wip #2449

Merged
mfreeman451 merged 1 commit from refs/pull/2449/head into main 2025-11-23 14:54:51 +00:00
mfreeman451 commented 2025-11-23 14:54:13 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #1981
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1981
Original created: 2025-11-23T14:54:13Z
Original updated: 2025-11-23T14:55:34Z
Original head: carverauto/serviceradar:chore/fixing_pub_pkgs
Original base: main
Original merged: 2025-11-23T14:54:51Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?

PR Type

Enhancement, Other


Description

  • Add rpmbuild installation and Bazel cache refresh in release workflow

  • Disable remote execution/cache for packaging to ensure local rpmbuild availability

  • Switch package publishing from RBE to local execution with platform constraints

  • Create new linux_pkg_local platform with rules_pkg rpm compatibility gate


Diagram Walkthrough

flowchart LR
  A["Release Workflow"] -->|Install rpmbuild| B["System Setup"]
  B -->|Clean Bazel cache| C["Refresh Externals"]
  C -->|Disable remote exec| D["Local Config"]
  D -->|Use local platform| E["Publish Packages"]
  F["New linux_pkg_local Platform"] -->|Satisfies rpm gate| E

File Walkthrough

Relevant files
Configuration changes
release.yml
Configure local rpmbuild execution for package publishing

.github/workflows/release.yml

  • Add step to install rpmbuild and rpm2cpio packages with verification
  • Add step to refresh Bazel externals via bazel clean --expunge after
    rpm install
  • Add step to disable remote executor and cache for packaging builds
  • Change package publishing from --config=remote to --config=no_remote
    with local platform and rpmbuild availability flag
+29/-2
BUILD.bazel
Add linux_pkg_local platform for rpm packaging

build/platforms/BUILD.bazel

  • Add new linux_pkg_local platform targeting x86_64 Linux
  • Include @rules_pkg//pkg:not_compatible constraint to satisfy rules_pkg
    rpm compatibility requirements
  • Set visibility to public for use in release workflows
+11/-0

qodo-code-review[bot] commented 2025-11-23 14:54:35 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1981#issuecomment-3568037676
Original created: 2025-11-23T14:54:35Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Supply chain risk

Description: Installing and invoking system-wide packages with sudo in CI without pinning versions or
verifying package integrity (apt-get update/install of rpm/rpm2cpio) enables supply-chain
risk if the package repository is compromised or changes unexpectedly; consider pinning
versions, using apt-get with signed repository configuration, or containerized, pinned
images.
release.yml [75-87]

Referred Code
    sudo apt-get update -y
    sudo apt-get install -y rpm rpm2cpio
    if ! command -v rpmbuild >/dev/null 2>&1; then
      echo "rpmbuild not found after install" >&2
      exit 1
    fi
    rpmbuild --version

- name: Refresh Bazel externals after rpm install
  run: |
    # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary.
    bazel clean --expunge

Build config persistence

Description: Disabling remote cache/execution globally by writing .bazelrc.remote may unintentionally
persist across subsequent workflow steps or jobs if the workspace is cached or artifacts
are reused, potentially altering build isolation and trust assumptions; ensure the change
is scoped to the job and restored/isolated.
release.yml [218-223]

Referred Code
cat > .bazelrc.remote <<'EOF'
build --remote_executor=
build --remote_cache=
build --remote_download_minimal
EOF

Non-hermetic build risk

Description: Forcing local execution of packaging (no remote) relies on the runner’s environment and
network and may exfiltrate secrets via unpinned tools or environment differences during
bazel run; prefer hermetic containers or locked toolchains to minimize environmental
attack surface.
release.yml [263-268]

Referred Code
bazel run \
  --config=no_remote \
  --host_platform=@local_config_platform//:host \
  --platforms=//build/platforms:linux_pkg_local \
  --@rules_pkg//toolchains/rpm:is_rpmbuild_available=1 \
  --stamp \
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing Audit Logs: Workflow steps that modify build environment (package install, cache expunge, remote
toggle) add no audit-oriented logging of actor, timestamp, or outcomes beyond default
GitHub Actions logs.

Referred Code
- name: Ensure rpmbuild available for rules_pkg toolchain
  run: |
    sudo apt-get update -y
    sudo apt-get install -y rpm rpm2cpio
    if ! command -v rpmbuild >/dev/null 2>&1; then
      echo "rpmbuild not found after install" >&2
      exit 1
    fi
    rpmbuild --version

- name: Refresh Bazel externals after rpm install
  run: |
    # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary.
    bazel clean --expunge

- name: Configure BuildBuddy remote cache
  if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }}
  run: |
    umask 077
    cat <<'EOF' | sed 's/^ *//' > .bazelrc.remote
      build --bes_results_url=https://carverauto.buildbuddy.io/invocation/


 ... (clipped 178 lines)

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Limited Failure Handling: Shell steps perform installs and Bazel operations without explicit retries or contextual
error messaging beyond a single rpmbuild check, which may cause opaque failures in CI
environments.

Referred Code
- name: Ensure rpmbuild available for rules_pkg toolchain
  run: |
    sudo apt-get update -y
    sudo apt-get install -y rpm rpm2cpio
    if ! command -v rpmbuild >/dev/null 2>&1; then
      echo "rpmbuild not found after install" >&2
      exit 1
    fi
    rpmbuild --version

- name: Refresh Bazel externals after rpm install
  run: |
    # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary.
    bazel clean --expunge

- name: Configure BuildBuddy remote cache
  if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }}
  run: |
    umask 077
    cat <<'EOF' | sed 's/^ *//' > .bazelrc.remote
      build --bes_results_url=https://carverauto.buildbuddy.io/invocation/


 ... (clipped 178 lines)

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
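The two shell-level findings in the compliance comment above (the unpinned `apt-get install` and the `.bazelrc.remote` overwrite that is never restored) can be checked mechanically over a job's `run:` scripts. This is an added example, not code from the PR or from the review bot; the function names, the `SCOPED` rewrite and its version strings are hypothetical.

```python
import re
import shlex

# apt-get options whose value is a separate token, so it is not a package name.
OPTS_WITH_VALUE = {"-o", "--option", "-t", "--target-release", "-c", "--config-file"}
SEPARATORS = {"&&", "||", "|", "then", "do"}
RC_REDIRECT = re.compile(r">\s*([^\s;|&<>]*\.bazelrc[^\s;|&<>]*)")


def _logical_lines(script):
    """Join backslash-continued lines so that one command is one string."""
    joined = script.replace("\\\n", " ")
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def _tokens(line):
    try:
        return shlex.split(line, comments=True)
    except ValueError:  # unbalanced quote; fall back to whitespace splitting
        return line.split()


def unpinned_apt_packages(script):
    """Packages passed to `apt-get install` / `apt install` without '=version'."""
    found = []
    for line in _logical_lines(script):
        state, skip_value = None, False  # None -> "apt" -> "install"
        for raw in _tokens(line):
            tok = raw.rstrip(";")
            if not tok or tok in SEPARATORS:
                state, skip_value = None, False
            elif skip_value:
                skip_value = False
            elif state is None:
                state = "apt" if tok in ("apt-get", "apt") else None
            elif tok in OPTS_WITH_VALUE:
                skip_value = True
            elif re.match(r"\d*[<>]", tok):
                # Redirection; a bare operator takes the next token as its target.
                skip_value = re.fullmatch(r"\d*[<>]+", tok) is not None
            elif tok.startswith("-"):
                pass  # flag such as -y or --no-install-recommends
            elif state == "apt":
                state = "install" if tok == "install" else None
            else:  # state == "install": tok is a package argument
                name, _, version = tok.partition("=")
                if not version:
                    found.append(name)
            if raw.endswith(";"):
                state, skip_value = None, False
    return found


def persistent_bazelrc_writes(script):
    """.bazelrc* files the script redirects into and never cleans up."""
    lines = _logical_lines(script)
    flagged = []
    for idx, line in enumerate(lines):
        for target in RC_REDIRECT.findall(line):
            path = re.escape(target)
            trapped = any(re.search(r"\btrap\b.*" + path, l) for l in lines)
            removed = any(re.search(r"\b(rm|mv)\b.*" + path, l) for l in lines[idx + 1:])
            if not (trapped or removed) and target not in flagged:
                flagged.append(target)
    return flagged


def audit(script):
    return {"unpinned": unpinned_apt_packages(script),
            "persistent_rc": persistent_bazelrc_writes(script)}


# Constructed inputs. FLAGGED reproduces run: lines quoted in the review above;
# SCOPED is a hypothetical rewrite and its version strings are placeholders.
FLAGGED = """\
sudo apt-get update -y
sudo apt-get install -y rpm rpm2cpio
bazel clean --expunge
cat > .bazelrc.remote <<'EOF'
build --remote_executor=
build --remote_cache=
build --remote_download_minimal
EOF
"""

SCOPED = """\
sudo apt-get update -y
sudo apt-get install -y rpm=0.0.0-placeholder rpm2cpio=0.0.0-placeholder
trap 'rm -f .bazelrc.remote' EXIT
cat > .bazelrc.remote <<'EOF'
build --remote_executor=
build --remote_cache=
EOF
bazel run --config=no_remote //release:publish_packages
"""

if __name__ == "__main__":
    for name, script in (("flagged", FLAGGED), ("scoped", SCOPED)):
        print(name, audit(script))
```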
qodo-code-review[bot] commented 2025-11-23 14:55:34 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1981#issuecomment-3568038417
Original created: 2025-11-23T14:55:34Z

PR Code Suggestions

Explore these optional code suggestions:

Category: High-level
Suggestion: Simplify forcing local RPM builds

The current method for forcing local RPM builds is overly complex. It should be
simplified by using standard Bazel features like execution strategies
(--strategy=<mnemonic>=local) or target tags (no-remote) instead of runtime dependency
installation, cache clearing, and platform workarounds.

Examples:

.github/workflows/release.yml [73-87]
      - name: Ensure rpmbuild available for rules_pkg toolchain
        run: |
          sudo apt-get update -y
          sudo apt-get install -y rpm rpm2cpio
          if ! command -v rpmbuild >/dev/null 2>&1; then
            echo "rpmbuild not found after install" >&2
            exit 1
          fi
          rpmbuild --version


 ... (clipped 5 lines)
.github/workflows/release.yml [215-270]
      - name: Disable remote exec/cache for packaging
        run: |
          # Clear remote settings so packaging runs entirely on the runner.
          cat > .bazelrc.remote <<'EOF'
          build --remote_executor=
          build --remote_cache=
          build --remote_download_minimal
          EOF

      - name: Publish Debian and RPM packages

 ... (clipped 46 lines)

Solution Walkthrough:

Before:

# .github/workflows/release.yml

- name: Ensure rpmbuild available
  run: sudo apt-get install -y rpm

- name: Refresh Bazel externals after rpm install
  run: bazel clean --expunge
  
- name: Disable remote exec/cache for packaging
  run: |
    cat > .bazelrc.remote <<'EOF'
    build --remote_executor=
    build --remote_cache=
    EOF

- name: Publish Debian and RPM packages
  run: |
    bazel run \
      --config=no_remote \
      --platforms=//build/platforms:linux_pkg_local \
      ...

After:

# .github/workflows/release.yml

- name: Ensure rpmbuild available
  run: sudo apt-get install -y rpm
  
# No need for 'bazel clean --expunge' or creating '.bazelrc.remote'

- name: Publish Debian and RPM packages
  run: |
    # Assuming the mnemonic for rpmbuild actions is 'Rpmbuild'
    bazel run \
      --config=remote \
      --strategy=Rpmbuild=local \
      //release:publish_packages \
      ...

Suggestion importance[1-10]: 9

Why: This is an excellent high-level suggestion that correctly identifies the current approach as complex and brittle, and proposes more idiomatic and robust Bazel strategies (--strategy or tags) which could significantly improve the build's performance and maintainability.

Impact: High