CUS-349: CI: enable remote execution in jobs that can use it (#45)

Added platform and C++ toolchain configurations for platforms we use
that have configured remote execution pools. This is mostly copied
from github.com/EngFlow/examples.

In .bazelrc, added platform configurations like remote_linux_x64.
One of these needs to be specified when using remote execution.
Also, rename the opal configuration to engflow and split out
engflow_bes.
We'll only support one cluster for this repo.

In workflows, added --config=<remote_platform> and replaced the
CLUSTER_CONFIG environment variable with either engflow or engflow_bes
as appropriate. The jobs driven with 'bazel run' cannot use remote
execution because that always runs on the host, so they're engflow_bes.

.bazelrc

@@ -24,23 +24,46 @@ build:noninteractive --keep_going
 build:release --config=noninteractive
 build:release --stamp
 
+# Platform-specific options for each supported platform.
+build:remote_linux_x64 --extra_execution_platforms=//platform/linux_x64
+build:remote_linux_x64 --extra_toolchains=//platform/linux_x64:cc-toolchain
+build:remote_linux_x64 --host_platform=//platform/linux_x64
+build:remote_linux_x64 --platforms=//platform/linux_x64
+
+build:remote_macos_x64 --extra_execution_platforms=//platform/macos_x64
+build:remote_macos_x64 --host_action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
+build:remote_macos_x64 --host_platform=//platform/macos_x64
+build:remote_macos_x64 --macos_minimum_os=12
+build:remote_macos_x64 --platforms=//platform/macos_x64
+
+build:remote_windows_x64 --extra_execution_platforms=//platform/windows_x64
+build:remote_windows_x64 --extra_toolchains=//platform/windows_x64:cc-toolchain
+build:remote_windows_x64 --host_platform=//platform/windows_x64
+build:remote_windows_x64 --platforms=//platform/windows_x64
+
+# Options for EngFlow remote execution.
 build:engflow_common --jobs=40
 build:engflow_common --define=EXECUTOR=remote
 build:engflow_common --experimental_inmemory_dotd_files
 build:engflow_common --experimental_inmemory_jdeps_files
 build:engflow_common --incompatible_strict_action_env=true
 build:engflow_common --remote_timeout=600
-build:engflow_common --legacy_important_outputs=false
+build:engflow_common --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
 build:engflow_common --grpc_keepalive_time=30s
 build:engflow_common --experimental_remote_cache_compression=true
-build:engflow_common --remote_instance_name=auth
-build:engflow_common --bes_instance_name=auth
-build:engflow_common --bes_lifecycle_events
+build:engflow_common --remote_download_minimal
+
+build:engflow_bes --bes_backend=grpcs://opal.cluster.engflow.com
+build:engflow_bes --bes_results_url=https://opal.cluster.engflow.com/invocations/auth/
+build:engflow_bes --bes_instance_name=auth
+build:engflow_bes --bes_lifecycle_events
 
-build:opal --config=engflow_common
-build:opal --bes_backend=grpcs://opal.cluster.engflow.com
-build:opal --bes_results_url=https://opal.cluster.engflow.com/invocations/auth/
-# TODO(CUS-349): enable remote execution
+build:engflow --config=engflow_common
+build:engflow --config=engflow_bes
+build:engflow --remote_executor=grpcs://opal.cluster.engflow.com
+build:engflow --remote_instance_name=auth
 
-# Load authentication flags for the remote service, if any.
+# To authenticate with the clusters above, either add flags to this
+# .bazelrc.user file or to your $HOME/.bazelrc. These files may contain
+# credentials and local file system paths, so they're not checked in.
 try-import .bazelrc.user

.github/workflows/main.yml

@@ -28,10 +28,8 @@ env:
   # Recommended here: https://github.com/bazelbuild/bazelisk/issues/88#issuecomment-625178467
   BAZELISK_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   CLUSTER_HOST: opal.cluster.engflow.com
-  CLUSTER_CONFIG: opal
   CRED_HELPER_TOKEN: ${{ secrets.OPAL_CRED_HELPER_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  OPAL_RPC_CREDENTIALS: ${{ secrets.OPAL_RPC_CREDENTIALS }}
 
 jobs:
   # TODO(OND-616): use remote execution and caching for all CI Runner jobs.
@@ -44,7 +42,7 @@ jobs:
       - "engflow-pool=ci_sysbox_x64"
       - "engflow-runtime=sysbox-runc"
       - "engflow-runner-id=${{ github.repository_id }}_bazel-builder_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }}"
-    timeout-minutes: 10
+    timeout-minutes: 30
 
     env:
       ARCH: "x64"
@@ -59,8 +57,7 @@ jobs:
       - name: Run all tests
         if: success()
         run: |
-          # TODO(CUS-345): Enable remote execution
-          bazel test --config=noninteractive --config="${CLUSTER_CONFIG}" //...
+          bazel test --config=noninteractive --config=engflow --config=remote_linux_x64 //...
 
