Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
48 changes: 48 additions & 0 deletions .bazelrc
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,44 @@ build --incompatible_strict_action_env
# creating symlinks in `/usr/local/bin`, which we always want to be loaded first.
build --action_env=PATH=/usr/local/bin:/usr/bin:/bin

# Apply `build:<os>` configs automatically based on the host OS, so
# the MacOS-only settings below don't leak into Linux builds.
build --enable_platform_specific_config

# Pin the MacOS deployment target so the published wheel's
# compatibility floor is decoupled from whichever MacOS/Xcode the
# build host happens to ship. Two things determine that floor, and
# each needs its own knob:
# - The `minos` load command on the native binaries comes from the
# `-target arm64-apple-macosx<version>` triple that the MacOS
# toolchain's `wrapped_clang` injects. That `<version>` is
# `--macos_minimum_os`, which defaults to the SDK version (i.e.
# the build host's) when unset, so we pin it.
# - The wheel's platform tag is forced by our `pip_package` rule
# (see `MACOS_PLATFORM_TAG`); the `--action_env` just keeps
# `MACOSX_DEPLOYMENT_TARGET` consistent for any wheel-build tool
# that reads it.
# Pinning these to the same version means a newer SDK can't silently
# raise the floor and produce a wheel that fails to install (tag) or
# fails to load at runtime (minos) on MacOS versions we still support.
# We pin to the MacOS 14 floor; the minor is 0 because `pip` only
# accepts `macosx_<major>_0` wheels for MacOS >= 11. Must stay in
# sync with the `MACOS_PLATFORM_TAG` constant in
# `bazel/pip_package_rule/pip_package.bzl`.
build:macos --macos_minimum_os=14.0
build:macos --action_env=MACOSX_DEPLOYMENT_TARGET=14.0

# Building for an old deployment target (14.0, below the build host's
# MacOS) only protects users on those older systems if our code never
# calls an API introduced after it. `clang` already flags
# unguarded use of such an API (one reached without an `@available`
# guard), but only as a warning by default, which is easy to miss in
# CI output. Promoting `-Wunguarded-availability` to an error makes
# the build fail on it instead, so we can't ship a wheel that would
# hit a missing symbol at runtime on a MacOS version we still claim
# to support.
build:macos --copt=-Werror=unguarded-availability

# Allow `rules_oci` to (attempt to) pull images, even when it first
# calls a credential helper that fails (i.e. one with no credentials
# set up). The images we pull tend to not need any auth, so a lack of
Expand Down Expand Up @@ -180,6 +218,16 @@ test --test_env=TZ
# we will print stack traces when running Reboot from Node.js.
test --test_env=REBOOT_BAZEL_TEST=true

# When running our own tests, also validate effects for "trusted" Reboot
# library servicers, which otherwise skip their effect-validation re-runs
# for app developers. See https://github.com/reboot-dev/mono/issues/4499.
test --test_env=RBT_VALIDATE_TRUSTED_EFFECTS=true

# Keep tests hermetic: don't let `rbt` invocations inside tests run the
# new-version check (a network fetch against PyPI). See
# https://github.com/reboot-dev/mono/issues/5528.
test --test_env=REBOOT_NO_VERSION_CHECK=true

# Bazel doesn't print stdout/stderr for failed tests if the contents exceeds 1MB
# by default; increase this to 10MB for CI purposes.
test --experimental_ui_max_stdouterr_bytes=10485760
5 changes: 4 additions & 1 deletion .devcontainer/devcontainer.json
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,10 @@
// but that's complicated.
// https://github.com/microsoft/vscode-dev-containers/blob/main/script-library/docs/docker-in-docker.md
"ghcr.io/devcontainers/features/docker-in-docker:2": {
"version": "latest"
// Buildx is already installed via `docker-buildx-plugin` in the
// Dockerfile, so skip the feature's own `buildx` download.
"version": "latest",
"installDockerBuildx": false
},
// GitHub recently changed their default to no longer install sshd by default.
// See: https://github.com/cli/cli/issues/5739. We now need to add it in
Expand Down
9 changes: 6 additions & 3 deletions .github/workflows/build_and_test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,7 @@ jobs:
QUERY="$QUERY \
except attr(\"tags\",\"requires-pulumi\",//tests/...) \
except attr(\"tags\",\"requires-linux-x86\",//tests/...) \
except attr(\"tags\",\"requires-macos\",//tests/...) \
except attr(\"tags\",\"manual\",//tests/...)"

