name: Bazel

on:

workflow_call:

inputs:

name:

description: Name of workflow

required: false

type: string

ref:

description: Git ref to checkout (branch, tag, or SHA)

required: false

type: string

default: ''

run:

description: Bazel command to run

required: true

type: string

os:

description: One of ubuntu, windows or macos

required: false

type: string

default: ubuntu

browser:

description: One of chrome, firefox, or edge

required: false

type: string

default: ''

caching:

description: Toggle caching of Bazel

required: false

type: boolean

default: true

node-version:

description: Custom Node version to install

required: false

type: string

default: ''

python-version:

description: Custom Python version to use

required: false

type: string

default: ''

ruby-version:

description: Custom Ruby version to use

required: false

type: string

default: ''

artifact-name:

description: Name of artifact to upload

required: false

type: string

default: ''

artifact-path:

description: Path/glob of files to upload (if empty, uploads git diff as changes.patch)

required: false

type: string

default: ''

rerun-with-debug:

description: Rerun failing tests with debugging enabled

required: false

type: boolean

default: false

gpg-sign:

description: Import GPG key for signing (Java releases)

required: false

type: boolean

default: false

fetch-depth:

description: Number of commits to fetch (0 for full history, empty for auto-detect)

required: false

type: string

default: ''

cache-name:

description: Name for cache restore (restores {name}.gz with key {name}-)

required: false

type: string

default: ''

gem-trusted-publishing:

description: Exchange GitHub OIDC token for a RubyGems API token (requires trusted publisher configured on rubygems.org)

required: false

type: boolean

default: false

jobs:

bazel:

name: ${{ inputs.name }}

runs-on: ${{ contains(inputs.os, '-') && inputs.os || format('{0}-latest', inputs.os) }}

env:

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

SEL_M2_USER: ${{ secrets.SEL_M2_USER }}

SEL_M2_PASS: ${{ secrets.SEL_M2_PASS }}

TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}

TWINE_NIGHTLY_PASSWORD: ${{ secrets.TWINE_NIGHTLY_PASSWORD }}

GEM_HOST_API_KEY: ${{ secrets.GEM_HOST_API_KEY }}

NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}

steps:

- name: Remove extra tools to free disk space

if: inputs.os == 'ubuntu'

run: |

echo "Removing extra tools to free disk space..."

echo "Space before: $(df -BG / | tail -1 | awk '{print $4}')"

sudo rm -rf /opt/ghc || true

sudo rm -rf /usr/local/.ghcup || true

sudo rm -rf /usr/local/share/boost || true

sudo rm -rf /usr/share/swift || true

sudo rm -rf /usr/local/julia* || true

sudo rm -rf /usr/lib/google-cloud-sdk || true

sudo rm -rf /opt/hostedtoolcache/CodeQL || true

docker image prune -af 2>/dev/null || true

sync

after=$(df -BG / | tail -1 | awk '{print $4}')

echo "Space after: ${after}"

- name: Remove extra tools to free disk space (Windows)

if: inputs.os == 'windows'

shell: pwsh

run: |

Write-Host "Removing extra tools to free disk space..."

Write-Host "Space before: C: $([math]::Round((Get-PSDrive C).Free / 1GB, 1))GB free, D: $([math]::Round((Get-PSDrive D).Free / 1GB, 1))GB free"

Remove-Item -Path "C:\Miniconda" -Recurse -Force -ErrorAction SilentlyContinue

Remove-Item -Path "C:\tools\ghc" -Recurse -Force -ErrorAction SilentlyContinue

Remove-Item -Path "C:\Program Files\LLVM" -Recurse -Force -ErrorAction SilentlyContinue

Remove-Item -Path "C:\Program Files\PostgreSQL" -Recurse -Force -ErrorAction SilentlyContinue

Remove-Item -Path "C:\Program Files\MongoDB" -Recurse -Force -ErrorAction SilentlyContinue

Remove-Item -Path "C:\Program Files\MySQL" -Recurse -Force -ErrorAction SilentlyContinue

Write-Host "Space after: C: $([math]::Round((Get-PSDrive C).Free / 1GB, 1))GB free, D: $([math]::Round((Get-PSDrive D).Free / 1GB, 1))GB free"

- name: Calculate fetch depth

id: depth

shell: bash

env:

FETCH_DEPTH: ${{ inputs.fetch-depth }}

PR_COMMITS: ${{ github.event.pull_request.commits }}

run: |

# Use explicit value if provided

if [ -n "$FETCH_DEPTH" ]; then

echo "val=$FETCH_DEPTH" >> "$GITHUB_OUTPUT"

