refactor: cleanup toolchains (#57)

.bazelrc

@@ -3,6 +3,7 @@
 # Settings that apply only to CI are in .github/workflows/ci.bazelrc
 
 build --incompatible_strict_action_env
+common --nolegacy_external_runfiles
 
 # Load any settings specific to the current user.
 # .bazelrc.user should appear in .gitignore so that settings are not shared with team members

.github/workflows/ci.bazelrc

@@ -15,6 +15,9 @@ test --test_env=XDG_CACHE_HOME
 # Allow DOCKER_HOST to leak into test actions
 test --test_env=DOCKER_HOST
 
+# Disable legacy external runfiles
+common --nolegacy_external_runfiles
+
 # try to import platform specific overrides
 try-import %workspace%/.github/workflows/darwin.bazelrc
 

cosign/toolchain.bzl

@@ -19,9 +19,7 @@ def _cosign_toolchain_impl(ctx):
         files = depset([binary]),
         runfiles = ctx.runfiles(files = [binary]),
     )
-    cosign_info = CosignInfo(
-        binary = binary,
-    )
+    cosign_info = CosignInfo(binary = binary)
 
     # Export all the providers inside our ToolchainInfo
     # so the resolved_toolchain rule can grab and re-export them.

example/attach/BUILD.bazel

@@ -22,7 +22,7 @@ sh_test(
     args = [
         "$(COSIGN_BIN)",
         "$(CRANE_BIN)",
-        "$(LAUNCHER)",
+        "$(LAUNCHER_WRAPPER)",
         "$(location :attach)",
         "$(location :image)",
         "$(location sbom.spdx)",

example/attach/test.bash

@@ -1,16 +1,17 @@
 #!/usr/bin/env bash
 set -o pipefail -o errexit -o nounset
 
-readonly COSIGN="$1"
-readonly CRANE="$2"
-readonly REGISTRY_LAUNCHER="$3"
+readonly COSIGN="${1/external\//../}"
+readonly CRANE="${2/external\//../}"
+readonly REGISTRY_LAUNCHER="${3/external\//../}"
 readonly ATTACHER="$4"
 readonly IMAGE_PATH="$5"
 readonly SBOM_PATH="$6"
 
+
 # Launch a registry instance at a random port
 source "${REGISTRY_LAUNCHER}"
-start_registry $TEST_TMPDIR $TEST_TMPDIR/output.log
+REGISTRY=$(start_registry $TEST_TMPDIR $TEST_TMPDIR/output.log)
 echo "Registry is running at ${REGISTRY}"
 
 readonly REPOSITORY="${REGISTRY}/local" 

example/push/BUILD.bazel

@@ -9,41 +9,40 @@ oci_image(
 
 oci_push(
     name = "push_image",
+    default_tags = ["latest"],
     image = ":image",
     repository = "index.docker.io/<ORG>/image",
-    default_tags = ["latest"]
 )
 
 oci_push(
     name = "push_image_wo_tags",
     image = ":image",
-    repository = "index.docker.io/<ORG>/image"
+    repository = "index.docker.io/<ORG>/image",
 )
 
 oci_image_index(
     name = "image_index",
     images = [
-        ":image"
-    ]
+        ":image",
+    ],
 )
 
 oci_push(
     name = "push_image_index",
+    default_tags = ["nightly"],
     image = ":image_index",
     repository = "index.docker.io/<ORG>/image",
-    default_tags = ["nightly"]
 )
 
-
 sh_test(
     name = "test",
     srcs = ["test.bash"],
     args = [
         "$(CRANE_BIN)",
-        "$(LAUNCHER)",
+        "$(LAUNCHER_WRAPPER)",
         "$(location :push_image)",
         "$(location :push_image_index)",
-        "$(location :push_image_wo_tags)"
+        "$(location :push_image_wo_tags)",
     ],
     data = [
         ":push_image",

example/push/test.bash

@@ -1,12 +1,12 @@
 #!/usr/bin/env bash
 set -o pipefail -o errexit -o nounset
 
-readonly CRANE="$1"
-readonly REGISTRY_LAUNCHER="$2"
+readonly CRANE="${1/external\//../}"
+readonly REGISTRY_LAUNCHER="${2/external\//../}"
 
 # Launch a registry instance at a random port
 source "${REGISTRY_LAUNCHER}"
-start_registry $TEST_TMPDIR $TEST_TMPDIR/output.log
+REGISTRY=$(start_registry $TEST_TMPDIR $TEST_TMPDIR/output.log)
 echo "Registry is running at ${REGISTRY}"
 
