From b646d4ce80952a873b33fc3660aae5495d0ce082 Mon Sep 17 00:00:00 2001
From: Alex Eagle <alex@aspect.dev>
Date: Mon, 18 Mar 2024 17:50:27 -0700
Subject: [PATCH] chore: fix e2e (#3)

* chore: fix e2e

* chore: fix

* chore: copy code review improvements from upstream

https://github.com/bazelbuild/rules_proto/pull/205
---
 .github/workflows/mirror_protoc_release.yml | 3 +++
 MODULE.bazel                                | 6 +++++-
 protoc/extensions.bzl                       | 8 ++++----
 protoc/private/mirror_protoc_release.sh     | 4 ++++
 protoc/toolchain.bzl                        | 9 +++++----
 5 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/mirror_protoc_release.yml b/.github/workflows/mirror_protoc_release.yml
index fa7de6a..6cbfb36 100644
--- a/.github/workflows/mirror_protoc_release.yml
+++ b/.github/workflows/mirror_protoc_release.yml
@@ -3,6 +3,9 @@ on:
   # Trigger manually in the UI
   workflow_dispatch:
   # Trigger daily at 06:10 UTC
+  # Note, the create-pull-request action only sends a PR if there's a code change,
+  # so a no-op execution of the mirror_protoc_releases script on most days will
+  # not create a pull request.
   schedule:
     - cron: "10 6 * * *"
 
diff --git a/MODULE.bazel b/MODULE.bazel
index 8dc0f23..6524e07 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -39,7 +39,11 @@ register_toolchains(
 )
 
 # Shows how a typical Python user fetches all the dependencies of their app, including the protobuf runtime
-pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
+pip = use_extension(
+    "@rules_python//python/extensions:pip.bzl",
+    "pip",
+    dev_dependency = True,
+)
 pip.parse(
     hub_name = "pypi",
     python_version = "3.11",
diff --git a/protoc/extensions.bzl b/protoc/extensions.bzl
index 4f24079..9db5c34 100644
--- a/protoc/extensions.bzl
+++ b/protoc/extensions.bzl
@@ -19,11 +19,11 @@ def _proto_extension_impl(module_ctx):
             if mod.is_root:
                 protoc_toolchains(toolchain.name, register = False, google_protobuf = toolchain.google_protobuf, version = toolchain.version)
                 root_name = toolchain.name
-            else:
-                registrations[toolchain.name] = toolchain.version
-    for name, version in registrations.items():
+            elif toolchain.name not in registrations.keys():
+                registrations[toolchain.name] = toolchain
+    for name, toolchain in registrations.items():
         if name != root_name:
-            protoc_toolchains(name, register = False, version = version)
+            protoc_toolchains(name, register = False, google_protobuf = toolchain.google_protobuf, version = toolchain.version)
 
 protoc = module_extension(
     implementation = _proto_extension_impl,
diff --git a/protoc/private/mirror_protoc_release.sh b/protoc/private/mirror_protoc_release.sh
index cd46ec4..4145df6 100755
--- a/protoc/private/mirror_protoc_release.sh
+++ b/protoc/private/mirror_protoc_release.sh
@@ -30,6 +30,10 @@ map(select(.tag_name == $version))[0]
 # Create a file that looks like a checksums.txt from a shasum command, i.e.
 # sha384-RVFu8PJJCOSXwYTqH7FyWRSgsP1AAjcEa+VViddVTgtd9wYvZjQoQ8jmlFxwfFw+ protobuf-26.0-rc3.tar.gz
 # sha384-JYSXGTSBfwUU6UzqazUTkT3lTZDzx10YdaNQYjojrT7X1Ro1fA+T4tjJw0e8UISV protobuf-26.0-rc3.zip
+#
+# Note, this follows https://en.wikipedia.org/wiki/Trust_on_first_use
+# in that we assume that a release is not tampered for 24h until we mirror it, then afterward
+# we are guaranteed that whatever we initially trusted does not change.
 CHECKSUMS=$(mktemp)
 for url in $(jq --arg version $VERSION --raw-output "$DOWNLOAD_URLS_FILTER" <$RELEASES); do
     sha=$(curl -sSL $url | shasum -b -a 384 | awk "{ print \$1 }" | xxd -r -p | base64)
diff --git a/protoc/toolchain.bzl b/protoc/toolchain.bzl
index 1731658..fa6329e 100644
--- a/protoc/toolchain.bzl
+++ b/protoc/toolchain.bzl
@@ -23,7 +23,7 @@ def _google_protobuf_alias_repo_impl(rctx):
 alias(name = "any_proto", actual = "@{0}//:any_proto")
 """.format(rctx.attr.alias_to))
 
-_google_protobuf_alias_repo = repository_rule(_google_protobuf_alias_repo_impl, attrs={"alias_to": attr.string()})
+_google_protobuf_alias_repo = repository_rule(_google_protobuf_alias_repo_impl, attrs = {"alias_to": attr.string()})
 
 def protoc_toolchains(name, version, google_protobuf = None, alias_to = "osx-aarch_64", register = True):
     """A utility method to load all Protobuf toolchains.
@@ -42,13 +42,14 @@ def protoc_toolchains(name, version, google_protobuf = None, alias_to = "osx-aar
 
     for platform in PROTOC_PLATFORMS.keys():
         prebuilt_protoc_repo(
-            # We must replace hyphen with underscore to workaround rules_python 
+            # We must replace hyphen with underscore to workaround rules_python
             # File "/output-base/external/rules_python~override/python/private/proto/py_proto_library.bzl", line 62, column 17, in _py_proto_aspect_impl
-            # Error in fail: Cannot generate Python code for a .proto whose path contains '-' 
+            # Error in fail: Cannot generate Python code for a .proto whose path contains '-'
             # (external/_main~protoc~toolchains_protoc_hub.osx-aarch_64/include/google/protobuf/any.proto).
             name = ".".join([name, platform.replace("-", "_")]),
             platform = platform,
-            version = version)
+            version = version,
+        )
     protoc_toolchains_repo(name = name, user_repository_name = name)
     if register:
         native.register_toolchains("@{}//:all".format(name))