carverauto/serviceradar

Fork 0

buildbuddy updates #2228

Merged

mfreeman451 merged 4 commits from refs/pull/2228/head into main

2025-09-19 02:34:01 +00:00

mfreeman451 commented

2025-09-19 02:27:13 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #1648
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1648
Original created: 2025-09-19T02:27:13Z
Original updated: 2025-09-19T02:34:04Z
Original head: carverauto/serviceradar:updates/go_vendoring
Original base: main
Original merged: 2025-09-19T02:34:01Z by @mfreeman451

PR Type

Enhancement

Description

Add BuildBuddy remote execution configuration
Configure toolchain dependencies and overrides
Enable remote build capabilities with timeout settings

Diagram Walkthrough

flowchart LR
  A["Local Build"] --> B["Remote Config"]
  B --> C["BuildBuddy Executor"]
  C --> D["Remote Toolchain"]
  D --> E["Cross-platform Build"]

File Walkthrough

Relevant files

Configuration changes

.bazelrc

Configure BuildBuddy remote execution settings

.bazelrc

Add remote execution profile with BuildBuddy executor
Configure platform and toolchain settings for remote builds
Set Java version requirements and build metadata
Add remote timeout and strict action environment

+18/-0

Dependencies

MODULE.bazel

Add BuildBuddy toolchain dependencies

MODULE.bazel

Add BuildBuddy toolchain dependency with archive override
Configure toolchain extension and repository mapping
Set specific commit hash and integrity for toolchain

+21/-0

Imported from GitHub pull request. Original GitHub pull request: #1648 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/1648 Original created: 2025-09-19T02:27:13Z Original updated: 2025-09-19T02:34:04Z Original head: carverauto/serviceradar:updates/go_vendoring Original base: main Original merged: 2025-09-19T02:34:01Z by @mfreeman451 --- ### **PR Type** Enhancement ___ ### **Description** - Add BuildBuddy remote execution configuration - Configure toolchain dependencies and overrides - Enable remote build capabilities with timeout settings ___ ### Diagram Walkthrough ```mermaid flowchart LR A["Local Build"] --> B["Remote Config"] B --> C["BuildBuddy Executor"] C --> D["Remote Toolchain"] D --> E["Cross-platform Build"] ``` <details> <summary><h3> File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Configuration changes</strong></td><td><table> <tr> <td> <details> <summary><strong>.bazelrc</strong><dd><code>Configure BuildBuddy remote execution settings</code>                      </dd></summary> <hr> .bazelrc <ul><li>Add remote execution profile with BuildBuddy executor<br> <li> Configure platform and toolchain settings for remote builds<br> <li> Set Java version requirements and build metadata<br> <li> Add remote timeout and strict action environment</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1648/files#diff-544556920c45b42cbfe40159b082ce8af6bd929e492d076769226265f215832f">+18/-0</a>    </td> </tr> </table></td></tr><tr><td><strong>Dependencies</strong></td><td><table> <tr> <td> <details> <summary><strong>MODULE.bazel</strong><dd><code>Add BuildBuddy toolchain dependencies</code>                                        </dd></summary> <hr> MODULE.bazel <ul><li>Add BuildBuddy toolchain dependency with archive override<br> <li> Configure toolchain extension and repository mapping<br> <li> Set specific commit hash and integrity for toolchain</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1648/files#diff-6136fc12446089c3db7360e923203dd114b6a1466252e71667c6791c20fe6bdc">+21/-0</a>    </td> </tr> </table></td></tr></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-09-19 02:27:41 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1648#issuecomment-3310287980
Original created: 2025-09-19T02:27:41Z

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 Security concerns

Sensitive information exposure:
The build metadata includes git@github.com:carverauto/serviceradar.git. If BuildBuddy or other systems surface build metadata publicly or to multi-tenant logs, this could reveal internal repo location. Validate visibility settings or consider using a non-sensitive URL or omitting this metadata.

⚡ Recommended focus areas for review

Config Robustness

The remote execution settings hardcode BuildBuddy toolchain targets and Java 11; verify these align with all target platforms and do not conflict with existing toolchains or local builds when using --config=remote.

