WIP NOK (re. #1730)

Author: vorburger

.bazelignore

@@ -7,3 +7,5 @@ site
 .cache
 .direnv
 .eclipse
+
+VENDOR

.github/workflows/ci.yaml

@@ -69,7 +69,7 @@ jobs:
       - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v31
       # TODO Remove --no-sandbox after https://github.com/enola-dev/enola/issues/1713
-      - run: nix run --no-sandbox . -- help
+      - run: nix run . -- help
 
   build:
     # https://github.com/orgs/community/discussions/25722

.gitignore

@@ -80,3 +80,6 @@ generated/protoc/java/dev/
 generated/classpath
 generated/javac-processors/
 generated/java-class
+
+# bazel vendor --vendor_dir=
+VENDOR

docs/use/index.md

@@ -89,8 +89,4 @@ or clearing `~/.jbang/cache`, do not currently work for this application due to
 
 ## Nix
 
-    nix run --no-sandbox github:enola-dev/enola
-
-If this fails after printing _"warning: ignoring the client-specified setting 'sandbox', because it is a restricted setting and you are not a trusted user",_ then you need to add your username to the `trusted-users` list in `/etc/nix/nix.conf` (e.g., `trusted-users = root your-username-here`), and then restart the Nix daemon with `sudo systemctl restart nix-daemon.service`.
-
-PS: See [issue #1713](https://github.com/enola-dev/enola/issues/1713) re. why `--no-sandbox` is still needed.
+    nix run github:enola-dev/enola

flake.nix

@@ -87,6 +87,46 @@
           # $ nix build .#enola
           # $ result/bin/enola --help
           default = enola;
+
+          bazel-vendor-dir = pkgs.stdenv.mkDerivation {
+            #pname = "bazel-vendor-dir";
+            #version = gitRev;
+            name = "bazel-vendor-dir";
+
+            nativeBuildInputs = [
+              pkgs.bazel_8
+              pkgs.protobuf
+              pkgs.protoc-gen-grpc-java
+              pkgs.which
+              jdk'
+            ];
+            src = ./.;
+            buildPhase = ''
+              runHook preBuild
+
+              bash tools/protoc/protoc.bash
+              mkdir VENDOR
+              pwd
+              ls
+              export HOME=$TMPDIR
+              bazel vendor --vendor_dir=VENDOR //...
+
+              runHook postBuild
+            '';
+            installPhase = ''
+              runHook preInstall
+
+              ls VENDOR
+              mkdir -p $out
+              cp -LR VENDOR $out
+              
+              runHook postInstall
+            '';
+            outputHashMode = "recursive"; # because bazel vendor creates subdirectories
+            # outputHash = "sha256-mn5Fj3hEjomN1zIAB1JfSItADiU2kstrGdeCH/wRPt4=";
+            outputHash = pkgs.lib.fakeHash;
+          };
+
           enola = pkgs.stdenv.mkDerivation {
             pname = "enola";
             version = gitRev;
@@ -100,25 +140,34 @@
             src = ./.;
 
             buildPhase = ''
+              runHook preBuild
+             
               # class dev.enola.common.Version reads VERSION
               echo -n "${gitRev}" >tools/version/VERSION
 
-              # See https://github.com/NixOS/nix/issues/14024
-              bash tools/protoc/protoc.bash
+              #echo ${bazel-vendor-dir}...
+              #ls -al ${bazel-vendor-dir}
+              #cp -R ${bazel-vendor-dir} bazel-vendor
+              #chmod -R u+w bazel-vendor
+              #echo bazel-vendor...
+              #ls -al bazel-vendor
 
               export HOME=$TMPDIR
-              bazel build //java/dev/enola/cli:enola_deploy.jar
+              bazel build --nofetch --vendor_dir=${bazel-vendor-dir} //java/dev/enola/cli:enola_deploy.jar
+
+              runHook postBuild
             '';
 
             installPhase = ''
+              runHook preInstall
+
               mkdir -p "$out/share/java"
               cp bazel-bin/java/dev/enola/cli/enola_deploy.jar "$out/share/java"
               makeWrapper ${jdk'}/bin/java $out/bin/enola \
                 --add-flags "-jar $out/share/java/enola_deploy.jar"
-            '';
 
-            # TODO https://github.com/enola-dev/enola/issues/1730
-            # outputHash = "sha256-hHa+tqNDxe3+Tl190xPWiNiCq0HWU5qcc52rjo3Ncl0=";
+              runHook postInstall
+            '';
           };
         };
 

tools/evilurl/test.bash

@@ -29,7 +29,7 @@ allow_list=("java/dev/enola/common/io/resource/UrlResource.java"
 
 # TODO Also grep for .toURL() invocations, and fail for any (new) ones.
 
-found_files=$(find . -name "*.java" -print0 | xargs -0 grep -lE "(^|[^a-zA-Z0-9_.])java\.net\.URL($|[^a-zA-Z0-9_#}])" | while IFS= read -r file; do
+found_files=$(find . -name "*.java" -print0 | grep -Zzv VENDOR/ | xargs -0 grep -lE "(^|[^a-zA-Z0-9_.])java\.net\.URL($|[^a-zA-Z0-9_#}])" | while IFS= read -r file; do
     file_name=$(basename "$file")
     allow_path="${file//.\//}"