windows support

Author: peakschris

.bazelrc

@@ -1,12 +1,15 @@
 # Bazel settings that apply to this repository.
 # Take care to document any settings that you expect users to apply.
 # Settings that apply only to CI are in .github/workflows/ci.bazelrc
+common --enable_platform_specific_config
 
 build --incompatible_strict_action_env
 build --nolegacy_external_runfiles
 common --test_env=DOCKER_HOST --action_env=DOCKER_HOST --repo_env=DOCKER_HOST
+common --test_env=APPDATA --action_env=APPDATA --repo_env=APPDATA
+common --test_env=PROGRAMDATA --action_env=PROGRAMDATA --repo_env=PROGRAMDATA
 
-# On bazel 6.4.0 these are needed to successfully fetch images.
+# On bazel 6.5.0 these are needed to successfully fetch images.
 common:needs_credential_helpers --credential_helper=public.ecr.aws=%workspace%/examples/credential_helper/auth.sh
 common:needs_credential_helpers --credential_helper=index.docker.io=%workspace%/examples/credential_helper/auth.sh
 common:needs_credential_helpers --credential_helper=docker.elastic.co=%workspace%/examples/credential_helper/auth.sh
@@ -17,6 +20,14 @@ common:needs_credential_helpers --credential_helper_cache_duration=0
 # https://bazelbuild.slack.com/archives/C014RARENH0/p1691158021917459?thread_ts=1691156601.420349&cid=C014RARENH0
 common --check_direct_dependencies=off
 
+# Symlinks are pretty much required on windows so enable by default
+startup --windows_enable_symlinks
+
+# Point tools such as coursier (used in rules_jvm_external) to Bazel's downloaded JDK
+# suggested in https://github.com/bazelbuild/rules_jvm_external/issues/445
+common --repo_env=JAVA_HOME=../bazel_tools/jdk
+common --action_env=JAVA_HOME=../bazel_tools/jdk
+
 # Load any settings specific to the current user.
 # .bazelrc.user should appear in .gitignore so that settings are not shared with team members
 # This needs to be last statement in this

.bazelversion

@@ -1,4 +1,4 @@
-7.4.1
+7.6.1
 
 # The first line of this file is used by Bazelisk and Bazel to be sure
 # the right version of Bazel is used to build and test this repo.

.github/workflows/ci.yaml

@@ -26,9 +26,9 @@ jobs:
       - id: bazel_7
         run: echo "bazelversion=$(head -n 1 .bazelversion)" >> $GITHUB_OUTPUT
       - id: bazel_6
-        run: echo "bazelversion=6.4.0" >> $GITHUB_OUTPUT
+        run: echo "bazelversion=6.5.0" >> $GITHUB_OUTPUT
     outputs:
-      # Will look like ["<version from .bazelversion>", "6.4.0"]
+      # Will look like ["<version from .bazelversion>", "6.5.0"]
       bazelversions: ${{ toJSON(steps.*.outputs.bazelversion) }}
 
   matrix-prep-os:
@@ -43,8 +43,10 @@ jobs:
         run: echo "os=macos-13" >> $GITHUB_OUTPUT
         # Don't run MacOS if there is no TestContainers API token which is the case on forks. We need it for container tests.
         if: ${{ env.TC_CLOUD_TOKEN != '' }}
+      - id: windows
+        run: echo "os=windows" >> $GITHUB_OUTPUT
     outputs:
-      # Will look like ["ubuntu-latest", "macos-13"]
+      # Will look like ["ubuntu-latest", "macos-13", "windows"]
       os: ${{ toJSON(steps.*.outputs.os) }}
 
   test:
@@ -74,13 +76,15 @@ jobs:
           - os: macos-13
             folder: e2e/assertion
           - os: macos-13
-            bazelversion: 6.4.0
+            bazelversion: 6.5.0
+          - os: windows
+            bazelversion: 6.5.0
           - folder: .
-            bazelversion: 6.4.0
+            bazelversion: 6.5.0
           - folder: examples/dockerfile
             bzlmodEnabled: false
           - folder: examples/dockerfile
-            bazelversion: 6.4.0
+            bazelversion: 6.5.0
           # e2e/assertion is bzlmod only but it has test for both cases.
           - folder: e2e/assertion
             bzlmodEnabled: false
@@ -121,12 +125,12 @@ jobs:
         # Add --config needs_credential_helpers to add additional credential helpers
         # to fetch from registries with HTTP headers set by credential helpers.
         id: set_credential_helper_flag
-        if: matrix.bazelversion == '6.4.0' && matrix.folder == '.'
+        if: matrix.bazelversion == '6.5.0' && matrix.folder == '.'
         run: echo "credential_helper_flag=--config=needs_credential_helpers" >> $GITHUB_OUTPUT
 