# Remote execution profile (opt-in via --config=remote).
build:remote --remote_executor=grpcs://remote.buildbuddy.io
build:remote --host_platform=@buildbuddy_toolchain//:platform_linux_x86_64
build:remote --platforms=@buildbuddy_toolchain//:platform_linux_x86_64
build:remote --extra_execution_platforms=@buildbuddy_toolchain//:platform_linux_x86_64
build:remote --crosstool_top=@buildbuddy_toolchain//:toolchain
build:remote --extra_toolchains=@buildbuddy_toolchain//:cc_toolchain
build:remote --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
build:remote --java_language_version=11
build:remote --tool_java_language_version=11
build:remote --java_runtime_version=remotejdk_11
build:remote --tool_java_runtime_version=remotejdk_11
build:remote --define=EXECUTOR=remote
build:remote --incompatible_strict_action_env
build:remote --remote_timeout=10m

Pin Integrity

The archive_override pins a specific commit and integrity for BuildBuddy toolchains; ensure the sha256 and strip_prefix match the tarball and that repo_name mapping aligns with references in .bazelrc (e.g., @buildbuddy_toolchain).

archive_override(
    module_name = "toolchains_buildbuddy",
    integrity = "sha256-e6gcgLHmJHvxCNNbCSQ4OrX8FbGn8TiS7XSVphM1ZU8=",
    strip_prefix = "buildbuddy-toolchain-badf8034b2952ec613970a27f24fb140be7eaf73",
    urls = [
        "https://github.com/buildbuddy-io/buildbuddy-toolchain/archive/badf8034b2952ec613970a27f24fb140be7eaf73.tar.gz",
    ],
)

bazel_dep(
    name = "toolchains_buildbuddy",
    repo_name = "io_buildbuddy_buildbuddy_toolchain",
    version = "0.0.1",
)

buildbuddy_toolchain_ext = use_extension(
    "@io_buildbuddy_buildbuddy_toolchain//:extensions.bzl",
    "buildbuddy",
)
use_repo(buildbuddy_toolchain_ext, "buildbuddy_toolchain")

Metadata Exposure

The build metadata embeds the repository SSH URL; confirm this is intended for all environments and won’t leak in publicly accessible build metadata or analytics.

build --build_metadata=REPO_URL=git@github.com:carverauto/serviceradar.git

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1648#issuecomment-3310287980 Original created: 2025-09-19T02:27:41Z --- ## PR Reviewer Guide 🔍 Here are some key observations to aid the review process: <table> <tr><td>⏱️ <strong>Estimated effort to review</strong>: 2 🔵🔵⚪⚪⚪</td></tr> <tr><td>🧪 <strong>No relevant tests</strong></td></tr> <tr><td>🔒 <strong>Security concerns</strong><br><br> <strong>Sensitive information exposure:</strong><br> The build metadata includes `git@github.com:carverauto/serviceradar.git`. If BuildBuddy or other systems surface build metadata publicly or to multi-tenant logs, this could reveal internal repo location. Validate visibility settings or consider using a non-sensitive URL or omitting this metadata.</td></tr> <tr><td>⚡ <strong>Recommended focus areas for review</strong><br><br> <details><summary><a href='https://github.com/carverauto/serviceradar/pull/1648/files#diff-544556920c45b42cbfe40159b082ce8af6bd929e492d076769226265f215832fR33-R48'><strong>Config Robustness</strong></a> The remote execution settings hardcode BuildBuddy toolchain targets and Java 11; verify these align with all target platforms and do not conflict with existing toolchains or local builds when using --config=remote. </summary> ```txt # Remote execution profile (opt-in via --config=remote). build:remote --remote_executor=grpcs://remote.buildbuddy.io build:remote --host_platform=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --platforms=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --extra_execution_platforms=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --crosstool_top=@buildbuddy_toolchain//:toolchain build:remote --extra_toolchains=@buildbuddy_toolchain//:cc_toolchain build:remote --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 build:remote --java_language_version=11 build:remote --tool_java_language_version=11 build:remote --java_runtime_version=remotejdk_11 build:remote --tool_java_runtime_version=remotejdk_11 build:remote --define=EXECUTOR=remote build:remote --incompatible_strict_action_env build:remote --remote_timeout=10m ``` </details> <details><summary><a href='https://github.com/carverauto/serviceradar/pull/1648/files#diff-6136fc12446089c3db7360e923203dd114b6a1466252e71667c6791c20fe6bdcR29-R49'><strong>Pin Integrity</strong></a> The archive_override pins a specific commit and integrity for BuildBuddy toolchains; ensure the sha256 and strip_prefix match the tarball and that repo_name mapping aligns with references in .bazelrc (e.g., @buildbuddy_toolchain). </summary> ```txt archive_override( module_name = "toolchains_buildbuddy", integrity = "sha256-e6gcgLHmJHvxCNNbCSQ4OrX8FbGn8TiS7XSVphM1ZU8=", strip_prefix = "buildbuddy-toolchain-badf8034b2952ec613970a27f24fb140be7eaf73", urls = [ "https://github.com/buildbuddy-io/buildbuddy-toolchain/archive/badf8034b2952ec613970a27f24fb140be7eaf73.tar.gz", ], ) bazel_dep( name = "toolchains_buildbuddy", repo_name = "io_buildbuddy_buildbuddy_toolchain", version = "0.0.1", ) buildbuddy_toolchain_ext = use_extension( "@io_buildbuddy_buildbuddy_toolchain//:extensions.bzl", "buildbuddy", ) use_repo(buildbuddy_toolchain_ext, "buildbuddy_toolchain") ``` </details> <details><summary><a href='https://github.com/carverauto/serviceradar/pull/1648/files#diff-544556920c45b42cbfe40159b082ce8af6bd929e492d076769226265f215832fR49-R49'><strong>Metadata Exposure</strong></a> The build metadata embeds the repository SSH URL; confirm this is intended for all environments and won’t leak in publicly accessible build metadata or analytics. </summary> ```txt build --build_metadata=REPO_URL=git@github.com:carverauto/serviceradar.git ``` </details> </td></tr> </table>

