world-federation-of-advertisers · SanjayVas · Oct 23, 2024 · Oct 23, 2024
diff --git a/.bazelrc b/.bazelrc
@@ -18,15 +18,22 @@ build --java_language_version=11
 # Pass environment variables.
 test --test_env TESTCONTAINERS_RYUK_DISABLED=true
 
-# Disable remote cache upload by default.
-build --noremote_upload_local_results
+# Configuration for remote cache.
+build --noremote_upload_local_results  # Do not upload by default
+build --remote_download_outputs=minimal
+build --remote_timeout=3600
+build:remote-cache --remote_cache=grpcs://halo-cmm.buildbuddy.io
+build:remote-cache --experimental_remote_cache_compression
+build:remote-cache --experimental_remote_cache_compression_threshold=100
 
 # Configuration for continuous integration (CI).
 common:ci --lockfile_mode=error
 build:ci --compilation_mode=opt
-build:ci --host_platform //build/platforms:ubuntu_22_04
-common:remote-cache --remote_cache=https://storage.googleapis.com/halo-cmm-build-cache/cross-media-measurement
-common:remote-cache --google_default_credentials
+build:ci --build_metadata=ROLE=CI
+build:ci --build_metadata=VISIBILITY=PUBLIC
+build:ci --config=remote-cache
+build:ci --config=results
+build:ci --config=remote
 
 # Configuration for GitHub Container Registry
 build:ghcr --define container_registry=ghcr.io
@@ -40,3 +47,4 @@ import %workspace%/container.bazelrc
 import %workspace%/maven.bazelrc
 import %workspace%/remote.bazelrc
 import %workspace%/results.bazelrc
+try-import %workspace%/auth.bazelrc
diff --git a/.github/workflows/api-lint.yml b/.github/workflows/api-lint.yml
@@ -29,8 +29,6 @@ jobs:
   lint:
     name: API lint
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     defaults:
       run:
         shell: bash
@@ -42,22 +40,22 @@ jobs:
         version: 1.67.2
         sha256: 260064fad8c38feae402595b6cefef51d70e72b0b5968359c79ee8f3ad33ab27
 
-    # Authenticate to Google Cloud for access to remote cache.
-    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@v2
-      with:
-        workload_identity_provider: ${{ vars.BAZEL_BUILD_WORKLOAD_IDENTITY_PROVIDER }}
-        service_account: ${{ vars.BAZEL_BUILD_SERVICE_ACCOUNT }}
+    - name: Write auth.bazelrc
+      env:
+        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+      run: |
+        cat << EOF > auth.bazelrc
+        build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+        EOF
 
     - name: Write ~/.bazelrc
       run: |
         cat << EOF > ~/.bazelrc
         common --config=ci
-        common --config=remote-cache
+        build --remote_download_outputs=toplevel  # Need descriptor set output.
         EOF
 
-    - env:
-        BAZEL: bazelisk
-      run: |
-        tools/api-lint wfa/measurement/system
-        tools/api-lint wfa/measurement/securecomputation
+    - uses: world-federation-of-advertisers/actions/setup-bazel@v2
+
+    - run: tools/api-lint wfa/measurement/system
+    - run: tools/api-lint wfa/measurement/securecomputation
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -34,8 +34,6 @@ jobs:
   build-test:
     name: Build and test
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     env:
       CLUSTER_LOGS_PATH: cluster-logs
     steps:
@@ -47,18 +45,18 @@ jobs:
 
       - uses: ./.github/actions/free-disk-space
 
-      # Authenticate to Google Cloud for access to remote cache.
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v2
-        with:
-          workload_identity_provider: ${{ vars.BAZEL_BUILD_WORKLOAD_IDENTITY_PROVIDER }}
-          service_account: ${{ vars.BAZEL_BUILD_SERVICE_ACCOUNT }}
+      - name: Write auth.bazelrc
+        env:
+          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+        run: |
+          cat << EOF > auth.bazelrc
+          build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+          EOF
 
       - name: Write ~/.bazelrc
         run: |
           cat << EOF > ~/.bazelrc
           common --config=ci
-          common --config=remote-cache
           build --remote_upload_local_results
           build --define container_registry=localhost:5001
           build --define image_repo_prefix=halo

diff --git a/.github/workflows/configure-aws-duchy.yml b/.github/workflows/configure-aws-duchy.yml
@@ -88,6 +88,14 @@ jobs:
         WORKER2_DUCHY_CERT_ID: ${{ vars.WORKER2_DUCHY_CERT_ID }}
       run: ./.github/workflows/export-duchy-cert-id.sh
 