# 3) If this is a PR labelled "reboot-release", also drop flaky
Expand Down Expand Up @@ -148,9 +149,11 @@ jobs:
with:
show-progress: false
- name: Setup Node
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: "18"
# Docusaurus >= 3.9 requires Node >= 20. Pinned to match
# the Bazel toolchain (`node_version` in WORKSPACE.bazel).
node-version: "20.19.0"
- name: Install dependencies
working-directory: ./documentation
run: npm install
Expand Down Expand Up @@ -191,7 +194,7 @@ jobs:
uses: ./.github/workflows/reboot_macos_environment.yml
secrets: inherit
with:
runs-on: depot-macos-14
runs-on: depot-macos-15
# TODO: Make "LocalEnvoy" tests work on MacOS.
# See https://github.com/reboot-dev/mono/issues/2345
run: |
Expand Down
60 changes: 36 additions & 24 deletions .github/workflows/reboot_macos_environment.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ name: Reusable Workflow for Reboot MacOS
# # The nested job needs write permissions, which means this job also needs them.
# secrets: inherit
# with:
# runs-on: depot-macos-14
# runs-on: depot-macos-15
# run: |
# # Command 1:
# bazel build //...
Expand Down Expand Up @@ -42,24 +42,24 @@ env:
TZ: ${{ inputs.timezone }}
# There is no Python 3.10.12 available for MacOS.
PYTHON_VERSION: 3.10.11
# The latest of 02/24/2025.
XCODE_VERSION: 15.2
# The default Xcode on the 'depot-macos-15' image.
XCODE_VERSION: 16.4
AUTOCONF_VERSION: 2.72
MYPY_VERSION: 1.18.1
LLVM_VERSION: 19

jobs:
check-runner:
name: Validate runner
# There is no reason to run that job on the 'depot-macos-14', which
# There is no reason to run that job on the 'depot-macos-15', which
# is a more expensive runner, since we are just checking the arguments
# provided to the workflow.
runs-on: depot-ubuntu-24.04
steps:
- name: Fail if runner is not 'depot-macos-14'
if: ${{ inputs.runs-on != 'depot-macos-14' }}
- name: Fail if runner is not 'depot-macos-15'
if: ${{ inputs.runs-on != 'depot-macos-15' }}
run: |
echo "Error: Unsupported runner. Must be 'depot-macos-14'."; exit 1
echo "Error: Unsupported runner. Must be 'depot-macos-15'."; exit 1

# Helper job that we run before any other jobs to ensure that we
# have all of the secrets that we need.
Expand All @@ -68,7 +68,7 @@ jobs:
# 'https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets'.
check-secrets:
name: Check Secrets
# There is no reason to run that job on the 'depot-macos-14',
# There is no reason to run that job on the 'depot-macos-15',
# which is a more expensive runner, since we are just checking the secrets.
runs-on: depot-ubuntu-24.04
steps:
Expand All @@ -90,6 +90,16 @@ jobs:
HOMEBREW_NO_INSTALL_CLEANUP: 1
HOMEBREW_NO_ENV_HINTS: 1
steps:
# Depot folks suggestion: macOS runners stay up continuously rather
# than being recycled after each job, so Homebrew's package cache
# can build up over time. Adding a cleanup step before the install
# usually fixes this.
- name: Free disk space
run: |
brew cleanup -s
rm -rf ~/Library/Caches/Homebrew
df -h

- name: Update Homebrew
run: |
brew update -q
Expand Down Expand Up @@ -126,14 +136,13 @@ jobs:
with:
python-version: ${{ env.PYTHON_VERSION }}

- name: Install Rye
- name: Install uv
run: |
curl -sSf https://raw.githubusercontent.com/astral-sh/rye/main/scripts/install.sh | RYE_VERSION="0.31.0" RYE_INSTALL_OPTION="--yes" bash
echo 'source "$HOME/.rye/env"' >> $HOME/.bash_profile
source "$HOME/.rye/env"
rye config --set-bool behavior.use-uv=true
curl -LsSf https://astral.sh/uv/0.11.13/install.sh | sh
echo 'export PATH="$HOME/.local/bin:$PATH"' >> $HOME/.bash_profile
export PATH="$HOME/.local/bin:$PATH"
# TODO: See https://github.com/reboot-dev/mono/issues/2652.
sudo ln -s $(which rye) /usr/local/bin/rye
sudo ln -sf "$HOME/.local/bin/uv" /usr/local/bin/uv

# Our 'examples' tests are bazel 'sh_test', which means they are
# configured in another way than the 'py_test' tests.
Expand All @@ -156,30 +165,33 @@ jobs:
run: |
brew list jq &>/dev/null || brew install jq