qodo-code-review[bot] commented

2025-09-19 02:28:46 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1648#issuecomment-3310289619
Original created: 2025-09-19T02:28:46Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Add authentication to prevent data leaks Add authentication to the BuildBuddy remote execution configuration to prevent potential data leaks. Use an API key managed in a separate, git-ignored `.bazelrc.local` file. .bazelrc [33-47] +# In .bazelrc +try-import %workspace%/.bazelrc.local + # Remote execution profile (opt-in via --config=remote). build:remote --remote_executor=grpcs://remote.buildbuddy.io build:remote --host_platform=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --platforms=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --extra_execution_platforms=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --crosstool_top=@buildbuddy_toolchain//:toolchain build:remote --extra_toolchains=@buildbuddy_toolchain//:cc_toolchain build:remote --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 build:remote --java_language_version=11 build:remote --tool_java_language_version=11 build:remote --java_runtime_version=remotejdk_11 build:remote --tool_java_runtime_version=remotejdk_11 build:remote --define=EXECUTOR=remote build:remote --incompatible_strict_action_env build:remote --remote_timeout=10m +# In .bazelrc.local (this file should be in .gitignore) +# build:remote --bes_header=x-buildbuddy-api-key=YOUR_API_KEY_HERE + Apply / Chat Suggestion importance[1-10]: 10 __ Why: The suggestion correctly identifies a critical security vulnerability where builds are sent to a public endpoint without authentication, and provides a robust solution using best practices for secret management.	High
High-level	Evaluate security of using public service The suggestion raises a security concern about using BuildBuddy's public remote execution service, which sends source code to a third party. It recommends confirming that this practice complies with the organization's security policies. Examples: .bazelrc [34] `build:remote --remote_executor=grpcs://remote.buildbuddy.io` Solution Walkthrough: Before: `# .bazelrc # CI profile can layer on top of the remote config without re-declaring values. build:ci --keep_going --build_tag_filters=-manual # CI tests should avoid manual-only targets and preserve detailed output. test:ci --test_tag_filters=-manual --test_output=errors # No remote build configuration exists.` After: `# .bazelrc # ... (existing ci config) # Remote execution profile (opt-in via --config=remote). build:remote --remote_executor=grpcs://remote.buildbuddy.io build:remote --host_platform=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --platforms=@buildbuddy_toolchain//:platform_linux_x86_64 # ... other remote configurations build:remote --remote_timeout=10m` Suggestion importance[1-10]: 9 __ Why: This suggestion raises a critical security and policy concern by correctly identifying that using the public BuildBuddy service (`remote.buildbuddy.io`) exposes proprietary source code to a third-party platform.	High
General	Use HTTPS for repository URL Change the `REPO_URL` in the build metadata from an SSH URL to an HTTPS URL to improve build portability and avoid potential authentication issues in CI/CD environments. .bazelrc [49] `-build --build_metadata=REPO_URL=git@github.com:carverauto/serviceradar.git +build --build_metadata=REPO_URL=https://github.com/carverauto/serviceradar.git` Apply / Chat Suggestion importance[1-10]: 5 __ Why: The suggestion improves build portability by replacing the SSH-based `REPO_URL` with an HTTPS URL, which is more robust across different environments like CI/CD systems.	Low
Update

