This is a minimal example that shows you how to pull in a hermetic instance of a binary from a local nix repository installation and use it in your bazel build.
It builds on top of https://github.com/filmil/bazel_local_nix, which is a set of rules that sets up a local hermetic nix repository.
Now, that one in turn builds on top of https://github.com/tweag/rules_nixpkgs. However, that repository does not give simple examples. It gives complex examples that set up hermetic toolchains and such. But there isn't really a very basic example that shows how you would just take one simple binary from a nix repository and use it in your build.
This repo fixes that issue.
At the moment the only supported platform is x86_64
under Linux
.
I prefer downloading a bazelisk binary, and setting it somewhere in your
$PATH
under the name bazel
.
git clone https://github.com/filmil/bazel-nix-example --recurse-submodules
Sorry about the "submodules" bit. This was the only way I could take in
the required //tools
scripts.
bazel build //:hello
The first run will take its sweet time to install a local copy of nix
into your
bazel cache. Subsequent runs will take significantly less time.
This will produce a file bazel-bin/hello.txt
, which contains some text
produced by running a hermetic instance of GNU Hello. You can take
a look at BUILD.bazel to see how this is achieved.
If you consider using bazel
as your build system of choice, I hope at least part
of your decision is based on bazel's ability to create hermetic builds.
Unfortunately, build hermeticity is not automatic. You have to make it happen.
Usually, this means you must bazelize every dependency your project has. With
many deps, this becomes a big additional task for the project maintainer. You
need to find a way to build your dependency hermetically, and expose it to
bazel
so that it can be used in the build.
nix
makes this step trivial, but it is invasive by default because it
requires installing into a path /nix
which a regular user usually does
not have access to.
The approach I give here instead installs the nix repository into the
bazel cache dir, which allows bazel
to set up the repo as part of
the project's build process.
The nixpkgs rules then allow us to make that installation available to the bazel build comparatively easily. The nix hermeticity rules allow us to guarantee the hermeticity of the resulting build.
In turn, this means the combination given here offers you an easy way to bazelize every dependency, using the fact that nix already does a lot of that legwork, and that nixpkgs rules are available to glue the two systems together.