@albertocavalcante albertocavalcante commented Jun 9, 2025

Summary by CodeRabbit

  • Chores
    • Updated external dependencies to newer versions for improved stability and compatibility. No changes to user-facing features.

coderabbitai bot commented Jun 9, 2025

Walkthrough

This change updates the versions and SHA256 checksums of several external dependencies in the WORKSPACE.bazel file, specifically for rules_java, io_bazel_stardoc, and aspect_bazel_lib. No other modifications or logic changes are introduced.

Changes

File(s) Summary
WORKSPACE.bazel Updated versions and SHA256 checksums for rules_java, io_bazel_stardoc, and aspect_bazel_lib external repositories.

Poem

Hopping through the WORKSPACE file,
I nibbled on versions for a while.
Checksums crisp and URLs new,
Dependencies fresh, the build hops true!
With every upgrade, I leap with glee—
Bazel’s garden is bug-free! 🥕


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d54ef77 and 76fbc7b.

📒 Files selected for processing (1)
  • WORKSPACE.bazel (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: Build and Test
🔇 Additional comments (3)
WORKSPACE.bazel (3)

6-11:

❓ Verification inconclusive

Confirm SHA256 for rules_java 7.4.0 bump
You’ve updated rules_java to v7.4.0 and adjusted the URL/sha256. Please verify the checksum matches the release tarball.


🏁 Script executed:

#!/bin/bash
# Verify rules_java v7.4.0 checksum
curl -L https://github.com/bazelbuild/rules_java/releases/download/7.4.0/rules_java-7.4.0.tar.gz | sha256sum

Length of output: 656


🏁 Script executed:

#!/usr/bin/env bash
# Verify rules_java v7.4.0 checksum using OpenSSL
curl -L https://github.com/bazelbuild/rules_java/releases/download/7.4.0/rules_java-7.4.0.tar.gz |
  openssl dgst -sha256

Length of output: 665


Confirm SHA256 for rules_java 7.4.0 bump
You’ve updated rules_java to v7.4.0 in WORKSPACE.bazel (sha256 = 976ef08b49c929741f201790e59e3807c72ad81f428c8bc953cdbeff5fed15eb). Please verify that this checksum matches the official release tarball. For environments without sha256sum or openssl, you can use Python:

Compare the printed hash against
976ef08b49c929741f201790e59e3807c72ad81f428c8bc953cdbeff5fed15eb.
If the script fails, please download and verify locally.


🏁 Script executed:

#!/usr/bin/env bash
python3 << 'EOF'
import urllib.request, hashlib
url = "https://github.com/bazelbuild/rules_java/releases/download/7.4.0/rules_java-7.4.0.tar.gz"
h = hashlib.sha256()
with urllib.request.urlopen(url) as r:
    for chunk in iter(lambda: r.read(8192), b""):
        h.update(chunk)
print("SHA256:", h.hexdigest())
EOF

Length of output: 2591


Manual SHA256 Verification Required for rules_java v7.4.0
You’ve bumped rules_java to v7.4.0 in WORKSPACE.bazel (sha256 = 976ef08b49c929741f201790e59e3807c72ad81f428c8bc953cdbeff5fed15eb). Our sandbox couldn’t compute the hash automatically. Please verify locally that the checksum matches the official tarball:

curl -L https://github.com/bazelbuild/rules_java/releases/download/7.4.0/rules_java-7.4.0.tar.gz \
  | sha256sum

or, if sha256sum isn’t available:

openssl dgst -sha256 rules_java-7.4.0.tar.gz

Ensure the printed hash equals
976ef08b49c929741f201790e59e3807c72ad81f428c8bc953cdbeff5fed15eb.


24-30:

❓ Verification inconclusive

Confirm SHA256 for io_bazel_stardoc 0.5.6 bump
You’ve bumped stardoc to v0.5.6 and updated its URLs/checksum. Please verify the SHA256 matches the archive.


🏁 Script executed:

#!/bin/bash
# Verify stardoc v0.5.6 checksum
curl -L https://github.com/bazelbuild/stardoc/releases/download/0.5.6/stardoc-0.5.6.tar.gz | sha256sum

Length of output: 650


Let’s re-run the checksum verification using Python (since sha256sum isn’t available in the sandbox):


🏁 Script executed:

#!/bin/bash
# Re-verify stardoc v0.5.6 SHA256 using Python
curl -sL https://github.com/bazelbuild/stardoc/releases/download/0.5.6/stardoc-0.5.6.tar.gz \
  | python3 - << 'EOF'
import hashlib, sys
print(hashlib.sha256(sys.stdin.buffer.read()).hexdigest())
EOF

Length of output: 170


Manual SHA256 verification required for io_bazel_stardoc v0.5.6
The sandbox download failed (the hash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the empty‐input digest). Please run locally:

curl -L https://github.com/bazelbuild/stardoc/releases/download/0.5.6/stardoc-0.5.6.tar.gz | sha256sum

and confirm that it matches the sha256 in WORKSPACE.bazel.


37-41:

❓ Verification inconclusive

Confirm SHA256 and strip_prefix for aspect_bazel_lib 2.17.1 bump
You’ve upgraded bazel-lib to v2.17.1 with updated URL/sha256 and strip_prefix. Ensure the checksum is correct and the strip_prefix matches the top‐level directory in the tarball.


🏁 Script executed:

#!/bin/bash
# Verify aspect_bazel_lib v2.17.1 checksum
curl -L https://github.com/bazel-contrib/bazel-lib/releases/download/v2.17.1/bazel-lib-v2.17.1.tar.gz | sha256sum
# Confirm strip_prefix
curl -L https://github.com/bazel-contrib/bazel-lib/releases/download/v2.17.1/bazel-lib-v2.17.1.tar.gz | tar tzf - | head -n1

Length of output: 1282


🏁 Script executed:

#!/bin/bash
set -euo pipefail

URL="https://github.com/bazel-contrib/bazel-lib/releases/download/v2.17.1/bazel-lib-v2.17.1.tar.gz"

echo "Computing SHA256 with openssl:"
curl -fsSL "$URL" | openssl dgst -sha256

echo "Verifying strip_prefix:"
curl -fsSL "$URL" | tar tzf - | head -n1

Length of output: 467


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

URL="https://github.com/bazel-contrib/bazel-lib/releases/download/v2.17.1/bazel-lib-v2.17.1.tar.gz"

echo "Computing SHA256 digest via Python:"
curl -fsSL "$URL" | python3 - << 'EOF'
import hashlib, sys
h = hashlib.sha256()
for chunk in iter(lambda: sys.stdin.buffer.read(8192), b''):
    h.update(chunk)
print(h.hexdigest())
EOF

echo "Verifying strip_prefix:"
curl -fsSL "$URL" | tar tzf - | head -n1

Length of output: 433


Confirm SHA256 and strip_prefix for aspect_bazel_lib v2.17.1 bump
Automated checksum validation in this environment failed (missing tools). Please manually verify that the SHA256 matches e5131e44db23459bd1ed04635f2ae5436bc83f5e38629e07b75c0bf206f09245 and that the top-level directory in the tarball is bazel-lib-2.17.1/.

Suggested commands:

curl -L https://github.com/bazel-contrib/bazel-lib/releases/download/v2.17.1/bazel-lib-v2.17.1.tar.gz \
  | sha256sum

curl -L https://github.com/bazel-contrib/bazel-lib/releases/download/v2.17.1/bazel-lib-v2.17.1.tar.gz \
  | tar tzf - | head -n1

@greptile-apps greptile-apps bot left a comment

1 file(s) reviewed, no comment(s)

@gemini-code-assist gemini-code-assist bot left a comment

Hello @albertocavalcante, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello! Gemini here, providing a summary of this pull request to help everyone get up to speed quickly. This PR, authored by @albertocavalcante, is focused on performing routine dependency updates within the WORKSPACE.bazel file. Specifically, it bumps the versions of rules_java, stardoc, and aspect_bazel_lib to their latest versions and updates the corresponding SHA256 hashes and URLs.

Highlights

  • Dependency Update: rules_java: The rules_java dependency is updated from version 7.3.1 to 7.4.0. This involves updating the sha256 hash and the download URL in the http_archive definition.
  • Dependency Update: stardoc: The io_bazel_stardoc dependency, used for documentation generation, is updated from version 0.5.0 to 0.5.6. This includes updating the sha256 hash and the download URLs.
  • Dependency Update: aspect_bazel_lib: The aspect_bazel_lib dependency is updated from version 2.14.0 to 2.17.1. This requires updating the sha256 hash, the download URL, and the strip_prefix value to match the new version.

Changelog

  • WORKSPACE.bazel
    • Updated rules_java from 7.3.1 to 7.4.0 (lines 7-9)
    • Updated io_bazel_stardoc from 0.5.0 to 0.5.6 (lines 25-28)
    • Updated aspect_bazel_lib from 2.14.0 to 2.17.1, including updating strip_prefix (lines 38-40)

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates several Bazel dependencies: rules_java, stardoc, and bazel_lib. Dependency updates are important for keeping the build system modern and secure, but they also require careful verification.

My main concerns revolve around ensuring the correctness of the new SHAs, verifying the new strip_prefix for aspect_bazel_lib, and addressing a potentially critical breaking change introduced by rules_java 7.4.0 regarding toolchain_type. Thorough testing is also essential after these updates.

Summary of Findings

  • Critical: rules_java Breaking Change: The update to rules_java 7.4.0 requires a change in how Java toolchains are typed (@rules_java//java:toolchain_type instead of @bazel_tools//tools/jdk:toolchain_type). This will likely break the current build as BUILD.bazel uses the old type. This needs to be addressed.
  • Critical: SHA256 Verification: All updated SHA256 checksums for rules_java, stardoc, and aspect_bazel_lib must be verified against the downloaded artifacts to ensure integrity and prevent supply chain attacks. This was highlighted in review comments.
  • Critical: aspect_bazel_lib strip_prefix Verification: The strip_prefix for aspect_bazel_lib needs to be confirmed to match the archive structure of the new version. This was highlighted in a review comment.
  • High: Testing: It's crucial to thoroughly test the project (build and all tests) with these new dependency versions to catch any regressions or compatibility issues beyond the identified rules_java breaking change.
  • Medium: Changelog Review: Reviewing the changelogs for rules_java (7.3.1 to 7.4.0), stardoc (0.5.0 to 0.5.6), and aspect_bazel_lib (2.14.0 to 2.17.1) is recommended to be aware of any other notable changes, features, or deprecations.
  • Medium: Security Audit: It's advisable to check if these new dependency versions have any known security vulnerabilities.
  • Low: PR Description Enhancement (Process Improvement): For future dependency bump PRs, consider including links to release notes, confirmation of SHA verification, and a summary of testing performed in the PR description. This greatly helps reviewers. (Not commented on directly due to review settings).

Merge Readiness

This pull request updates critical build dependencies. Due to the identified critical issues, particularly the breaking change in rules_java and the need for SHA256/strip_prefix verification, I recommend that these changes not be merged until these points are fully addressed and verified.

Specifically:

  1. The rules_java toolchain type incompatibility must be resolved (likely requiring changes in BUILD.bazel) and tested.
  2. All SHA256 checksums and the strip_prefix for aspect_bazel_lib must be confirmed as correct.
  3. The project should build successfully and all tests should pass with these updated dependencies.

As an AI, I am not authorized to approve pull requests. Please ensure these concerns are addressed and further reviewed before merging.

Comment on lines +7 to +9
sha256 = "976ef08b49c929741f201790e59e3807c72ad81f428c8bc953cdbeff5fed15eb",
urls = [
"https://github.com/bazelbuild/rules_java/releases/download/7.3.1/rules_java-7.3.1.tar.gz",
"https://github.com/bazelbuild/rules_java/releases/download/7.4.0/rules_java-7.4.0.tar.gz",
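Review bot: the urls list for rules_java on line 9 holds only the github.com release URL, so a fetch has no fallback if that host is unreachable. If a mirror serves the same 7.4.0 archive, list it alongside the GitHub URL, as the stardoc entry further down does; the single sha256 on line 7 then covers both sources.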

critical

Updating rules_java to 7.4.0 is a good step. However, there are a couple of critical points to address:

  1. SHA256 Verification: Has the new SHA256 (976ef08b49c929741f201790e59e3807c72ad81f428c8bc953cdbeff5fed15eb) for rules_java 7.4.0 been verified against the artifact downloaded from the updated URL? This is crucial for security and integrity.

  2. Breaking Change: rules_java 7.4.0 introduces a significant change:

    Java toolchains are now configured using toolchain type @rules_java//java:toolchain_type instead of @bazel_tools//tools/jdk:toolchain_type.
    (Source: rules_java 7.4.0 Release Notes)

    Our project's BUILD.bazel file (line 21) currently defines default_remotejdk_11_toolchain using @bazel_tools//tools/jdk:toolchain_type. This update to rules_java will likely break the build unless BUILD.bazel is also updated to use @rules_java//java:toolchain_type.

Could you please confirm that the SHA256 is correct and outline how the breaking change regarding toolchain_type will be addressed? Has this been tested with the necessary changes in BUILD.bazel?

Comment on lines +25 to +28
sha256 = "dfbc364aaec143df5e6c52faf1f1166775a5b4408243f445f44b661cfdc3134f",
urls = [
"https://mirror.bazel.build/github.com/bazelbuild/stardoc/releases/download/0.5.0/stardoc-0.5.0.tar.gz",
"https://github.com/bazelbuild/stardoc/releases/download/0.5.0/stardoc-0.5.0.tar.gz",
"https://mirror.bazel.build/github.com/bazelbuild/stardoc/releases/download/0.5.6/stardoc-0.5.6.tar.gz",
"https://github.com/bazelbuild/stardoc/releases/download/0.5.6/stardoc-0.5.6.tar.gz",
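Review bot: the sha256 on line 25 is the only thing tying the mirror.bazel.build URL on line 27 and the github.com URL on line 28 to the same bytes, so it should be checked against both downloads rather than whichever one answered first. Note in the PR description which source the digest was taken from.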

critical

For the stardoc update to version 0.5.6:

Has the new SHA256 (dfbc364aaec143df5e6c52faf1f1166775a5b4408243f445f44b661cfdc3134f) been verified against the artifacts downloaded from the updated URLs? Ensuring the checksum matches the downloaded content is vital.

Comment on lines +38 to +40
sha256 = "e5131e44db23459bd1ed04635f2ae5436bc83f5e38629e07b75c0bf206f09245",
strip_prefix = "bazel-lib-2.17.1",
url = "https://github.com/bazel-contrib/bazel-lib/releases/download/v2.17.1/bazel-lib-v2.17.1.tar.gz",
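Review bot: strip_prefix on line 39 is bazel-lib-2.17.1 while the archive on line 40 is named bazel-lib-v2.17.1.tar.gz, so the directory name drops the v that the file name and tag carry. List the archive's top-level directory and record the result in the PR, since a prefix that does not match a directory in the archive makes the fetch fail.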

critical

Regarding the aspect_bazel_lib update to version 2.17.1:

  1. SHA256 Verification: Has the new SHA256 (e5131e44db23459bd1ed04635f2ae5436bc83f5e38629e07b75c0bf206f09245) been verified against the artifact from the new URL?
  2. Strip Prefix: The strip_prefix has been updated to bazel-lib-2.17.1. Has it been confirmed that this matches the directory structure within the downloaded bazel-lib-v2.17.1.tar.gz archive?

These checks are important for the correct integration of the dependency.
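
The checks both review bots ask for in this thread (CodeRabbit's checksum and strip_prefix verification, and Gemini's inline comments), as an added example that is not part of the original conversation or the project's code. The function names and the demo-lib archive are constructed for illustration; the empty-input digest is the one quoted in the stardoc comment.

```python
import hashlib
import io
import tarfile
import urllib.request

# SHA-256 of zero bytes: the value a hashing step prints when it was given no data.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def fetch(url: str) -> bytes:
    """Download an archive; urlopen raises on HTTP errors instead of yielding nothing."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read()


def top_level_dirs(data: bytes) -> set:
    """Top-level path components of a tar archive (compression auto-detected)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        names = [m.name[2:] if m.name.startswith("./") else m.name for m in tar]
    return {n.split("/", 1)[0] for n in names if n}


def check_pin(data: bytes, pinned_sha256: str, strip_prefix: str = "") -> list:
    """Return the problems found; an empty list means the pin matches the archive."""
    pinned = pinned_sha256.strip().lower()
    if pinned == EMPTY_SHA256:
        return ["pinned sha256 is the empty-input digest (copied from a failed run?)"]
    if not data:
        return ["download is empty; hashing it only yields the empty-input digest"]
    problems = []
    actual = hashlib.sha256(data).hexdigest()
    if actual != pinned:
        problems.append(f"sha256 mismatch: pinned {pinned}, archive {actual}")
    if strip_prefix:
        try:
            tops = top_level_dirs(data)
        except tarfile.TarError as exc:
            return problems + [f"not a readable tar archive: {exc}"]
        first = strip_prefix.strip("/").split("/", 1)[0]
        if first not in tops:
            problems.append(
                f"strip_prefix {strip_prefix!r} not in archive; top level is {sorted(tops)}")
    return problems


def build_sample_archive(top_dir: str) -> bytes:
    """Constructed input: a tiny .tar.gz with one file under top_dir (not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"# constructed sample\n"
        info = tarfile.TarInfo(f"{top_dir}/MODULE.bazel")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive("demo-lib-1.2.3")  # stands in for demo-lib-v1.2.3.tar.gz
    good = hashlib.sha256(sample).hexdigest()
    print(check_pin(sample, good, "demo-lib-1.2.3"))   # pin and prefix both match
    print(check_pin(sample, good, "demo-lib-v1.2.3"))  # prefix carries a stray "v"
    print(check_pin(b"", good))                        # nothing was downloaded
```

For a real dependency, pass `fetch(url)` for each entry in `urls` together with the `sha256` and `strip_prefix` values from WORKSPACE.bazel.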

@albertocavalcante albertocavalcante merged commit bdd1d42 into main Jun 9, 2025
3 checks passed
@albertocavalcante albertocavalcante deleted the bump-rules branch June 9, 2025 01:25