# *******************************************************************************
# Copyright (c) 2025 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************
# Verifies that MODULE.bazel and MODULE.bazel.lock are consistent and up to date.
#
# Two checks run in parallel:
# bzlmod-tidy-check — runs `bazel mod tidy` and fails if it would change any file
# bzlmod-lockfile-check — runs `bazel mod deps --lockfile_mode=error` and fails if the
# lockfile does not match the resolved dependency graph
#
# Recommended alternative: run these checks locally via pre-commit so issues are caught
# before they reach CI. Add the following to your .pre-commit-config.yaml (pre-commit
# reports a hook as failed when it modifies tracked files, which is what makes the
# `bazel mod tidy` hook a check rather than just a formatter):
#
#   - repo: local
#     hooks:
#       - id: bzlmod-tidy
#         name: bazel mod tidy
#         entry: bazel mod tidy
#         language: system
#         pass_filenames: false
#       - id: bzlmod-lockfile
#         name: bazel mod deps lockfile check
#         entry: bazel mod deps --lockfile_mode=error
#         language: system
#         pass_filenames: false
#
# Security note: this workflow refuses to run on pull_request_target. That event runs
# with a write-scoped GITHUB_TOKEN and access to repository secrets, and callers commonly
# pair it with a checkout of the PR head. Bazel evaluates MODULE.bazel and Starlark from
# the checkout, so a fork PR could then execute code with those privileges.
# Use pull_request (read-only token, no secrets for fork PRs) or schedule instead.
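---
name: Bazel Bzlmod Lockfile Check

# Reusable workflow. Inside a called workflow the `github` context (including
# `github.event_name`) is the caller's, which is what the refusal step relies on.
on:
  workflow_call:
    inputs:
      working-directory:
        description: "Directory containing MODULE.bazel and MODULE.bazel.lock"
        required: false
        default: "."
        type: string

# Least privilege: both jobs only read the repository. A called workflow can
# narrow the caller's GITHUB_TOKEN but never widen it, so declaring this here
# is safe for every caller.
# NOTE(review): assumes setup-bazel-cache needs nothing beyond a read-only
# token (actions/cache saves fine with contents: read) — confirm if cache
# saves start failing after this change.
permissions:
  contents: read

jobs:
  # Runs `bazel mod tidy` and fails if it would change any tracked file.
  bzlmod-tidy-check:
    # Runner selection: a repo/org variable holding a JSON array of labels,
    # falling back to GitHub-hosted ubuntu-latest when neither variable is set.
    runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
    steps:
      # Must stay the first step: it fails the job before anything from the
      # triggering PR is checked out or evaluated by Bazel.
      - name: Refuse to run on pull_request_target
        if: github.event_name == 'pull_request_target'
        run: |
          echo "This workflow must not be called from pull_request_target."
          echo "That event has write access to repo secrets while checking out fork code,"
          echo "making it unsafe to run bazel on untrusted input."
          echo "Use pull_request or schedule instead."
          exit 1

      - name: Checkout repository
        # Pinned to a release tag. Tags are mutable; pinning to the full commit
        # SHA of the same release is the stronger supply-chain control.
        uses: actions/checkout@v4.2.2

      - name: Setup Bazel with shared caching
        # Same caveat as above: a tag, not an immutable SHA.
        uses: eclipse-score/cicd-actions/setup-bazel-cache@setup-bazel-cache/v0.0.0
        with:
          unique-cache-name: ${{ github.workflow }}-${{ github.job }}

      # Needed here as well as in the lockfile job: a freshly generated
      # MODULE.bazel.lock is untracked, so `git diff` below would not see it
      # and a missing lockfile would otherwise pass silently.
      - name: Verify MODULE.bazel and MODULE.bazel.lock exist
        working-directory: ${{ inputs.working-directory }}
        run: |
          if [ ! -f "MODULE.bazel" ]; then
            echo "MODULE.bazel not found in $PWD"
            exit 1
          fi
          if [ ! -f "MODULE.bazel.lock" ]; then
            echo "MODULE.bazel.lock is missing. Run: bazel mod tidy"
            exit 1
          fi

      # The actual tidy check (previously this job only set up Bazel and ran
      # no check at all). `git diff` compares the whole worktree regardless of
      # the working directory, so edits tidy makes to include files are caught
      # too. Untracked Bazel convenience symlinks (bazel-*) are not reported
      # by `git diff`, so they do not cause false positives.
      - name: Check that `bazel mod tidy` is a no-op
        working-directory: ${{ inputs.working-directory }}
        run: |
          bazel mod tidy
          if ! git diff --quiet --exit-code; then
            echo "'bazel mod tidy' modified tracked files. Run it locally and commit the result:"
            git --no-pager diff --stat
            exit 1
          fi

  # Runs `bazel mod deps --lockfile_mode=error` and fails if the lockfile does
  # not match the resolved dependency graph.
  bzlmod-lockfile-check:
    runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
    steps:
      # Must stay the first step; see the tidy job for why.
      - name: Refuse to run on pull_request_target
        if: github.event_name == 'pull_request_target'
        run: |
          echo "This workflow must not be called from pull_request_target."
          echo "That event has write access to repo secrets while checking out fork code,"
          echo "making it unsafe to run bazel on untrusted input."
          echo "Use pull_request or schedule instead."
          exit 1

      - name: Checkout repository
        # Tag pin; prefer the release's full commit SHA for immutability.
        uses: actions/checkout@v4.2.2

      - name: Setup Bazel with shared caching
        uses: eclipse-score/cicd-actions/setup-bazel-cache@setup-bazel-cache/v0.0.0
        with:
          unique-cache-name: ${{ github.workflow }}-${{ github.job }}

      - name: Verify MODULE.bazel and MODULE.bazel.lock exist
        working-directory: ${{ inputs.working-directory }}
        run: |
          if [ ! -f "MODULE.bazel" ]; then
            echo "MODULE.bazel not found in $PWD"
            exit 1
          fi
          if [ ! -f "MODULE.bazel.lock" ]; then
            echo "MODULE.bazel.lock is missing. Run: bazel mod tidy"
            exit 1
          fi

      # --lockfile_mode=error makes Bazel fail instead of silently rewriting
      # a stale or inconsistent MODULE.bazel.lock.
      - name: Check lockfile is up to date
        working-directory: ${{ inputs.working-directory }}
        run: bazel mod deps --lockfile_mode=error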