Use pkg_install to copy binaries to BINARY_OUTPUTS_DIR.

Using a shell script to find and copy the binaries is fragile and error prone -- and splits the configuration between bazel and a shell script. Using `pkg_install` instead solves this problem. Also fix a fix overly broad default package visibilities. scripts/build_target.sh still lists explicit paths; it will be updated as part of a future improvement to the GitHub Actions build process. Change-Id: Ifc5b54fe6edbef04cd3ef967c60364b9b1080966
google-parfait · Aug 22, 2024 · bc4f994 · bc4f994
1 parent a4bc93b
commit bc4f994
Show file tree

Hide file tree

Showing 11 changed files with 40 additions and 29 deletions.
diff --git a/BUILD b/BUILD
@@ -13,6 +13,8 @@
 # limitations under the License.
 
 load("@bazel_toolchains//rules/exec_properties:exec_properties.bzl", "create_rbe_exec_properties_dict")
+load("@rules_pkg//pkg:install.bzl", "pkg_install")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
 
 exports_files([".rustfmt.toml"])
 
@@ -28,3 +30,28 @@ platform(
     ),
     parents = ["@local_config_platform//:host"],
 )
+
+# All artifacts that will be built for release, along with their names in the
+# destination directory.
+_ALL_BINARIES = {
+    "//containers/agg_core:oci_runtime_bundle.tar": "agg_core/container.tar",
+    "//containers/confidential_transform_test_concat:oci_runtime_bundle.tar": "confidential_transform_test_concat/container.tar",
+    "//containers/fed_sql:oci_runtime_bundle.tar": "fed_sql/container.tar",
+    "//containers/sql_server:oci_runtime_bundle.tar": "sql_server/container.tar",
+    "//containers/test_concat:oci_runtime_bundle.tar": "test_concat/container.tar",
+    "//examples/square_enclave_app": "square_example/binary",
+    "//examples/sum_enclave_app": "sum_example/binary",
+    "//ledger_enclave_app": "ledger/binary",
+    "//replicated_ledger_enclave_app": "replicated_ledger/binary",
+}
+
+pkg_files(
+    name = "all_binaries",
+    srcs = _ALL_BINARIES.keys(),
+    renames = _ALL_BINARIES,
+)
+
+pkg_install(
+    name = "install_binaries",
+    srcs = [":all_binaries"],
+)
diff --git a/containers/agg_core/BUILD b/containers/agg_core/BUILD
@@ -16,8 +16,6 @@ load("@oak//bazel:defs.bzl", "oci_runtime_bundle")
 load("@rules_oci//oci:defs.bzl", "oci_image")
 load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
 
-package(default_visibility = ["//:__subpackages__"])
-
 cc_binary(
     name = "main",
     srcs = ["main.cc"],
@@ -47,6 +45,7 @@ oci_image(
 oci_runtime_bundle(
     name = "oci_runtime_bundle",
     image = ":oci_image",
+    visibility = ["//:__pkg__"],
 )
 
 cc_library(

diff --git a/containers/confidential_transform_test_concat/BUILD b/containers/confidential_transform_test_concat/BUILD
@@ -90,4 +90,5 @@ oci_image(
 oci_runtime_bundle(
     name = "oci_runtime_bundle",
     image = ":oci_image",
+    visibility = ["//:__pkg__"],
 )
diff --git a/containers/fed_sql/BUILD b/containers/fed_sql/BUILD
@@ -104,4 +104,5 @@ oci_image(
 oci_runtime_bundle(
     name = "oci_runtime_bundle",
     image = ":oci_image",
+    visibility = ["//:__pkg__"],
 )
diff --git a/containers/sql_server/BUILD b/containers/sql_server/BUILD
@@ -16,8 +16,6 @@ load("@oak//bazel:defs.bzl", "oci_runtime_bundle")
 load("@rules_oci//oci:defs.bzl", "oci_image")
 load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
 
-package(default_visibility = ["//:__subpackages__"])
-
 cc_binary(
     name = "main",
     srcs = ["main.cc"],
@@ -47,6 +45,7 @@ oci_image(
 oci_runtime_bundle(
     name = "oci_runtime_bundle",
     image = ":oci_image",
+    visibility = ["//:__pkg__"],
 )
 
 cc_library(

diff --git a/containers/test_concat/BUILD b/containers/test_concat/BUILD
@@ -45,6 +45,7 @@ oci_image(
 oci_runtime_bundle(
     name = "oci_runtime_bundle",
     image = ":oci_image",
+    visibility = ["//:__pkg__"],
 )
 
 cc_library(

diff --git a/examples/square_enclave_app/BUILD b/examples/square_enclave_app/BUILD
@@ -18,6 +18,7 @@ rust_binary(
     name = "square_enclave_app",
     srcs = glob(["src/*.rs"]),
     platform = "@oak//:x86_64-unknown-none",
+    visibility = ["//:__pkg__"],
     deps = [
         "//examples/square_service",
         "//pipeline_transforms",

