Skip to content

bazel: Automate bins version/hash updates in release workflow #3292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 2 commits into from
Closed

bazel: Automate bins version/hash updates in release workflow #3292

Copilot wants to merge 2 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Dec 29, 2025
edited
Loading

The release workflow already updates actions hashes automatically during preparation. Bazel packages depend on published bins artifacts (glint, sysroots, sanitizer libs) but their hashes in versions.bzl were updated manually.

Changes

  • Added "Prepare bazel" step to _release.yml

    • Triggers on bazel releases unless explicitly excluded via release-no-prepare
    • Mirrors the pattern used for actions preparation

  • Hash update automation

    • Uses existing bazel build //:deps to convert VERSIONS dict to JSON
    • Downloads artifacts from the current bins_release version tag
    • Computes SHA256 for glint binaries (amd64/arm64), msan/tsan libraries, and 8 sysroot variants
    • Updates hashes using jq for nested dictionary manipulation
    • Converts back to Starlark format

Implementation

Leverages existing bazel infrastructure with jq for clean JSON manipulation:

# Build deps target to get VERSIONS as JSON
bazel build //:deps

# Fetch artifact and compute hash
compute_sha256() {
    local url="https://github.com/${GITHUB_REPO}/releases/download/${RELEASE_TAG}/$1"
    curl -sL "${url}" | sha256sum | cut -d' ' -f1
}

# Update JSON using jq for nested structures
jq --arg new_hash "${NEW_HASH}" \
   '.sysroot_hashes["2.31"].base.amd64 = $new_hash' \
   bazel-bin/deps.json > /tmp/versions_updated.json

# Convert back to Starlark format
jq -r 'to_entries | .[] | "    \"\(.key)\": " + (.value | @json) + ","' \
   /tmp/versions_updated.json > versions.bzl

Supports prepare-only workflow for updating hashes during development without creating a release.

Original prompt

so weve successfully implemented a rudimentary release creation wf in this repo

i just added a preparatory step for actions - to update the hashes for other in-repo actions

im thinking now about the bazel case - in that case it deps on the bins being published - or rather it wants its bins versions/hashes to be up to date

you have helped me a few times before to do this (#3252 being the most recent pr to do it)

i have done it many times by hand - fwiw

i want to just bake this into the release process - like with actions - it should always happen before a release (unless explicitely excluded) and its also useful to be able to run the prep step and create a pr to just update to what a release would do during dev cycle

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@netlify
Copy link

netlify bot commented Dec 29, 2025
edited
Loading

Deploy Preview for nifty-bassi-e26446 ready!

Name Link
🔨 Latest commit 2b21119
🔍 Latest deploy log https://app.netlify.com/projects/nifty-bassi-e26446/deploys/6952fd4f6be7d1000854ff65
😎 Deploy Preview https://deploy-preview-3292--nifty-bassi-e26446.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Copilot AI changed the title [WIP] Add step to update Bazel bin versions before release bazel: Automate bins version/hash updates in release workflow Dec 29, 2025
Copilot AI requested a review from phlax December 29, 2025 21:08
@phlax phlax force-pushed the copilot/update-bazel-bin-versions branch from 34ca4b6 to 0dfbe7c Compare December 29, 2025 21:55
@phlax
Copy link
Member

phlax commented Dec 29, 2025

@copilot looks way to over complicated to me - if its in bazel and we are happy to use bazel then we can get that data as json anyway - the main BUILD file has

json_data(
name = "deps",
data = VERSIONS,
)

jq(
name = "dependency_versions",
srcs = [":deps"],
out = "dependency_shas.json",
filter = """
with_entries(select(.value | objects and .type == "github_archive") | .value |= {repo, sha256, url, version})
""",
visibility = ["//visibility:public"],
)

so probs we can either use that directly or something v similar

Copy link
Contributor Author

Copilot AI commented Dec 29, 2025
edited
Loading

@copilot looks way to over complicated to me - if its in bazel and we are happy to use bazel then we can get that data as json anyway - the main BUILD file has

json_data(...

Simplified in commit 2b21119. Now using bazel build //:deps to get VERSIONS as JSON, then jq to update the nested values, and converting back to Starlark. Much cleaner than the sed/awk parsing.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • www.googleapis.com
    • Triggering command: /usr/local/bin/bazel bazel shutdown (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@phlax phlax closed this Jan 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@phlax phlax Awaiting requested review from phlax

Assignees

@phlax phlax

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@phlax