 

example/sign/BUILD.bazel

@@ -31,7 +31,7 @@ sh_test(
     args = [
         "$(CRANE_BIN)",
         "$(COSIGN_BIN)",
-        "$(LAUNCHER)",
+        "$(LAUNCHER_WRAPPER)",
         "$(location :sign)",
         "$(location :image)",
     ],

example/sign/test.bash

@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 set -o pipefail -o errexit -o nounset
 
-readonly CRANE="$1"
-readonly COSIGN="$2"
-readonly REGISTRY_LAUNCHER="$3"
+readonly CRANE="${1/external\//../}"
+readonly COSIGN="${2/external\//../}"
+readonly REGISTRY_LAUNCHER="${3/external\//../}"
 readonly IMAGE_SIGNER="$4"
 readonly IMAGE="$5"
 
 # Launch a registry instance at a random port
 source "${REGISTRY_LAUNCHER}"
-start_registry $TEST_TMPDIR $TEST_TMPDIR/output.log
+REGISTRY=$(start_registry $TEST_TMPDIR $TEST_TMPDIR/output.log)
 echo "Registry is running at ${REGISTRY}"
 
 readonly REPOSITORY="${REGISTRY}/local" 

oci/dependencies.bzl

@@ -38,7 +38,7 @@ def rules_oci_dependencies():
 
     http_archive(
         name = "aspect_bazel_lib",
-        sha256 = "be236556c7b9c7b91cb370e837fdcec62b6e8893408cd4465ae883c9d7c67024",
-        strip_prefix = "bazel-lib-1.18.0",
-        url = "https://github.com/aspect-build/bazel-lib/archive/refs/tags/v1.18.0.tar.gz",
+        sha256 = "79623d656aa23ad3fd4692ab99786c613cd36e49f5566469ed97bc9b4c655f03",
+        strip_prefix = "bazel-lib-1.23.3",
+        url = "https://github.com/aspect-build/bazel-lib/archive/refs/tags/v1.23.3.tar.gz",
     )

oci/private/BUILD.bazel

@@ -9,7 +9,8 @@ exports_files([
     "image.sh.tpl",
     "image_index.sh.tpl",
     "tarball.sh.tpl",
-    "push.sh.tpl"
+    "push.sh.tpl",
+    "zot_launcher.sh.tpl",
 ])
 
 filegroup(

oci/private/image.bzl

@@ -91,8 +91,8 @@ def _oci_image_impl(ctx):
         output = launcher,
         is_executable = True,
         substitutions = {
-            "{{registry_launcher_path}}": registry.registry_info.launcher_path,
-            "{{crane_path}}": crane.crane_info.crane_path,
+            "{{registry_launcher_path}}": registry.registry_info.launcher.path,
+            "{{crane_path}}": crane.crane_info.binary.path,
             "{{jq_path}}": jq.jqinfo.bin.path,
             "{{storage_dir}}": "/".join([ctx.bin_dir.path, ctx.label.package, "storage_%s" % ctx.label.name]),
         },
@@ -146,7 +146,8 @@ def _oci_image_impl(ctx):
         arguments = [args],
         outputs = [output],
         executable = launcher,
-        tools = crane.crane_info.crane_files + registry.registry_info.registry_files + [jq.jqinfo.bin],
+        tools = [crane.crane_info.binary, registry.registry_info.launcher, registry.registry_info.registry, jq.jqinfo.bin],
+        mnemonic = "OCIImage",
         progress_message = "OCI Image %{label}",
     )
 

oci/private/image.sh.tpl

@@ -5,6 +5,11 @@ set -o pipefail -o errexit -o nounset
 # Then invokes crane with arguments provided after substituting `oci:registry` with REGISTRY variable exported by start_registry.
 # NB: --output argument is an option only understood by this wrapper and will pull artifact image into a oci layout.
 
+readonly REGISTRY_LAUNCHER="{{registry_launcher_path}}"
+readonly CRANE="{{crane_path}}"
+readonly JQ="{{jq_path}}"
+readonly STORAGE_DIR="{{storage_dir}}"
+
 readonly STDERR=$(mktemp)
 
 silent_on_success() {
@@ -15,9 +20,6 @@ silent_on_success() {
 }
 trap "silent_on_success" EXIT
 
