fips: Make build bazel hermetic#39728
Merged
agrawroh merged 4 commits intoenvoyproxy:mainfrom Jun 6, 2025
Merged
Conversation
repokitteh-read-only
bot
added
the
deps
|
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to |
phlax
changed the title
phlax
commented
Jun 4, 2025
Signed-off-by: Ryan Northey <ryan@synca.io>
phlax
force-pushed
the
fips-cleanup
branch
3 times, most recently
from
89bfc89 to
11e7abc
Compare
ggreenway
requested changes
Jun 4, 2025
Member
ggreenway
left a comment
ggreenway
left a comment
There was a problem hiding this comment.
I tried building this locally and got error
ERROR: /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/boringssl_fips/BUILD.bazel:131:8: configurable attribute "exec_properties" in @@boringssl_fips//:build doesn't match this configuration. Would a default condition help?
Conditions checked:
//bazel:engflow_rbe_x86_64
//bazel:engflow_rbe_aarch64
To see a condition's definition, run: bazel query --output=build <condition label>.
This instance of @@boringssl_fips//:build has configuration identifier 54cb9a0. To inspect its configuration, run: bazel config 54cb9a0.
command: bazel build --config=clang --test_output=errors --@envoy//source/extensions/wasm_runtime/v8:enabled=false --define boringssl=fips //:envoy
Member
Author
|
now i see why it was working for me (sometimes) ... we add the env iff its a libc++ - so that was never gonna work by itself - adding a flag/setting to control this ... |
Member
Author
|
k, i think the conditionality should be fixed i tested this with both libc++ and libstc++ assuming our stdlib flags work correctly - which i think they do in this case - then this should work now for both libc++/libstdc++ whats not tested is the arm build - iirc we do have some downstream arm fips builders so it might be worth adding some ci at some point to check it works as expected - altho thinking about it - if you (@ggreenway) are testing this directly with macos/arm then i guess that is at least getting tested locally |
phlax
force-pushed
the
fips-cleanup
branch
2 times, most recently
from
3b0d02a to
c7a1f67
Compare
Signed-off-by: Ryan Northey <ryan@synca.io>
phlax
commented
Jun 5, 2025
Member
|
/lgtm deps |
repokitteh-read-only
bot
removed
the
deps
agrawroh
approved these changes
Jun 6, 2025
phlax
pushed a commit
that referenced
this pull request
Sep 25, 2025
[This PR](#39728) moved the Go dependency in FIPS builds to a Bazel `http_archive`. Once that was done, Bazel's `filegroup` doesn't seem to be dealing so well with non-UTF-8 characters present in a file name in Go's test suite, causing the build to fail. ``` #23 170.8 ERROR: /build/top/BUILD/envoy/build/bazel_root/base/external/boringssl_fips/BUILD.bazel:70:8: Executing genrule @@boringssl_fips//:build failed: error reading file '@@fips_go_linux_amd64//:test/fixedbugs/issue27836.dir/Þmain.go': /build/top/BUILD/envoy/build/bazel_root/base/external/fips_go_linux_amd64/test/fixedbugs/issue27836.dir/Þmain.go (No such file or directory) #23 170.8 ERROR: /build/top/BUILD/envoy/build/bazel_root/base/external/boringssl_fips/BUILD.bazel:70:8: Executing genrule @@boringssl_fips//:build failed: 1 input file(s) are in error #23 171.2 Target //distribution/binary:release failed to build ``` It's not fully understood what circumstances cause Bazel to behave like that, but it seems reasonable to remove the `test` directory from the exports. Once a bug is filed to the Bazel project I'll update the PR with the issue number. Signed-off-by: Gustavo <grnmeira@gmail.com>
grnmeira
added a commit
to grnmeira/envoy
that referenced
this pull request
Oct 17, 2025
[This PR](envoyproxy#39728) moved the Go dependency in FIPS builds to a Bazel `http_archive`. Once that was done, Bazel's `filegroup` doesn't seem to be dealing so well with non-UTF-8 characters present in a file name in Go's test suite, causing the build to fail. ``` envoyproxy#23 170.8 ERROR: /build/top/BUILD/envoy/build/bazel_root/base/external/boringssl_fips/BUILD.bazel:70:8: Executing genrule @@boringssl_fips//:build failed: error reading file '@@fips_go_linux_amd64//:test/fixedbugs/issue27836.dir/Þmain.go': /build/top/BUILD/envoy/build/bazel_root/base/external/fips_go_linux_amd64/test/fixedbugs/issue27836.dir/Þmain.go (No such file or directory) envoyproxy#23 170.8 ERROR: /build/top/BUILD/envoy/build/bazel_root/base/external/boringssl_fips/BUILD.bazel:70:8: Executing genrule @@boringssl_fips//:build failed: 1 input file(s) are in error envoyproxy#23 171.2 Target //distribution/binary:release failed to build ``` It's not fully understood what circumstances cause Bazel to behave like that, but it seems reasonable to remove the `test` directory from the exports. Once a bug is filed to the Bazel project I'll update the PR with the issue number. Signed-off-by: Gustavo <grnmeira@gmail.com>
phlax
pushed a commit
that referenced
this pull request
Oct 17, 2025
[This PR](#39728) moved the Go dependency in FIPS builds to a Bazel `http_archive`. Once that was done, Bazel's `filegroup` doesn't seem to be dealing so well with non-UTF-8 characters present in a file name in Go's test suite, causing the build to fail. ``` #23 170.8 ERROR: /build/top/BUILD/envoy/build/bazel_root/base/external/boringssl_fips/BUILD.bazel:70:8: Executing genrule @@boringssl_fips//:build failed: error reading file '@@fips_go_linux_amd64//:test/fixedbugs/issue27836.dir/Þmain.go': /build/top/BUILD/envoy/build/bazel_root/base/external/fips_go_linux_amd64/test/fixedbugs/issue27836.dir/Þmain.go (No such file or directory) #23 170.8 ERROR: /build/top/BUILD/envoy/build/bazel_root/base/external/boringssl_fips/BUILD.bazel:70:8: Executing genrule @@boringssl_fips//:build failed: 1 input file(s) are in error #23 171.2 Target //distribution/binary:release failed to build ``` It's not fully understood what circumstances cause Bazel to behave like that, but it seems reasonable to remove the `test` directory from the exports. Once a bug is filed to the Bazel project I'll update the PR with the issue number. Signed-off-by: Gustavo <grnmeira@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.