# For PRs, use commit count plus buffer for merge base

elif [ -n "$PR_COMMITS" ]; then

echo "val=$((PR_COMMITS + 2))" >> "$GITHUB_OUTPUT"

# For push events, read commit count from event payload

else

COMMIT_COUNT=$(jq -e '.commits | length // 0' "$GITHUB_EVENT_PATH" 2>/dev/null) || COMMIT_COUNT=0

echo "val=$((COMMIT_COUNT + 1))" >> "$GITHUB_OUTPUT"

fi

- name: Checkout source tree

uses: actions/checkout@v6

with:

ref: ${{ inputs.ref || github.ref }}

fetch-depth: ${{ steps.depth.outputs.val }}

fetch-tags: ${{ inputs.fetch-depth != '' }}

- name: Pull latest changes from head ref for PRs

if: contains(github.head_ref, 'renovate/')

shell: bash

run: git pull origin "$HEAD_REF"

env:

HEAD_REF: ${{ github.head_ref }}

- name: Pull latest changes from ref for branch pushes

if: contains(github.ref, 'renovate/')

shell: bash

run: git pull origin "$GIT_REF"

env:

GIT_REF: ${{ github.ref }}

- name: Restore cache

if: inputs.cache-name != ''

uses: actions/cache/restore@v5

with:

path: ${{ inputs.cache-name }}

key: ${{ inputs.cache-name }}-

restore-keys: ${{ inputs.cache-name }}-

- name: Remove driver directories Windows

if: inputs.os == 'windows'

run: |

rm "$env:ChromeWebDriver" -r -v

rm "$env:EdgeWebDriver" -r -v

rm "$env:GeckoWebDriver" -r -v

- name: Remove driver directories Non-Windows

if: inputs.os != 'windows'

run: |

sudo rm -rf "$CHROMEWEBDRIVER" "$EDGEWEBDRIVER" "$GECKOWEBDRIVER"

- name: Set Python version

if: inputs.python-version != ''

run: echo '${{ inputs.python-version }}' > py/.python-version

- name: Set Ruby version

if: inputs.ruby-version != ''

run: echo '${{ inputs.ruby-version }}' > rb/.ruby-version

- name: Setup Node

if: inputs.node-version != ''

uses: actions/setup-node@v6

with:

node-version: ${{ inputs.node-version }}

- name: Setup Bazel with caching

id: setup-bazel-cached

if: inputs.caching

continue-on-error: true

uses: bazel-contrib/setup-bazel@0.19.0

with:

cache-save: ${{ github.ref_name == 'trunk' }}

bazelisk-cache: true

bazelrc: common --color=yes

# Workaround for long path issues: https://github.com/bazelbuild/bazel/pull/22532

output-base: ${{ inputs.os == 'windows' && 'D://b' || '' }}

cache-version: 2

disk-cache: false

external-cache: |

manifest:

crates: rust/Cargo.Bazel.lock

"rules_ruby++ruby+ruby": false

"+pin_browsers_extension+linux_beta_chrome": false

"+pin_browsers_extension+linux_beta_chromedriver": true

"+pin_browsers_extension+linux_beta_firefox": false

"+pin_browsers_extension+linux_chrome": false

"+pin_browsers_extension+linux_chromedriver": true

"+pin_browsers_extension+linux_edge": false

"+pin_browsers_extension+linux_edgedriver": true

"+pin_browsers_extension+linux_firefox": false

"+pin_browsers_extension+linux_geckodriver": true

"+pin_browsers_extension+mac_beta_chrome": false

"+pin_browsers_extension+mac_beta_chromedriver": false

"+pin_browsers_extension+mac_beta_firefox": false

"+pin_browsers_extension+mac_chrome": false

"+pin_browsers_extension+mac_chromedriver": false

"+pin_browsers_extension+mac_edge": false

"+pin_browsers_extension+mac_edgedriver": false

"+pin_browsers_extension+mac_firefox": false

"+pin_browsers_extension+mac_geckodriver": false

repository-cache: true

- name: Report Bazel cache setup failure

if: steps.setup-bazel-cached.outcome == 'failure'

shell: bash

run: |

echo "::warning::Bazel cache setup failed — falling back to setup without cache"

echo "=== Disk space at time of cache failure ==="

df -h "$GITHUB_WORKSPACE" || true

if [[ "$RUNNER_OS" == "Windows" ]]; then df -h /c || true; fi

- name: Setup Bazel without caching

if: inputs.caching == false || steps.setup-bazel-cached.outcome == 'failure'