       - name: Log out
         run: infra/logout.sh
@@ -106,8 +103,8 @@ jobs:
         shell: bash
         run: |
           # TODO(CUS-345): Enable remote execution
-          bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- test ./...
-          bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- clean -cache -modcache
+          bazel run --config=noninteractive --config=engflow_bes @rules_go//go -- test ./...
+          bazel run --config=noninteractive --config=engflow_bes @rules_go//go -- clean -cache -modcache
 
       - name: Log out
         shell: bash
@@ -138,8 +135,8 @@ jobs:
         if: success()
         run: |
           # TODO(CUS-345): Enable remote execution
-          bazel run --config=noninteractive @rules_go//go -- test ./...
-          bazel run --config=noninteractive @rules_go//go -- clean -cache -modcache
+          bazel run --config=noninteractive --config=engflow_bes @rules_go//go -- test ./...
+          bazel run --config=noninteractive --config=engflow_bes @rules_go//go -- clean -cache -modcache
 
       - name: Log out
         run: infra/logout.sh
@@ -168,7 +165,7 @@ jobs:
       - name: Check copyright headers
         if: success()
         run: |
-          bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" //infra/internal/check_copyright_headers
+          bazel run --config=noninteractive --config=engflow_bes //infra/internal/check_copyright_headers
 
       - name: Log out
         run: infra/logout.sh

.github/workflows/presubmit.yml

@@ -30,12 +30,10 @@ env:
   # Recommended here: https://github.com/bazelbuild/bazelisk/issues/88#issuecomment-625178467
   BAZELISK_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   CLUSTER_HOST: opal.cluster.engflow.com
-  CLUSTER_CONFIG: opal
   CRED_HELPER_TOKEN: ${{ secrets.OPAL_CRED_HELPER_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
-  # TODO(OND-616): use remote execution and caching for all CI Runner jobs.
   bazel-builder:
     runs-on:
       - self-hosted
@@ -45,7 +43,7 @@ jobs:
       - "engflow-pool=ci_sysbox_x64"
       - "engflow-runtime=sysbox-runc"
       - "engflow-runner-id=${{ github.repository_id }}_bazel-builder_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }}"
-    timeout-minutes: 10
+    timeout-minutes: 30
 
     env:
       ARCH: "x64"
@@ -60,8 +58,11 @@ jobs:
       - name: Run all tests
         if: success()
         run: |
-          # TODO(CUS-345): Enable remote execution
-          bazel test --config=noninteractive --config="${CLUSTER_CONFIG}" //...
+          bazel test \
+            --config=noninteractive \
+            --config=engflow \
+            --config=remote_linux_x64 \
+            //...
 
       - name: Log out
         run: infra/logout.sh
@@ -107,8 +108,8 @@ jobs:
         shell: bash
         run: |
           # TODO(CUS-345): Enable remote execution
-          bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- test ./...
-          bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- clean -cache -modcache
+          bazel run --config=noninteractive --config=engflow_bes @rules_go//go -- test ./...
+          bazel run --config=noninteractive --config=engflow_bes @rules_go//go -- clean -cache -modcache
 
       - name: Log out
         shell: bash
@@ -139,8 +140,8 @@ jobs:
         if: success()
         run: |
           # TODO(CUS-345): Enable remote execution
-          bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- test ./...
-          bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- clean -cache -modcache
+          bazel run --config=noninteractive --config=engflow_bes @rules_go//go -- test ./...
+          bazel run --config=noninteractive --config=engflow_bes @rules_go//go -- clean -cache -modcache
 
       - name: Log out
         run: infra/logout.sh
@@ -169,7 +170,7 @@ jobs:
       - name: Check copyright headers
         if: success()
         run: |
-          bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" //infra/internal/check_copyright_headers
+          bazel run --config=noninteractive --config=engflow_bes //infra/internal/check_copyright_headers
 
