@vorburger
Member

This is a sub-set of #1873, which we could try to get into a mergeable state sooner rather than later, because it would allow us to observe #1875 in practice - letting us see if vendor output is stable enough to e.g. run on GitHub Actions environment.

This PR currently fails for me locally due to Permission denied #1876; I'm curious to see if it passes on CI.

@dotdoom shout if you know how to fix that (permission) for this PR? Then I would merge this, and we could see how stable it really is.

@gemini-code-assist
Contributor

Summary of Changes

Hello @vorburger, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new Nix derivation aimed at rigorously testing the stability and reproducibility of the bazel vendor command's output. By creating a dedicated build process that vendors dependencies and then hashes the resulting directory, the PR seeks to gather practical data on whether the vendored output remains consistent across various build environments, directly addressing concerns outlined in issue #1875. This is a foundational step towards ensuring more reliable and predictable dependency management within the project.

Highlights

  • New Nix Derivation for Bazel Vendor Testing: A new Nix derivation named bazel-vendor-dir has been added to flake.nix. This derivation is specifically designed to test the output hash stability of the bazel vendor command, addressing issue #1875 ("Clarify if bazel vendor is guaranteed to be 100% bit-equivalent reproducible").
  • Bazel Vendor Execution and Tarball Creation: The bazel-vendor-dir derivation's buildPhase executes bazel vendor --vendor_dir=VENDOR //... to fetch and store dependencies. Its installPhase then creates a reproducible tarball of the resulting VENDOR directory, ensuring consistent hashing.
  • Hardcoded Output Hash for Stability Testing: The bazel-vendor-dir derivation includes a hardcoded outputHash. This is crucial for testing the reproducibility of the vendored output, allowing for direct comparison of hashes across different build environments.
  • Dependency Integration with Enola Derivation: The existing enola derivation has been modified to include a dependency on bazel-vendor-dir. This ensures that the new test derivation is built and evaluated as part of the main project, forcing the stability test to run.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a Nix derivation to test the output hash stability of bazel vendor, which is a good step towards more reproducible builds. My review includes a critical fix for a likely permission error that is mentioned in the pull request description, which should allow the build to succeed in the sandboxed Nix environment. I've also added a minor suggestion to improve the build log's clarity.
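
Added example, not code from this PR or from the project: a Python sketch of the stability check the summary describes, archiving a vendor directory reproducibly and comparing digests between two runs. The names `tar_digest`, `make_tree`, `compare_runs` and the sample tree are constructed for illustration.

```python
import hashlib, io, os, tarfile, tempfile

def _normalize(info):
    """Strip metadata that varies between machines and runs."""
    info.mtime = 0
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() or info.mode & 0o100 else 0o644
    return info

def tar_digest(root, normalize=True):
    """SHA-256 of an uncompressed tar of `root`, normalized if requested."""
    entries = [os.path.relpath(os.path.join(d, n), root)
               for d, dirs, files in os.walk(root) for n in dirs + files]
    if normalize:
        entries.sort()  # fixed member order, independent of the filesystem
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for rel in entries:
            tar.add(os.path.join(root, rel), arcname=rel, recursive=False,
                    filter=_normalize if normalize else None)
    return hashlib.sha256(buf.getvalue()).hexdigest()

# Constructed sample tree standing in for a vendor directory.
SAMPLE = {"MODULE.bazel": b"module(name = 'demo')\n",
          "rules_x/BUILD": b"exports_files(['run.sh'])\n",
          "rules_x/run.sh": b"#!/bin/sh\nexit 0\n"}

def make_tree(base, names, mtime, files=SAMPLE):
    root = os.path.join(base, "VENDOR")
    for rel in names:  # creation order is chosen by the caller
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(files[rel])
        os.chmod(path, 0o755 if rel.endswith(".sh") else 0o644)
        os.utime(path, (mtime, mtime))
    return root

def compare_runs():
    """Two simulated vendor runs: equal content, different metadata."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        ra = make_tree(a, sorted(SAMPLE), 1_000_000_000)
        rb = make_tree(b, sorted(SAMPLE, reverse=True), 1_700_000_000)
        return {"naive_equal": tar_digest(ra, False) == tar_digest(rb, False),
                "normalized_equal": tar_digest(ra) == tar_digest(rb)}

if __name__ == "__main__":
    print(compare_runs())
```

Normalization removes only archive metadata (timestamps, ownership, modes, member order). If the vendored file contents themselves differ between runs, the digest still changes and a fixed output hash will not match.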

@vorburger
Member Author

vorburger commented Oct 11, 2025

Given #1875 (comment), I'm closing this PR, as a "failed experiment".

#1878 picks up the .built/HOME (and hooks), which were part of this, but unrelated to vendoring.

@vorburger vorburger closed this Oct 11, 2025