windows support

.bazelrc

@@ -1,12 +1,15 @@
 # Bazel settings that apply to this repository.
 # Take care to document any settings that you expect users to apply.
 # Settings that apply only to CI are in .github/workflows/ci.bazelrc
+common --enable_platform_specific_config
 
 build --incompatible_strict_action_env
 build --nolegacy_external_runfiles
 common --test_env=DOCKER_HOST --action_env=DOCKER_HOST --repo_env=DOCKER_HOST
+common:windows --test_env=APPDATA --action_env=APPDATA --repo_env=APPDATA
+common:windows --test_env=PROGRAMDATA --action_env=PROGRAMDATA --repo_env=PROGRAMDATA
 
-# On bazel 6.4.0 these are needed to successfully fetch images.
+# On bazel 6.5.0 these are needed to successfully fetch images.
 common:needs_credential_helpers --credential_helper=public.ecr.aws=%workspace%/examples/credential_helper/auth.sh
 common:needs_credential_helpers --credential_helper=index.docker.io=%workspace%/examples/credential_helper/auth.sh
 common:needs_credential_helpers --credential_helper=docker.elastic.co=%workspace%/examples/credential_helper/auth.sh
@@ -17,6 +20,14 @@ common:needs_credential_helpers --credential_helper_cache_duration=0
 # https://bazelbuild.slack.com/archives/C014RARENH0/p1691158021917459?thread_ts=1691156601.420349&cid=C014RARENH0
 common --check_direct_dependencies=off
 
+# Symlinks are pretty much required on windows so enable by default
+startup --windows_enable_symlinks
+
+# Point tools such as coursier (used in rules_jvm_external) to Bazel's downloaded JDK
+# suggested in https://github.com/bazelbuild/rules_jvm_external/issues/445
+common --repo_env=JAVA_HOME=../bazel_tools/jdk
+common --action_env=JAVA_HOME=../bazel_tools/jdk
+
 # Load any settings specific to the current user.
 # .bazelrc.user should appear in .gitignore so that settings are not shared with team members
 # This needs to be last statement in this

.bazelversion

@@ -1,4 +1,4 @@
-7.4.1
+7.6.1
 
 # The first line of this file is used by Bazelisk and Bazel to be sure
 # the right version of Bazel is used to build and test this repo.

.bcr/presubmit.yml

@@ -2,8 +2,7 @@ bcr_test_module:
   module_path: "e2e/smoke"
   matrix:
     bazel: ["6.x", "7.x"]
-    # TODO(#97): add windows
-    platform: ["debian10", "ubuntu2004"]
+    platform: ["debian10", "ubuntu2004", "windows"]
   tasks:
     test_linux:
       name: "Run test module"
@@ -19,3 +18,9 @@ bcr_test_module:
         - "//..."
         # This test requires a docker daemon, not available on BCR CI
         - "-//:test"
+    test_windows:
+      name: "Run test module"
+      bazel: ${{ bazel }}
+      platform: windows
+      test_targets:
+        - "//..."

.github/workflows/ci.yaml

@@ -18,82 +18,93 @@ concurrency:
   cancel-in-progress: ${{ github.ref_name != 'main' }}
 
 jobs:
-  matrix-prep-bazelversion:
-    # Prepares the 'bazelversion' axis of the test matrix
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - id: bazel_7
-        run: echo "bazelversion=$(head -n 1 .bazelversion)" >> $GITHUB_OUTPUT
-      - id: bazel_6
-        run: echo "bazelversion=6.4.0" >> $GITHUB_OUTPUT
-    outputs:
-      # Will look like ["<version from .bazelversion>", "6.4.0"]
-      bazelversions: ${{ toJSON(steps.*.outputs.bazelversion) }}
-
-  matrix-prep-os:
-    # Prepares the 'os' axis of the test matrix
+  matrix-prep:
     runs-on: ubuntu-latest
     env:
       TC_CLOUD_TOKEN: ${{ secrets.TC_CLOUD_TOKEN }}
     steps:
+      - uses: actions/checkout@v4
+      - id: bazel-version
+        name: Prepare 'bazel-version' matrix axis
+        run: |
+          v=$(head -n 1 .bazelversion)
+          m=${v::1}
+          a=(
+            "major:$m, version:\"$v\""
+            "major:6, version:\"6.5.0\""
+          )
+          printf -v j '{%s},' "${a[@]}"
+          echo "res=[${j%,}]" | tee -a $GITHUB_OUTPUT
       - id: linux
-        run: echo "os=ubuntu-latest" >> $GITHUB_OUTPUT
+        run: echo "os=ubuntu" >> $GITHUB_OUTPUT
       - id: macos
-        run: echo "os=macos-13" >> $GITHUB_OUTPUT
+        run: echo "os=macos" >> $GITHUB_OUTPUT
         # Don't run MacOS if there is no TestContainers API token which is the case on forks. We need it for container tests.
         if: ${{ env.TC_CLOUD_TOKEN != '' }}
+      - id: windows
+        run: echo "os=windows" >> $GITHUB_OUTPUT
     outputs:
-      # Will look like ["ubuntu-latest", "macos-13"]
+      bazel-version: ${{ steps.bazel-version.outputs.res }}
+      # Will look like ["ubuntu", "macos", "windows"]
       os: ${{ toJSON(steps.*.outputs.os) }}
 