       - name: Setup crane for credential helpers to use
         uses: imjasonh/setup-crane@v0.3
-        if: matrix.bazelversion == '6.4.0' && matrix.folder == '.'
+        if: matrix.bazelversion == '6.5.0' && matrix.folder == '.'
         with:
           version: "v0.19.1"
 

MODULE.bazel

@@ -2,13 +2,15 @@
 
 module(
     name = "rules_oci",
+    bazel_compatibility = [">=6.5.0"],
     compatibility_level = 1,
 )
 
-bazel_dep(name = "aspect_bazel_lib", version = "2.7.2")
+bazel_dep(name = "aspect_bazel_lib", version = "2.21.0")
 bazel_dep(name = "bazel_features", version = "1.10.0")
 bazel_dep(name = "bazel_skylib", version = "1.5.0")
 bazel_dep(name = "platforms", version = "0.0.8")
+bazel_dep(name = "tar.bzl", version = "0.5.5")
 
 oci = use_extension("//oci:extensions.bzl", "oci")
 oci.toolchains()

cosign/private/attest.bzl

@@ -1,5 +1,8 @@
 "Implementation details for attest rule"
 
+load("@aspect_bazel_lib//lib:paths.bzl", "BASH_RLOCATION_FUNCTION", "to_rlocation_path")
+load("@aspect_bazel_lib//lib:windows_utils.bzl", "create_windows_native_launcher_script")
+
 _DOC = """Attest an oci_image using cosign binary at a remote registry.
 
 ```starlark
@@ -52,8 +55,17 @@ _attrs = {
         Digests and tags are not allowed. If this attribute is not set, the repository must be passed at runtime via the `--repository` flag.
     """),
     "_attest_sh_tpl": attr.label(default = "attest.sh.tpl", allow_single_file = True),
+    "_runfiles": attr.label(default = "@bazel_tools//tools/bash/runfiles"),
 }
 
+def _windows_host(ctx):
+    """Returns true if the host platform is windows.
+    
+    The typical approach using ctx.target_platform_has_constraint does not work for transitioned
+    build targets. We need to know the host platform, not the target platform.
+    """
+    return ctx.configuration.host_path_separator == ";"
+
 def _cosign_attest_impl(ctx):
     cosign = ctx.toolchains["@rules_oci//cosign:toolchain_type"]
     jq = ctx.toolchains["@aspect_bazel_lib//lib:jq_toolchain_type"]
@@ -63,31 +75,34 @@ def _cosign_attest_impl(ctx):
 
     fixed_args = [
         "--predicate",
-        ctx.file.predicate.short_path,
+        to_rlocation_path(ctx, ctx.file.predicate),
         "--type",
         ctx.attr.type,
     ]
     if ctx.attr.repository:
         fixed_args.extend(["--repository", ctx.attr.repository])
 
-    executable = ctx.actions.declare_file("cosign_attest_{}.sh".format(ctx.label.name))
+    bash_launcher = ctx.actions.declare_file("cosign_attest_{}.sh".format(ctx.label.name))
     ctx.actions.expand_template(
         template = ctx.file._attest_sh_tpl,
-        output = executable,
+        output = bash_launcher,
         is_executable = True,
         substitutions = {
-            "{{cosign_path}}": cosign.cosign_info.binary.short_path,
-            "{{jq_path}}": jq.jqinfo.bin.short_path,
-            "{{image_dir}}": ctx.file.image.short_path,
+            "{{BASH_RLOCATION_FUNCTION}}": BASH_RLOCATION_FUNCTION,
+            "{{cosign_path}}": to_rlocation_path(ctx, cosign.cosign_info.binary),
+            "{{jq_path}}": to_rlocation_path(ctx, jq.jqinfo.bin),
+            "{{image_dir}}": to_rlocation_path(ctx, ctx.file.image),
             "{{fixed_args}}": " ".join(fixed_args),
             "{{type}}": ctx.attr.type,
         },
     )
 
-    runfiles = ctx.runfiles(files = [ctx.file.image, ctx.file.predicate])
