Conversation

@fmeum
Collaborator

@fmeum fmeum commented Dec 1, 2025

RELNOTES: Bazel modules from a registry that don't include a REPO.bazel file now automatically have a package_metadata target with their PURL injected and registered as the default for all targets in the module repo. Any module that is patched locally via a single_version_override will receive a deterministic version modifier that is unique on a best-effort basis.

@fmeum fmeum force-pushed the inject-package-metadata branch 5 times, most recently from 0abce9f to 4ad0d6f Compare December 2, 2025 08:59
@fmeum fmeum marked this pull request as ready for review December 2, 2025 09:10
@fmeum fmeum requested a review from fweikert December 2, 2025 09:10
@github-actions github-actions bot added team-ExternalDeps External dependency handling, remote repositiories, WORKSPACE file. awaiting-review PR is awaiting review from an assigned reviewer labels Dec 2, 2025
@fmeum
Collaborator Author

fmeum commented Dec 2, 2025

FYI @mzeren-vmw @Yannic

@meteorcloudy
Member

Does the PURL fragment already provide license info?

FYI @kotlaja this might be useful for the GDC Bzlmod migration.

@fmeum
Collaborator Author

fmeum commented Dec 2, 2025

Does the PURL fragment already provide license info?

It doesn't, but it uniquely identifies the source for that info. My personal opinion is that "Bazel module <-> Bazel PURL" is a trivial one-to-one mapping and "Bazel module -> license" is a function that can only be evaluated by a lawyer, so it makes sense to automate the "Bazel module -> PURL" part and let users figure out the "PURL -> license" part, perhaps even out of band.

@aiuto

aiuto commented Dec 2, 2025

It doesn't, but it uniquely identifies the source for that info. My personal opinion is that "Bazel module <-> Bazel PURL" is a trivial one-to-one mapping

Well... not really. Because with module overrides, you can get local patches which make my code labeled as purl=x different from your code labeled as purl=X. PURLs are like any other URL, they are sort of a hint more than anything precise.
OTOH, we recognize this in the supply chain tools and will let you override licenses and other attestations by purl or target.

@meteorcloudy meteorcloudy added awaiting-PR-merge PR has been approved by a reviewer and is ready to be merge internally and removed awaiting-review PR is awaiting review from an assigned reviewer labels Dec 3, 2025
@meteorcloudy
Member

@fweikert Please also take a look

@fmeum
Collaborator Author

fmeum commented Dec 3, 2025

I can send a follow-up PR to address @aiuto's concern: In the case of a single_version_override, we can append a hash of all patches to the version number as a new segment. This ensures that patches are always visible on the SBOM level.
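The mechanism proposed in the comment above, as an added example that is not code from this PR or from Bazel: a deterministic digest over a module's local patches is appended to its version, so two checkouts that apply different single_version_override patches no longer collapse onto the same identifier in an SBOM (the concern raised earlier in the thread). The `pkg:bazel` PURL type, the `+patched.<digest>` segment format and the sample patch sets are assumptions made for this example.

```python
import hashlib
from typing import Mapping, Optional
from urllib.parse import quote

# Constructed sample patch sets (not real patches from any module).
# PATCHES_A is deliberately given in non-sorted order to show order independence.
PATCHES_A = {
    "0002-drop-test.patch": b"--- a/test.bzl\n+++ b/test.bzl\n@@ -1 +1 @@\n-t\n+\n",
    "0001-fix-build.patch": b"--- a/BUILD\n+++ b/BUILD\n@@ -1 +1 @@\n-x\n+y\n",
}
PATCHES_B = {
    "0001-fix-build.patch": b"--- a/BUILD\n+++ b/BUILD\n@@ -1 +1 @@\n-x\n+z\n",
}


def patch_set_digest(patches: Mapping[str, bytes]) -> str:
    """Deterministic digest of a patch set.

    Patches are hashed in sorted-name order, and every name and body is
    length-prefixed, so two distinct sets can never produce the same byte
    stream (e.g. name "ab" with body "c" vs. name "a" with body "bc").
    """
    h = hashlib.sha256()
    for name in sorted(patches):
        for part in (name.encode("utf-8"), patches[name]):
            h.update(len(part).to_bytes(8, "big"))
            h.update(part)
    return h.hexdigest()[:16]


def effective_version(version: str, patches: Optional[Mapping[str, bytes]]) -> str:
    """Return the version unchanged for a pristine module; otherwise append an
    assumed '+patched.<digest>' segment carrying the patch-set digest."""
    if not patches:
        return version
    return f"{version}+patched.{patch_set_digest(patches)}"


def module_purl(name: str, version: str,
                patches: Optional[Mapping[str, bytes]] = None) -> str:
    """Build an assumed 'pkg:bazel/<name>@<version>' PURL; name and version are
    percent-encoded conservatively so the '+' separator survives as %2B."""
    ver = effective_version(version, patches)
    return f"pkg:bazel/{quote(name, safe='')}@{quote(ver, safe='')}"
```

A consumer comparing SBOMs can thus tell a patched module apart from the registry artifact by the presence of the extra segment, while identical patch sets still map to the same identifier.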

github-merge-queue bot pushed a commit to bazel-contrib/supply-chain that referenced this pull request Dec 3, 2025
Allows targets to be tagged as manual.
This is relevant for bazelbuild/bazel#27829: if
we inject targets, we don't want folks to be confused by them showing up
in their bazel build @rrepo//....
@fmeum
Collaborator Author

fmeum commented Dec 3, 2025

@bazel-io fork 9.0.0

@meteorcloudy
Member

@fmeum We have some test failures on RBE during import: https://buildkite.com/bazel/google-bazel-presubmit/builds/98041

Maybe try to rebase to HEAD and see if it reproduces on the PR?

@fmeum
Collaborator Author

fmeum commented Dec 4, 2025

I will take a look and address @aiuto's comment along the way.

@meteorcloudy
Member

Oh, postsubmit is red since https://buildkite.com/bazel/bazel-bazel/builds/34042

@meteorcloudy
Member

Postsubmit is due to some RBE infra change, we are fixing it.

@fmeum fmeum force-pushed the inject-package-metadata branch from eaa95a2 to 66af745 Compare December 4, 2025 21:36
@fmeum fmeum force-pushed the inject-package-metadata branch from 66af745 to 6bf21d1 Compare December 4, 2025 21:38
@fmeum fmeum requested a review from meteorcloudy December 4, 2025 21:57
@fmeum
Collaborator Author

fmeum commented Dec 4, 2025

@aiuto Could you take another look? I hope I addressed your concern.