-# this will redirect stderr(2) to stderr file.
-{
-
 function get_option() {
     local name=$1
     shift
@@ -30,7 +32,8 @@ function get_option() {
 
 
 function empty_base() {
-    local ref="$REGISTRY/oci/empty_base:latest"
+    local registry=$1
+    local ref="$registry/oci/empty_base:latest"
     # TODO: https://github.com/google/go-containerregistry/issues/1513
     ref="$("${CRANE}" append --oci-empty-base -t "${ref}" -f <(tar -cf tarfilename.tar -T /dev/null))"
     ref=$("${CRANE}" config "${ref}" | "${JQ}"  ".rootfs.diff_ids = [] | .history = []" | "${CRANE}" edit config "${ref}")
@@ -53,18 +56,15 @@ function base_from_layout() {
     # TODO: https://github.com/google/go-containerregistry/issues/1514
     local refs=$(mktemp)
     local oci_layout_path=$1
-    "${CRANE}" push "${oci_layout_path}" "${REGISTRY}/oci/layout:latest" --image-refs "${refs}"
+    local registry=$2
+    "${CRANE}" push "${oci_layout_path}" "${registry}/oci/layout:latest" --image-refs "${refs}"
     cat "${refs}"
 }
 
-readonly REGISTRY_LAUNCHER="{{registry_launcher_path}}"
-readonly CRANE="{{crane_path}}"
-readonly JQ="{{jq_path}}"
-readonly STORAGE_DIR="{{storage_dir}}"
-
+# this will redirect stderr(2) to stderr file.
+{
 source "${REGISTRY_LAUNCHER}"
-mkdir -p "${STORAGE_DIR}"
-start_registry "${STORAGE_DIR}" "${STDERR}"
+readonly REGISTRY=$(start_registry "${STORAGE_DIR}" "${STDERR}")
 
 OUTPUT=""
 WORKDIR=""
@@ -74,8 +74,8 @@ ENV_EXPANSIONS=()
 for ARG in "$@"; do
     case "$ARG" in
         (oci:registry*) FIXED_ARGS+=("${ARG/oci:registry/$REGISTRY}") ;;
-        (oci:empty_base) FIXED_ARGS+=("$(empty_base $@)") ;;
-        (oci:layout*) FIXED_ARGS+=("$(base_from_layout ${ARG/oci:layout\/})") ;;
+        (oci:empty_base) FIXED_ARGS+=("$(empty_base $REGISTRY $@)") ;;
+        (oci:layout*) FIXED_ARGS+=("$(base_from_layout ${ARG/oci:layout\/} $REGISTRY)") ;;
         (--env=*\${*}* | --env=*\$*) ENV_EXPANSIONS+=(${ARG#--env=}) ;;
         (--output=*) OUTPUT="${ARG#--output=}" ;;
         (--workdir=*) WORKDIR="${ARG#--workdir=}" ;;

oci/private/image_index.bzl

@@ -41,6 +41,7 @@ def _expand_image_to_args(image, expander):
 
 def _oci_image_index_impl(ctx):
     yq = ctx.toolchains["@aspect_bazel_lib//lib:yq_toolchain_type"]
+    coreutils = ctx.toolchains["@aspect_bazel_lib//lib:coreutils_toolchain_type"]
 
     launcher = ctx.actions.declare_file("image_index_{}.sh".format(ctx.label.name))
     ctx.actions.expand_template(
@@ -49,6 +50,7 @@ def _oci_image_index_impl(ctx):
         is_executable = True,
         substitutions = {
             "{{yq_path}}": yq.yqinfo.bin.path,
+            "{{coreutils_path}}": coreutils.coreutils_info.bin.path,
         },
     )
 
@@ -63,7 +65,7 @@ def _oci_image_index_impl(ctx):
         arguments = [args],
         outputs = [output],
         executable = launcher,
-        tools = [yq.yqinfo.bin],
+        tools = [yq.yqinfo.bin, coreutils.coreutils_info.bin],
         progress_message = "OCI Index %{label}",
     )
 
@@ -75,5 +77,6 @@ oci_image_index = rule(
     doc = _DOC,
     toolchains = [
         "@aspect_bazel_lib//lib:yq_toolchain_type",
+        "@aspect_bazel_lib//lib:coreutils_toolchain_type",
     ],
 )

oci/private/image_index.sh.tpl

@@ -2,7 +2,7 @@
 set -o pipefail -o errexit -o nounset
 
 readonly YQ="{{yq_path}}"
-
+readonly COREUTILS="{{coreutils_path}}"
 
