*: harden generated Bazel artifact workflow (#68243)

ref #68199

Author: hawkingrei

.github/workflows/check-bazel-prepare.yml

@@ -0,0 +1,42 @@
+name: Check Bazel Prepare
+on:
+  pull_request:
+    branches:
+      - master
+
+permissions:
+  contents: read
+
+concurrency:
+  group: check-bazel-prepare-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    name: Check Bazel Prepare
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: 1.25
+          cache: false
+      - name: Set up Bazelisk
+        uses: bazel-contrib/setup-bazel@0.16.0
+        with:
+          bazelisk-cache: false
+          repository-cache: false
+          external-cache: false
+      - name: Check Bazel Prepare
+        shell: bash
+        run: |
+          set -euo pipefail
+          # Avoid the TiDB CI path that assumes Jenkins-owned temp directories.
+          unset CI
+          make check-bazel-prepare

.github/workflows/generate-bazel-files.yml

@@ -42,7 +42,16 @@ jobs:
           sed -i '/ats.apps.svc/d' DEPS.bzl
           sed -i '/bazel-cache/d' WORKSPACE
           sed -i '/ats.apps.svc/d' WORKSPACE
-          make bazel_prepare
+          bazel run //:gazelle
+          bazel run //:gazelle -- update-repos -from_file=go.mod -to_macro DEPS.bzl%go_deps -build_file_proto_mode=disable -prune
+          bazel run \
+            --run_under="cd ${PWD} && " \
+            //tools/tazel:tazel
+
+          tmp_out="$(mktemp -d -t tidbbzl.XXXXXX)"
+          trap 'rm -rf "${tmp_out}"' EXIT
+          bazel run //cmd/mirror -- --mirror > "${tmp_out}/DEPS.bzl"
+          cp "${tmp_out}/DEPS.bzl" DEPS.bzl
       - name: Restore non-generated files
         shell: bash
         run: |
@@ -62,10 +71,16 @@ jobs:
             fi
 
             case "${path}" in
+              build/BUILD.bazel|build/*/BUILD.bazel)
+                ;;
+              WORKSPACE|WORKSPACE.bazel|build|build/*)
+                echo "Unsafe generated file path: ${path}" >&2
+                exit 1
+                ;;
               DEPS.bzl|*.bazel|*.bzl)
                 ;;
               *)
-                echo "Unexpected file changed by bazel_prepare: ${path}" >&2
+                echo "Unexpected generated file path: ${path}" >&2
                 exit 1
                 ;;
             esac

.github/workflows/update-bazel-files.yml

@@ -59,11 +59,10 @@ jobs:
 
           if [[ "${head_repo}" != "${REPOSITORY}" ]]; then
             echo "same_repo=false" >> "${GITHUB_OUTPUT}"
-            exit 0
+          else
+            echo "same_repo=true" >> "${GITHUB_OUTPUT}"
           fi
 
-          echo "same_repo=true" >> "${GITHUB_OUTPUT}"
-
           if [[ "${pr_head_sha}" != "${RUN_HEAD_SHA}" ]]; then
             echo "stale=true" >> "${GITHUB_OUTPUT}"
             exit 0
@@ -75,6 +74,42 @@ jobs:
         shell: bash
         run: |
           echo "Skip stale bazel update for PR #${{ steps.pr.outputs.pr_number }}."
+      - name: Download Fork Bazel Files Artifact
+        if: steps.pr.outputs.same_repo != 'true' && steps.pr.outputs.stale != 'true'
+        uses: actions/download-artifact@v4
+        with:
+          name: bazel-files
+          path: bazel-artifact
+          repository: ${{ github.repository }}
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+      - name: Report fork PR Bazel changes
+        if: steps.pr.outputs.same_repo != 'true' && steps.pr.outputs.stale != 'true'
+        shell: bash
+        env:
+          PR_NUMBER: ${{ steps.pr.outputs.pr_number }}
+          REPOSITORY: ${{ github.repository }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+        run: |
+          set -euo pipefail
+
+          patch_path="${PWD}/bazel-artifact/bazel.patch"
+          if [[ ! -f "${patch_path}" ]]; then
+            echo "Missing bazel.patch artifact for fork PR #${PR_NUMBER}." >&2
+            exit 1
+          fi
+
+          if [[ ! -s "${patch_path}" ]]; then
+            echo "No generated Bazel changes for fork PR #${PR_NUMBER}."
+            exit 0
+          fi
+
+          {
+            echo "Generated Bazel changes cannot be committed automatically for fork PR #${PR_NUMBER}."
+            echo "Run: gh run download ${RUN_ID} --repo ${REPOSITORY} --name bazel-files --dir bazel-artifact && git apply bazel-artifact/bazel.patch"
+          } | tee -a "${GITHUB_STEP_SUMMARY}"
+
+          exit 1
       - name: Checkout PR branch
         if: steps.pr.outputs.same_repo == 'true' && steps.pr.outputs.stale != 'true'
         uses: actions/checkout@v6
@@ -101,7 +136,7 @@ jobs:
           set -euo pipefail
 
           patch_path="${PWD}/bazel-artifact/bazel.patch"
-          summary="$(git apply --summary "${patch_path}")"
+          summary="$(git -C pr apply --summary "${patch_path}")"
 
           while IFS= read -r line; do
             case "${line}" in
@@ -126,6 +161,12 @@ jobs:
                 echo "Unexpected patch path: ${path}" >&2
                 exit 1
                 ;;
+              build/BUILD.bazel|build/*/BUILD.bazel)
+                ;;
+              WORKSPACE|WORKSPACE.bazel|build|build/*)
+                echo "Unsafe patch path: ${path}" >&2
+                exit 1
+                ;;
               DEPS.bzl|*.bazel|*.bzl)
                 ;;
               *)
@@ -139,7 +180,7 @@ jobs:
               exit 1
             fi
             seen_paths["${path}"]=1
-          done < <(git apply --numstat -z "${patch_path}")
+          done < <(git -C pr apply --numstat -z "${patch_path}")
 
           git -C pr apply --check --index "${patch_path}"
           git -C pr apply --index "${patch_path}"