carverauto/serviceradar

Fork 0

Chore/fixing pub pkgs #2450

Merged

mfreeman451 merged 3 commits from refs/pull/2450/head into main

2025-11-23 15:00:11 +00:00

mfreeman451 commented

2025-11-23 14:58:52 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #1982
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1982
Original created: 2025-11-23T14:58:52Z
Original updated: 2025-11-23T15:00:17Z
Original head: carverauto/serviceradar:chore/fixing_pub_pkgs
Original base: main
Original merged: 2025-11-23T15:00:11Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement, Bug fix

Description

Add rpmbuild toolchain detection and installation in release workflow
Configure local packaging execution to ensure rpmbuild availability
Disable remote cache/exec for packaging jobs to run locally
Create new linux_pkg_local platform for rules_pkg rpm compatibility

Diagram Walkthrough

flowchart LR
  A["Release Workflow"] --> B["Install rpmbuild & rpm tools"]
  B --> C["Clean Bazel externals"]
  C --> D["Disable remote cache/exec"]
  D --> E["Run packaging locally"]
  F["New linux_pkg_local platform"] --> E
  E --> G["Publish packages"]

File Walkthrough

Relevant files

Configuration changes

release.yml

Configure local rpmbuild execution in release workflow

.github/workflows/release.yml

Added step to install rpmbuild and rpm2cpio packages with verification
Added step to refresh Bazel externals after rpm installation via bazel
clean
Added step to disable remote executor and cache for packaging builds
Modified publish_packages step to use local config instead of remote,
with explicit platform and rpmbuild availability flag

+33/-2

BUILD.bazel

Add linux_pkg_local platform for local packaging

build/platforms/BUILD.bazel

Added new linux_pkg_local platform definition for local package builds
Platform explicitly includes rules_pkg rpm compatibility constraint
Targets x86_64 Linux architecture with local execution constraints

