Host `supply-chain` rules

Yannic commented 4 days ago

As discussed in the SIG meeting a few weeks ago, we'd like to move license/compliance/provenance rules out of bazelbuild/rules_license and make it owned by the community.

Therefore, we'd like to create bazel-contrib/supply-chain to host the rules and providers for declaring package metadata like licenses.

This will be a new GitHub repo with multiple bzlmod repos (looking to start with 2, but planning to extend over time to cover other areas of the supply chain).

bazel-contrib/supply-chain/
  README.md

  metadata/
    README.md
    MODULE.bazel (`package_metadata`)
    ...

  sbom/
    README.md
    MODULE.bazel (`rules_sbom`)
    ...

package_metadata will contain providers for declaring package metadata (e.g., PURL of the package, its license, GH repo it's hosted on, ...) and rules for injecting the providers into the build graph (e.g., via package(default_package_metadata=["//:metadata"]). We expect that virtually every bzlmod repo will depend on this (including rule sets), so we're making this a separate repo without any dependencies to not pull in any rules/languages that users/companies might not want and thus prevents them from using package_metadata.
rules_sbom will contain rules that generate a SBOM (file) for a target by traversing the transitive dependencies to collect package_metadata for everything in the transitive closure of said target.

Checklist:

[x] Must use an open-source license, preferably Apache-2.0.
[x] Must have wide applicability in the community.
[x] Must have a clear point of contact who answers questions from the SIG.
- Initially, @aiuto, @mzeren-vmw, @TheGrizzlyDev, @Yannic
[x] Must be “production quality”: clear README or other documentation outlining the goal of these rules, how to use them etc. generated API documentation include examples of use tests that are running continuously
[x] Must reply to issues/PRs in 2-3 weeks (exact service level agreement TBD)
[x] Must have more than one person who is committed to review/approve PRs We recommend encoding this as a CODEOWNERS file.
- see points of contact above
[x] Must publish semver releases. Optional: follow the same release pattern as the rules-template does.
[x] Must work with LTS Bazel version
[x] Must publish the rules to the Bazel Central Registry, keep that CI green

jsharpe commented 3 days ago

rules_license has 37 users in the BCR: https://registry.bazel.build/modules/rules_license. Is that going to become a forwarding shim to package_metadata or are we expecting those users to migrate?

Yannic commented 3 days ago

rules_license will become a shim to package_metadata. I think the expectation is that people still migrate to use package_metadata directly instead of going through the shim, but we'll make sure that there's a smooth migration path with the shims

Yannic commented 3 days ago

This has been approved by the SIG on 2024-11-26: https://docs.google.com/document/d/1YGCYAGLzTfqSOgRFVsB8hDz-kEoTgTEKKp9Jd07TJ5c/edit?tab=t.0#heading=h.whgqs97auf4i

bazel-contrib / SIG-rules-authors

Host `supply-chain` rules #102