uses: bazel-contrib/setup-bazel@0.19.0

with:

cache-save: false

bazelisk-cache: true

external-cache: |

manifest:

crates: rust/Cargo.Bazel.lock

repository-cache: true

bazelrc: common --color=yes

- name: Disk usage after cache restore

if: inputs.os != 'macos'

shell: bash

run: |

df -h "$GITHUB_WORKSPACE"

if [[ "$RUNNER_OS" == "Windows" ]]; then df -h /c; fi

- name: Setup Fluxbox and Xvfb

if: inputs.os == 'ubuntu' && inputs.browser != ''

run: |

sudo apt-get update && sudo apt-get -y install fluxbox

Xvfb :99 &

fluxbox -display :99 &

echo "DISPLAY=:99" >> "$GITHUB_ENV"

- name: Set resolution

if: inputs.os == 'windows' && inputs.browser != ''

run: Set-DisplayResolution -Width 1920 -Height 1080 -Force

- name: Disable 8dot3 short names

if: inputs.os == 'windows'

run: fsutil 8dot3name set 0

- name: Enable Developer Mode

if: inputs.os == 'windows'

run: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v AllowDevelopmentWithoutDevLicense /d 1

- name: Setup Safari

if: inputs.browser == 'safari'

run: sudo safaridriver --enable

- name: Import GPG key

if: inputs.gpg-sign

uses: crazy-max/ghaction-import-gpg@v7

with:

gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}

passphrase: ${{ secrets.GPG_PASSPHRASE }}

- name: Configure RubyGems credentials via OIDC

if: inputs.gem-trusted-publishing

uses: rubygems/configure-rubygems-credentials@main

- name: Check disk space before build

if: inputs.os != 'macos'

shell: bash

run: |

df -h "$GITHUB_WORKSPACE"

if [[ "$RUNNER_OS" == "Windows" ]]; then

# On Windows the workspace is on D: but C: is the constrained drive

avail=$(df -k /c | awk 'NR==2 {printf "%.0f", $4/1024/1024}')

echo "Available disk space before build (C:): ${avail}GB"

df -h /c

else

avail=$(df -k "$GITHUB_WORKSPACE" | awk 'NR==2 {printf "%.0f", $4/1024/1024}')

echo "Available disk space before build: ${avail}GB"

fi

if [ "$avail" -lt 10 ]; then

echo "::error::Insufficient disk space: ${avail}GB available (need >=10GB)"

exit 1

fi

- name: Run Bazel

id: run-bazel

shell: bash

env:

MSYS_NO_PATHCONV: 1

MSYS2_ARG_CONV_EXCL: "*"

run: |

mkdir -p build

{

${{ inputs.run }}

} 2>&1 | tee build/bazel-console.log

- name: Rerun failures with debug

if: failure() && steps.run-bazel.outcome == 'failure'

shell: bash

run: ./scripts/github-actions/rerun-failures.sh '${{ inputs.run }}' '${{ inputs.rerun-with-debug }}'

- name: Collect failed test logs

if: failure() && steps.run-bazel.outcome == 'failure'

shell: bash

run: ./scripts/github-actions/collect-test-logs.sh

- name: Upload failed test logs

if: failure() && steps.run-bazel.outcome == 'failure'

uses: actions/upload-artifact@v7

with:

name: test-logs-${{ inputs.os }}-${{ inputs.name }}-${{ inputs.browser }}

retention-days: 7

path: build/failures/**

- name: Start SSH session

if: failure() && runner.debug == '1'

uses: mxschmitt/action-tmate@v3

with:

limit-access-to-actor: false

- name: Save git diff

if: always() && inputs.artifact-name != '' && inputs.artifact-path == ''

shell: bash

run: |

git add -A && git diff --binary --staged > changes.patch

[ -s changes.patch ] || rm -f changes.patch

- name: Upload artifact

if: always() && inputs.artifact-name != ''

uses: actions/upload-artifact@v7

with:

name: ${{ inputs.artifact-name }}

path: ${{ inputs.artifact-path || 'changes.patch' }}

retention-days: 6

if-no-files-found: ${{ inputs.artifact-path != '' && 'error' || 'ignore' }}

- name: Check disk space

if: always()

shell: bash

run: |

avail=$(df -k "$GITHUB_WORKSPACE" | awk 'NR==2 {printf "%.0f", $4/1024/1024}')

echo "Remaining disk space: ${avail}GB"

if [ "$avail" -lt 5 ]; then

echo "::error::Low disk space: ${avail}GB remaining"

exit 1

fi