+    - name: Write auth.bazelrc
+      env:
+        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+      run: |
+        cat << EOF > auth.bazelrc
+        build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+        EOF
+
     - name: Write ~/.bazelrc
       env:
         IMAGE_TAG: ${{ inputs.image-tag }}

diff --git a/.github/workflows/configure-duchy.yml b/.github/workflows/configure-duchy.yml
@@ -88,6 +88,14 @@ jobs:
         WORKER2_DUCHY_CERT_ID: ${{ vars.WORKER2_DUCHY_CERT_ID }}
       run: ./.github/workflows/export-duchy-cert-id.sh
 
+    - name: Write auth.bazelrc
+      env:
+        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+      run: |
+        cat << EOF > auth.bazelrc
+        build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+        EOF
+
     - name: Write ~/.bazelrc
       env:
         IMAGE_TAG: ${{ inputs.image-tag }}
@@ -116,27 +124,6 @@ jobs:
         build --define duchy_storage_bucket=$STORAGE_BUCKET
         EOF
 
-    - name: Get Bazel cache params
-      id: get-cache-params
-      run: |
-        cache_path="$(bazelisk info output_base)"
-        echo "cache-path=${cache_path}" >> "$GITHUB_OUTPUT"
-
-        tree_hash="$(git rev-parse HEAD:)"
-        restore_key="duchy-bazel-"
-        echo "restore-key=${restore_key}" >> "$GITHUB_OUTPUT"
-
-        cache_key="${restore_key}${tree_hash}"
-        echo "cache-key=${cache_key}" >> "$GITHUB_OUTPUT"
-
-    - name: Restore Bazel cache
-      uses: actions/cache/restore@v4
-      with:
-        path: ${{ steps.get-cache-params.outputs.cache-path }}
-        key: ${{ steps.get-cache-params.outputs.cache-key }}
-        restore-keys: |
-          ${{ steps.get-cache-params.outputs.restore-key }}
-
     - name: Export BAZEL_BIN
       run: echo "BAZEL_BIN=$(bazelisk info bazel-bin)" >> $GITHUB_ENV
 
@@ -156,13 +143,6 @@ jobs:
         "//src/main/k8s/dev:${DUCHY_NAME}_duchy.tar"
         //src/main/k8s/testing/secretfiles:archive
 
-    - name: Save Bazel cache
-      continue-on-error: true
-      uses: actions/cache/save@v4
-      with:
-        path: ${{ steps.get-cache-params.outputs.cache-path }}
-        key: ${{ steps.get-cache-params.outputs.cache-key }}
-
     - name: Make Kustomization dir
       run: mkdir -p "$KUSTOMIZATION_PATH"
 

diff --git a/.github/workflows/configure-kingdom.yml b/.github/workflows/configure-kingdom.yml
@@ -68,6 +68,14 @@ jobs:
           workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
           service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }}
 
+      - name: Write auth.bazelrc
+        env:
+          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+        run: |
+          cat << EOF > auth.bazelrc
+          build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+          EOF
+
       - name: Write ~/.bazelrc
         env:
           IMAGE_TAG: ${{ inputs.image-tag }}

diff --git a/.github/workflows/configure-reporting-v2.yml b/.github/workflows/configure-reporting-v2.yml
@@ -68,6 +68,14 @@ jobs:
         workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }}
 
+    - name: Write auth.bazelrc
+      env:
+        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+      run: |
+        cat << EOF > auth.bazelrc
+        build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+        EOF
+
     - name: Write ~/.bazelrc
       env:
         IMAGE_TAG: ${{ inputs.image-tag }}

diff --git a/.github/workflows/configure-reporting.yml b/.github/workflows/configure-reporting.yml
@@ -68,6 +68,14 @@ jobs:
         workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }}
 
+    - name: Write auth.bazelrc
+      env:
+        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+      run: |
+        cat << EOF > auth.bazelrc
+        build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+        EOF
+
     - name: Write ~/.bazelrc
       env:
         IMAGE_TAG: ${{ inputs.image-tag }}

diff --git a/.github/workflows/configure-simulators.yml b/.github/workflows/configure-simulators.yml
@@ -68,6 +68,14 @@ jobs:
         workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ vars.GKE_CONFIG_SERVICE_ACCOUNT }}
 
+    - name: Write auth.bazelrc
+      env:
+        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+      run: |
+        cat << EOF > auth.bazelrc
+        build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+        EOF
+
     - name: Write ~/.bazelrc
       env:
         IMAGE_TAG: ${{ inputs.image-tag }}

diff --git a/.github/workflows/publish-maven-artifacts.yml b/.github/workflows/publish-maven-artifacts.yml
@@ -25,8 +25,6 @@ jobs:
   publish-artifacts:
     name: Publish Maven artifacts
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     steps:
       - uses: actions/checkout@v4
 