   test:
-    # The type of runner that the job will run on
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}-latest
     needs:
-      - matrix-prep-bazelversion
-      - matrix-prep-os
-
+      - matrix-prep
     strategy:
       fail-fast: false
       matrix:
-        os: ${{ fromJSON(needs.matrix-prep-os.outputs.os) }}
-        bazelversion: ${{ fromJSON(needs.matrix-prep-bazelversion.outputs.bazelversions) }}
+        bazel-version: ${{ fromJSON(needs.matrix-prep.outputs.bazel-version) }}
+        bzlmod: [1, 0]
+        os: ${{ fromJSON(needs.matrix-prep.outputs.os) }}
         folder:
           - .
           - e2e/wasm
           - e2e/smoke
           - e2e/assertion
           - examples/dockerfile
 
-        bzlmodEnabled: [true, false]
         exclude:
-          # macos is expensive (billed at 10X) so don't test these
-          - os: macos-13
-            folder: e2e/wasm
-          - os: macos-13
-            folder: e2e/assertion
-          - os: macos-13
-            bazelversion: 6.4.0
+          # Don't test MacOS and Windows against secondary bazel version to minimize minutes (billed at 10X and 2X respectively)
+          # https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions#included-storage-and-minutes
+          - os: macos
+            bazel-version:
+              major: 6
+          - os: windows
+            bazel-version:
+              major: 6
+          # Root workspace. Requires bzlmod and bazel 7+. Ubuntu-bazel-7 is tested on Buildkite using Aspect Workflows
           - folder: .
-            bazelversion: 6.4.0
+            bzlmod: 0
+          - folder: .
+            bazel-version:
+              major: 6
+          - folder: .
+            bazel-version:
+              major: 7
+            os: ubuntu
+          # examples/dockerfile. Requires bzlmod and bazel 7+. Skip windows (todo: buildx not supported)
           - folder: examples/dockerfile
-            bzlmodEnabled: false
+            bzlmod: 0
           - folder: examples/dockerfile
-            bazelversion: 6.4.0
-          # e2e/assertion is bzlmod only but it has test for both cases.
+            bazel-version:
+              major: 6
+          - folder: examples/dockerfile
+            os: windows
+          # e2e/assertion. Requires bzlmod. Skip macos (save CI minutes). Skip windows (BATS tests don't work reliably)
+          - folder: e2e/assertion
+            bzlmod: 0
           - folder: e2e/assertion
-            bzlmodEnabled: false
-          # TODO: fix
+            os: macos
+          # e2e/wasm. Requires workspace (todo: bzlmod). Skip macos (save CI minutes). Skip windows (todo: configure WASM C++ toolchains on Windows)
           - folder: e2e/wasm
-            bzlmodEnabled: true
-          # Don't test the root module with WORKSPACE at all
-          - folder: .
-            bzlmodEnabled: false
-          # This is tested on Buildkite using Aspect Workflows
-          - bazelversion: 7.4.1
-            folder: .
-            os: ubuntu-latest
+            bzlmod: 1
+          - folder: e2e/wasm
+            os: macos
+          - folder: e2e/wasm
+            os: windows
+
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
@@ -103,9 +114,9 @@ jobs:
         with:
           path: |
             ~/.cache/bazel-repo
-          key: bazel-cache-${{ matrix.os }}-${{ matrix.folder }}-${{ matrix.bazelversion }}-${{ hashFiles('**/BUILD.bazel', '**/*.bzl', 'WORKSPACE', 'WORKSPACE.bzlmod','MODULE.bzl') }}
+          key: bazel-cache-${{ matrix.os }}-${{ matrix.folder }}-${{ matrix.bazel-version }}-${{ hashFiles('**/BUILD.bazel', '**/*.bzl', 'WORKSPACE', 'WORKSPACE.bzlmod','MODULE.bzl') }}
           restore-keys: |
-            bazel-cache-${{ matrix.os }}-${{ matrix.folder }}-${{ matrix.bazelversion }}
+            bazel-cache-${{ matrix.os }}-${{ matrix.folder }}-${{ matrix.bazel-version }}
             bazel-cache-${{ matrix.os }}-${{ matrix.folder }}
             bazel-cache-${{ matrix.os }}
             bazel-cache-
@@ -114,44 +125,46 @@ jobs:
         # Store the --enable_bzlmod flag that we add to the test command below
         # only when we're running bzlmod in our test matrix.
         id: set_bzlmod_flag
-        if: matrix.bzlmodEnabled
+        if: matrix.bzlmod == '1'
         run: echo "bzlmod_flag=--enable_bzlmod" >> $GITHUB_OUTPUT
 
