refactor: improve copy.sh

.gitignore

@@ -1,3 +1,6 @@
+# ignoring e2e MODULE.bazel.lock for the time being
+# see https://github.com/bazelbuild/bazel/issues/20369
+e2e/smoke/MODULE.bazel.lock
 bazel-*
 .bazelrc.user
 .idea/

WORKSPACE.bazel

@@ -36,11 +36,20 @@ load("@bullseye//:packages.bzl", "bullseye_packages")
 
 bullseye_packages()
 
-# bazel run @apt_security//:lock
+deb_index(
+    name = "bullseye_nolock",
+    manifest = "//examples/debian_snapshot:bullseye_nolock.yaml",
+    nolock = True,
+)
+
+load("@bullseye_nolock//:packages.bzl", "bullseye_nolock_packages")
+
+bullseye_nolock_packages()
+
 deb_index(
     name = "apt_security",
-    # lock = "//examples/debian_snapshot_security:security.lock.json",
     manifest = "//examples/debian_snapshot_security:security.yaml",
+    nolock = True,
 )
 
 load("@apt_security//:packages.bzl", "apt_security_packages")

apt/extensions.bzl

@@ -20,8 +20,9 @@ def _distroless_extension(module_ctx):
                     install.resolve_transitive,
                 )
 
-                # buildifier: disable=print
-                print("\nNo lockfile was given, please run `bazel run @%s//:lock` to create the lockfile." % install.name)
+                if not install.nolock:
+                    # buildifier: disable=print
+                    print("\nNo lockfile was given, please run `bazel run @%s//:lock` to create the lockfile." % install.name)
             else:
                 lockf = lockfile.from_json(module_ctx, module_ctx.read(install.lock))
 
@@ -65,6 +66,10 @@ def _distroless_extension(module_ctx):
 install = tag_class(attrs = {
     "name": attr.string(doc = "Name of the generated repository"),
     "lock": attr.label(doc = """The lock file to use for the index."""),
+    "nolock": attr.bool(
+        doc = """If you explicitly want to run without a lock, set it to True to avoid the DEBUG messages.""",
+        default = False,
+    ),
     "manifest": attr.label(doc = """The file used to generate the lock file"""),
     "resolve_transitive": attr.bool(
         doc = """Whether dependencies of dependencies should be resolved and added to the lockfile.""",

apt/index.bzl

@@ -7,6 +7,7 @@ def deb_index(
         name,
         manifest,
         lock = None,
+        nolock = False,
         package_template = None,
         resolve_transitive = True):
     """A convience repository macro for apt rules.
@@ -20,9 +21,13 @@ def deb_index(
 
     deb_index(
         name = "bullseye",
-        # For the initial setup, the lockfile attribute can be omitted and generated by running
+        # For the initial setup, the lockfile attribute can be omitted and
+        # generated by running
         #    bazel run @bullseye//:lock
-        # This will generate the lock.json file next to the manifest file by replacing `.yaml` with `.lock.json`
+        # This will generate the lock.json file next to the manifest file by
+        # replacing `.yaml` with `.lock.json`.
+        # If you explicitly want to run without a lock, set nolock to True to
+        # avoid the DEBUG messages
         lock = "//examples/apt:bullseye.lock.json",
         manifest = "//examples/apt:bullseye.yaml",
     )
@@ -57,6 +62,8 @@ def deb_index(
 
     While we strongly encourage users to check in the generated lockfile, it's not always possible because Debian repositories are rolling by default. Therefore, a lockfile generated today might not work later if the upstream repository removes or publishes a new version of a package.
 
+    If you explicitly want to run without a lock, set the `nolock` attribute to True to avoid the DEBUG messages.
+
     #### Snapshot repositories
 
     ##### Debian
@@ -73,6 +80,7 @@ def deb_index(
         name: name of the repository
         manifest: label to a `manifest.yaml`
         lock: label to a `lock.json`
+        nolock: bool, set to True if you explicitly want to run without a lock and avoid the DEBUG messages.
         package_template: (EXPERIMENTAL!) a template file for generated BUILD files.
           Available template replacement keys are: `{target_name}`, `{deps}`, `{urls}`, `{name}`, `{arch}`, `{sha256}`, `{repo_name}`
         resolve_transitive: whether dependencies of dependencies should be resolved and added to the lockfile.
@@ -83,7 +91,7 @@ def deb_index(
         resolve_transitive = resolve_transitive,
     )
 
-    if not lock:
+    if not lock and not nolock:
         # buildifier: disable=print
         print("\nNo lockfile was given, please run `bazel run @%s//:lock` to create the lockfile." % name)
 

apt/private/BUILD.bazel

@@ -3,6 +3,7 @@ load("@bazel_skylib//:bzl_library.bzl", "bzl_library")
 exports_files([
     "dpkg_statusd.sh",
     "dpkg_status.sh",
+    "copy.sh.tmpl",
     "package.BUILD.tmpl",
 ])
 

