+
+Acqio is a Fintech that provides payment products and services for small and
+medium merchants. Acqio has a handful of monorepos and uses Bazel along with
+Kubernetes to deliver fast and reliable microservices.
+
+### [Adobe](https://www.adobe.com/)
+
+
+
+Adobe has released Bazel [rules](https://github.com/adobe/rules_gitops) for
+continuous, GitOps driven Kubernetes deployments.
+
+### [Asana](https://asana.com)
+
+
+
+Asana is a web and mobile application designed to help teams track their work.
+In their own words:
+
+> Bazel has increased reliability, stability, and speed for all of builds/tests
+at Asana. We no longer need to clean because of incorrect caches.
+
+### [Ascend.io](https://ascend.io)
+
+Ascend is a Palo Alto startup that offers solutions for large data sets
+analysis. Their motto is _Big data is hard. We make it easy_.
+
+### [ASML](https://asml.com)
+
+
+
+ASML is an innovation leader in the semiconductor industry. We provide chipmakers
+with everything they need – hardware, software and services – to mass produce
+patterns on silicon through lithography.
+
+### [Beeswax](https://www.beeswax.com/)
+
+> Beeswax is a New York based startup that provides real time bidding as
+service. Bazel powers their Jenkins based continuous integration and deployment
+framework. Beeswax loves Bazel because it is blazingly fast, correct and well
+supported across many languages and platforms.
+
+### [Braintree](https://www.braintreepayments.com)
+
+
+
+Braintree, a PayPal subsidiary, develops payment solutions for websites and
+applications. They use Bazel for parts of their internal build and Paul Gross
+even posted a
+[nice piece about how their switch to Bazel went](https://www.pgrs.net/2015/09/01/migrating-from-gradle-to-bazel/).
+
+### [Canva](https://www.canva.com/)
+
+
+Canva leverages Bazel to manage its large polyglot codebase, which includes
+Java, TypeScript, Scala, Python, and more. Migration to Bazel has delivered
+significant developer and compute infrastructure efficiencies, for example 5-6x
+decreases in average CI build times, and it continues to become the foundation
+of fast, reproducible, and standardised software builds at the company.
+
+### [CarGurus](https://www.cargurus.com)
+
+
+CarGurus is on a mission to build the world's most trusted and transparent
+automotive marketplace and uses Bazel to build their polyglot monorepo.
+
+### [Compass](https://www.compass.com)
+
+Compass is a tech-driven real estate platform. With an elite team of real
+estate, technology and business professionals, we aim to be the best and most
+trusted source for home seekers.
+
+### [Databricks](https://databricks.com)
+
+
+Databricks provides cloud-based integrated workspaces based on Apache Spark™.
+
+> The Databricks codebase is a Monorepo, containing the Scala code that powers
+most of our services, Javascript for front-end UI, Python for scripting,
+Jsonnet to configure our infrastructure, and much more [...] Even though our
+monorepo contains a million lines of Scala, working with code within is fast
+and snappy.
+([Speedy Scala Builds with Bazel at Databricks](https://databricks.com/blog/2019/02/27/speedy-scala-builds-with-bazel-at-databricks.html))
+
+### [Dataform](https://dataform.co)
+
+Dataform provides scalable analytics for data teams. They maintain a handful of
+NPM packages and a documentation site in one single monorepo and they do it all
+with Bazel.
+
+After the migration to Bazel, they
+[reported many benefits](https://github.com/bazelbuild/rules_nodejs#user-testimonials),
+including:
+
+> * Faster CI: we enabled the remote build caching which has reduced our average build time from 30 minutes to 5 (for the entire repository).
+> * Improvements to local development: no more random bash scripts that you forget to run, incremental builds reduced to seconds from minutes
+> * Developer setup time: New engineers can build all our code with just 3 dependencies - bazel, docker and the JVM. The last engineer to join our team managed to build all our code in < 30 minutes on a brand new, empty laptop
+
+### [Deep Silver FISHLABS](https://www.dsfishlabs.com)
+Deep Silver FISHLABS is a developer of high-end 3D games. They use Bazel with
+C++/Python/Go/C as a base for their internal build tooling and especially for
+baking and deploying all their 3D Assets.
+
+### [Dropbox](https://www.dropbox.com/)
+
+At Dropbox, Bazel is a key component to our distributed build and test
+environment. We use Bazel to combine TypeScript/Python/Go/C/Rust into reliable
+production releases.
+
+### [Engel & Völkers](https://www.engelvoelkers.com)
+
+Engel & Völkers AG is a privately owned German company that, via a series of
+franchised offices, provides services related to real estate transactions.
+
+> One of our internal project has seen a decrease of compilation time from 11
+minutes to roughly 1 minute, this was an impressive achievement and we are
+currently working on bringing Bazel to more projects.