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1648#issuecomment-3310289619 Original created: 2025-09-19T02:28:46Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td><strong>Category</strong></td><td align=left><strong>Suggestion                                                                                                                                    </strong></td><td align=center><strong>Impact</strong></td></tr><tbody><tr><td rowspan=1>Security</td> <td> <details><summary>Add authentication to prevent data leaks</summary> ___ **Add authentication to the BuildBuddy remote execution configuration to prevent <br>potential data leaks. Use an API key managed in a separate, git-ignored <br><code>.bazelrc.local</code> file.** [.bazelrc [33-47]](https://github.com/carverauto/serviceradar/pull/1648/files#diff-544556920c45b42cbfe40159b082ce8af6bd929e492d076769226265f215832fR33-R47) ```diff +# In .bazelrc +try-import %workspace%/.bazelrc.local + # Remote execution profile (opt-in via --config=remote). build:remote --remote_executor=grpcs://remote.buildbuddy.io build:remote --host_platform=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --platforms=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --extra_execution_platforms=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --crosstool_top=@buildbuddy_toolchain//:toolchain build:remote --extra_toolchains=@buildbuddy_toolchain//:cc_toolchain build:remote --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 build:remote --java_language_version=11 build:remote --tool_java_language_version=11 build:remote --java_runtime_version=remotejdk_11 build:remote --tool_java_runtime_version=remotejdk_11 build:remote --define=EXECUTOR=remote build:remote --incompatible_strict_action_env build:remote --remote_timeout=10m +# In .bazelrc.local (this file should be in .gitignore) +# build:remote --bes_header=x-buildbuddy-api-key=YOUR_API_KEY_HERE + ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 10</summary> __ Why: The suggestion correctly identifies a critical security vulnerability where builds are sent to a public endpoint without authentication, and provides a robust solution using best practices for secret management. </details></details></td><td align=center>High </td></tr><tr><td rowspan=1>High-level</td> <td> <details><summary>Evaluate security of using public service</summary> ___ **The suggestion raises a security concern about using BuildBuddy's public remote <br>execution service, which sends source code to a third party. It recommends <br>confirming that this practice complies with the organization's security <br>policies.** ### Examples: <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1648/files#diff-544556920c45b42cbfe40159b082ce8af6bd929e492d076769226265f215832fR34-R34">.bazelrc [34]</a> </summary> ```bazel build:remote --remote_executor=grpcs://remote.buildbuddy.io ``` </details> ### Solution Walkthrough: #### Before: ```bazel # .bazelrc # CI profile can layer on top of the remote config without re-declaring values. build:ci --keep_going --build_tag_filters=-manual # CI tests should avoid manual-only targets and preserve detailed output. test:ci --test_tag_filters=-manual --test_output=errors # No remote build configuration exists. ``` #### After: ```bazel # .bazelrc # ... (existing ci config) # Remote execution profile (opt-in via --config=remote). build:remote --remote_executor=grpcs://remote.buildbuddy.io build:remote --host_platform=@buildbuddy_toolchain//:platform_linux_x86_64 build:remote --platforms=@buildbuddy_toolchain//:platform_linux_x86_64 # ... other remote configurations build:remote --remote_timeout=10m ``` <details><summary>Suggestion importance[1-10]: 9</summary> __ Why: This suggestion raises a critical security and policy concern by correctly identifying that using the public BuildBuddy service (`remote.buildbuddy.io`) exposes proprietary source code to a third-party platform. </details></details></td><td align=center>High </td></tr><tr><td rowspan=1>General</td> <td> <details><summary>Use HTTPS for repository URL</summary> ___ **Change the <code>REPO_URL</code> in the build metadata from an SSH URL to an HTTPS URL to <br>improve build portability and avoid potential authentication issues in CI/CD <br>environments.** [.bazelrc [49]](https://github.com/carverauto/serviceradar/pull/1648/files#diff-544556920c45b42cbfe40159b082ce8af6bd929e492d076769226265f215832fR49-R49) ```diff -build --build_metadata=REPO_URL=git@github.com:carverauto/serviceradar.git +build --build_metadata=REPO_URL=https://github.com/carverauto/serviceradar.git ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 5</summary> __ Why: The suggestion improves build portability by replacing the SSH-based `REPO_URL` with an HTTPS URL, which is more robust across different environments like CI/CD systems. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td><td></td></tr></tbody></table>