 function add_image() {
     local image_path="$1"
@@ -27,13 +27,13 @@ function copy_blob() {
     local output_path="$2"
     local blob_image_relative_path="$3"
     local dest_path="${output_path}/${blob_image_relative_path}"
-    mkdir -p "$(dirname "${dest_path}")"
-    cat "${image_path}/${blob_image_relative_path}" > "${dest_path}"
+    "${COREUTILS}" mkdir -p "$(dirname "${dest_path}")"
+    "${COREUTILS}" cat "${image_path}/${blob_image_relative_path}" > "${dest_path}"
 }
 
 function create_oci_layout() {
     local path="$1"
-    mkdir -p "${path}"
+    "${COREUTILS}" mkdir -p "${path}"
 
     echo '{"imageLayoutVersion": "1.0.0"}' > "${path}/oci-layout" 
     echo '{"schemaVersion": 2, "manifests": []}' > "${path}/index.json"
@@ -53,9 +53,9 @@ for ARG in "$@"; do
 done
 
 
-export checksum=$(shasum -a 256 "${OUTPUT}/manifest_list.json" | cut -f 1 -d " ")
-export size=$(wc -c < "${OUTPUT}/manifest_list.json")
+export checksum=$("${COREUTILS}" sha256sum "${OUTPUT}/manifest_list.json" | "${COREUTILS}" cut -f 1 -d " ")
+export size=$("${COREUTILS}" wc -c < "${OUTPUT}/manifest_list.json")
 
 "${YQ}" --inplace --output-format=json '.manifests += [{"mediaType": "application/vnd.oci.image.index.v1+json", "size": env(size), "digest": "sha256:" + env(checksum)}]' "$OUTPUT/index.json"
 
-mv "${OUTPUT}/manifest_list.json" "$OUTPUT/blobs/sha256/${checksum}"
+"${COREUTILS}" mv "${OUTPUT}/manifest_list.json" "$OUTPUT/blobs/sha256/${checksum}"

oci/private/push.bzl

@@ -88,7 +88,7 @@ def _impl(ctx):
         output = executable,
         is_executable = True,
         substitutions = {
-            "{{crane_path}}": crane.crane_info.crane_path,
+            "{{crane_path}}": crane.crane_info.binary.short_path,
             "{{yq_path}}": jq.yqinfo.bin.short_path,
             "{{image_dir}}": ctx.file.image.short_path,
             "{{fixed_args}}": " ".join(_quote_args(fixed_args)),

oci/private/structure_test.bzl

@@ -44,13 +44,13 @@ def _structure_test_impl(ctx):
     ctx.actions.write(
         launcher,
         content = CMD.format(
-            st_path = st_info.structure_test_path,
+            st_path = st_info.binary.short_path,
             fixed_args = " ".join(fixed_args),
         ),
         is_executable = True,
     )
 
-    runfiles = ctx.runfiles(files = ctx.files.image + ctx.files.config + st_info.structure_test_files)
+    runfiles = ctx.runfiles(files = ctx.files.image + ctx.files.config + [st_info.binary])
 
     return DefaultInfo(runfiles = runfiles, executable = launcher)
 

oci/private/tarball.bzl

@@ -68,11 +68,11 @@ def _tarball_impl(ctx):
         output = executable,
         is_executable = True,
         substitutions = {
-            "%yq%": yq_bin.path,
-            "%image_dir%": image.path,
-            "%blobs_dir%": blobs.path,
-            "%manifest_path%": manifest.path,
-            "%repotags%": json.encode(ctx.attr.repotags),
+            "{{yq}}": yq_bin.path,
+            "{{image_dir}}": image.path,
+            "{{blobs_dir}}": blobs.path,
+            "{{manifest_path}}": manifest.path,
+            "{{repotags}}": json.encode(ctx.attr.repotags),
         },
     )
 

oci/private/tarball.sh.tpl

@@ -1,11 +1,11 @@
 #!/usr/bin/env bash
 set -o pipefail -o errexit -o nounset
 
-readonly YQ="%yq%"
-readonly IMAGE_DIR="%image_dir%"
-readonly BLOBS_DIR="%blobs_dir%"
-readonly REPOTAGS='%repotags%'
-readonly TARBALL_MANIFEST_PATH="%manifest_path%"
+readonly YQ="{{yq}}"
+readonly IMAGE_DIR="{{image_dir}}"
+readonly BLOBS_DIR="{{blobs_dir}}"
+readonly REPOTAGS='{{repotags}}'
+readonly TARBALL_MANIFEST_PATH="{{manifest_path}}"
 
 MANIFEST_DIGEST=$(${YQ} eval '.manifests[0].digest | sub(":"; "/")' "${IMAGE_DIR}/index.json")
 MANIFEST_BLOB_PATH="${IMAGE_DIR}/blobs/${MANIFEST_DIGEST}"