carverauto/serviceradar

Fork 0

Chore/fixing pub pkgs #2451

Closed

mfreeman451 wants to merge 4 commits from refs/pull/2451/head into main

mfreeman451 commented

2025-11-23 15:49:02 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #1983
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1983
Original created: 2025-11-23T15:49:02Z
Original updated: 2025-12-08T06:54:38Z
Original head: carverauto/serviceradar:chore/fixing_pub_pkgs
Original base: main

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement, Bug fix

Description

Add rpmbuild toolchain detection and installation in CI/CD pipeline
Configure local packaging execution to ensure rpmbuild availability
Create new linux_pkg_local platform for local RPM package builds
Disable remote execution/cache during packaging workflow steps

Diagram Walkthrough

flowchart LR
  A["CI/CD Release Workflow"] --> B["Install rpmbuild & rpm tools"]
  B --> C["Refresh Bazel externals"]
  C --> D["Disable remote exec/cache"]
  D --> E["Build packages locally"]
  F["New linux_pkg_local platform"] --> E
  E --> G["Publish Debian & RPM packages"]

File Walkthrough

Relevant files

Configuration changes

release.yml

Configure local RPM packaging in release workflow

.github/workflows/release.yml

Added step to install rpmbuild and rpm tools with verification
Added step to refresh Bazel externals after rpm installation
Added step to disable remote executor and cache for packaging
Modified package publishing to use local config instead of remote RBE
Added platform constraints and rpmbuild availability flag to bazel run
command

+33/-2

BUILD.bazel

Add linux_pkg_local platform for local packaging

build/platforms/BUILD.bazel

Added new linux_pkg_local platform definition
Configured platform with Linux OS and x86_64 CPU constraints
Added @rules_pkg//pkg:not_compatible constraint for RPM compatibility
Set public visibility for the new platform

