Host supply-chain rules #102

Open
9 tasks done
Yannic opened this issue Nov 25, 2024 · 3 comments
Comments

@Yannic
Contributor

Yannic commented Nov 25, 2024

As discussed in the SIG meeting a few weeks ago, we'd like to move license/compliance/provenance rules out of bazelbuild/rules_license and make it owned by the community.

Therefore, we'd like to create bazel-contrib/supply-chain to host the rules and providers for declaring package metadata like licenses.

This will be a new GitHub repo with multiple bzlmod repos (looking to start with 2, but planning to extend over time to cover other areas of the supply chain).

bazel-contrib/supply-chain/
  README.md

  metadata/
    README.md
    MODULE.bazel (`package_metadata`)
    ...

  sbom/
    README.md
    MODULE.bazel (`rules_sbom`)
    ...

  • package_metadata will contain providers for declaring package metadata (e.g., PURL of the package, its license, GH repo it's hosted on, ...) and rules for injecting the providers into the build graph (e.g., via package(default_package_metadata=["//:metadata"])). We expect that virtually every bzlmod repo will depend on this (including rule sets), so we're making this a separate repo without any dependencies, to not pull in any rules/languages that users/companies might not want and thus prevent them from using package_metadata.
  • rules_sbom will contain rules that generate an SBOM (file) for a target by traversing the transitive dependencies to collect package_metadata for everything in the transitive closure of said target.

Checklist:

  • Must use an open-source license, preferably Apache-2.0.
  • Must have wide applicability in the community.
  • Must have a clear point of contact who answers questions from the SIG.
  • Must be “production quality”:
    clear README or other documentation outlining the goal of these rules, how to use them etc.
    generated API documentation
    include examples of use
    tests that are running continuously
  • Must reply to issues/PRs in 2-3 weeks (exact service level agreement TBD)
  • Must have more than one person who is committed to review/approve PRs
    We recommend encoding this as a CODEOWNERS file.
    • see points of contact above
  • Must publish semver releases.
    Optional: follow the same release pattern as the rules-template does.
  • Must work with LTS Bazel version
  • Must publish the rules to the Bazel Central Registry, keep that CI green
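
A sketch of how the two pieces described in the issue fit together, added here as an illustration; it is not code from bazel-contrib/supply-chain, rules_license or the issue author. It defines a hypothetical PackageMetadataInfo provider and package_metadata rule (the "package_metadata" half), an aspect that walks deps to collect the provider across the transitive closure, and an sbom rule that writes the de-duplicated closure to a JSON file (the "rules_sbom" half). Every name (PackageMetadataInfo, package_metadata, SbomInfo, gather_metadata, sbom, the output file name and the JSON shape) is an assumption, as is that package(default_package_metadata = [...]) surfaces on each target as a package_metadata label-list attribute; the aspect reads that attribute with getattr so rules lacking it still work. The Bazel Starlark calls themselves (provider, rule, aspect, depset, json.encode_indent, ctx.actions.write) are standard.

```starlark
# Added illustration; not the API of package_metadata or rules_sbom.
# All names below (PackageMetadataInfo, package_metadata, SbomInfo,
# gather_metadata, sbom) are hypothetical.

PackageMetadataInfo = provider(
    doc = "Hypothetical metadata about the package a target belongs to.",
    fields = {
        "purl": "Package URL of the package, e.g. pkg:github/owner/repo@v1.2.3",
        "license": "SPDX license expression, e.g. Apache-2.0",
        "repo_url": "URL of the repository hosting the package",
    },
)

def _package_metadata_impl(ctx):
    return [PackageMetadataInfo(
        purl = ctx.attr.purl,
        license = ctx.attr.license,
        repo_url = ctx.attr.repo_url,
    )]

# Declared once per package, then attached to every target in that package via
# package(default_package_metadata = ["//:metadata"]) in the BUILD file.
package_metadata = rule(
    implementation = _package_metadata_impl,
    attrs = {
        "purl": attr.string(mandatory = True),
        "license": attr.string(mandatory = True),
        "repo_url": attr.string(default = ""),
    },
)

SbomInfo = provider(
    doc = "Transitive PackageMetadataInfo collected by the gather_metadata aspect.",
    fields = {"metadata": "depset of PackageMetadataInfo"},
)

def _gather_metadata_impl(target, ctx):
    # Assumption: default_package_metadata surfaces as a `package_metadata`
    # label_list attribute on the rule; getattr keeps rules without it working.
    direct = []
    for md in getattr(ctx.rule.attr, "package_metadata", []):
        if PackageMetadataInfo in md:
            direct.append(md[PackageMetadataInfo])
    # Merge what the aspect already collected on each dependency (depsets keep
    # the closure shared instead of copying it at every level of the graph).
    transitive = [
        dep[SbomInfo].metadata
        for dep in getattr(ctx.rule.attr, "deps", [])
        if SbomInfo in dep
    ]
    return [SbomInfo(metadata = depset(direct, transitive = transitive))]

# Propagates along `deps` only; a real implementation would widen attr_aspects
# (e.g. ["*"]) so runtime_deps, data and language-specific edges are covered.
gather_metadata = aspect(
    implementation = _gather_metadata_impl,
    attr_aspects = ["deps"],
)

def _sbom_impl(ctx):
    # Flatten the closure once, de-duplicate by PURL, and serialize.
    seen = {}
    packages = []
    for md in ctx.attr.target[SbomInfo].metadata.to_list():
        if md.purl in seen:
            continue
        seen[md.purl] = True
        packages.append({
            "purl": md.purl,
            "license": md.license,
            "repo_url": md.repo_url,
        })
    out = ctx.actions.declare_file(ctx.label.name + ".sbom.json")
    ctx.actions.write(
        output = out,
        content = json.encode_indent({
            "subject": str(ctx.attr.target.label),
            "packages": packages,
        }, indent = "  "),
    )
    return [DefaultInfo(files = depset([out]))]

sbom = rule(
    implementation = _sbom_impl,
    attrs = {
        "target": attr.label(mandatory = True, aspects = [gather_metadata]),
    },
)

# BUILD usage (constructed, hypothetical labels):
#   load(":supply_chain.bzl", "package_metadata", "sbom")
#   package(default_package_metadata = ["//:metadata"])
#   package_metadata(name = "metadata", purl = "pkg:github/example/app@1.0.0",
#                    license = "Apache-2.0", repo_url = "https://github.com/example/app")
#   sbom(name = "app_sbom", target = ":app")
```

Two caveats worth keeping in mind when reading output from something like this: the aspect records declarations, it does not verify them, so the SBOM is only as honest as each package's package_metadata target; and anything reached through an attribute the aspect does not traverse (implicit attributes, toolchains, edges other than deps here) is silently missing, so compare the package list against `bazel query 'deps(//:app)'` before trusting it for compliance or vulnerability matching.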
@jsharpe
Member

jsharpe commented Nov 26, 2024

rules_license has 37 users in the BCR: https://registry.bazel.build/modules/rules_license. Is that going to become a forwarding shim to package_metadata or are we expecting those users to migrate?

@Yannic
Contributor Author

Yannic commented Nov 26, 2024

rules_license will become a shim to package_metadata. I think the expectation is that people still migrate to use package_metadata directly instead of going through the shim, but we'll make sure that there's a smooth migration path with the shims.

@Yannic
Contributor Author

Yannic commented Nov 26, 2024

This has been approved by the SIG on 2024-11-26: https://docs.google.com/document/d/1YGCYAGLzTfqSOgRFVsB8hDz-kEoTgTEKKp9Jd07TJ5c/edit?tab=t.0#heading=h.whgqs97auf4i
