enola-dev · vorburger · Oct 10, 2025 · Oct 9, 2025
diff --git a/.bazelignore b/.bazelignore
@@ -8,3 +8,5 @@ site
 .cache
 .direnv
 .eclipse
+
+VENDOR
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -69,7 +69,7 @@ jobs:
       - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v31
       # TODO Remove --no-sandbox after https://github.com/enola-dev/enola/issues/1713
-      - run: nix run --no-sandbox . -- help
+      - run: nix run . -- help
 
   build:
     # https://github.com/orgs/community/discussions/25722

diff --git a/.gitignore b/.gitignore
@@ -79,3 +79,6 @@ generated/protoc/java/dev/
 generated/classpath
 generated/javac-processors/
 generated/java-class
+
+# bazel vendor --vendor_dir=
+VENDOR
diff --git a/Dockerfile-DevEnv b/Dockerfile-DevEnv
@@ -33,7 +33,7 @@ FROM docker.io/library/fedora:43
 
 RUN dnf update -y
 
-RUN dnf install -y fish gcc-c++ golang \
+RUN dnf install -y fish gcc-c++ \
     java-21-openjdk-devel java-21-openjdk-src java-21-openjdk-javadoc \
     java-21-openjdk-javadoc-zip java-21-openjdk-jmods
 

diff --git a/docs/use/index.md b/docs/use/index.md
@@ -89,8 +89,4 @@ or clearing `~/.jbang/cache`, do not currently work for this application due to
 
 ## Nix
 
-    nix run --no-sandbox github:enola-dev/enola
-
-If this fails after printing _"warning: ignoring the client-specified setting 'sandbox', because it is a restricted setting and you are not a trusted user",_ then you need to add your username to the `trusted-users` list in `/etc/nix/nix.conf` (e.g., `trusted-users = root your-username-here`), and then restart the Nix daemon with `sudo systemctl restart nix-daemon.service`.
-
-PS: See [issue #1713](https://github.com/enola-dev/enola/issues/1713) re. why `--no-sandbox` is still needed.
+    nix run github:enola-dev/enola
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -92,6 +92,52 @@
           # $ nix build .#enola
           # $ result/bin/enola --help
           default = enola;
+
+          bazel-vendor-dir = pkgs.stdenv.mkDerivation {
+            #pname = "bazel-vendor-dir";
+            #version = gitRev;
+            name = "bazel-vendor-dir";
+
+            nativeBuildInputs = [
+              pkgs.protobuf
+              pkgs.protoc-gen-grpc-java
+              pkgs.which
+              jdk'
+            ];
+            src = ./.;
+            buildPhase = ''
+              runHook preBuild
+
+              bash tools/protoc/protoc.bash
+              mkdir VENDOR
+              pwd
+              ls
+              # export HOME=$TMPDIR
+              # export HOME=$(pwd)/home
+              export HOME=/build/home
+              mkdir -p $HOME
+              pwd
+              ls
+              bazel vendor --vendor_dir=VENDOR //...
+
+              runHook postBuild
+            '';
+            installPhase = ''
+              runHook preInstall
+
+              tar czvf $out \
+                  --sort=name \
+                  --mtime='UTC 2080-02-01' \
+                  --owner=0 \
+                  --group=0 \
+                  --numeric-owner VENDOR
+
+              runHook postInstall
+            '';
+            # outputHash = pkgs.lib.fakeHash;
+            outputHash = "sha256-kpDyYdYTlC179qHOusvTncRXAGV7549GGoR1y4b8okA=";
+          };
+
           enola = pkgs.stdenv.mkDerivation {
             pname = "enola";
             version = gitRev;
@@ -101,6 +147,7 @@
               pkgs.cacert
               pkgs.makeWrapper
               pkgs.which
+              jdk'
             ];
             src = ./.;
 
@@ -110,14 +157,13 @@
               # class dev.enola.common.Version reads VERSION
               echo -n "${gitRev}" >tools/version/VERSION
 
-              # See https://github.com/NixOS/nix/issues/14024
-              bash tools/protoc/protoc.bash
-
               # https://github.com/enola-dev/enola/issues/1876
               export HOME="$PWD/.built/HOME"
               mkdir -p "$HOME"
 
-              bazel build //java/dev/enola/cli:enola_deploy.jar
+              tar xfz ${bazel-vendor-dir}
+              bash tools/protoc/protoc.bash
+              bazel build --vendor_dir=VENDOR //java/dev/enola/cli:enola_deploy.jar
 
               runHook postBuild
             '';

diff --git a/tools/evilurl/test.bash b/tools/evilurl/test.bash
@@ -29,7 +29,7 @@ allow_list=("java/dev/enola/common/io/resource/UrlResource.java"
 
 # TODO Also grep for .toURL() invocations, and fail for any (new) ones.
 
-found_files=$(find . -name "*.java" -print0 | xargs -0 grep -lE "(^|[^a-zA-Z0-9_.])java\.net\.URL($|[^a-zA-Z0-9_#}])" | while IFS= read -r file; do
+found_files=$(find . -name "*.java" -print0 | grep -Zzv VENDOR/ | xargs -0 grep -lE "(^|[^a-zA-Z0-9_.])java\.net\.URL($|[^a-zA-Z0-9_#}])" | while IFS= read -r file; do
     file_name=$(basename "$file")
     allow_path="${file//.\//}"
 

diff --git a/tools/java_toolchain/BUILD b/tools/java_toolchain/BUILD
@@ -2,7 +2,8 @@
 
 load(
     "@bazel_tools//tools/jdk:default_java_toolchain.bzl",
-    "DEFAULT_TOOLCHAIN_CONFIGURATION",
+    # See https://github.com/bazelbuild/rules_java/issues/325:
+    "NONPREBUILT_TOOLCHAIN_CONFIGURATION",
     "default_java_toolchain",
 )
 #load("@rules_java//java/toolchains:java_runtime.bzl", "java_runtime")
@@ -16,7 +17,8 @@ load(
 
 default_java_toolchain(
     name = "repository_default_java_toolchain",
-    configuration = DEFAULT_TOOLCHAIN_CONFIGURATION,
+    # See https://github.com/bazelbuild/rules_java/issues/325:
+    configuration = NONPREBUILT_TOOLCHAIN_CONFIGURATION,
 
     # INSTEAD of: java_runtime = "@rules_java//toolchains:remotejdk_21",
     # OR above's: java_runtime = ":jdk_runtime",
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,3 +8,5 @@ site @@
     .cache
     .direnv
     .eclipse
+    VENDOR