-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bazel: support bzlmod #13658
Comments
Seems like we can treat this as a new Renovate "manager" with name bzlmod while keeping the existing/legacy bazel in place? Also looks like we need a new datasource for the registry part. |
Hi there, You're requesting support for a new package manager. We need to know some basic information about this package manager first. Please copy/paste the new package manager questionnaire, and fill it out in full. Once the questionnaire is filled out we will evaluate if adding support for this manager is something we want to do. Good luck, The Renovate team |
I think, @alexeagle could probably do a better job than I, since I think he's contributing and probably knows the folks leading it. Alex, would you be down? |
Yeah I'd like to help with this. The feature is still experimental until later this year. Bazel official repos use renovate too, we can probably get help from upstream. |
Hey there, just a ping since the Bazel team has re-committed to this new dependency manager in their next major release 6.0. As a concrete example, this spot https://github.com/aspect-build/rules_js/blob/main/MODULE.bazel#L9 ought to get updated whenever https://github.com/bazelbuild/bazel-central-registry/blob/main/modules/aspect_bazel_lib/metadata.json has a new release. |
Hi @alexeagle. Can you or anyone else involved fill out our questionnaire? i.e. #13658 (comment) This looks like it's essentially a brand new package manager, even if we decide to keep with the "bazel" naming and support both old and new at the same time. |
New package manager questionnaireDid you read our documentation on adding a package manager?
BasicsName of package managerbzlmod What language does this support?starlark (Bazel's configuration language) How popular is this package manager?Not at all yet, but presumably after Bazel 6.0, most Bazel users will migrate to it. Does this language have other (competing?) package managers?
Package File DetectionWhat type of package files and names does it use?
What fileMatch pattern(s) should be used?
Is it likely that many users would need to extend this pattern for custom file names?
Is the fileMatch pattern likely to get many "false hits" for files that have nothing to do with package management?Don't think soParsing and ExtractionCan package files have "local" links to each other that need to be resolved?It can link to local packages, but I don't think renovate would need to be aware of those. Is there a reason why package files need to be parsed together (in serial) instead of independently?There's only one such file. What format/syntax is the package file in?
Starlark How do you suggest parsing the file?
There are parsers in a few languages, e.g. bazelbuild/starlark-go - but renovate already supports Bazel's existing Does the package file structure distinguish between different "types" of dependencies? e.g. production dependencies, development dependencies, etc?
List all the sources/syntaxes of dependencies that can be extractedDescribe which types of dependencies above are supported and which will be implemented in futureVersioningWhat versioning scheme does the package file(s) use?Semver Does this versioning scheme support range constraints, e.g.
|
FYI the launch for this new package manager is coming up in the next 4-6 weeks, as the primary new feature of Bazel 6.0 |
Does bzlmod replace WORKSPACE, or is its purpose to move bazel "modules" out of WORKSPACE and e.g. references to docker images or maven packages will still remain in WORKSPACE files? https://registry.bazel.build/ is a front for https://github.com/bazelbuild/bazel-central-registry. Does it have a documented API? On the other hand the syntax for a custom registry is this:
This implies we might be best to use github to query the default registry so that we have a consistent approach for both the default registry as well as custom registries. FWIW I wonder why there was the need to standardize I note the absence of release timestamps for bazel modules. Intentional, or you hope they will be reverse engineered from the commit they reference? |
Sorry I've been on vacation- @fmeum can probably help to answer. |
Not every Bazel repository will also be a Bazel module. After a migration period where most users will use both All non-Bazel-aware dependencies will continue loaded via the same
Yes, the docs are here.
No, as explained in the docs I linked above, a registry can be used under any base URL. GitHub isn't special-cased in any way, it's just that it happens to be a common source and users should know that they have to use
The registry doesn't contain such metadata explicitly, but it could be set to the author time of the commit that added it. What would such a timestamp be used for? It is not too late to influence the design of the registry if that would help tools such as Renovate interact with it better. |
In addition to the above, it should also be noted that bzlmod supports a relaxed version of semver with an arbitrary number of components (rather than just |
Users find it helpful to know how old a release which Renovate is proposing is. 1 hour? 1 day? 1 week? etc. Additionally some users like to use this programmatically, via the Renovate setting |
I think the question still remains about whether Renovate should use the default registry API, or parse its GitHub content directly. If Renovate needs to support alternative registries, and those won't have APIs, it makes sense to have a single, consistent way to parse all registries - i.e. the raw approach instead of API-based. |
All registries, including the default one, have the same API that's fully satisfied by serving static files in the right places. It just so happens that |
Agreed, that would be very useful to have as information. There is an open issue to include the source repo in the metadata for each Bazel module, so individual versions could potentially be linked to releases in those repos as well. |
FYI now that Bazel 6.0.0 final has shipped, and this new package manager is no longer experimental, some users have started to adopt it. |
Nothing is currently planned. Personally I don't have time right now unfortunately. I suggest the best approach would be to call it a new package manager |
Regarding the versioning scheme, bzlmod doesn't actually require SemVer https://bazel.build/external/module#version_format. Versions like AFAIK lockfiles are planned as well bazelbuild/bazel#14554. Since a proposal hasn't been draftet yet I'd guess is that those will be part of bzlmod with bazel 7, 8 or 9. |
The Bzlmod lockfile proposal is here: https://docs.google.com/document/d/1HPeH_L-lRK54g8A27gv0q7cbk18nwJ-jOq_14XEiZdc/edit#heading=h.5mcn15i0e1ch |
FYI. I am starting work on implementing bzlmod support. @rarkins Is it possible to assign the issue to me? |
🎉 This issue has been resolved in version 35.123.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
What would you like Renovate to be able to do?
Hi, @rarkins. Thanks for the wonderfully great tool that is Renovate. It's been spectacular for our Bazel repo--and we point other Bazel users to you guys every chance we get, including in Bazel tools we've open sourced.
I just stumbled upon some docs indicating that Bazel working to update their external dependency management to use a different, more unified file format, and has a working version out. They call the manager bzlmod. @alexeagle, who I know you've cc'd on Bazel issues before, wrote a great blog post on it. I'll just link, because I certainly can't do a better job describing it here. https://blog.aspect.dev/bzlmod
It'll probably take a bit before things switch over, but I thought I should give a heads, and ask if it'd be something you'd consider supporting with Renovate, especially since I didn't see any other issues mentioning it. As far as I can tell, the need for Renovate with it should be as burning as ever; I haven't seen anything about notifying users about updates on the Bazel side.
Thanks so much for your consideration,
Chris
If you have any ideas on how this should be implemented, please tell us here.
Package fetching would probably need to be from the registry, possibly delegating to Bazel. The actual format is simpler than the current WORKSPACE approach, though it's be in a new file, MODULE.bazel.
The text was updated successfully, but these errors were encountered: