[rules score] make sphinx build fully hermetic #293
hoe-jo commented Jun 24, 2026
- include graphviz
- rework plantuml integration
- include graphviz system deps as rootfs
Coverage Report
Coverage report was generated. Full report can be downloaded from the CI artifacts (expand Artifacts at the bottom of the run). Overall coverage rate:
2652b05 to
43e99d7
fefdf1c to
e72fe7c
| # Build exclude paths string - colon-separated list | ||
| exclude_paths = ":".join(ctx.attr.exclude_paths) if ctx.attr.exclude_paths else "" | ||
|
|
||
| wrapper_script = """#!/usr/bin/env bash |
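Review bot: The `if ctx.attr.exclude_paths else ""` guard on the `exclude_paths` line is redundant, because `":".join([])` already returns an empty string. More importantly, nothing on these lines rejects an entry that itself contains `:`, so such an entry would silently become two paths once the string is read back as a colon-separated list. Suggest dropping the conditional and calling `fail()` at analysis time when any entry contains a colon.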
Would be fair to make this script also "sh" compliant. That way, we drop dependency on bash.
| bazel_dep(name = "download_utils", version = "1.2.2") | ||
| git_override( | ||
| module_name = "download_utils", | ||
| commit = "3b96912fb6622dda83f25efd1f8ae596fc4a63a6", | ||
| remote = "https://gitlab.arm.com/bazel/download_utils.git", | ||
| ) | ||
|
|
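Review bot: The `git_override` for `download_utils` only takes effect when this module is the root module. When the module is consumed as a dependency, Bazel ignores the override and resolves `version = "1.2.2"` from the registry, so downstream builds do not get the pinned commit. Add a comment saying why the override is needed and whether consumers have to repeat it in their own `MODULE.bazel`.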
| # fakechroot + the x86_64 sysroot binaries only run on a linux/x86_64 host. | ||
| exec_compatible_with = [ | ||
| "@platforms//cpu:x86_64", | ||
| "@platforms//os:linux", | ||
| ], | ||
| # Prune plugins whose X11/pango/GD dependencies are absent from this minimal | ||
| # sysroot (they cannot be dlopened, causing dot -c to crash). Use find (not | ||
| # a hardcoded arch path) so the rule works on both amd64 and aarch64. |
If we restrict the rule to x86_64 then this comment makes no sense.
| # exec_in_sysroot.sh) so glibc-level filesystem calls inside dot (e.g. | ||
| # opening the graphviz plugin directory, reading config6) are transparently | ||
| # redirected into the sysroot. | ||
| exec "${SYSROOT_INTERP}" --library-path "${SYSROOT_LIBPATH}" "${SYSROOT_DIR}/usr/bin/dot" "$@" |
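Review bot: On the `exec` line, `SYSROOT_INTERP`, `SYSROOT_LIBPATH` and `SYSROOT_DIR` are expanded without any check that they are set. If `SYSROOT_DIR` is empty, `"${SYSROOT_DIR}/usr/bin/dot"` resolves to the host's `/usr/bin/dot`, which would then be loaded through the sysroot interpreter and defeat the hermeticity this launcher exists for. Use `${SYSROOT_DIR:?}` (and the same form for the other two) so the launcher aborts with a clear error instead.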
This is overly complex.
Ideally this should be:
| exec "${SYSROOT_INTERP}" --library-path "${SYSROOT_LIBPATH}" "${SYSROOT_DIR}/usr/bin/dot" "$@" | |
| /usr/bin/dot "$@" |
The rest either must go into exec_in_sysroot or be dropped.
| 2. **Host shell tools.** The sysroot-rework and extraction actions run under a | ||
| POSIX `sh` and use standard coreutils (`find`, `mktemp`, `chmod`, `rm`), | ||
| assumed present in the build environment. The generated `dot` launcher itself | ||
| requires `bash`, because it sources Bazel's `runfiles.bash` library (there is | ||
| no POSIX-`sh` runfiles equivalent in `@bazel_tools`). |
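Review bot: "assumed present in the build environment" in item 2 leaves `sh`, `find`, `mktemp`, `chmod` and `rm` resolved from the host, which is an undeclared input for a build described as fully hermetic. State explicitly that these tools sit outside the hermetic closure, and note that the actions rely only on POSIX options so that hosts with different coreutils implementations behave the same.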
There should be an equivalent. Potentially rules_shell?
- include graphviz
- rework plantuml integration
- include graphviz system deps via fakechroot

Co-authored-by: Ulrich Huber <ulrich@huberulrich.de>

- exec_in_sysroot.sh: compute SYSROOT_INTERP and SYSROOT_LIBPATH, export them, and add SYSROOT_INTERP to FAKECHROOT_EXCLUDE_PATH so fakechroot does not intercept the interpreter's own exec
- exec_in_sysroot.bzl: rewrite _setup_block() to invoke each sysroot_setup_commands entry via sysroot's ld-linux.so
- dot.sh: replace /usr/bin/dot exec with sysroot-interpreter-based invocation using SYSROOT_INTERP / SYSROOT_LIBPATH / SYSROOT_DIR
- BUILD: add exclude_paths = ["/tmp"] to the dot exec_in_sysroot target so PlantUML's temp .dot/.svg files in /tmp are not chrooted
- Adapt conf.py to use the predefined variables
e72fe7c to
9861f3e
9861f3e to
10d92ea
| validation, runs optional host/sysroot setup commands while the tree is | ||
| writable, and repackages the result into a single `<name>.tar` archive. | ||
|
|
||
| Requires a Debian/Ubuntu multiarch sysroot (x86_64 or aarch64). |
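Review bot: The sentence ending "repackages the result into a single `<name>.tar` archive" does not say whether that archive is reproducible. Because the tree is modified by setup commands before repackaging, file order, mtimes and ownership can differ between runs and change the archive digest, which hurts caching and makes the sysroot harder to verify. Document (or enforce) sorted entries, a fixed mtime and numeric owner for the output tar, and say that the optional host setup commands depend on host tools.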
| Requires a Debian/Ubuntu multiarch sysroot (x86_64 or aarch64). |
| The sysroot archive is expected to be prepared by a prepare_sysroot rule, | ||
| which performs plugin pruning / post-install setup once and caches the result. | ||
|
|
||
| Requires a Debian/Ubuntu multiarch sysroot (x86_64 or aarch64). |
| Requires a Debian/Ubuntu multiarch sysroot (x86_64 or aarch64). |
- Remove duplicate implementation of sysroot-execution
- Extract Shell script into template
- Update Docs
10d92ea to
3e6f292