# MacOS runners aren't able to run Docker inside, so we have
# to run Envoy as an executable during 'rbt dev run'.
- name: Install Envoy executable
run: |
# We would like to pin the envoy version, but there is no available
# brew formula for that.
# https://github.com/envoyproxy/envoy/issues/14520
brew install envoy

- name: Symlink executables arm64
# Our 'examples' tests are bazel 'sh_test', which means they only have
# access to a limited set of PATH entries
# TODO: See https://github.com/reboot-dev/mono/issues/2652.
run: |
sudo ln -s $(which autoconf) /usr/local/bin/autoconf
sudo ln -s $(which jq) /usr/local/bin/jq
sudo ln -s $(which envoy) /usr/local/bin/envoy

- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
show-progress: false

# MacOS runners aren't able to run Docker inside, so we have
# to run Envoy as an executable during 'rbt dev run'.
# `install_envoy.sh` downloads the Envoy version pinned in
# `reboot/settings.py` (`ENVOY_VERSION`) and prints the
# directory containing the binary. Symlink the binary to where
# our bazel 'sh_test' tests can find it, since they only have
# access to a limited set of PATH entries.
# TODO: See https://github.com/reboot-dev/mono/issues/2652.
- name: Install Envoy executable
run: |
ENVOY_DIR="$(sh reboot/plugin/lib/install_envoy.sh)"
sudo ln -s "$ENVOY_DIR/envoy" /usr/local/bin/envoy

# We need to differentiate between different MacOS environments, like
# arm64 and x86_64 in the remote cache, so we dump information about the
# environment into 'mac_os_environment.txt' and calculate a hash of
Expand Down
37 changes: 16 additions & 21 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ ARG ISTIO_VERSION=1.29.0
# This version should match `ENVOY_VERSION` in
# `public/reboot/settings.py` and
# `reboot/containers/reboot-base/Dockerfile`.
ARG ENVOY_VERSION=1.30.2
ARG ENVOY_VERSION=1.38.2

# Clang version used for C++ compilation on the host and in the
# manylinux-builder container.
Expand Down Expand Up @@ -499,24 +499,21 @@ RUN set -e; \
&& mv ./pulumi/* /usr/local/bin/ \
&& rm ${ARCHIVE_NAME}

# Install Rye as the target user. We configure rye to use uv, to only install
# Python inside of a project directory, and pre-fetch a few commonly used Python
# versions. (The last is optional but enables the Python versions to be cached
# in the Docker image).
# Install uv as the target user, and pre-fetch a few commonly used Python
# versions. (The latter is optional but enables the Python versions to be
# cached in the Docker image).
USER $UNAME
RUN curl -sSf https://raw.githubusercontent.com/astral-sh/rye/main/scripts/install.sh | RYE_VERSION="0.31.0" RYE_INSTALL_OPTION="--yes" bash \
&& "$HOME/.rye/shims/rye" config --set-bool behavior.use-uv=true \
&& "$HOME/.rye/shims/rye" config --set-bool behavior.global-python=false \
&& "$HOME/.rye/shims/rye" fetch cpython@3.10.13 \
&& "$HOME/.rye/shims/rye" fetch cpython@3.11.8 \
&& "$HOME/.rye/shims/rye" fetch cpython@3.12.2
RUN curl -LsSf https://astral.sh/uv/0.11.13/install.sh | sh \
&& "$HOME/.local/bin/uv" python install 3.10.13 3.11.8 3.12.2

# Bazel's `--incompatible_strict_action_env` causes a hardcoded PATH to be used which
# does not include the path where `rye` is installed. Rather than changing Bazel's PATH,
# we ensure that `rye` is accessible on it.
# does not include the path where `uv` is installed. Rather than changing Bazel's PATH,
# we ensure that `uv` is accessible on it.
# TODO: See https://github.com/reboot-dev/mono/issues/2652.
RUN sudo ln -s "$HOME/.rye/shims/rye" /usr/local/bin/rye
RUN echo "source \"$HOME/.rye/env\"" >> "$HOME/.bashrc"
# Use `-f`: base images / Dev Container features may already provide a
# `uv` there, and ours (pinned) must win.
RUN sudo ln -sf "$HOME/.local/bin/uv" /usr/local/bin/uv
RUN echo "export PATH=\"$HOME/.local/bin:\$PATH\"" >> "$HOME/.bashrc"
# Then return to root.
USER root

Expand Down Expand Up @@ -748,15 +745,13 @@ RUN set -e; \
# Install Node.js (which includes npm) for running JavaScript-based tests.
RUN dnf install -y nodejs && dnf clean all