+11/-0

Imported from GitHub pull request. Original GitHub pull request: #1982 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/1982 Original created: 2025-11-23T14:58:52Z Original updated: 2025-11-23T15:00:17Z Original head: carverauto/serviceradar:chore/fixing_pub_pkgs Original base: main Original merged: 2025-11-23T15:00:11Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement, Bug fix ___ ### **Description** - Add rpmbuild toolchain detection and installation in release workflow - Configure local packaging execution to ensure rpmbuild availability - Disable remote cache/exec for packaging jobs to run locally - Create new linux_pkg_local platform for rules_pkg rpm compatibility ___ ### Diagram Walkthrough ```mermaid flowchart LR A["Release Workflow"] --> B["Install rpmbuild & rpm tools"] B --> C["Clean Bazel externals"] C --> D["Disable remote cache/exec"] D --> E["Run packaging locally"] F["New linux_pkg_local platform"] --> E E --> G["Publish packages"] ``` <details> <summary><h3> File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Configuration changes</td><td><table> <tr> <td> <details> <summary>release.yml<dd><code>Configure local rpmbuild execution in release workflow</code>      </dd></summary> <hr> .github/workflows/release.yml <ul><li>Added step to install rpmbuild and rpm2cpio packages with verification <li> Added step to refresh Bazel externals after rpm installation via bazel clean <li> Added step to disable remote executor and cache for packaging builds <li> Modified publish_packages step to use local config instead of remote, with explicit platform and rpmbuild availability flag</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1982/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34">+33/-2</a>    </td> </tr> <tr> <td> <details> <summary>BUILD.bazel<dd><code>Add linux_pkg_local platform for local packaging</code>                  </dd></summary> <hr> build/platforms/BUILD.bazel <ul><li>Added new linux_pkg_local platform definition for local package builds <li> Platform explicitly includes rules_pkg rpm compatibility constraint <li> Targets x86_64 Linux architecture with local execution constraints</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1982/files#diff-d7da264d8f13c39aafc9e2343c3f9649ee1b143f653edda46521f21378a8467e">+11/-0</a>    </td> </tr> </table></td></tr></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-11-23 14:59:17 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1982#issuecomment-3568041384
Original created: 2025-11-23T14:59:17Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Unpinned package install Description: Installing system packages with sudo in CI without pinning versions or verifying package integrity can lead to supply-chain risks or unexpected breakage if upstream packages change (e.g., 'apt-get install -y rpm rpm2cpio' without version pinning or checksum verification). release.yml [75-81] Referred Code `sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version`
	Build config bypass Description: Overriding Bazel remote cache/executor via a generated '.bazelrc.remote' inside CI may allow unintended configuration persistence across subsequent steps in the same workspace, potentially bypassing intended remote policies and weakening hermeticity and reproducibility. release.yml [223-226] Referred Code `build --remote_executor= build --remote_cache= build --remote_download_minimal EOF`
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing audit logs: The newly added workflow steps perform critical build/publish actions without adding any audit logging of who triggered actions or their outcomes beyond default GitHub Actions logs, which may be acceptable but cannot be verified from this diff. Referred Code - name: Ensure rpmbuild available for rules_pkg toolchain run: \| sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version - name: Refresh Bazel externals after rpm install run: \| # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary. if command -v bazel >/dev/null 2>&1; then bazel clean --expunge else echo "bazel not yet installed; skipping clean (Bazelisk step will follow)" >&2 fi - name: Configure BuildBuddy remote cache if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }} ... (clipped 182 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Error detail exposure: The workflow echoes tool versions and prints messages to stderr; while typical for CI, it is unclear whether any sensitive internal details could be exposed in public logs, requiring human verification. Referred Code - name: Ensure rpmbuild available for rules_pkg toolchain run: \| sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version - name: Refresh Bazel externals after rpm install run: \| # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary. if command -v bazel >/dev/null 2>&1; then bazel clean --expunge else echo "bazel not yet installed; skipping clean (Bazelisk step will follow)" >&2 fi Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1982#issuecomment-3568041384 Original created: 2025-11-23T14:59:17Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=2>⚪</td> <td><details><summary>Unpinned package install </summary> Description: Installing system packages with sudo in CI without pinning versions or verifying package integrity can lead to supply-chain risks or unexpected breakage if upstream packages change (e.g., 'apt-get install -y rpm rpm2cpio' without version pinning or checksum verification). <a href='https://github.com/carverauto/serviceradar/pull/1982/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R75-R81'>release.yml [75-81]</a> <details open><summary>Referred Code</summary> ```yaml sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version ``` </details></details></td></tr> <tr><td><details><summary>Build config bypass</summary> Description: Overriding Bazel remote cache/executor via a generated '.bazelrc.remote' inside CI may allow unintended configuration persistence across subsequent steps in the same workspace, potentially bypassing intended remote policies and weakening hermeticity and reproducibility. <a href='https://github.com/carverauto/serviceradar/pull/1982/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R223-R226'>release.yml [223-226]</a> <details open><summary>Referred Code</summary> ```yaml build --remote_executor= build --remote_cache= build --remote_download_minimal EOF ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=4>🟢</td><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=2>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1982/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R73-R275'>Missing audit logs</a>: The newly added workflow steps perform critical build/publish actions without adding any audit logging of who triggered actions or their outcomes beyond default GitHub Actions logs, which may be acceptable but cannot be verified from this diff. <details open><summary>Referred Code</summary> ```yaml - name: Ensure rpmbuild available for rules_pkg toolchain run: | sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version - name: Refresh Bazel externals after rpm install run: | # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary. if command -v bazel >/dev/null 2>&1; then bazel clean --expunge else echo "bazel not yet installed; skipping clean (Bazelisk step will follow)" >&2 fi - name: Configure BuildBuddy remote cache if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }} ... (clipped 182 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1982/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R73-R91'>Error detail exposure</a>: The workflow echoes tool versions and prints messages to stderr; while typical for CI, it is unclear whether any sensitive internal details could be exposed in public logs, requiring human verification. <details open><summary>Referred Code</summary> ```yaml - name: Ensure rpmbuild available for rules_pkg toolchain run: | sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version - name: Refresh Bazel externals after rpm install run: | # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary. if command -v bazel >/dev/null 2>&1; then bazel clean --expunge else echo "bazel not yet installed; skipping clean (Bazelisk step will follow)" >&2 fi ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2025-11-23 15:00:15 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1982#issuecomment-3568042288
Original created: 2025-11-23T15:00:15Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Use a container for packaging Instead of installing `rpmbuild` on the CI runner, run the packaging step in a Docker container with `rpmbuild` pre-installed. This improves reproducibility and simplifies the workflow by removing environment setup steps. Examples: .github/workflows/release.yml [73-274] `- name: Ensure rpmbuild available for rules_pkg toolchain run: \| sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version ... (clipped 192 lines)` Solution Walkthrough: Before: `# .github/workflows/release.yml jobs: release: steps: - name: Ensure rpmbuild available run: \| sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio ... - name: Refresh Bazel externals run: bazel clean --expunge - name: Disable remote exec/cache for packaging run: \| cat > .bazelrc.remote ... - name: Publish Debian and RPM packages run: \| bazel run --config=no_remote --platforms=//build/platforms:linux_pkg_local ...` After: `# .github/workflows/release.yml jobs: release: # Run the job in a container with all tools pre-installed container: image: your-org/build-image:with-rpmbuild steps: - name: Checkout ... # No more 'apt-get install', 'bazel clean', or disabling remote cache. - name: Publish Debian and RPM packages run: \| # Bazel runs inside the container, rpmbuild is available. # The complex platform and config flags might be simplified or removed. bazel run //release:publish_packages ...` Suggestion importance[1-10]: 8 __ Why: The suggestion proposes a superior architectural pattern for CI by using a container, which improves reproducibility and avoids modifying the runner's state, directly addressing the core changes in the PR.	Medium
General	Use explicit flags to disable remote Replace the non-standard `--config=no_remote` flag with explicit `--remote_executor=` and `--remote_cache=` flags in the `bazel run` command to clearly disable remote execution. .github/workflows/release.yml [266-274] `# Build and upload packages locally so rpmbuild is guaranteed to be present on the runner. bazel run \ - --config=no_remote \ + --remote_executor= \ + --remote_cache= \ --host_platform=@local_config_platform//:host \ --platforms=//build/platforms:linux_pkg_local \ --@rules_pkg//toolchains/rpm:is_rpmbuild_available=1 \ --stamp \ //release:publish_packages \ -- "${args[@]}"` Apply / Chat Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies that `--config=no_remote` is non-standard and proposes replacing it with explicit flags, which makes the command self-contained, clearer, and removes redundancy with the `.bazelrc.remote` file creation.	Medium
General	Pass Bazel flags directly instead Remove the step that creates `.bazelrc.remote` and instead pass the Bazel configuration flags directly to the `bazel run` command to avoid side effects. .github/workflows/release.yml [219-226] `-- name: Disable remote exec/cache for packaging - run: \| - # Clear remote settings so packaging runs entirely on the runner. - cat > .bazelrc.remote <<'EOF' - build --remote_executor= - build --remote_cache= - build --remote_download_minimal - EOF +# This step can be removed. The flags will be added to the 'Publish Debian and RPM packages' step.` Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that creating a `.bazelrc.remote` file can have unintended side effects on subsequent steps, and passing flags directly to the command is a more robust and maintainable approach.	Medium
More

