@dotdoom dotdoom commented Sep 22, 2025

Relates to #1730.

@gemini-code-assist
Summary of Changes

Hello @dotdoom, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces significant changes to the Nix build definition for the enola application, aiming to achieve a fully hermetic build. By separating the dependency fetching and caching into a dedicated derivation and pinning external registries, the build process becomes more reproducible and resilient to external network fluctuations, ensuring consistent build outcomes.

Highlights

  • Hermetic Bazel Dependency Management: The build process for enola now explicitly fetches and caches Bazel dependencies using a pinned bazel-central-registry and a local repository cache. This ensures that builds are reproducible and isolated from external network changes.
  • Two-Phase Nix Derivation: The enola build is split into two Nix derivations: enola-deps for fetching and archiving Bazel dependencies, and the main enola derivation for building the application using these pre-cached dependencies.
  • Pinned Bazel Central Registry: A specific commit of the bazel-central-registry is now fetched from GitHub and utilized, further enhancing the hermeticity and reproducibility of the build.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a hermetic Nix build for the enola package by implementing a two-phase build process. This is a significant improvement for build reproducibility. The review identifies a couple of issues with the implementation. First, there are some redundant dependencies in the nativeBuildInputs of the main derivation. More critically, the buildPhase of the main derivation is missing steps for generating a version file and for compiling protocol buffer sources, which would likely lead to build failures or incorrect application behavior. The suggested changes aim to fix these issues and ensure the build is both correct and hermetic.

Comment on lines +168 to +180
buildPhase = ''
runHook preBuild
export HOME="$NIX_BUILD_TOP"
( cd "$NIX_BUILD_TOP" && tar xfz $deps )
${bazel}/bin/bazel --batch build \
--nofetch \
--repository_cache="$NIX_BUILD_TOP/output/cache" \
--registry=file://${bazel-central-registry} \
//java/dev/enola/cli:enola_deploy.jar
runHook postBuild
'';
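
Review bot: In the `tar xfz $deps` line, `$deps` is unquoted while every other path in this phase is quoted, and nothing checks that extraction actually produced `$NIX_BUILD_TOP/output/cache` before Bazel is pointed at it with `--repository_cache`. Because the build runs with `--nofetch`, a missing or differently laid out cache would only surface later as a Bazel error. Suggest quoting it as `tar xfz "$deps"` and adding a check such as `test -d "$NIX_BUILD_TOP/output/cache"` right after the extraction, so a change in the enola-deps archive layout fails early with a clear message.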

high

The buildPhase is missing two crucial steps from the original derivation that are still required:

  1. Version file generation: The command echo -n "${gitRev}" > tools/version/VERSION is missing. Without it, the application will lack correct version information at runtime.
  2. Protobuf source generation: The bash tools/protoc/protoc.bash command is missing. This step is necessary to generate Java source files from .proto definitions before the build. Its absence will cause the bazel build to fail due to missing sources.

Please reintroduce these steps into the buildPhase.

              buildPhase = ''
                runHook preBuild

                # For dev.enola.common.Version to read version
                echo -n "${gitRev}" > tools/version/VERSION

                # Generate Java files from .proto
                bash tools/protoc/protoc.bash

                export HOME="$NIX_BUILD_TOP"
                ( cd "$NIX_BUILD_TOP" && tar xfz $deps )
                ${bazel}/bin/bazel --batch build \
                  --nofetch \
                  --repository_cache="$NIX_BUILD_TOP/output/cache" \
                  --registry=file://${bazel-central-registry} \
                  //java/dev/enola/cli:enola_deploy.jar

                runHook postBuild
              '';

Comment on lines +162 to +166
nativeBuildInputs = buildTools ++ [
pkgs.makeWrapper
pkgs.which
jdk'
];

medium

The nativeBuildInputs list contains redundant packages. The buildTools attribute already includes pkgs.which and jdk', so adding them again here is unnecessary. Removing these duplicates will improve the clarity and maintainability of the code.

              nativeBuildInputs = buildTools ++ [
                pkgs.makeWrapper
              ];

@dotdoom dotdoom changed the title WIP: feat: hermetic build for enola #1730 WIP: feat: hermetic build for enola #1730 (custom-hermetic-build) Sep 26, 2025