Enforce MODULE.bazel.lock Versioning and CI Drift Check Across S-CORE Repositories #2628
Description
What
Introduce mandatory versioning and CI enforcement of MODULE.bazel.lock across all S-CORE repositories that use Bazel Bzlmod.
The goal is to strengthen:
- Long-term reproducibility
- Configuration traceability
- Deterministic dependency resolution
- Safety-readiness
Currently, several repositories do not commit MODULE.bazel.lock. Even with pinned bazel_dep versions, dependency resolution can drift due to:
- Transitive dependency updates
- Registry metadata changes
- Yanked releases
- Changes in Bazel’s resolver between versions
Without committing the lock file, the fully resolved module graph is not frozen, which can result in:
- Non-deterministic rebuilds
- Release branches building differently over time
- increased requalification effort for safety-relevant software
This task aims to close that gap systematically across all S-CORE repositories.
How
Step 1 – Repository Audit
- Identify all S-CORE repositories using Bazel with Bzlmod (MODULE.bazel present).
- Check which repositories:
- Already version MODULE.bazel.lock
- Do not version MODULE.bazel.lock
- Create a tracking checklist.
Step 2 – Introduce Lockfile Where Missing
Run:
bazel mod tidy
Commit the generated MODULE.bazel.lock
Ensure it is tracked in version control.
Step 3 – Add CI Drift Check
Add a CI job to enforce lock consistency:
#something like
bazel mod tidy
git diff --exit-code -- MODULE.bazel MODULE.bazel.lock
The job should fail if:
- MODULE.bazel.lock is missing
- The lock file changes after bazel mod tidy
- MODULE.bazel was modified without updating the lock file
This check should be integrated into the reusable workflow (preferred) or in the repo if not possible.
Estimates for realization
Impact to Users of the Feature
- Positive long-term impact:
- Deterministic builds-
- Stable release branches
- Improved auditability
- Reduced risk of silent dependency drift
Short-term impact:
- Contributors must run bazel mod tidy when modifying dependencies
- Lock file diffs may appear in PRs
Category
- Affects Detailed Design
Requirements / Architecture
- Requirements / Architecture are not affected by this change?