+    executable = create_windows_native_launcher_script(ctx, bash_launcher) if _windows_host(ctx) else bash_launcher
+    runfiles = ctx.runfiles(files = [ctx.file.image, ctx.file.predicate, bash_launcher])
     runfiles = runfiles.merge(ctx.attr.image[DefaultInfo].default_runfiles)
     runfiles = runfiles.merge(jq.default.default_runfiles)
     runfiles = runfiles.merge(cosign.default.default_runfiles)
+    runfiles = runfiles.merge(ctx.attr._runfiles.default_runfiles)
 
     return DefaultInfo(executable = executable, runfiles = runfiles)
 
@@ -97,6 +112,7 @@ cosign_attest = rule(
     doc = _DOC,
     executable = True,
     toolchains = [
+        "@bazel_tools//tools/sh:toolchain_type",
         "@rules_oci//cosign:toolchain_type",
         "@aspect_bazel_lib//lib:jq_toolchain_type",
     ],

cosign/private/attest.sh.tpl

@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
 set -o pipefail -o errexit -o nounset
 
-readonly COSIGN="{{cosign_path}}"
-readonly JQ="{{jq_path}}"
-readonly IMAGE_DIR="{{image_dir}}"
+{{BASH_RLOCATION_FUNCTION}}
+
+readonly COSIGN="$(rlocation "{{cosign_path}}")"
+readonly JQ="$(rlocation "{{jq_path}}")"
+readonly IMAGE_DIR="$(rlocation "{{image_dir}}")"
 readonly DIGEST=$("${JQ}" -r '.manifests[].digest' "${IMAGE_DIR}/index.json")
 readonly FIXED_ARGS=({{fixed_args}})
 
@@ -15,11 +17,14 @@ fi
 
 REPOSITORY=""
 ARGS=()
+PREDICATE=""
 
 while (( $# > 0 )); do
     case "$1" in
     --repository) shift; REPOSITORY="$1"; shift ;;
     (--repository=*) REPOSITORY="${1#--repository=}"; shift ;;
+    --predicate) shift; PREDICATE="$(rlocation "$1")"; shift ;;
+    (--predicate=*) PREDICATE="$(rlocation "${1#--predicate=}")"; shift ;;
     *) ARGS+=( "$1" ); shift ;;
     esac
 done
@@ -29,5 +34,5 @@ if [[ -z "${REPOSITORY}" ]]; then
     exit 1
 fi
 
-exec "${COSIGN}" attest "${REPOSITORY}@${DIGEST}" ${ARGS[@]+"${ARGS[@]}"}
+exec "${COSIGN}" attest "${REPOSITORY}@${DIGEST}" --predicate "${PREDICATE}" ${ARGS[@]+"${ARGS[@]}"}
 

cosign/private/sign.bzl

@@ -1,5 +1,8 @@
 "Implementation details for sign rule"
 
+load("@aspect_bazel_lib//lib:paths.bzl", "BASH_RLOCATION_FUNCTION", "to_rlocation_path")
+load("@aspect_bazel_lib//lib:windows_utils.bzl", "create_windows_native_launcher_script")
+
 _DOC = """Sign an oci_image using cosign binary at a remote registry.
 
 It signs the image by its digest determined beforehand.
@@ -48,37 +51,49 @@ _attrs = {
         Digests and tags are not allowed. If this attribute is not set, the repository must be passed at runtime via the `--repository` flag.
     """),
     "_sign_sh_tpl": attr.label(default = "sign.sh.tpl", allow_single_file = True),
+    "_runfiles": attr.label(default = "@bazel_tools//tools/bash/runfiles"),
 }
 
+def _windows_host(ctx):
+    """Returns true if the host platform is windows.
+    
+    The typical approach using ctx.target_platform_has_constraint does not work for transitioned
+    build targets. We need to know the host platform, not the target platform.
+    """
+    return ctx.configuration.host_path_separator == ";"
+
 def _cosign_sign_impl(ctx):
     cosign = ctx.toolchains["@rules_oci//cosign:toolchain_type"]
     jq = ctx.toolchains["@aspect_bazel_lib//lib:jq_toolchain_type"]
 
     if ctx.attr.repository and (ctx.attr.repository.find(":") != -1 or ctx.attr.repository.find("@") != -1):