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1982#issuecomment-3568042288 Original created: 2025-11-23T15:00:15Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=1>High-level</td> <td> <details><summary>Use a container for packaging</summary> ___ **Instead of installing <code>rpmbuild</code> on the CI runner, run the packaging step in a Docker container with <code>rpmbuild</code> pre-installed. This improves reproducibility and simplifies the workflow by removing environment setup steps.** ### Examples: <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1982/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R73-R274">.github/workflows/release.yml [73-274]</a> </summary> ```yaml - name: Ensure rpmbuild available for rules_pkg toolchain run: | sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version ... (clipped 192 lines) ``` </details> ### Solution Walkthrough: #### Before: ```yaml # .github/workflows/release.yml jobs: release: steps: - name: Ensure rpmbuild available run: | sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio ... - name: Refresh Bazel externals run: bazel clean --expunge - name: Disable remote exec/cache for packaging run: | cat > .bazelrc.remote ... - name: Publish Debian and RPM packages run: | bazel run --config=no_remote --platforms=//build/platforms:linux_pkg_local ... ``` #### After: ```yaml # .github/workflows/release.yml jobs: release: # Run the job in a container with all tools pre-installed container: image: your-org/build-image:with-rpmbuild steps: - name: Checkout ... # No more 'apt-get install', 'bazel clean', or disabling remote cache. - name: Publish Debian and RPM packages run: | # Bazel runs inside the container, rpmbuild is available. # The complex platform and config flags might be simplified or removed. bazel run //release:publish_packages ... ``` <details><summary>Suggestion importance[1-10]: 8</summary> __ Why: The suggestion proposes a superior architectural pattern for CI by using a container, which improves reproducibility and avoids modifying the runner's state, directly addressing the core changes in the PR. </details></details></td><td align=center>Medium </td></tr><tr><td rowspan=2>General</td> <td> <details><summary>Use explicit flags to disable remote</summary> ___ **Replace the non-standard <code>--config=no_remote</code> flag with explicit <code>--remote_executor=</code> and <code>--remote_cache=</code> flags in the <code>bazel run</code> command to clearly disable remote execution.** [.github/workflows/release.yml [266-274]](https://github.com/carverauto/serviceradar/pull/1982/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R266-R274) ```diff # Build and upload packages locally so rpmbuild is guaranteed to be present on the runner. bazel run \ - --config=no_remote \ + --remote_executor= \ + --remote_cache= \ --host_platform=@local_config_platform//:host \ --platforms=//build/platforms:linux_pkg_local \ --@rules_pkg//toolchains/rpm:is_rpmbuild_available=1 \ --stamp \ //release:publish_packages \ -- "${args[@]}" ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 8</summary> __ Why: The suggestion correctly identifies that `--config=no_remote` is non-standard and proposes replacing it with explicit flags, which makes the command self-contained, clearer, and removes redundancy with the `.bazelrc.remote` file creation. </details></details></td><td align=center>Medium </td></tr><tr><td> <details><summary>Pass Bazel flags directly instead</summary> ___ **Remove the step that creates <code>.bazelrc.remote</code> and instead pass the Bazel configuration flags directly to the <code>bazel run</code> command to avoid side effects.** [.github/workflows/release.yml [219-226]](https://github.com/carverauto/serviceradar/pull/1982/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R219-R226) ```diff -- name: Disable remote exec/cache for packaging - run: | - # Clear remote settings so packaging runs entirely on the runner. - cat > .bazelrc.remote <<'EOF' - build --remote_executor= - build --remote_cache= - build --remote_download_minimal - EOF +# This step can be removed. The flags will be added to the 'Publish Debian and RPM packages' step. ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: The suggestion correctly identifies that creating a `.bazelrc.remote` file can have unintended side effects on subsequent steps, and passing flags directly to the command is a more robust and maintainable approach. </details></details></td><td align=center>Medium </td></tr> <tr><td align="center" colspan="2"> - [ ] More  </td><td></td></tr></tbody></table>