apt/private/copy.sh.tmpl

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -o pipefail -o errexit -o nounset
+
+lock=$(realpath "$1")
+autofix=${{2:-}}
+
+cd "$BUILD_WORKING_DIRECTORY"
+
+echo
+echo "Writing lockfile to {workspace_relative_path}"
+cp "$lock" "{workspace_relative_path}"
+
+# Detect which file we wish the user to edit
+if [ -e "$BUILD_WORKSPACE_DIRECTORY/WORKSPACE" ]; then
+     wksp_file="WORKSPACE"
+elif [ -e "$BUILD_WORKSPACE_DIRECTORY/WORKSPACE.bazel" ]; then
+     wksp_file="WORKSPACE.bazel"
+elif [ -e "$BUILD_WORKSPACE_DIRECTORY/MODULE.bazel" ]; then
+    wksp_file="MODULE.bazel"
+else
+    echo>&2 "Error: no MODULE.bazel or WORKSPACE file was found"
+    exit 1
+fi
+
+# Detect a vendored buildozer binary in canonical location (tools/buildozer)
+if [ -e "$BUILD_WORKSPACE_DIRECTORY/tools/buildozer" ]; then
+    buildozer="tools/buildozer"
+else
+    # Assume it's on the $PATH
+    buildozer="buildozer"
+fi
+
+echo
+
+cmd="$buildozer 'set lock \"{lock_label}\"' $wksp_file:{repo_name}"
+
+if [[ "$autofix" == "--autofix" ]]; then
+    eval "$cmd"
+else
+    cat <<EOF
+Run the following command to add the 'lock' attribute
+to the "{repo_name}" repo in $wksp_file:
+
+    $cmd
+
+or run the following command to do it automatically:
+
+    bazel run @{repo_name}//:lock -- --autofix
+EOF
+fi

apt/private/resolve.bzl

@@ -83,48 +83,6 @@ def internal_resolve(rctx, yq_toolchain_prefix, manifest, include_transitive):
                 lockf.add_package_dependency(package, dep, arch)
     return lockf
 
-_COPY_SH_TMPL = """\
-#!/usr/bin/env bash
-set -o pipefail -o errexit -o nounset
-
-lock=$(realpath $1)
-
-cd $BUILD_WORKING_DIRECTORY
-
-echo ''
-echo 'Writing lockfile to {workspace_relative_path}' 
-cp $lock {workspace_relative_path}
-
-# Detect which file we wish the user to edit
-if [ -e $BUILD_WORKSPACE_DIRECTORY/WORKSPACE ]; then
-    wksp_file="WORKSPACE"
-elif [ -e $BUILD_WORKSPACE_DIRECTORY/WORKSPACE.bazel ]; then
-    wksp_file="WORKSPACE.bazel"
-else
-    echo>&2 "Error: neither WORKSPACE nor WORKSPACE.bazel file was found"
-    exit 1
-fi
-
-# Detect a vendored buildozer binary in canonical location (tools/buildozer)
-if [ -e $BUILD_WORKSPACE_DIRECTORY/tools/buildozer ]; then
-    buildozer="tools/buildozer"
-else
-    # Assume it's on the $PATH
-    buildozer="buildozer"
-fi
-
-if [[ "${{2:-}}" == "--autofix" ]]; then
-    echo ''
-    ${{buildozer}} 'set lock \"{label}\"' ${{wksp_file}}:{name}
-else
-    cat <<EOF
-Run the following command to add the lockfile or pass --autofix flag to do it automatically.
-
-   ${{buildozer}} 'set lock \"{label}\"' ${{wksp_file}}:{name}
-EOF
-fi
-"""
-
 _BUILD_TMPL = """
 filegroup(
     name = "lockfile",
@@ -147,16 +105,22 @@ def _deb_resolve_impl(rctx):
     lockf = internal_resolve(rctx, rctx.attr.yq_toolchain_prefix, rctx.attr.manifest, rctx.attr.resolve_transitive)
     lockf.write("lock.json")
 
-    locklabel = rctx.attr.manifest.relative(rctx.attr.manifest.name.replace(".yaml", ".lock.json"))
+    lock_filename = rctx.attr.manifest.name.replace(".yaml", ".lock.json")
+    lock_label = rctx.attr.manifest.relative(lock_filename)
+    workspace_relative_path = "{}{}".format(
+        ("%s/" % lock_label.package) if lock_label.package else "",
+        lock_label.name,
+    )
+
     rctx.file(
         "copy.sh",
-        _COPY_SH_TMPL.format(
-            # TODO: don't assume the canonical -> apparent repo mapping character, as it might change
-            # https://bazelbuild.slack.com/archives/C014RARENH0/p1719237766005439
-            # https://github.com/bazelbuild/bazel/issues/22865
-            name = rctx.name.split("~")[-1],
-            label = locklabel,
-            workspace_relative_path = (("%s/" % locklabel.package) if locklabel.package else "") + locklabel.name,
+        rctx.read(Label("//apt/private:copy.sh.tmpl")).format(
+            # NOTE: the split("~") is needed when we run bazel from another
+            # directory, e.g. when running e2e tests we change dir to e2e/smoke
+            # and then rctx.name is 'rules_distroless~~apt~bullseye'
+            repo_name = rctx.name.split("~")[-1].replace("_resolve", ""),
+            lock_label = lock_label,
+            workspace_relative_path = workspace_relative_path,
         ),
         executable = True,
     )

apt/tests/BUILD.bazel

@@ -1,10 +1,6 @@
-load(":package_resolution_test.bzl", "version_depends_test")
-load(":version_test.bzl", "version_compare_test", "version_parse_test", "version_sort_test")
+load(":package_resolution_test.bzl", "package_resolution_tests")
+load(":version_test.bzl", "version_tests")
 
-version_compare_test(name = "version_compare_test")
+package_resolution_tests()
 
-version_parse_test(name = "version_parse_test")
-
-version_depends_test(name = "version_depends")
-
-version_sort_test(name = "version_sort_test")
+version_tests()