diff --git a/examples/sum_enclave_app/BUILD b/examples/sum_enclave_app/BUILD
@@ -18,6 +18,7 @@ rust_binary(
     name = "sum_enclave_app",
     srcs = glob(["src/*.rs"]),
     platform = "@oak//:x86_64-unknown-none",
+    visibility = ["//:__pkg__"],
     deps = [
         "//examples/sum_service",
         "//pipeline_transforms",

diff --git a/ledger_enclave_app/BUILD b/ledger_enclave_app/BUILD
@@ -18,6 +18,7 @@ rust_binary(
     name = "ledger_enclave_app",
     srcs = glob(["src/*.rs"]),
     platform = "@oak//:x86_64-unknown-none",
+    visibility = ["//:__pkg__"],
     deps = [
         "//ledger_service",
         "//third_party/federated_compute",

diff --git a/replicated_ledger_enclave_app/BUILD b/replicated_ledger_enclave_app/BUILD
@@ -18,6 +18,7 @@ rust_binary(
     name = "replicated_ledger_enclave_app",
     srcs = glob(["src/*.rs"]),
     platform = "@oak//:x86_64-unknown-none",
+    visibility = ["//:__pkg__"],
     deps = [
         "//ledger_service",
         "@oak//oak_restricted_kernel_sdk",

diff --git a/scripts/build.sh b/scripts/build.sh
@@ -29,26 +29,11 @@
 set -e
 set -x
 
-readonly WORKSPACE_DIR="$(dirname -- "$0")/.."
 # If bazelisk isn't in user's path, the BAZELISK environment variable may be set
 # instead. This may also be used to pass startup options like --nosystem_rc to
 # bazel; this usage requires us to not quote ${BAZELISK} when used later.
 readonly BAZELISK="${BAZELISK:-bazelisk}"
 
-# List of targets that will be built in release mode, along with the name of the
-# resulting artifacts in BINARY_OUTPUTS_DIR.
-declare -Ar RELEASE_TARGETS=(
-  [//containers/sql_server:oci_runtime_bundle.tar]=sql_server/container.tar
-  [//containers/test_concat:oci_runtime_bundle.tar]=test_concat/container.tar
-  [//containers/confidential_transform_test_concat:oci_runtime_bundle.tar]=confidential_transform_test_concat/container.tar
-  [//containers/agg_core:oci_runtime_bundle.tar]=agg_core/container.tar
-  [//containers/fed_sql:oci_runtime_bundle.tar]=fed_sql/container.tar
-  [//examples/square_enclave_app:square_enclave_app]=square_example/binary
-  [//examples/sum_enclave_app:sum_enclave_app]=sum_example/binary
-  [//ledger_enclave_app:ledger_enclave_app]=ledger/binary
-  [//replicated_ledger_enclave_app:replicated_ledger_enclave_app]=replicated_ledger/binary
-)
-
 if [ "$1" == "continuous" ]; then
   ${BAZELISK} test //... --config=asan --build_tag_filters=-asan --test_tag_filters=-asan
 elif [ "$1" == "sanitizers" ]; then
@@ -57,20 +42,14 @@ elif [ "$1" == "sanitizers" ]; then
   ${BAZELISK} test //... --config=ubsan --build_tag_filters=-noubsan --test_tag_filters=-noubsan
 elif [ "$1" == "release" ]; then
   ${BAZELISK} test //...
-  ${BAZELISK} build -c opt "${!RELEASE_TARGETS[@]}"
 
   # BINARY_OUTPUTS_DIR may be unset if this script is run manually; it'll
   # always be set during CI builds.
   if [[ -n "${BINARY_OUTPUTS_DIR}" ]]; then
-    readonly BAZEL_BIN="$(${BAZELISK} info -c opt bazel-bin)"
-    for target in "${!RELEASE_TARGETS[@]}"; do
-      dst="${BINARY_OUTPUTS_DIR}/${RELEASE_TARGETS[$target]}"
-      mkdir --parents "$(dirname "$dst")"
-      # Binaries may be in one of multiple bazel-bin directories, not just the
-      # one returned by bazel. Since no binary will appear in more than one, we
-      # can simply add a wildcard character to allow suffixes (e.g. k8-opt*).
-      cp -f "${BAZEL_BIN%/bin}"*"/bin${target/:/\//}" "$dst"
-    done
+    ${BAZELISK} run -c opt //:install_binaries -- --destdir "${BINARY_OUTPUTS_DIR}"
+  else
+    # If unset, verify the binaries can be built with -c opt.
+    ${BAZELISK} build -c opt //:install_binaries
   fi
 else
   ${BAZELISK} test //...