@@ -52,18 +50,18 @@ jobs:
           version: 7.1.2
           sha256: 8d5c459ab21b411b8be059a8bdf59f0d3eabf9dff943d5eccb80e36e525cc09d
 
-      # Authenticate to Google Cloud for access to remote cache.
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v2
-        with:
-          workload_identity_provider: ${{ vars.BAZEL_BUILD_WORKLOAD_IDENTITY_PROVIDER }}
-          service_account: ${{ vars.BAZEL_BUILD_SERVICE_ACCOUNT }}
+      - name: Write auth.bazelrc
+        env:
+          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+        run: |
+          cat << EOF > auth.bazelrc
+          build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+          EOF
 
       - name: Write ~/.bazelrc
         run: |
           cat << EOF > ~/.bazelrc
           common --config=ci
-          common --config=remote-cache
           EOF
 
       - name: Get Bazel cache params

diff --git a/.github/workflows/push-images.yml b/.github/workflows/push-images.yml
@@ -25,29 +25,28 @@ jobs:
   push-images:
     runs-on: ubuntu-22.04
     permissions:
-      id-token: write
       packages: write
     env:
       CONTAINER_REGISTRY: ghcr.io
     steps:
       - uses: actions/checkout@v4
 
       - uses: ./.github/actions/free-disk-space
-
-      # Authenticate to Google Cloud for access to remote cache.
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v2
-        with:
-          workload_identity_provider: ${{ vars.BAZEL_BUILD_WORKLOAD_IDENTITY_PROVIDER }}
-          service_account: ${{ vars.BAZEL_BUILD_SERVICE_ACCOUNT }}
+
+      - name: Write auth.bazelrc
+        env:
+          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+        run: |
+          cat << EOF > auth.bazelrc
+          build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+          EOF
 
       - name: Write ~/.bazelrc
         env:
           IMAGE_TAG: ${{ inputs.image-tag }}
         run: |
           cat << EOF > ~/.bazelrc
           common --config=ci
-          common --config=remote-cache
           build --define container_registry=$CONTAINER_REGISTRY
           build --define image_repo_prefix=$GITHUB_REPOSITORY_OWNER
           build --define image_tag=$IMAGE_TAG

diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
@@ -23,8 +23,6 @@ jobs:
   build-test:
     name: Build and test
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     env:
       CLUSTER_LOGS_PATH: cluster-logs
     steps:
@@ -33,18 +31,18 @@ jobs:
 
     - uses: ./.github/actions/free-disk-space
 
-    # Authenticate to Google Cloud for access to remote cache.
-    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@v2
-      with:
-        workload_identity_provider: ${{ vars.BAZEL_BUILD_WORKLOAD_IDENTITY_PROVIDER }}
-        service_account: ${{ vars.BAZEL_BUILD_SERVICE_ACCOUNT }}
+    - name: Write auth.bazelrc
+      env:
+        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+      run: |
+        cat << EOF > auth.bazelrc
+        build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+        EOF
 
     - name: Write ~/.bazelrc
       run: |
         cat << EOF > ~/.bazelrc
         common --config=ci
-        common --config=remote-cache
         EOF
 
     - name: Get Bazel cache params

diff --git a/.github/workflows/run-k8s-tests.yml b/.github/workflows/run-k8s-tests.yml
@@ -31,22 +31,20 @@ on:
         - qa
         - head
 
-permissions:
-  id-token: write
-
 jobs:
   run-tests:
     runs-on: ubuntu-22.04
     environment: ${{ inputs.environment }}
     steps:
     - uses: actions/checkout@v4
 
-    # Authenticate to Google Cloud for access to remote cache.
-    - name: Authenticate to Google Cloud for remote cache
-      uses: google-github-actions/auth@v2
-      with:
-        workload_identity_provider: ${{ vars.BAZEL_BUILD_WORKLOAD_IDENTITY_PROVIDER }}
-        service_account: ${{ vars.BAZEL_BUILD_SERVICE_ACCOUNT }}
+    - name: Write auth.bazelrc
+      env:
+        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+      run: |
+        cat << EOF > auth.bazelrc
+        build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY
+        EOF
 
     - name: Write ~/.bazelrc
       env:
@@ -57,7 +55,6 @@ jobs:
       run: |
         cat << EOF > ~/.bazelrc
         common --config=ci
-        common --config=remote-cache
         build --define kingdom_public_api_target=$KINGDOM_PUBLIC_API_TARGET
         build --define mc_name=$MC_NAME
         build --define mc_api_key=$MC_API_KEY

diff --git a/.gitignore b/.gitignore
@@ -17,4 +17,7 @@
 # Terraform directories
 .terraform/
 
+# Authentication credentials
+/auth.bazelrc
+
 **/node_modules