Add googletest Bazel dep#497
Conversation
The vendored googletest instance at libs/3rparty/googletest is incompatible with newer Bazel versions. Instead we include the equivalent version from the google central registry as a Bazel dep directly. Change-Id: Idc1ce43aadedb3caeda3455b6f0f7af9f5496e63
christian-schilling
left a comment
There was a problem hiding this comment.
I don't think this is a good idea.
We vendor for a reason and there must be a way to make bazel work with a vendored googletest.
On top of that, see: https://mikael.barbero.tech/blog/post/2026-03-24-stop-trusting-mutable-references/
There was a problem hiding this comment.
By which mean is the checked-in version in libs/3rdparty incopatible with bazel? It is just a copy of the official https://github.com/google/googletest.git right? Until now we do not yet have any usage of googletest?
Regarding mutable references: I think since we have checked in the MODULE.bazel.lock we are save in a sense that we pin to the explicit hashes stored in there. Of course in the end it depends on whether we have validated that whatever we now have pinned is also "okay".
|
Thank you for the input @christian-schilling
Can you elaborate why you think that it is not a good idea? There's a few alternative solutions but depending on the "why" some of them won't make sense either. The problem is that the old (four years old) googletest instance is just not compatible with newer Bazel versions ( If you dislike pulling in a Bazel dependency via the official Bazel Central Registry (BCR), we can apply the patch manually in the vendored instance.
As Christoph mentioned, the mutable-reference window exists only until the lockfile is updated. After I ran |
|
Bonus question: |
|
As Christoph suggested it seems we can also remove the transitive depedencies from the googltest patch and it still seems to work. We can do that if the priority is to avoid using the bazel_dep system. This is then totally untested of course and we're diverging from the official solution. |
5673e1e to
9d010bc
Compare
Change-Id: Iaee7155277d998ab7066a5975cfaff6aa90a4ee6
9d010bc to
5cac980
Compare
Yes. So I think which each external single point of failure we are adding to the build we are cumulatively making the build less reliable especially when considering the long term. As much as possible the build should be able to run with network completely disabled. That's much more secure and also more reliable. So I strongly suggest treating every reliance on any external infrastructure as a liability that needs to offer massive value to make up for the long term risks it introduces. I don't see that here. Not even close. Also: I understand correctly with this change the bzl and cmake builds would use different googletest sources? That does not sound very desirable either.
Of course that all also applies to transitive dependencies. A good way to test this would be to actually build in containers with There's a few alternative solutions but depending on the "why" some of them won't make sense either. The problem is that the old (four years old) googletest instance is just not compatible with newer Bazel versions (
Lockfile is of course better than just tags. Didn't know about that. |
|
My proposal would be for now:
|
Agreed 👍🏻 |


Add googletest Bazel dep
The vendored googletest v1.12.1 instance at libs/3rparty/googletest is incompatible with newer Bazel versions.
Instead we include the equivalent version from the google central registry as a Bazel dep directly.