Bazel support?

[petemounce]

Hi there - we use bazel within our multi-product repos. It would be great to have dependabot understand and integrate with that?

Broadly, bazel is a cross-platform and cross-language build system. It wants one to specify all external dependencies within a WORKSPACE file within the root of the repo (with plans I think to allow WORKSPACE files, plural, within the repo).

A WORKSPACE file (and other Bazel files) is written in a language called Starlark

A WORKSPACE file can take dependencies as follows:

• on dependencies that are themselves built via bazel
• on dependencies not built via bazel
• on dependencies packaged via that language's package manager (for details, the bazelbuild/rules_* repos)

A great first addition would be to handle the git_repository and http_archive dependency rules, since mostly these target github sha1s or tags.

I don't know which language dependabot itself is written in, but there is a Starlark parser in golang if it happens to be go.

[feelepxyz]

@petemounce thanks for the suggestion! Definitely keen on supporting more build/infra tools. We've been holding off on adding new languages for a while to get all existing languages into a stable state. Still got a way to go so will hold of on this until we get some breathing room ✌️🤠

[alexeagle]

Note: renovatebot.com already supports Bazel and we use it in a number of Bazel-adjacent repos

[JensRantil]

there is a Starlark parser in golang if it happens to be go.

It might be worth pointing out that Skylark is a subset of Python 3 as that might simplify parsing of the WORKSPACE file.

I have a Bazel project where I'm interested in enabling dependabot. I considered 1) writing a script that generate a pom.xml from the WORKSPACE file to hack around the lack of support and 2) adding a CI check that make sure that the pom.xml file is synced with WORKSPACE. This would obviously mean that no submitted pull requests by dependabot would work, but at least we'd know of security issues. Maybe too hacky, haven't decided...

[petemounce]

Ping to make un-stale; would still love bazel support.

[Michael-Nolan]

I want to 2nd this! Bazel support would be awesome.

What would dependabot look like for Bazel? Would it be just the actual dependencies, or also the be able to update the workspace rules and rule hashes and the .bazelversion?

Compared to say Maven, Bazel has a lot of moving parts.

[chenrui333]

Any update on this thread?

[cpsauer]

Not dependabot, but solving the same need: I worked with the renovate author to get things in good working shape for Bazel. It's now doing a great job auto-updating our GitHub-hosted dependencies. I'd recommend giving Renovate a try, if you're trying to automate Bazel dependency updates.

(I'd originally followed this issue long ago, hoping dependabot would add Bazel support.)

[chenrui333]

I have not worked with renovate before, should I be concerned about its introduction into my corporate usage?

[rkhir]

there is a Starlark parser in golang if it happens to be go.

It might be worth pointing out that Skylark is a subset of Python 3 as that might simplify parsing of the WORKSPACE file.

I have a Bazel project where I'm interested in enabling dependabot. I considered 1) writing a script that generate a pom.xml from the WORKSPACE file to hack around the lack of support and 2) adding a CI check that make sure that the pom.xml file is synced with WORKSPACE. This would obviously mean that no submitted pull requests by dependabot would work, but at least we'd know of security issues. Maybe too hacky, haven't decided...

@JensRantil, great Idea. although Bazel does support the pom.xml generation part of this rule the file can be synced on each bazel build ... command, which will save the implementer a few steps. 🍻

[dmivankov]

Can confirm that for maven/java/scala dependencies the approach of generating pom.xml and putting it into repository works. As a convenience you may want to have scripts/command to convert between bzl and pom

• put (sorted) list of artifact names into separate .bzl file
• script to generate pom from rule mentioned above (for PRs updating .bzl file)
• script to generate .bzl file from .pom file via for example xslt transformation (for dependabot or other PRs updating .pom file)
• bazel test to check that .pom file matches .bzl targets
• bazel test to check that .bzl file matches from-pom-generation script output

or indeed also do some sort of hook that'd figure out syncing automatically

[petemounce]

@feelepxyz friendly ping in hope of an update?

[feelepxyz]

@petemounce 👋 I'm no longer working on Dependabot so not sure what the current plans are.

cc @exvuma as pm for Dependabot who might be able to answer.

[hcoona]

@exvuma ping

[ztl8702]

What would dependabot look like for Bazel? Would it be just the actual dependencies, or also the be able to update the workspace rules and rule hashes and the .bazelversion?

With bzlmod being generally available, maybe this issue's scope can be changed to:

• keeping bazel_deps in MODULE.bzl up to date ?

The metadata of versions can be retrieved from http://registry.bazel.build/

[cpsauer]

^ I think maybe in addition. I'm guessing it'll be a good while before WORKSPACE goes away.

[mihaimaruseac]

Bzlmod is easier to parse than WORKSPACE. With bzlmod, this will be a tractable amount of work, but with WORKSPACE it's not as easy as each project can have their own method of specifying dependencies, including having multiple macros/functions in the same file.

E.g., TensorFlow has separate files where the dependencies are actually mentioned given the needs of downstream projects. https://github.com/tensorflow/tensorflow/blob/3416f491d8a571bf6bac142b48cd70ad07518c21/WORKSPACE Bzlmod would simplify this a lot

[romanowski]

We have a new alternative: Bazel Steward. It is an open-source bot to update dependencies dedicated to Bazel projects. It runs Bazel under the hood to extract dependencies, so it should work with most setups, including custom ones.

For now, it supports only maven dependencies, Bazel version, and version of Bazel rules, but there are plans to add support for NPM, go modules, and more.

[meteorcloudy]

renovatebot has already added support for Bzlmod: https://github.com/renovatebot/renovate/issues/13658

[albertocavalcante]

Despite the above options, would still be great to see this implemented in Dependabot as well. Just to add, support for Bazel upgrades through Bazelisk would be appreciated.

And it's not clear to me: is this feature request being considered?