fix(bzlmod): print working MODULE.bazel reproducibility instructions (#…

…317)

docs/pull.md

@@ -43,7 +43,7 @@ oci_image(
 ## oci_pull
 
 <pre>
-oci_pull(<a href="#oci_pull-name">name</a>, <a href="#oci_pull-image">image</a>, <a href="#oci_pull-repository">repository</a>, <a href="#oci_pull-registry">registry</a>, <a href="#oci_pull-platforms">platforms</a>, <a href="#oci_pull-digest">digest</a>, <a href="#oci_pull-tag">tag</a>, <a href="#oci_pull-reproducible">reproducible</a>)
+oci_pull(<a href="#oci_pull-name">name</a>, <a href="#oci_pull-image">image</a>, <a href="#oci_pull-repository">repository</a>, <a href="#oci_pull-registry">registry</a>, <a href="#oci_pull-platforms">platforms</a>, <a href="#oci_pull-digest">digest</a>, <a href="#oci_pull-tag">tag</a>, <a href="#oci_pull-reproducible">reproducible</a>, <a href="#oci_pull-is_bzlmod">is_bzlmod</a>)
 </pre>
 
 Repository macro to fetch image manifest data from a remote docker registry.
@@ -69,5 +69,6 @@ in rules like `oci_image`.
 | <a id="oci_pull-digest"></a>digest |  the digest string, starting with "sha256:", "sha512:", etc. If omitted, instructions for pinning are provided.   |  <code>None</code> |
 | <a id="oci_pull-tag"></a>tag |  a tag to choose an image from the registry. Exactly one of <code>tag</code> and <code>digest</code> must be set. Since tags are mutable, this is not reproducible, so a warning is printed.   |  <code>None</code> |
 | <a id="oci_pull-reproducible"></a>reproducible |  Set to False to silence the warning about reproducibility when using <code>tag</code>.   |  <code>True</code> |
+| <a id="oci_pull-is_bzlmod"></a>is_bzlmod |  whether the oci_pull is being called from a module extension   |  <code>False</code> |
 
 

oci/extensions.bzl

@@ -37,6 +37,7 @@ def _oci_extension(module_ctx):
                 digest = pull.digest,
                 tag = pull.tag,
                 reproducible = pull.reproducible,
+                is_bzlmod = True,
             )
         for toolchains in mod.tags.toolchains:
             if toolchains.name != "oci" and not mod.is_root:

oci/private/pull.bzl

@@ -53,7 +53,7 @@ _WWW_AUTH = {
         "realm": "cgr.dev/token",
         "service": "cgr.dev",
         "scope": "repository:{repository}:pull",
-    },    
+    },
 }
 
 def _strip_host(url):
@@ -77,7 +77,7 @@ def _get_auth(rctx, state, registry):
                 helper_val = config["credHelpers"][host_raw]
                 pattern = _fetch_auth_via_creds_helper(rctx, host_raw, helper_val)
 
-    # if no match for per registry credential helper for the host then look into auths dictionary 
+    # if no match for per registry credential helper for the host then look into auths dictionary
     if "auths" in config and len(pattern.keys()) == 0:
         for host_raw in config["auths"]:
             host = _strip_host(host_raw)
@@ -491,16 +491,20 @@ def _oci_alias_impl(rctx):
                 platforms.append('"{}"'.format("/".join(parts)))
             optional_platforms = "'add platforms {}'".format(" ".join(platforms))
 
+        is_bzlmod = hasattr(rctx.attr, "bzlmod_repository") and rctx.attr.bzlmod_repository
         util.warning(rctx, """\
 for reproducible builds, a digest is recommended.
 Either set 'reproducible = False' to silence this warning,
-or run the following command to change oci_pull to use a digest:
+or run the following command to change {rule} to use a digest:
+{warning}
 
-buildozer 'set digest "sha256:{digest}"' 'remove tag' 'remove platforms' {optional_platforms} WORKSPACE:{name}
+buildozer 'set digest "sha256:{digest}"' 'remove tag' 'remove platforms' {optional_platforms} {location}
     """.format(
-            name = rctx.attr.name,
+            location = "MODULE.bazel:" + rctx.attr.bzlmod_repository if is_bzlmod else "WORKSPACE:" + rctx.attr.name,
             digest = digest,
             optional_platforms = optional_platforms,
+            warning = "(make sure you use a recent buildozer release with MODULE.bazel support)" if is_bzlmod else "",
+            rule = "oci.pull" if is_bzlmod else "oci_pull",
         ))
 
     build = ""
@@ -531,6 +535,9 @@ oci_alias = repository_rule(
             "platform": attr.label(),
             "target_name": attr.string(),
             "reproducible": attr.bool(default = True, doc = "Set to False to silence the warning about reproducibility when using `tag`"),
+            "bzlmod_repository": attr.string(
+                doc = "For error reporting. When called from a module extension, provides the original name of the repository prior to mapping",
+            ),
         },
     ),
 )

oci/pull.bzl

@@ -53,7 +53,7 @@ _PLATFORM_TO_BAZEL_CPU = {
     "linux/mips64le": "@platforms//cpu:mips64",
 }
 
-def oci_pull(name, image = None, repository = None, registry = None, platforms = None, digest = None, tag = None, reproducible = True):
+def oci_pull(name, image = None, repository = None, registry = None, platforms = None, digest = None, tag = None, reproducible = True, is_bzlmod = False):
     """Repository macro to fetch image manifest data from a remote docker registry.
 
     To use the resulting image, you can use the `@wkspc` shorthand label, for example
@@ -83,6 +83,7 @@ def oci_pull(name, image = None, repository = None, registry = None, platforms =
             Exactly one of `tag` and `digest` must be set.
             Since tags are mutable, this is not reproducible, so a warning is printed.
         reproducible: Set to False to silence the warning about reproducibility when using `tag`.
+        is_bzlmod: whether the oci_pull is being called from a module extension
     """
 
     # Check syntax sugar for registry/repository in place of image
@@ -150,4 +151,5 @@ def oci_pull(name, image = None, repository = None, registry = None, platforms =
         # image attributes
         platforms = platform_to_image,
         platform = single_platform,
+        bzlmod_repository = name if is_bzlmod else None,
     )