         fail("repository attribute should not contain digest or tag.")
 
-    executable = ctx.actions.declare_file("cosign_sign_{}.sh".format(ctx.label.name))
+    bash_launcher = ctx.actions.declare_file("cosign_sign_{}.sh".format(ctx.label.name))
 
     fixed_args = []
     if ctx.attr.repository:
         fixed_args.extend(["--repository", ctx.attr.repository])
 
     ctx.actions.expand_template(
         template = ctx.file._sign_sh_tpl,
-        output = executable,
+        output = bash_launcher,
         is_executable = True,
         substitutions = {
-            "{{cosign_path}}": cosign.cosign_info.binary.short_path,
-            "{{jq_path}}": jq.jqinfo.bin.short_path,
-            "{{image_dir}}": ctx.file.image.short_path,
+            "{{BASH_RLOCATION_FUNCTION}}": BASH_RLOCATION_FUNCTION,
+            "{{cosign_path}}": to_rlocation_path(ctx, cosign.cosign_info.binary),
+            "{{jq_path}}": to_rlocation_path(ctx, jq.jqinfo.bin),
+            "{{image_dir}}": to_rlocation_path(ctx, ctx.file.image),
             "{{fixed_args}}": " ".join(fixed_args),
         },
     )
 
-    runfiles = ctx.runfiles(files = [ctx.file.image])
+    executable = create_windows_native_launcher_script(ctx, bash_launcher) if _windows_host(ctx) else bash_launcher
+    runfiles = ctx.runfiles(files = [ctx.file.image, bash_launcher])
     runfiles = runfiles.merge(ctx.attr.image[DefaultInfo].default_runfiles)
     runfiles = runfiles.merge(jq.default.default_runfiles)
     runfiles = runfiles.merge(cosign.default.default_runfiles)
+    runfiles = runfiles.merge(ctx.attr._runfiles.default_runfiles)
 
     return DefaultInfo(executable = executable, runfiles = runfiles)
 
@@ -88,6 +103,7 @@ cosign_sign = rule(
     doc = _DOC,
     executable = True,
     toolchains = [
+        "@bazel_tools//tools/sh:toolchain_type",
         "@rules_oci//cosign:toolchain_type",
         "@aspect_bazel_lib//lib:jq_toolchain_type",
     ],

cosign/private/sign.sh.tpl

@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
 set -o pipefail -o errexit -o nounset
 
-readonly COSIGN="{{cosign_path}}"
-readonly JQ="{{jq_path}}"
-readonly IMAGE_DIR="{{image_dir}}"
+{{BASH_RLOCATION_FUNCTION}}
+
+readonly COSIGN="$(rlocation "{{cosign_path}}")"
+readonly JQ="$(rlocation "{{jq_path}}")"
+readonly IMAGE_DIR="$(rlocation "{{image_dir}}")"
 readonly DIGEST=$("${JQ}" -r '.manifests[].digest' "${IMAGE_DIR}/index.json")
 readonly FIXED_ARGS=({{fixed_args}})
 

cosign/private/versions.bzl

@@ -9,6 +9,8 @@ COSIGN_VERSIONS = {
         "linux-arm64": "sha256-sIjWdvDAEjuMNI4Y1CHPlmAg7cSXekhhFaEmQ96pmj8=",
         "linux-ppc64le": "sha256-IaAWkdvfyzUbTpTM9QGk6HNyLPX+b2epc172bstBlB0=",
         "linux-s390x": "sha256-1yzyiRkNKMacuVxeMhOaoZgf/KCoQyfImgErsfOoBR0=",
+        "windows-amd64": "sha256-9/Jy1WxYCw7Jb1m/6fiOxfQrbhld8AnONBdCjg4N6tE=",
+        "windows-arm64": "sha256-Adj8SzLWM8E5KqJkrtIlPB4ML7CSFvjizCabs7i7SbU=",
     },
     "v2.0.2": {
         "darwin-amd64": "sha256-D1HL4ZoxW5GehwQvBIUzGCFyLst/ziLMG4gO1IM/yLA=",

cosign/repositories.bzl

@@ -20,6 +20,8 @@ def _cosign_repo_impl(repository_ctx):
         version = repository_ctx.attr.cosign_version,
         platform = platform,
     )
+    if ("windows" in repository_ctx.attr.platform):
+        url += ".exe"
     repository_ctx.download(
         url = url,
         output = "cosign",