bazel/wrapper_hook/flag_sync.py

import os
import pathlib
import sys
import time
import traceback
from typing import Dict

REPO_ROOT = pathlib.Path(__file__).parent.parent.parent
sys.path.append(str(REPO_ROOT))

from bazel.wrapper_hook.wrapper_debug import wrapper_debug
from tools.flag_sync.util import get_flags

# Allowed .bazelrc lines. Attempt to remove flag setting as attack vector.
ALLOW_LINES = [
    "common --config=local",
    "--experimental_throttle_remote_action_building",
    "--noexperimental_throttle_remote_action_building",
    "--dtlto=False",
    "--pgo_profile_use=False",
    "--bolt_profile_use=False",
    "common --all_headers=True",
]


def update_bazelrc(flags: Dict[str, Dict], verbose: bool):
    bazelrc_path = f"{REPO_ROOT}/.bazelrc.sync"
    if verbose:
        print(f"Updating {bazelrc_path}")

    enabled = set()
    for flag in flags.values():
        if flag["enabled"]:
            enabled.add(flag["value"])

    changed = True
    if os.path.exists(bazelrc_path):
        with open(bazelrc_path, "r") as bazelrc:
            lines = bazelrc.readlines()
            bazelrc = set([l.strip() for l in lines])
            changed = bazelrc != enabled

    if not changed:
        return

    with open(bazelrc_path, "w+") as bazelrc:
        for line in enabled:
            if line in ALLOW_LINES:
                bazelrc.write(line + "\n")
            else:
                print("Tried to write unallowed line. Skipping...")


def sync_and_update(namespace: str):
    flags = get_flags(namespace)
    update_bazelrc(flags, False)


def sync_flags(namespace: str) -> bool:
    start = time.time()
    try:
        sync_and_update(namespace)
    except Exception:
        traceback.print_exc()
        print("Failed to sync bazel flags. Skipping...")
        return False
    wrapper_debug(f"flag sync time: {time.time() - start}")
    return True
SERVER-107364 Flag Sync S3 Version (#36152) GitOrigin-RevId: 83b8a408f600aaff50472a2544a90538cc761d2c 2025-07-11 13:49:07 -05:00			`import os`
			`import pathlib`
			`import sys`
			`import time`
SERVER-114135 fix ignore failure case for s3 download script (#44180) GitOrigin-RevId: 31963df44c5b3990771373345229db2bc7b549f5 2025-11-19 11:45:09 -06:00			`import traceback`
SERVER-107364 Flag Sync S3 Version (#36152) GitOrigin-RevId: 83b8a408f600aaff50472a2544a90538cc761d2c 2025-07-11 13:49:07 -05:00			`from typing import Dict`

			`REPO_ROOT = pathlib.Path(__file__).parent.parent.parent`
			`sys.path.append(str(REPO_ROOT))`

			`from bazel.wrapper_hook.wrapper_debug import wrapper_debug`
			`from tools.flag_sync.util import get_flags`

			`# Allowed .bazelrc lines. Attempt to remove flag setting as attack vector.`
SERVER-107469 Set --noexperimental_throttle_remote_action_building to remove artificial build concurrency cap (#38455) GitOrigin-RevId: 7ca150af382bdc1c2e88b5bc8867b05738056dff 2025-07-14 09:14:07 -07:00			`ALLOW_LINES = [`
			`"common --config=local",`
			`"--experimental_throttle_remote_action_building",`
			`"--noexperimental_throttle_remote_action_building",`
SERVER-107041 Have default CI build with Clang LTO PGO (#41626) GitOrigin-RevId: 12685112b052141b84371dd9f614ae316d16f1ec 2025-09-23 11:45:11 -07:00			`"--dtlto=False",`
			`"--pgo_profile_use=False",`
			`"--bolt_profile_use=False",`
SERVER-108412 add auto header build file generation (#43122) GitOrigin-RevId: 237d2c30f1d527449e5c00a191eb8f9c9d710281 2025-11-18 16:26:08 -06:00			`"common --all_headers=True",`
SERVER-107469 Set --noexperimental_throttle_remote_action_building to remove artificial build concurrency cap (#38455) GitOrigin-RevId: 7ca150af382bdc1c2e88b5bc8867b05738056dff 2025-07-14 09:14:07 -07:00			`]`
SERVER-107364 Flag Sync S3 Version (#36152) GitOrigin-RevId: 83b8a408f600aaff50472a2544a90538cc761d2c 2025-07-11 13:49:07 -05:00

			`def update_bazelrc(flags: Dict[str, Dict], verbose: bool):`
			`bazelrc_path = f"{REPO_ROOT}/.bazelrc.sync"`
			`if verbose:`
			`print(f"Updating {bazelrc_path}")`

			`enabled = set()`
			`for flag in flags.values():`
			`if flag["enabled"]:`
			`enabled.add(flag["value"])`

			`changed = True`
			`if os.path.exists(bazelrc_path):`
			`with open(bazelrc_path, "r") as bazelrc:`
			`lines = bazelrc.readlines()`
			`bazelrc = set([l.strip() for l in lines])`
			`changed = bazelrc != enabled`

			`if not changed:`
			`return`

			`with open(bazelrc_path, "w+") as bazelrc:`
			`for line in enabled:`
			`if line in ALLOW_LINES:`
			`bazelrc.write(line + "\n")`
			`else:`
			`print("Tried to write unallowed line. Skipping...")`


			`def sync_and_update(namespace: str):`
			`flags = get_flags(namespace)`
			`update_bazelrc(flags, False)`


			`def sync_flags(namespace: str) -> bool:`
			`start = time.time()`
			`try:`
			`sync_and_update(namespace)`
			`except Exception:`
SERVER-114135 fix ignore failure case for s3 download script (#44180) GitOrigin-RevId: 31963df44c5b3990771373345229db2bc7b549f5 2025-11-19 11:45:09 -06:00			`traceback.print_exc()`
SERVER-107364 Flag Sync S3 Version (#36152) GitOrigin-RevId: 83b8a408f600aaff50472a2544a90538cc761d2c 2025-07-11 13:49:07 -05:00			`print("Failed to sync bazel flags. Skipping...")`
			`return False`
			`wrapper_debug(f"flag sync time: {time.time() - start}")`
			`return True`