bazel updates for rh9 build targets/RBE platform (#2093) #2536
No reviewers
Labels
No labels
1week
2weeks
Failed compliance check
IP cameras
NATS
Possible security concern
Review effort 1/5
Review effort 2/5
Review effort 3/5
Review effort 4/5
Review effort 5/5
UI
aardvark
accessibility
amd64
api
arm64
auth
back-end
bgp
blog
bug
build
checkers
ci-cd
cleanup
cnpg
codex
core
dependencies
device-management
documentation
duplicate
dusk
ebpf
enhancement
eta 1d
eta 1hr
eta 3d
eta 3hr
feature
fieldsurvey
github_actions
go
good first issue
help wanted
invalid
javascript
k8s
log-collector
mapper
mtr
needs-triage
netflow
network-sweep
observability
oracle
otel
plug-in
proton
python
question
reddit
redhat
research
rperf
rperf-checker
rust
sdk
security
serviceradar-agent
serviceradar-agent-gateway
serviceradar-web
serviceradar-web-ng
siem
snmp
sysmon
topology
ubiquiti
wasm
wontfix
zen-engine
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
carverauto/serviceradar!2536
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "refs/pull/2536/head"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Imported from GitHub pull request.
Original GitHub pull request: #2095
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2095
Original created: 2025-12-10T05:06:51Z
Original updated: 2025-12-10T05:12:47Z
Original head: carverauto/serviceradar:main
Original base: update/rust_edge_onboarding
Original merged: 2025-12-10T05:12:39Z by @mfreeman451
User description
bazel updates for rh9 build targets/RBE platform
fixing runs-on targets
buildah updates
WIP buildah fixes
wip buildah
WIP
reverting buildah stuff
bazel updates
fixing sysmon/zfs builds
el9 update
bazel updates for rh9/sysmon
linted
IMPORTANT: Please sign the Developer Certificate of Origin
Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:
Describe your changes
Issue ticket number and link
Code checklist before requesting a review
PR Type
Enhancement
Description
Add EL9 (RHEL 9) build platform support with ZFS library integration
Separate sysmon package into ZFS and non-ZFS variants for compatibility
Implement custom RPM spec template to disable AutoReq for optional ZFS dependencies
Update GitHub Actions workflows to use arc-runner-set and add EL9 RBE image build
Add manifest flag to release publishing for flexible artifact selection
Diagram Walkthrough
File Walkthrough
12 files
Add manifest flag for flexible artifact selectionSupport custom RPM spec templates in packagingConfigure sysmon with ZFS and non-ZFS variantsSeparate EL9 and standard package targetsNew workflow to build EL9 RBE executor imageAdd EL9 package publishing step to releaseDefine ZFS constraint and EL9 RBE platformAdd sysmon_zfs variant with ZFS feature flagInstall ZFS libraries and update environment pathsSeparate musl and ZFS builder stages for binariesExport custom RPM spec template fileAdd publish_packages_el9 binary for EL9 artifacts8 files
Custom RPM spec disabling AutoReq for ZFSAdd el9 build configuration for RBE platformSwitch to arc-runner-set for page deploymentSwitch to arc-runner-set for lintingSwitch to arc-runner-set for SBOM generationSwitch to arc-runner-set for syft SBOMSwitch to arc-runner-set for Go testsSwitch to arc-runner-set for web linting2 files
Update checkout action to v4Add libzetta dependency for ZFS supportImported GitHub PR comment.
Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2095#issuecomment-3635405563
Original created: 2025-12-10T05:07:46Z
PR Compliance Guide 🔍
Below is a summary of compliance checks for this PR:
No security concerns identified
No security vulnerabilities detected by AI analysis. Human verification advised for critical code.🎫 No ticket provided
Codebase context is not defined
Follow the guide to enable codebase context checks.
Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting
Status: Passed
Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.
Status: Passed
Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.
Status:
Missing Audit Logs: The added EL9 publishing step executes packaging and GitHub release uploads without any
added audit logging of critical actions or outcomes within the new script block.
Referred Code
Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation
Status:
Input Validation: The new --manifest flag value is accepted and used without additional validation of path
existence/format beyond runfile resolution which may mask edge cases when run outside
Bazel.
Referred Code
Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.
Status:
Secrets In Build: The workflow and Docker build steps introduce registry logins and build secrets usage
without explicit safeguards against logging secret values, warranting review of logs for
potential exposure.
Referred Code
Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities
Status:
Workflow Inputs: The new workflow builds and pushes container images using secrets without explicit
validation of inputs or protections beyond defaults, requiring verification that untrusted
PRs cannot exfiltrate secrets on forks.
Referred Code
Compliance status legend
🟢 - Fully Compliant🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
Imported GitHub PR comment.
Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2095#issuecomment-3635407659
Original created: 2025-12-10T05:08:52Z
PR Code Suggestions ✨
Explore these optional code suggestions:
Unify build systems for RPMs
The PR introduces a Bazel-based build for EL9 RPMs but also updates a parallel
Docker-based RPM build system. To reduce redundancy and maintenance, the
Dockerfile-based build should be deprecated in favor of the integrated Bazel
pipeline.
Examples:
docker/rpm/Dockerfile.rpm.sysmon [1-112]
packaging/packages.bzl [627-655]
Solution Walkthrough:
Before:
After:
Suggestion importance[1-10]: 9
__
Why: This suggestion correctly identifies a significant architectural redundancy, as the PR maintains and updates a Docker-based RPM build system in
docker/rpm/Dockerfile.rpm.sysmonalongside the newly enhanced Bazel-based system, increasing long-term maintenance complexity.Avoid hardcoded Docker image tags
Remove the hardcoded Docker image tag
v1.0.23from the metadata extraction stepto reduce maintenance overhead and prevent using stale build environments.
.github/workflows/build-rbe-image-el9.yml [41-51]
Suggestion importance[1-10]: 6
__
Why: The suggestion correctly identifies a hardcoded Docker tag
v1.0.23in multiple files, which is a significant maintenance risk, and proposes a valid improvement to make the workflow more robust.Combine RUN instructions to reduce layers
Combine multiple
RUNinstructions in thezfs-builderstage into a singleinstruction to reduce the number of Docker image layers.
docker/rpm/Dockerfile.rpm.sysmon [32-51]
Suggestion importance[1-10]: 3
__
Why: The suggestion correctly points out a Docker best practice, but since this is a multi-stage build, the impact on the final image size is zero, and the effect on build time is minimal due to layer caching.
Imported GitHub PR comment.
Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2095#issuecomment-3635416777
Original created: 2025-12-10T05:12:46Z
CI Feedback 🧐
A test triggered by this PR failed. Here is an AI-generated analysis of the failure:
Action: Dependabot
Failed stage: Run Dependabot [❌]
Failure summary:
Dependabot security update failed for the Cargo dependency
remove_dir_all:- Latest resolvable
version in this repo is
0.5.3- Lowest non-vulnerable (patched) version is
0.8.0(advisory affects<0.8.0)- Because
0.8.0(or higher) could not be resolved under current constraints, the securityupdate was not possible.
- Action exited with code 1 after reporting
security_update_not_possiblefor
remove_dir_all.Relevant error logs: