
Build Event for external dependencies used in the invocation #23933

Open
sluongng opened this issue Oct 10, 2024 · 1 comment
Labels
team-ExternalDeps External dependency handling, remote repositories, WORKSPACE file. type: feature request untriaged

Comments

@sluongng (Contributor)

Description of the feature request:

When troubleshooting past invocations, it might be useful to know which dependencies were used in the invocation: information like which version was used, whether any override was applied, which URL it was downloaded from and with what checksum, etc.

Which category does this issue belong to?

No response

What underlying problem are you trying to solve with this feature?

By sending a build event with this information, the BES implementation could help developers identify issues a bit more easily. We can also leverage the build events for downstream supply chain security keeping and identify vulnerabilities faster and more easily.

Which operating system are you running Bazel on?

No response

What is the output of bazel info release?

No response

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

No response

What's the output of git remote get-url origin; git rev-parse HEAD ?

No response

Have you found anything relevant by searching the web?

The current Supply Chain Security approach is mostly oriented around using rules_license's aspect to gather the dependency information. This works but requires additional setup at the code level.

Providing a build event based on bzlmod data would provide a much more sensible default with minimal setup needed. The tradeoff is that you will only get the dependency information at the invocation level and not at the target level, which is fine for smaller use cases.

Any other information, logs, or outputs that you want to share?

No response

@fmeum (Collaborator)

fmeum commented Oct 10, 2024

As a first step, we could announce all Bazel modules and their versions. That's a very manageable and well-defined slice of data. Whether and how individual repos or extension tags should be announced is a more difficult question.
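To make concrete what a BES consumer could do with the data this issue asks for (module name, version, override, download URL, checksum) and with the "modules and their versions" slice fmeum proposes as a first step, here is an added example that is not part of this issue or of Bazel. Bazel has no such event today, so the `externalDependencies` event shape and its field names are assumptions modelled on the fields listed above; the surrounding `started`/`finished` lines mimic the real newline-delimited BEP JSON stream, and the checksum form is the Subresource-Integrity string (`sha256-<base64>`) that bzlmod uses for `integrity`. The sample stream and archive bytes are constructed inline. The consumer inventories the modules, flags which ones had an override applied, and cross-checks each announced integrity against the bytes actually fetched, which is the kind of downstream supply-chain check the request is motivated by.

```python
"""Consumer for a hypothetical 'externalDependencies' build event.

Added example, not Bazel's own code. Bazel does not emit this event;
its shape below is an assumption built from the fields the feature
request lists. Real parts: BEP JSON is one JSON object per line with
an "id" key, and bzlmod checksums are SRI strings like "sha256-<b64>".
"""
import base64
import hashlib
import json

# Constructed stand-in for a fetched module archive (not a real tarball).
SAMPLE_ARCHIVE = b"constructed archive bytes for rules_example 1.2.3\n"


def sri_of(data: bytes, algo: str = "sha256") -> str:
    """Encode a blob's digest as an SRI string, the form bzlmod uses."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def parse_sri(integrity: str) -> tuple[str, bytes]:
    """Split 'algo-base64' into (algo, raw digest); reject anything odd."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512") or not b64:
        raise ValueError(f"malformed integrity string: {integrity!r}")
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError(f"digest length does not match {algo}")
    return algo, digest


def sample_bep_lines() -> list[str]:
    """Constructed BEP stream. The externalDependencies event is hypothetical."""
    events = [
        {"id": {"started": {}}, "started": {"command": "build"}},
        {"id": {"externalDependencies": {}},
         "externalDependencies": {"modules": [
             {"name": "rules_example", "version": "1.2.3", "override": None,
              "url": "https://registry.example.invalid/rules_example-1.2.3.tar.gz",
              "integrity": sri_of(SAMPLE_ARCHIVE)},
             # Local override: nothing was downloaded, so no checksum exists.
             {"name": "local_lib", "version": "0.0.0",
              "override": "local_path_override", "url": None, "integrity": None},
             # Registry module with an override; checksum is a placeholder (32 zero bytes).
             {"name": "patched_dep", "version": "2.0.0",
              "override": "single_version_override",
              "url": "https://registry.example.invalid/patched_dep-2.0.0.tar.gz",
              "integrity": "sha256-" + base64.b64encode(bytes(32)).decode()},
         ]}},
        {"id": {"buildFinished": {}}, "finished": {"overallSuccess": True}},
    ]
    return [json.dumps(e) for e in events]


def extract_modules(bep_lines) -> list[dict]:
    """Return the module list from the first externalDependencies event, else []."""
    for line in bep_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if "externalDependencies" in event.get("id", {}):
            return event["externalDependencies"]["modules"]
    return []


def overridden(modules: list[dict]) -> list[str]:
    """Names of modules whose resolution was changed by an override."""
    return [m["name"] for m in modules if m.get("override") is not None]


def audit(modules: list[dict], fetched: dict[str, bytes]) -> dict[str, str]:
    """Verdict per module: verified / mismatch / unfetched / unpinned / malformed.

    `fetched` maps module name to the bytes that were actually downloaded
    (in practice read from the repository cache); here it is supplied by the caller.
    """
    verdicts = {}
    for m in modules:
        name, integrity = m["name"], m.get("integrity")
        if integrity is None:
            verdicts[name] = "unpinned"      # nothing announced to verify against
            continue
        try:
            algo, expected = parse_sri(integrity)
        except ValueError:
            verdicts[name] = "malformed"
            continue
        if name not in fetched:
            verdicts[name] = "unfetched"     # announced, but we have no bytes to check
            continue
        actual = hashlib.new(algo, fetched[name]).digest()
        verdicts[name] = "verified" if actual == expected else "mismatch"
    return verdicts


if __name__ == "__main__":
    mods = extract_modules(sample_bep_lines())
    print("overrides:", overridden(mods))
    print(audit(mods, {"rules_example": SAMPLE_ARCHIVE, "patched_dep": b"other bytes"}))
```

Running the module prints the override list and one verdict per module; the `unpinned` and `override` cases are kept distinct because a local override legitimately carries no checksum, while a registry module that announces one should always be checkable.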

@sgowroji sgowroji added the team-ExternalDeps External dependency handling, remote repositories, WORKSPACE file. label Oct 10, 2024
5 participants