chore: add hermiticity CI check and finalize hermetic builds

Add CI workflow to verify hermiticity on every PR and complete
hermetic build configuration for all Go tools.

- ci: add hermiticity-check job with execution log analysis
- build: enable pure Go builds (CGO disabled) for all tools
- build: update MODULE.bazel.lock for rules_cc fork
- docs: remove draft status and update RFC with implementation details

All Go binaries now use pure="on" for hermetic builds without
CGO dependencies, preventing system linker detection.

Author: avrabe

.github/workflows/ci.yml

@@ -36,10 +36,46 @@ jobs:
           # Show warnings but don't fail the CI
           bazel run //:buildifier -- --lint=warn --mode=check -r . || true
 
+  hermiticity-check:
+    name: Hermiticity Check
+    runs-on: ubuntu-latest
+    needs: lint
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install Bazelisk
+        run: |
+          curl -LO https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64
+          chmod +x bazelisk-linux-amd64
+          sudo mv bazelisk-linux-amd64 /usr/local/bin/bazel
+
+      - name: Install Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Build with Execution Log
+        run: |
+          echo "🔍 Building with execution logging to analyze hermiticity..."
+          bazel build --execution_log_json_file=/tmp/exec.json //examples/go_component:calculator_component
+
+      - name: Analyze Hermiticity
+        run: |
+          echo "📊 Analyzing build hermiticity..."
+          python3 tools/hermetic_test/analyze_exec_log.py /tmp/exec.json
+
+      - name: Upload Execution Log (on failure)
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: hermiticity-execution-log
+          path: /tmp/exec.json
+
   test-linux:
     name: Test on ubuntu-latest
     runs-on: ubuntu-latest
-    needs: lint # Run tests only after lint passes
+    needs: [lint, hermiticity-check]
 
     services:
       registry:
@@ -148,7 +184,7 @@ jobs:
   test-macos:
     name: Test on macos-latest
     runs-on: macos-latest
-    needs: lint # Run tests only after lint passes
+    needs: [lint, hermiticity-check]
 
     steps:
       - uses: actions/checkout@v5
@@ -261,7 +297,7 @@ jobs:
   bcr-docker-test:
     name: BCR Docker Environment Test
     runs-on: ubuntu-latest
-    needs: lint # Run in parallel with regular tests
+    needs: [lint, hermiticity-check]
 
     steps:
       - uses: actions/checkout@v5
@@ -433,7 +469,7 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
-    needs: [test-linux, test-macos, integration, bcr-docker-test]
+    needs: [test-linux, test-macos, integration, bcr-docker-test, hermiticity-check]
     if: github.ref == 'refs/heads/main'
 
     steps:

MODULE.bazel.lock

@@ -1,7 +1,5 @@
 # RFC: Add Optional Auto-Detection Control to rules_cc cc_configure Extension
 
-## Status: DRAFT
-
 ## Target: [bazelbuild/rules_cc](https://github.com/bazelbuild/rules_cc)
 
 ## Summary
@@ -222,21 +220,20 @@ Consider making `auto_detect = False` the default in a major version (2.0.0), wi
 
 ## Proof of Concept
 
-A working implementation will be available at:
+Working implementation:
 - Fork: https://github.com/avrabe/rules_cc
-- Branch: `feature/optional-auto-detect` (to be created)
-- PR: [To be submitted to bazelbuild/rules_cc]
+- Branch: `feature/optional-cc-toolchain-auto-detect`
+- Commit: `7215331f9e53f80070dc01c4a95a0f9c53ea477b`
+- RFC Issue: https://github.com/avrabe/rules_cc/issues/1
 
 ## Next Steps
 
-1. Get feedback from rules_cc maintainers
+1. Gather feedback from rules_cc maintainers
 2. Refine API based on feedback
-3. Implement proof-of-concept
-4. Submit PR with tests and documentation
-5. Iterate based on code review
+3. Submit PR to bazelbuild/rules_cc
+4. Iterate based on code review
 
 ---
 
-**Author**: [Your name/handle]
-**Date**: 2025-10-12
-**Discussion**: [Link to GitHub issue when created]
+**Date**: 2025-10-13
+**Discussion**: https://github.com/avrabe/rules_cc/issues/1

docs/RFC_RULES_CC_AUTO_DETECT.md

@@ -6,5 +6,6 @@ go_binary(
         "comprehensive_schemas.go",
         "main.go",
     ],
+    pure = "on",  # Disable CGO for hermetic builds
     visibility = ["//visibility:public"],
 )

tools/generate_schemas/BUILD.bazel

@@ -3,5 +3,6 @@ load("@rules_go//go:def.bzl", "go_binary")
 go_binary(
     name = "wac_deps",
     srcs = ["main.go"],
+    pure = "on",  # Disable CGO for hermetic builds
     visibility = ["//visibility:public"],
 )

tools/wac_deps/BUILD.bazel

@@ -3,5 +3,6 @@ load("@rules_go//go:def.bzl", "go_binary")
 go_binary(
     name = "wit_dependency_analyzer",
     srcs = ["main.go"],
+    pure = "on",  # Disable CGO for hermetic builds
     visibility = ["//visibility:public"],
 )

tools/wit_dependency_analyzer/BUILD.bazel

@@ -3,5 +3,6 @@ load("@rules_go//go:def.bzl", "go_binary")
 go_binary(
     name = "wit_structure",
     srcs = ["main.go"],
+    pure = "on",  # Disable CGO for hermetic builds
     visibility = ["//visibility:public"],
 )