       - name: Log out
         run: infra/logout.sh

.github/workflows/release.yml

@@ -26,7 +26,6 @@ permissions:
   contents: write
 
 jobs:
-  # TODO(OND-616): use remote execution and caching for all CI Runner jobs.
   release:
     runs-on:
       - self-hosted
@@ -40,8 +39,16 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+
+      - name: Log in
+        run: infra/login.sh
+
       - name: release
+        if: success()
         run: |
           infra/release.sh "${{ inputs.version }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Log out
+        run: infra/logout.sh

.gitignore

@@ -1,4 +1,5 @@
 bazel-*
+.bazelrc.user
 
 # TODO(CUS-389): This file seems to thrash contents between builds (possibly due
 # to VSCode extension behavior). Ignore changes until we can better understand

cmd/engflow_auth/BUILD

@@ -34,7 +34,6 @@ go_test(
         "//internal/oauthdevice",
         "//internal/oauthtoken",
         "@com_github_stretchr_testify//assert",
-        "@com_github_zalando_go_keyring//:go-keyring",
         "@org_golang_x_oauth2//:oauth2",
     ],
 )

cmd/engflow_auth/main_test.go

@@ -30,13 +30,12 @@ import (
 	"github.com/EngFlow/auth/internal/oauthdevice"
 	"github.com/EngFlow/auth/internal/oauthtoken"
 	"github.com/stretchr/testify/assert"
-	"github.com/zalando/go-keyring"
 	"golang.org/x/oauth2"
 )
 
 func init() {
 	// Tests should not interact with the user's real keyring.
-	keyring.MockInit()
+	oauthtoken.KeyringMockInit()
 }
 
 func codedErrorContains(t *testing.T, gotErr error, code int, wantMsg string) bool {

infra/internal/check_copyright_headers/main.go

@@ -30,7 +30,7 @@ var (
 	skipRegexps = []*regexp.Regexp{
 		regexp.MustCompile(`^go\.mod$`),
 		regexp.MustCompile(`^go\.sum$`),
-		regexp.MustCompile(`^LICENSE$`),
+		regexp.MustCompile(`(^|/)LICENSE$`),
 		regexp.MustCompile(`^MODULE\.bazel\.lock$`),
 		regexp.MustCompile(`^MODULE\.bazel$`),
 		regexp.MustCompile(`^README.md$`),
@@ -40,6 +40,8 @@ var (
 		regexp.MustCompile(`^\.bazelversion$`),
 		regexp.MustCompile(`^\.gitignore$`),
 		regexp.MustCompile(`\.bzl$`),
+		regexp.MustCompile(`^platform/linux_x64/builtin_include_directory_paths`),
+		regexp.MustCompile(`^platform/linux_x64/module.modulemap`),
 	}
 	copyrightRegexp = regexp.MustCompile(`^(#|//) Copyright [0-9-]+ EngFlow Inc\.`)
 )

infra/release.sh

@@ -85,6 +85,8 @@ echo "[START]  Building artifacts"
 BUILD_RELEASE_VERSION="${RELEASE_VERSION}" \
     bazel build \
     --config=release \
+    --config=engflow \
+    --config=remote_linux_x64 \
     -- \
     //:release_artifacts
 echo "[FINISH] Building artifacts"

internal/oauthtoken/keyring.go

@@ -25,6 +25,15 @@ import (
 	"golang.org/x/oauth2"
 )
 
+// KeyringMockInit initializes this package so that its methods may be called
+// from a test without reading or writing external state.
+func KeyringMockInit() {
+	mockUsername = "test"
+	keyring.MockInit()
+}
+
+var mockUsername string = ""
+
 type keyringNotFoundError struct {
 	service string
 	user    string
@@ -47,12 +56,16 @@ type Keyring struct {
 var _ LoadStorer = (*Keyring)(nil)
 
 func NewKeyring() (LoadStorer, error) {
-	u, err := user.Current()
-	if err != nil {
-		return nil, err
+	username := mockUsername
+	if username == "" {
+		u, err := user.Current()
+		if err != nil {
+			return nil, err
+		}
+		username = u.Username
 	}
 	return &Keyring{
-		username: u.Username,
+		username: username,
 	}, nil
 }