Replace nixpkgs_cc_configure() with a toolchain

.bazelrc

@@ -1 +1,7 @@
 build --host_platform=@io_tweag_rules_nixpkgs//nixpkgs/platforms:host
+build --crosstool_top=@nixpkgs_config_cc//:toolchain
+# Using toolchain resolution can lead to spurious dependencies on
+# `@local_config_cc//:builtin_include_directory_paths`. This needs to be
+# resolved before `--incompatible_enable_cc_toolchain_resolution` can be
+# recommended for `nixpkgs_cc_configure_hermetic`.
+# build --incompatible_enable_cc_toolchain_resolution

CHANGELOG.md

@@ -10,12 +10,25 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ### Changed
 
+- The implementation of `nixpkgs_cc_configure` has been replaced by a more
+  hermetic version that no longer uses Bazel's builtin autodection toolchain
+  under the hood. The previous behavior is now available under the name
+  `nixpkgs_cc_configure_deprecated`, if required.
+  See [#128][#128].
 - The values in the `nixopts` attribute to `nixpkgs_package` are now subject to
   location expansion. Any instance of `$(location LABEL)` in the `nixopts`
   attribute will be expanded to the file path of the file referenced by
   `LABEL`. To pass a plain `$` to Nix it must be escaped as `$$`.
   See [#132][#132].
 
+### Deprecated
+
+- The old implementation of `nixpkgs_cc_configure`, now available under the
+  name `nixpkgs_cc_configure_deprecated`, has been marked as deprecated in
+  favor of `nixpkgs_cc_configure` and will be replaced by it in future.
+  See [#128][#128].
+
+[#128]: https://github.com/tweag/rules_nixpkgs/pull/128
 [#132]: https://github.com/tweag/rules_nixpkgs/pull/132
 
 ## [0.7.0] - 2020-04-20

README.md

@@ -24,6 +24,7 @@ Links:
 * [nixpkgs_git_repository](#nixpkgs_git_repository)
 * [nixpkgs_package](#nixpkgs_package)
 * [nixpkgs_cc_configure](#nixpkgs_cc_configure)
+* [nixpkgs_cc_configure_deprecated](#nixpkgs_cc_configure_deprecated)
 * [nixpkgs_go_configure](#nixpkgs_go_configure)
 
 ## Setup
@@ -328,15 +329,132 @@ filegroup(
 
 ### nixpkgs_cc_configure
 
+Use a CC toolchain from Nixpkgs. No-op if not a nix-based platform.
+
+By default, Bazel auto-configures a CC toolchain from commands (e.g.
+`gcc`) available in the environment. To make builds more hermetic, use
+this rule to specify explicitly which commands the toolchain should use.
+
+Specifically, it builds a Nix derivation that provides the CC toolchain
+tools in the `bin/` path and constructs a CC toolchain that uses those
+tools. Tools that aren't found are replaced by `${coreutils}/bin/false`.
+You can inspect the resulting `@<name>_info//:CC_TOOLCHAIN_INFO` to see
+which tools were discovered.
+
+This rule depends on [`rules_cc`](https://github.com/bazelbuild/rules_cc).
+
+Note:
+
+You need to configure `--crosstool_top=@<name>//:toolchain` to activate this
+toolchain.
+
+Example:
+
+```bzl
+nixpkgs_cc_configure(repository = "@nixpkgs//:default.nix")
+```
+
+<table class="table table-condensed table-bordered table-params">
+  <colgroup>
+    <col class="col-param" />
+    <col class="param-description" />
+  </colgroup>
+  <thead>
+    <tr>
+      <th colspan="2">Attributes</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td><code>attribute_path</code></td>
+      <td>
+        <p><code>String; optional</code></p>
+        <p>Obtain the toolchain from the Nix expression under this attribute path. Requires `nix_file` or `nix_file_content`.</p>
+      </td>
+      <td><code>nix_file</code></td>
+      <td>
+        <p><code>String; optional</code></p>
+        <p>Obtain the toolchain from the Nix expression defined in this file. Specify only one of `nix_file` or `nix_file_content`.</p>
+      </td>
+    </tr>
+    <tr>
+      <td><code>nix_file_content</code></td>
+      <td>
+        <p><code>String; optional</code></p>
+        <p>Obtain the toolchain from the given Nix expression. Specify only one of `nix_file` or `nix_file_content`.</p>
+      </td>
+    </tr>
+    <tr>
+      <td><code>nix_file_deps</code></td>
+      <td>
+        <p><code>List of labels; optional</code></p>
+        <p>Additional files that the Nix expression depends on.</p>
+      </td>
+    </tr>
+    <tr>
+      <td><code>repository</code></td>
+      <td>
+        <p><code>Label; optional</code></p>
+        <p>Provides `<nixpkgs>`. Specify one of `repositories` or `repository`.</p>
+      </td>
+    </tr>
+    <tr>
+      <td><code>repositories</code></td>
+      <td>
+        <p><code>String-keyed label dict; optional</code></p>
+        <p>Provides `<nixpkgs>` and other repositories. Specify one of `repositories` or `repository`.</p>
+      </td>
+    </tr>
+    <tr>
+      <td><code>nixopts</code></td>
+      <td>
+        <p><code>String list; optional</code></p>
+        <p>
+            Extra flags to pass when calling Nix. Subject to location
+            expansion, any instance of <code>$(location LABEL)</code> will be
+            replaced by the path to the file ferenced by <code>LABEL</code>
+            relative to the workspace root.
+        </p>
+      </td>
+    </tr>
+    <tr>
+      <td><code>quiet</code></td>
+      <td>
+        <p><code>Bool; optional</code></p>
+        <p>Whether to hide `nix-build` output.</p>
+      </td>
+    </tr>
+    <tr>
+      <td><code>fail_not_supported</code></td>
+      <td>
+        <p><code>Bool; optional</code></p>
+        <p>Whether to fail if `nix-build` is not available.</p>
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+### nixpkgs_cc_configure_deprecated
+
 Tells Bazel to use compilers and linkers from Nixpkgs for the CC
 toolchain. By default, Bazel autodetects a toolchain on the current
 `PATH`. Overriding this autodetection makes builds more hermetic and
 is considered a best practice.
 
+Deprecated:
+
+Use `nixpkgs_cc_configure` instead.
+
+While this improves upon Bazel's autoconfigure toolchain by picking tools from
+a Nix derivation rather than the environment, it is still not fully hermetic as
+it is affected by the environment. In particular, system include directories
+specified in the environment can leak in and affect the cache keys of targets
+depending on the cc toolchain leading to cache misses.
+
 Example:
 
 ```bzl
-nixpkgs_cc_configure(repository = "@nixpkgs//:default.nix")
+nixpkgs_cc_configure_deprecated(repository = "@nixpkgs//:default.nix")
 ```
 
 <table class="table table-condensed table-bordered table-params">

WORKSPACE

@@ -161,7 +161,12 @@ nixpkgs_package(
     repository = "@nixpkgs",
 )
 
-nixpkgs_cc_configure(repository = "@remote_nixpkgs")
+nixpkgs_cc_configure(
+    # Use a different name to be able to distinguish this toolchain from the
+    # builtin one in the tests.
+    name = "nixpkgs_config_cc",
+    repository = "@remote_nixpkgs",
+)
 
 nixpkgs_python_configure(
     python2_attribute_path = "python2",

nixpkgs/BUILD.bazel

@@ -42,6 +42,8 @@ bzl_library(
     visibility = ["//visibility:public"],
     deps = [
         ":bazel_tools",
+        "@bazel_skylib//lib:new_sets",
         "@bazel_skylib//lib:paths",
+        "@bazel_skylib//lib:sets",
     ],
 )