Bazel support?

Hi there - we use bazel within our multi-product repos. It would be great to have dependabot understand and integrate with that?

Broadly, bazel is a cross-platform and cross-language build system. It wants one to specify all external dependencies within a WORKSPACE file within the root of the repo (with plans I think to allow WORKSPACE files, plural, within the repo).

A WORKSPACE file (and other Bazel files) is written in a language called Starlark.

A WORKSPACE file can take dependencies as follows:

  • on dependencies that are themselves built via bazel
  • on dependencies not built via bazel
  • on dependencies packaged via that language's package manager (for details, see the bazelbuild/rules_* repos)

A great first addition would be to handle the git_repository and http_archive dependency rules, since mostly these target github sha1s or tags.

I don't know which language dependabot itself is written in, but there is a Starlark parser in golang if it happens to be go.


rkhir

there is a Starlark parser in golang if it happens to be go.

It might be worth pointing out that Skylark is a subset of Python 3 as that might simplify parsing of the WORKSPACE file.
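The question above asks for the http_archive and git_repository rules to be handled first, and this reply notes that the WORKSPACE syntax is close to Python. The following is an added example (not Dependabot's, Bazel's, or any poster's code) that uses Python's own ast module to pull those two rule kinds out of a WORKSPACE file and flag the ones Bazel cannot verify: an http_archive with no sha256, or a git_repository pinned to a tag or branch rather than a commit. The sample WORKSPACE, its names and URLs are constructed for the example.

```python
import ast

# Constructed sample WORKSPACE; repository names, URLs and digests are hypothetical.
SAMPLE_WORKSPACE = '''
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")

http_archive(
    name = "rules_foo",
    urls = ["https://github.com/example/rules_foo/archive/v1.2.0.tar.gz"],
    sha256 = "0000000000000000000000000000000000000000000000000000000000000000",
    strip_prefix = "rules_foo-1.2.0",
)
http_archive(
    name = "rules_bar",
    urls = ["https://github.com/example/rules_bar/archive/master.zip"],
)
git_repository(
    name = "libbaz",
    remote = "https://github.com/example/libbaz.git",
    tag = "v0.9",
)
git_repository(
    name = "libqux",
    remote = "https://github.com/example/libqux.git",
    commit = "da39a3ee5e6b4b0d3255bfef95601890afd80709",
)
'''

def external_deps(source):
    """Return {name: {"rule": ..., <kwarg>: <literal>}} for every
    http_archive / git_repository call found in the Starlark source.
    Starlark call syntax is Python call syntax, so ast.parse accepts it."""
    deps = {}
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("http_archive", "git_repository")):
            kwargs = {kw.arg: ast.literal_eval(kw.value) for kw in node.keywords}
            deps[kwargs["name"]] = dict(rule=node.func.id, **kwargs)
    return deps

def unpinned(deps):
    """Names of deps Bazel cannot integrity-check: an archive with no sha256,
    or a git checkout by tag/branch (both can be moved after the fact)."""
    return sorted(name for name, d in deps.items()
                  if (d["rule"] == "http_archive" and "sha256" not in d)
                  or (d["rule"] == "git_repository" and "commit" not in d))

if __name__ == "__main__":
    for name in unpinned(external_deps(SAMPLE_WORKSPACE)):
        print("unpinned external dependency:", name)
```

Run against a real WORKSPACE by replacing SAMPLE_WORKSPACE with the file's contents; rules loaded under other names or called from .bzl macros are not seen by this simple walk.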

I have a Bazel project where I'm interested in enabling dependabot. I considered 1) writing a script that generates a pom.xml from the WORKSPACE file to hack around the lack of support and 2) adding a CI check that makes sure the pom.xml file is synced with WORKSPACE. This would obviously mean that no pull requests submitted by dependabot would work, but at least we'd know of security issues. Maybe too hacky, haven't decided...

@JensRantil, great idea. Although Bazel does support the pom.xml generation part of this rule, the file can be synced on each bazel build ... command, which will save the implementer a few steps. 🍻