+11/-0

Imported from GitHub pull request. Original GitHub pull request: #1983 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/1983 Original created: 2025-11-23T15:49:02Z Original updated: 2025-12-08T06:54:38Z Original head: carverauto/serviceradar:chore/fixing_pub_pkgs Original base: main --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement, Bug fix ___ ### **Description** - Add rpmbuild toolchain detection and installation in CI/CD pipeline - Configure local packaging execution to ensure rpmbuild availability - Create new linux_pkg_local platform for local RPM package builds - Disable remote execution/cache during packaging workflow steps ___ ### Diagram Walkthrough ```mermaid flowchart LR A["CI/CD Release Workflow"] --> B["Install rpmbuild & rpm tools"] B --> C["Refresh Bazel externals"] C --> D["Disable remote exec/cache"] D --> E["Build packages locally"] F["New linux_pkg_local platform"] --> E E --> G["Publish Debian & RPM packages"] ``` <details> <summary><h3> File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Configuration changes</td><td><table> <tr> <td> <details> <summary>release.yml<dd><code>Configure local RPM packaging in release workflow</code>                </dd></summary> <hr> .github/workflows/release.yml <ul><li>Added step to install rpmbuild and rpm tools with verification <li> Added step to refresh Bazel externals after rpm installation <li> Added step to disable remote executor and cache for packaging <li> Modified package publishing to use local config instead of remote RBE <li> Added platform constraints and rpmbuild availability flag to bazel run command</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1983/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34">+33/-2</a>    </td> </tr> <tr> <td> <details> <summary>BUILD.bazel<dd><code>Add linux_pkg_local platform for local packaging</code>                  </dd></summary> <hr> build/platforms/BUILD.bazel <ul><li>Added new <code>linux_pkg_local</code> platform definition <li> Configured platform with Linux OS and x86_64 CPU constraints <li> Added <code>@rules_pkg//pkg:not_compatible</code> constraint for RPM compatibility <li> Set public visibility for the new platform</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1983/files#diff-d7da264d8f13c39aafc9e2343c3f9649ee1b143f653edda46521f21378a8467e">+11/-0</a>    </td> </tr> </table></td></tr></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-11-23 15:49:24 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1983#issuecomment-3568096909
Original created: 2025-11-23T15:49:24Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Unpinned package install Description: Using 'sudo apt-get update' and installing packages directly in CI without pinning versions or verifying package integrity can enable supply chain attacks or break reproducible builds if upstream packages are compromised or change unexpectedly. release.yml [75-81] Referred Code `sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version`
	Execution isolation risk Description: Overwriting '.bazelrc.remote' in CI to disable remote cache/execution could unintentionally persist across steps or jobs and weaken isolation guarantees, risking leakage of secrets via local execution logs or differing trust boundaries unless the workspace is cleaned between steps. release.yml [221-226] Referred Code `# Clear remote settings so packaging runs entirely on the runner. cat > .bazelrc.remote <<'EOF' build --remote_executor= build --remote_cache= build --remote_download_minimal EOF`
	Local build supply chain Description: Forcing local Bazel execution with '--config=no_remote' and host/local platforms increases reliance on the runner environment; if untrusted code or dependencies are built, this can elevate risk of supply chain compromise compared to controlled remote executors. release.yml [268-274] Referred Code `--config=no_remote \ --host_platform=@local_config_platform//:host \ --platforms=//build/platforms:linux_pkg_local \ --//toolchains/rpm:is_rpmbuild_available=1 \ --stamp \ //release:publish_packages \ -- "${args[@]}"`
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing Auditing: The added CI steps perform critical actions (package installation, cache/exec configuration, and publishing) without emitting structured audit logs containing actor, timestamp, action, and outcome details. Referred Code - name: Ensure rpmbuild available for rules_pkg toolchain run: \| sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version - name: Refresh Bazel externals after rpm install run: \| # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary. if command -v bazel >/dev/null 2>&1; then bazel clean --expunge else echo "bazel not yet installed; skipping clean (Bazelisk step will follow)" >&2 fi - name: Configure BuildBuddy remote cache if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }} ... (clipped 182 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Shallow Errors: Shell steps use simple command failures and a single explicit exit without comprehensive checks or contextual error messages for edge cases (e.g., apt failures, bazel unavailability, write failures to .bazelrc.remote). Referred Code - name: Ensure rpmbuild available for rules_pkg toolchain run: \| sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version - name: Refresh Bazel externals after rpm install run: \| # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary. if command -v bazel >/dev/null 2>&1; then bazel clean --expunge else echo "bazel not yet installed; skipping clean (Bazelisk step will follow)" >&2 fi - name: Configure BuildBuddy remote cache if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }} ... (clipped 134 lines) Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1983#issuecomment-3568096909 Original created: 2025-11-23T15:49:24Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=3>⚪</td> <td><details><summary>Unpinned package install </summary> Description: Using 'sudo apt-get update' and installing packages directly in CI without pinning versions or verifying package integrity can enable supply chain attacks or break reproducible builds if upstream packages are compromised or change unexpectedly. <a href='https://github.com/carverauto/serviceradar/pull/1983/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R75-R81'>release.yml [75-81]</a> <details open><summary>Referred Code</summary> ```yaml sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version ``` </details></details></td></tr> <tr><td><details><summary>Execution isolation risk </summary> Description: Overwriting '.bazelrc.remote' in CI to disable remote cache/execution could unintentionally persist across steps or jobs and weaken isolation guarantees, risking leakage of secrets via local execution logs or differing trust boundaries unless the workspace is cleaned between steps. <a href='https://github.com/carverauto/serviceradar/pull/1983/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R221-R226'>release.yml [221-226]</a> <details open><summary>Referred Code</summary> ```yaml # Clear remote settings so packaging runs entirely on the runner. cat > .bazelrc.remote <<'EOF' build --remote_executor= build --remote_cache= build --remote_download_minimal EOF ``` </details></details></td></tr> <tr><td><details><summary>Local build supply chain </summary> Description: Forcing local Bazel execution with '--config=no_remote' and host/local platforms increases reliance on the runner environment; if untrusted code or dependencies are built, this can elevate risk of supply chain compromise compared to controlled remote executors. <a href='https://github.com/carverauto/serviceradar/pull/1983/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R268-R274'>release.yml [268-274]</a> <details open><summary>Referred Code</summary> ```yaml --config=no_remote \ --host_platform=@local_config_platform//:host \ --platforms=//build/platforms:linux_pkg_local \ --//toolchains/rpm:is_rpmbuild_available=1 \ --stamp \ //release:publish_packages \ -- "${args[@]}" ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=4>🟢</td><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=2>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1983/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R73-R275'>Missing Auditing</a>: The added CI steps perform critical actions (package installation, cache/exec configuration, and publishing) without emitting structured audit logs containing actor, timestamp, action, and outcome details. <details open><summary>Referred Code</summary> ```yaml - name: Ensure rpmbuild available for rules_pkg toolchain run: | sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version - name: Refresh Bazel externals after rpm install run: | # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary. if command -v bazel >/dev/null 2>&1; then bazel clean --expunge else echo "bazel not yet installed; skipping clean (Bazelisk step will follow)" >&2 fi - name: Configure BuildBuddy remote cache if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }} ... (clipped 182 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1983/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R73-R227'>Shallow Errors</a>: Shell steps use simple command failures and a single explicit exit without comprehensive checks or contextual error messages for edge cases (e.g., apt failures, bazel unavailability, write failures to .bazelrc.remote). <details open><summary>Referred Code</summary> ```yaml - name: Ensure rpmbuild available for rules_pkg toolchain run: | sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version - name: Refresh Bazel externals after rpm install run: | # Force the rules_pkg rpmbuild toolchain to re-detect the system rpmbuild binary. if command -v bazel >/dev/null 2>&1; then bazel clean --expunge else echo "bazel not yet installed; skipping clean (Bazelisk step will follow)" >&2 fi - name: Configure BuildBuddy remote cache if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }} ... (clipped 134 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2025-11-23 15:50:26 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1983#issuecomment-3568097707
Original created: 2025-11-23T15:50:26Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Use a custom RBE container image Instead of disabling remote build execution (RBE) and installing `rpmbuild` locally, create a custom RBE Docker image that includes `rpmbuild`. This maintains a fully remote, consistent, and cached build process. Examples: .github/workflows/release.yml [73-91] `- name: Ensure rpmbuild available for rules_pkg toolchain run: \| sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version ... (clipped 9 lines)` .github/workflows/release.yml [219-274] `- name: Disable remote exec/cache for packaging run: \| # Clear remote settings so packaging runs entirely on the runner. cat > .bazelrc.remote <<'EOF' build --remote_executor= build --remote_cache= build --remote_download_minimal EOF - name: Publish Debian and RPM packages ... (clipped 46 lines)` Solution Walkthrough: Before: `# .github/workflows/release.yml - name: Ensure rpmbuild available for rules_pkg toolchain run: \| sudo apt-get install -y rpm bazel clean --expunge - name: Disable remote exec/cache for packaging run: \| echo "build --remote_executor=" > .bazelrc.remote echo "build --remote_cache=" >> .bazelrc.remote - name: Publish Debian and RPM packages run: \| bazel run \ --config=no_remote \ --platforms=//build/platforms:linux_pkg_local \ ...` After: `# Dockerfile for custom RBE image FROM gcr.io/cloud-marketplace/google/rbe-ubuntu:latest RUN apt-get update && apt-get install -y rpm # .bazelrc (or similar config) # Point to the custom RBE image build:remote --remote_executor_docker_image=gcr.io/my-project/rbe-with-rpmbuild:latest # .github/workflows/release.yml # No local installation or remote disabling needed. - name: Publish Debian and RPM packages run: \| bazel run \ --config=remote \ ...` Suggestion importance[1-10]: 9 __ Why: This is a significant architectural suggestion that proposes a more robust, scalable, and idiomatic solution for using RBE, addressing the performance and consistency drawbacks of the PR's hybrid build approach.	High
Possible issue	Use correct rpmbuild availability constraint Replace the incorrect `@rules_pkg//pkg:not_compatible` constraint with the correct `@rules_pkg//pkg:rpmbuild_available` to properly signal `rpmbuild` availability for the platform. build/platforms/BUILD.bazel [39-48] `# Local Linux platform that explicitly satisfies rules_pkg's rpm compatibility gate. platform( name = "linux_pkg_local", constraint_values = [ "@platforms//os:linux", "@platforms//cpu:x86_64", - "@rules_pkg//pkg:not_compatible", + "@rules_pkg//pkg:rpmbuild_available", ], visibility = ["//visibility:public"], )` Apply / Chat Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a critical error in the Bazel platform definition that would likely cause build failures, and provides the correct constraint to fix it.	High
General	Simplify and optimize package installation Remove the redundant `rpm2cpio` package from the installation step and combine the `apt-get update` and `apt-get install` commands for better efficiency. .github/workflows/release.yml [73-81] `- name: Ensure rpmbuild available for rules_pkg toolchain run: \| - sudo apt-get update -y - sudo apt-get install -y rpm rpm2cpio + sudo apt-get update -y && sudo apt-get install -y rpm if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version` Apply / Chat Suggestion importance[1-10]: 4 __ Why: The suggestion correctly identifies a redundant package installation and applies a best practice for `apt-get` usage in CI, which slightly improves script efficiency and clarity.	Low
More