# Install Rye for the builder user. We use `sudo` to create a symlink in
# /usr/local/bin so it's accessible on the PATH regardless of the user.
# Install uv for the builder user. We create a symlink in /usr/local/bin
# so it's accessible on the PATH regardless of the user.
USER builder
RUN curl -sSf https://raw.githubusercontent.com/astral-sh/rye/main/scripts/install.sh | RYE_VERSION="0.31.0" RYE_INSTALL_OPTION="--yes" bash \
&& "$HOME/.rye/shims/rye" config --set-bool behavior.use-uv=true \
&& "$HOME/.rye/shims/rye" config --set-bool behavior.global-python=false
RUN curl -LsSf https://astral.sh/uv/0.11.13/install.sh | sh

USER root
RUN ln -s /home/builder/.rye/shims/rye /usr/local/bin/rye
RUN ln -sf /home/builder/.local/bin/uv /usr/local/bin/uv

# Switch back to the builder user for running tests.
USER builder
17 changes: 13 additions & 4 deletions bazel/pip_package_rule/pip_package.bzl
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,14 @@ Under the hood, there are three components to be aware of:

load("@host_arch_detector//:host_arch.bzl", "host_arch")

# The platform tag for wheels we build on MacOS. Its major/minor must
# match the deployment target pinned for MacOS hosts in `.bazelrc`
# (`--macos_minimum_os`). The minor must be 0: for MacOS >= 11
# `pip` only treats `macosx_<major>_0` wheels as compatible (it never
# generates a `macosx_14_2`-style tag), so a non-zero minor would make
# the wheel uninstallable.
MACOS_PLATFORM_TAG = "macosx_14_0"

def _debug_print(*args, **kwargs):
"""A helper to print information only while debugging.

Expand Down Expand Up @@ -574,7 +582,7 @@ def _pip_package_impl(ctx):
if is_platform_dependent:
if ctx.attr.os_name == "linux":
classifiers.append("Operating System :: POSIX :: Linux")
elif ctx.attr.os_name == "macosx_13_0":
elif ctx.attr.os_name == MACOS_PLATFORM_TAG:
classifiers.append("Operating System :: MacOS :: MacOS X")
else:
fail("Unsupported OS: %s" % ctx.attr.os_name)
Expand Down Expand Up @@ -1034,9 +1042,10 @@ def pip_package(name, visibility, tags = [], **kwargs):
os_name = select(
{
"@platforms//os:linux": "linux",
# The 'macosx_13_0' tag is what we get running on a GitHub
# Actions M1 runner.
"@platforms//os:osx": "macosx_13_0",
# The MacOS wheel's platform tag, it must stay in sync
# with the `minos` floor we pin for MacOS
# hosts in `.bazelrc` (`--macos_minimum_os`).
"@platforms//os:osx": MACOS_PLATFORM_TAG,
},
),
tags = tags,
Expand Down
4 changes: 2 additions & 2 deletions charts/reboot/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
apiVersion: 3.3.2
name: reboot
version: "1.1.0"
version: "1.2.0"
description: Reboot is a programming framework that enables transactional microservices built with the developer in mind.
type: application
keywords:
Expand All @@ -10,4 +10,4 @@ keywords:
- scalable
- reactive
home: https://docs.reboot.dev/
appVersion: "1.1.0"
appVersion: "1.2.0"
9 changes: 6 additions & 3 deletions ci/templates/build_and_test.yml.j2
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,7 @@ jobs:
QUERY="$QUERY \
except attr(\"tags\",\"requires-pulumi\",//tests/...) \
except attr(\"tags\",\"requires-linux-x86\",//tests/...) \
except attr(\"tags\",\"requires-macos\",//tests/...) \
except attr(\"tags\",\"manual\",//tests/...)"

# 3) If this is a PR labelled "reboot-release", also drop flaky
Expand Down Expand Up @@ -194,9 +195,11 @@ jobs:
with:
show-progress: false
- name: Setup Node
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: "18"
# Docusaurus >= 3.9 requires Node >= 20. Pinned to match
# the Bazel toolchain (`node_version` in WORKSPACE.bazel).
node-version: "20.19.0"
- name: Install dependencies
<% if is_mono %>
working-directory: ./public/documentation
Expand Down Expand Up @@ -251,7 +254,7 @@ jobs:
uses: ./.github/workflows/reboot_macos_environment.yml
secrets: inherit
with:
runs-on: depot-macos-14
runs-on: depot-macos-15
# TODO: Make "LocalEnvoy" tests work on MacOS.
# See https://github.com/reboot-dev/mono/issues/2345
run: |
Expand Down
Loading
Loading