6cccaa97be 100644 --- a/commandsv3/generate.bzl +++ b/commandsv3/generate.bzl @@ -7,6 +7,7 @@ def __generate_commandsv3_impl(ctx): args = ctx.actions.args() args.add("--output_directory", output_dir.path) args.add("--template_root", "commandsv3/src/generate") + args.add("--proto_directory", "commandsv3/src/main/proto") args.add("--protoc", ctx.executable._protoc) args.add("--quickbuf_plugin", ctx.executable._quickbuf) diff --git a/hal/generate.bzl b/hal/generate.bzl index 44ab6cd89c..ed5075d017 100644 --- a/hal/generate.bzl +++ b/hal/generate.bzl @@ -7,6 +7,8 @@ def __generate_hal_impl(ctx): args = ctx.actions.args() args.add("--output_directory", output_dir.path + "/main/native/cpp/mrc/protobuf") args.add("--nanopb", ctx.executable._nanopb_generator) + first_file = ctx.attr.proto_files.files.to_list()[0] + args.add("--proto_directory", first_file.dirname) ctx.actions.run( inputs = ctx.attr.proto_files.files.to_list(), diff --git a/shared/bazel/BUILD.bazel b/shared/bazel/BUILD.bazel index bb7e25475e..54eee116e9 100644 --- a/shared/bazel/BUILD.bazel +++ b/shared/bazel/BUILD.bazel @@ -47,6 +47,12 @@ platform( platform( name = "linux_x86_64", + exec_properties = { + "OSFamily": "Linux", + "container-image": "docker://wpilib/debian-base:trixie@sha256:4c20e850c88d9766a3aeaaf12901c9ca5e511b6ce59930046c187ce576fa1eeb", + "dockerAddCapabilities": "SYS_PTRACE", + "dockerReuse": "True", + }, flags = [ "--per_file_copt=external/.*@-Wno-pedantic,-Wno-format-nonliteral,-Wno-sign-compare,-Wno-type-limits,-Wno-maybe-uninitialized,-Wno-missing-field-initializers,-Wno-trigraphs,-Wno-attributes,-Wno-return-type,-Wno-unused-function,-Wno-format-y2k,-Wno-deprecated-declarations", "--per_file_copt=external/.*\\.cpp$,external/.*\\.cc$@-Wno-missing-requires,-Wno-volatile,-Wno-redundant-move,-Wno-class-memaccess,-Wno-ignored-qualifiers,-Wno-stringop-overflow,-Wno-extra", 
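Review bot: The new `--proto_directory` value is the string literal `"commandsv3/src/main/proto"`, which is only right while the package sits at that path in the main repository and the action runs from the execroot; nothing ties it to the files the `templates` filegroup declares as inputs. hal/generate.bzl and wpiutil/generate.bzl in this same commit derive the directory from the declared input files instead. Assuming the rule is only instantiated in `//commandsv3`, `args.add("--proto_directory", ctx.label.package + "/src/main/proto")` would keep the path following the package, and the same applies to the two literals added in wpimath/generate.bzl. `__generate_commandsv3_impl` starts and ends outside the hunk.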
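Review bot: `ctx.attr.proto_files.files.to_list()[0]` stops analysis with a bare index error when `proto_files` is empty, and `first_file.dirname` is only the right `--proto_directory` if every file in the depset lives in one directory, which nothing here checks. An explicit `fail("proto_files must not be empty")` guard before the index, plus a comment such as `# all proto_files are expected to share one directory`, would make both assumptions visible. The depset is also flattened twice, here and in `inputs = ctx.attr.proto_files.files.to_list()` just below; binding the list once to a local avoids that. wpiutil/generate.bzl gets the same two added lines and the same remarks apply there. `__generate_hal_impl` continues outside the hunk.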
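Review bot: The new `exec_properties` give remote actions on the `linux_x86_64` platform the `SYS_PTRACE` capability and turn on `dockerReuse`, and neither choice is explained. Pinning the image by `sha256` digest is good, but as I understand `dockerReuse`, a reused container lets state left by one action be visible to the next, which works against the hermeticity this commit is restoring, and `SYS_PTRACE` is broader than most compile and test actions need. Please add a comment above the dict, for example `# SYS_PTRACE: needed by <tool or test that requires it>; dockerReuse: accepted for startup cost, actions must not rely on container state`, or move the capability to the targets that need it through target-level `exec_properties`. The `platform(...)` call continues past the end of the hunk.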
diff --git a/shared/bazel/rules/robotpy/generate_pybind_build_file.py b/shared/bazel/rules/robotpy/generate_pybind_build_file.py index f7d912b3c7..2772c2f4bd 100644 --- a/shared/bazel/rules/robotpy/generate_pybind_build_file.py +++ b/shared/bazel/rules/robotpy/generate_pybind_build_file.py @@ -51,24 +51,7 @@ class HeaderToDatConfig: self.yml_file = args[1].path self.defines = defines - def find_root_dir(include_root): - """ - Somewhat naive attempt to find the "root" directory of the repository, - as specified from the runfiles path - """ - if "__main__/" in include_root: - return pathlib.Path( - include_root[: include_root.find("__main__/") + len("__main__/")] - ) - elif "_main/" in include_root: - return pathlib.Path( - include_root[: include_root.find("_main/") + len("_main/")] - ) - else: - return pathlib.Path(include_root) - include_root = str(args[3]).replace("\\", "/") - root_dir = find_root_dir(include_root) if "native" in include_root: # base_include_root = pathlib.Path(*args[3].relative_to(root_dir).parts[3:]) base_include_file = args[2].relative_to(include_root) @@ -77,12 +60,9 @@ class HeaderToDatConfig: self.include_file = f"$(execpath :{fixup_native_lib_name('robotpy-native-' + base_library)}.copy_headers)/{base_include_file}" self.include_root = f"$(execpath :{fixup_native_lib_name('robotpy-native-' + base_library)}.copy_headers)" else: - if root_dir.is_absolute(): - self.include_file = args[2].relative_to(root_dir) - self.include_root = args[3].relative_to(root_dir) - else: - self.include_file = args[2] - self.include_root = args[3] + root_dir = pathlib.Path.cwd().absolute() + self.include_file = pathlib.Path(args[2]).absolute().relative_to(root_dir) + self.include_root = pathlib.Path(args[3]).absolute().relative_to(root_dir) # type casters = 4 # dat file = 5 # d file = 6 diff --git a/wpimath/generate.bzl b/wpimath/generate.bzl index aed7a26bba..006cba36d6 100644 --- a/wpimath/generate.bzl +++ b/wpimath/generate.bzl 
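Review bot: `relative_to(root_dir)` in the rewritten `else` branch raises a bare `ValueError` as soon as `args[2]` or `args[3]` is not located under the current working directory, with nothing in the message to say which argument or which root was involved; catching it and re-raising with both paths would make a sandbox or remote-execution mismatch much easier to diagnose. `Path.absolute()` neither collapses `..` nor follows symlinks, which looks deliberate here since `resolve()` would presumably lead back to the checkout, but that deserves a comment such as `# absolute(), not resolve(): do not follow sandbox symlinks out of the execroot`. `pathlib.Path.cwd()` is already absolute, so the trailing `.absolute()` on `root_dir` can be dropped. The commented-out `base_include_root` line kept as context in the first hunk still refers to `root_dir`, which no longer exists in that branch. The enclosing method starts and ends outside the hunk.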
@@ -6,6 +6,8 @@ def __generate_wpimath_impl(ctx): args = ctx.actions.args() args.add("--output_directory", output_dir.path) + args.add("--template_root", "wpimath/src/generate") + args.add("--proto_directory", "wpimath/src/main/proto") args.add("--protoc", ctx.executable._protoc) args.add("--quickbuf_plugin", ctx.executable._quickbuf) args.add("--nanopb_generator", ctx.executable._nanopb_generator) diff --git a/wpiutil/generate.bzl b/wpiutil/generate.bzl index 97a1bf0c95..9283c291c9 100644 --- a/wpiutil/generate.bzl +++ b/wpiutil/generate.bzl @@ -7,6 +7,8 @@ def __generate_wpiutil_impl(ctx): args = ctx.actions.args() args.add("--output_directory", output_dir.path) args.add("--nanopb", ctx.executable._nanopb_generator) + first_file = ctx.attr.proto_files.files.to_list()[0] + args.add("--proto_directory", first_file.dirname) ctx.actions.run( inputs = ctx.attr.proto_files.files,