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1983#issuecomment-3568097707 Original created: 2025-11-23T15:50:26Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=1>High-level</td> <td> <details><summary>Use a custom RBE container image</summary> ___ **Instead of disabling remote build execution (RBE) and installing <code>rpmbuild</code> locally, create a custom RBE Docker image that includes <code>rpmbuild</code>. This maintains a fully remote, consistent, and cached build process.** ### Examples: <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1983/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R73-R91">.github/workflows/release.yml [73-91]</a> </summary> ```yaml - name: Ensure rpmbuild available for rules_pkg toolchain run: | sudo apt-get update -y sudo apt-get install -y rpm rpm2cpio if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version ... (clipped 9 lines) ``` </details> <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1983/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R219-R274">.github/workflows/release.yml [219-274]</a> </summary> ```yaml - name: Disable remote exec/cache for packaging run: | # Clear remote settings so packaging runs entirely on the runner. cat > .bazelrc.remote <<'EOF' build --remote_executor= build --remote_cache= build --remote_download_minimal EOF - name: Publish Debian and RPM packages ... (clipped 46 lines) ``` </details> ### Solution Walkthrough: #### Before: ```yaml # .github/workflows/release.yml - name: Ensure rpmbuild available for rules_pkg toolchain run: | sudo apt-get install -y rpm bazel clean --expunge - name: Disable remote exec/cache for packaging run: | echo "build --remote_executor=" > .bazelrc.remote echo "build --remote_cache=" >> .bazelrc.remote - name: Publish Debian and RPM packages run: | bazel run \ --config=no_remote \ --platforms=//build/platforms:linux_pkg_local \ ... ``` #### After: ```yaml # Dockerfile for custom RBE image FROM gcr.io/cloud-marketplace/google/rbe-ubuntu:latest RUN apt-get update && apt-get install -y rpm # .bazelrc (or similar config) # Point to the custom RBE image build:remote --remote_executor_docker_image=gcr.io/my-project/rbe-with-rpmbuild:latest # .github/workflows/release.yml # No local installation or remote disabling needed. - name: Publish Debian and RPM packages run: | bazel run \ --config=remote \ ... ``` <details><summary>Suggestion importance[1-10]: 9</summary> __ Why: This is a significant architectural suggestion that proposes a more robust, scalable, and idiomatic solution for using RBE, addressing the performance and consistency drawbacks of the PR's hybrid build approach. </details></details></td><td align=center>High </td></tr><tr><td rowspan=1>Possible issue</td> <td> <details><summary>Use correct rpmbuild availability constraint</summary> ___ **Replace the incorrect <code>@rules_pkg//pkg:not_compatible</code> constraint with the correct <code>@rules_pkg//pkg:rpmbuild_available</code> to properly signal <code>rpmbuild</code> availability for the platform.** [build/platforms/BUILD.bazel [39-48]](https://github.com/carverauto/serviceradar/pull/1983/files#diff-d7da264d8f13c39aafc9e2343c3f9649ee1b143f653edda46521f21378a8467eR39-R48) ```diff # Local Linux platform that explicitly satisfies rules_pkg's rpm compatibility gate. platform( name = "linux_pkg_local", constraint_values = [ "@platforms//os:linux", "@platforms//cpu:x86_64", - "@rules_pkg//pkg:not_compatible", + "@rules_pkg//pkg:rpmbuild_available", ], visibility = ["//visibility:public"], ) ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 9</summary> __ Why: The suggestion correctly identifies a critical error in the Bazel platform definition that would likely cause build failures, and provides the correct constraint to fix it. </details></details></td><td align=center>High </td></tr><tr><td rowspan=1>General</td> <td> <details><summary>Simplify and optimize package installation</summary> ___ **Remove the redundant <code>rpm2cpio</code> package from the installation step and combine the <code>apt-get update</code> and <code>apt-get install</code> commands for better efficiency.** [.github/workflows/release.yml [73-81]](https://github.com/carverauto/serviceradar/pull/1983/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R73-R81) ```diff - name: Ensure rpmbuild available for rules_pkg toolchain run: | - sudo apt-get update -y - sudo apt-get install -y rpm rpm2cpio + sudo apt-get update -y && sudo apt-get install -y rpm if ! command -v rpmbuild >/dev/null 2>&1; then echo "rpmbuild not found after install" >&2 exit 1 fi rpmbuild --version ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 4</summary> __ Why: The suggestion correctly identifies a redundant package installation and applies a best practice for `apt-get` usage in CI, which slightly improves script efficiency and clarity. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] More  </td><td></td></tr></tbody></table>