       - name: Set credential helpers flag
         # Add --config needs_credential_helpers to add additional credential helpers
         # to fetch from registries with HTTP headers set by credential helpers.
         id: set_credential_helper_flag
-        if: matrix.bazelversion == '6.4.0' && matrix.folder == '.'
+        if: matrix.bazel-version == '6.5.0' && matrix.folder == '.'
         run: echo "credential_helper_flag=--config=needs_credential_helpers" >> $GITHUB_OUTPUT
 
       - name: Setup crane for credential helpers to use
         uses: imjasonh/setup-crane@v0.3
-        if: matrix.bazelversion == '6.4.0' && matrix.folder == '.'
+        if: matrix.bazel-version == '6.5.0' && matrix.folder == '.'
         with:
           version: "v0.19.1"
 
       - name: Configure Bazel version
         working-directory: ${{ matrix.folder }}
-        run: echo "${{ matrix.bazelversion }}" > .bazelversion
+        run: echo "${{ matrix.bazel-version.version }}" > .bazelversion
 
       - name: Configure TestContainers cloud
-        if: ${{ matrix.os == 'macos-13' }}
+        if: ${{ matrix.os == 'macos' }}
         uses: atomicjar/testcontainers-cloud-setup-action@main
         with:
           wait: true
           token: ${{ secrets.TC_CLOUD_TOKEN }}
 
-      - run: man xargs
+      # this causes windows failure; why is this here?
+      # - run: man xargs
 
       - name: Configure Remote Docker Host
-        if: ${{ matrix.os == 'macos-13' }}
+        if: ${{ matrix.os == 'macos' }}
         run: |
           echo "DOCKER_HOST=$(grep 'tc.host' ~/.testcontainers.properties | cut -d '=' -f2 | xargs)" >> $GITHUB_ENV
           curl -fsSL https://download.docker.com/mac/static/stable/x86_64/docker-23.0.0.tgz | tar -xOvf - docker/docker > /usr/local/bin/docker
           chmod +x /usr/local/bin/docker
 
       - name: bazel test //...
         working-directory: ${{ matrix.folder }}
+        shell: bash
         run: |
           bazel \
           --bazelrc=$GITHUB_WORKSPACE/.github/workflows/ci.bazelrc \

MODULE.bazel

@@ -2,13 +2,17 @@
 
 module(
     name = "rules_oci",
+    # align with https://github.com/bazel-contrib/bazel-lib/pull/1160
+    bazel_compatibility = [">=6.5.0"],
     compatibility_level = 1,
 )
 
-bazel_dep(name = "aspect_bazel_lib", version = "2.7.2")
+bazel_dep(name = "aspect_bazel_lib", version = "2.21.2")
 bazel_dep(name = "bazel_features", version = "1.10.0")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "platforms", version = "0.0.8")
+bazel_dep(name = "tar.bzl", version = "0.5.6")
+bazel_dep(name = "jq.bzl", version = "0.4.0")
 
 oci = use_extension("//oci:extensions.bzl", "oci")
 oci.toolchains()
@@ -23,10 +27,11 @@ use_repo(zstd, "zstd_toolchains")
 
 register_toolchains("@zstd_toolchains//:all")
 
-bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
-bazel_lib.jq()
-bazel_lib.tar()
-use_repo(bazel_lib, "bsd_tar_toolchains", "jq_toolchains")
+jq_toolchains = use_extension("@jq.bzl//jq:extensions.bzl", "toolchains")
+use_repo(jq_toolchains, "jq_toolchains")
+
+tar_toolchains = use_extension("@tar.bzl//tar:extensions.bzl", "toolchains")
+use_repo(tar_toolchains, "bsd_tar_toolchains")
 
 # Dev dependencies
 

cosign/private/attest.bzl

@@ -1,5 +1,9 @@
 "Implementation details for attest rule"
 
+load("@aspect_bazel_lib//lib:paths.bzl", "BASH_RLOCATION_FUNCTION", "to_rlocation_path")
+load("@aspect_bazel_lib//lib:windows_utils.bzl", "create_windows_native_launcher_script")
+load("//oci/private:util.bzl", "is_windows_exec", "IS_EXEC_PLATFORM_WINDOWS_ATTRS")
+
 _DOC = """Attest an oci_image using cosign binary at a remote registry.
 
 ```starlark
@@ -52,42 +56,46 @@ _attrs = {
         Digests and tags are not allowed. If this attribute is not set, the repository must be passed at runtime via the `--repository` flag.
     """),
     "_attest_sh_tpl": attr.label(default = "attest.sh.tpl", allow_single_file = True),
-}
+    "_runfiles": attr.label(default = "@bazel_tools//tools/bash/runfiles"),
+} | IS_EXEC_PLATFORM_WINDOWS_ATTRS
 
 def _cosign_attest_impl(ctx):
     cosign = ctx.toolchains["@rules_oci//cosign:toolchain_type"]
-    jq = ctx.toolchains["@aspect_bazel_lib//lib:jq_toolchain_type"]
+    jq = ctx.toolchains["@jq.bzl//jq/toolchain:type"]
 
     if ctx.attr.repository and (ctx.attr.repository.find(":") != -1 or ctx.attr.repository.find("@") != -1):
         fail("repository attribute should not contain digest or tag.")
 
     fixed_args = [
         "--predicate",
-        ctx.file.predicate.short_path,
+        to_rlocation_path(ctx, ctx.file.predicate),
         "--type",
         ctx.attr.type,
     ]
     if ctx.attr.repository:
         fixed_args.extend(["--repository", ctx.attr.repository])
 
-    executable = ctx.actions.declare_file("cosign_attest_{}.sh".format(ctx.label.name))
+    bash_launcher = ctx.actions.declare_file("cosign_attest_{}.sh".format(ctx.label.name))
     ctx.actions.expand_template(
         template = ctx.file._attest_sh_tpl,
-        output = executable,
+        output = bash_launcher,
         is_executable = True,
         substitutions = {
-            "{{cosign_path}}": cosign.cosign_info.binary.short_path,
-            "{{jq_path}}": jq.jqinfo.bin.short_path,
-            "{{image_dir}}": ctx.file.image.short_path,
+            "{{BASH_RLOCATION_FUNCTION}}": BASH_RLOCATION_FUNCTION,
+            "{{cosign_path}}": to_rlocation_path(ctx, cosign.cosign_info.binary),
+            "{{jq_path}}": to_rlocation_path(ctx, jq.jqinfo.bin),
+            "{{image_dir}}": to_rlocation_path(ctx, ctx.file.image),
             "{{fixed_args}}": " ".join(fixed_args),
             "{{type}}": ctx.attr.type,
         },
     )
 
-    runfiles = ctx.runfiles(files = [ctx.file.image, ctx.file.predicate])
+    executable = create_windows_native_launcher_script(ctx, bash_launcher) if is_windows_exec(ctx) else bash_launcher
+    runfiles = ctx.runfiles(files = [ctx.file.image, ctx.file.predicate, bash_launcher])
     runfiles = runfiles.merge(ctx.attr.image[DefaultInfo].default_runfiles)
     runfiles = runfiles.merge(jq.default.default_runfiles)
     runfiles = runfiles.merge(cosign.default.default_runfiles)
+    runfiles = runfiles.merge(ctx.attr._runfiles.default_runfiles)
 
     return DefaultInfo(executable = executable, runfiles = runfiles)
 
@@ -97,7 +105,8 @@ cosign_attest = rule(
     doc = _DOC,
     executable = True,
     toolchains = [
+        "@bazel_tools//tools/sh:toolchain_type",
         "@rules_oci//cosign:toolchain_type",
-        "@aspect_bazel_lib//lib:jq_toolchain_type",
+        "@jq.bzl//jq/toolchain:type",
     ],
 )