+([Experimenting with Google Cloud Build and Bazel](https://www.engelvoelkers.com/en/tech/engineering/software-engineering/experimenting-with-google-cloud-build-and-bazel/))
+
+### [Etsy](https://www.etsy.com/)
+
+
+Etsy is an e-commerce website focused on handmade or vintage items and supplies,
+as well as unique factory-manufactured items.
+
+They use Bazel to build and test its Java-based search platform. Bazel produces
+both packages for bare metal servers and repeatable Docker images.
+
+### [Evertz.io](https://www.evertz.io/)
+
+Evertz.io is a multi-tenant, serverless SaaS platform for offering cost
+effective, multi-regional services worldwide to the Broadcast Media Industry,
+created by [Evertz Microsystems](https://en.wikipedia.org/wiki/Evertz_Microsystems).
+
+The website is fully built and deployed with an Angular and Bazel workflow
+([source](https://twitter.com/MattMackay/status/1113947685508341762)).
+
+### [FINDMINE](http://www.findmine.com)
+
+
+FINDMINE is a automation technology for the retail industry that uses machine
+learning to scale the currently manual and tedious process of product curation.
+We use Bazel to mechanize our entire python package building, testing, and
+deployment process.
+
+### [Flexport](https://www.flexport.com/)
+
+Flexport is a tech-enabled global freight forwarder; our mission is to make
+global trade easier for everyone. At Flexport, we use Bazel to build/test our
+Java/JavaScript services and client libraries and to generate Java and Ruby
+code from protobuf definitions.
+[Read about how we run individual JUnit 5 tests in isolation with Bazel.](https://flexport.engineering/connecting-bazel-and-junit5-by-transforming-arguments-46440c6ea068)
+
+### [Foursquare](https://foursquare.com)
+
+
+Foursquare's mission is to create technology that constructs meaningful
+bridges between digital spaces and physical places. We manage millions of
+lines of primarily Scala and Python code powering data-intensive
+applications, including complex codegen and container build processes, with
+Bazel.
+
+### [GermanTechJobs](https://germantechjobs.de)
+
+
+Bazel has simplified our workflows 10-fold and enabled shipping features at
+scale.
+
+### [Google](https://google.com)
+
+
+Bazel was designed to be able to scale to Google's needs and meet Google's
+requirements of reproducibility and platform/language support. All software at
+Google is built using Bazel. Google uses Bazel and its rules for millions of
+builds every day.
+
+### [Huawei](http://www.huawei.com/)
+
+> Huawei Technologies is using Bazel in about 30 projects, they are Java/Scala/Go
+projects, except for Go projects, others originally were built by Maven. We
+write a simple tool to translate a Maven-built project into Bazel-built one.
+More and more projects will use Bazel in recent future.
+
+### [IMC Trading](https://imc.com)
+
+
+> IMC is a global proprietary trading firm and market maker headquarted in
+Amsterdam. We are using Bazel to continuously build and test our
+Java/C++/Python/SystemVerilog projects.
+
+### [Improbable.io](https://improbable.io/)
+
+Improbable.io develops SpatialOS, a distributed operating system that enables
+creating huge simulations inhabited by millions of complex entities.
+
+### [Interaxon](https://www.choosemuse.com/)
+
+InteraXon is a thought-controlled computing firm that creates hardware and
+software platforms to convert brainwaves into digital signals.
+
+### [Jupiter](https://jupiter.co/)
+
+Jupiter is a company that provides delivery of groceries and household
+essentials every week.
+
+They use Bazel in their backend code, specifically to compile protos and Kotlin
+to JVM binaries, using remote caching.
+([source](https://starship.jupiter.co/jupiter-stack/))
+
+### [Just](https://gojust.com/)
+
+Just is an enterprise financial technology company, headquartered in Norway,
+creating software solutions to transform how global corporate treasurers manage
+risk and liquidity. Their entire application stack is built with Bazel.
+
+### [Line](https://line.me/)
+
+Line provides an app for instant communications, which is the most popular
+messaging application in Japan.
+They use Bazel on their codebase consisting of about 60% Swift and 40%
+C/C++/Objective-C/Objective-C++
+([source](https://twitter.com/thi_dt/status/1253334262020886532)).
+
+> After switching to Bazel, we were able to achieve a huge improvement in the
+build times. This brought a significant improvement in the turn-around time
+during a QA period. Distributing a new build to our testers no longer means
+another hour waiting for building and testing.
+([Improving Build Performance of LINE for iOS with Bazel](https://engineering.linecorp.com/en/blog/improving-build-performance-line-ios-bazel/))
+
+### [LingoChamp](https://www.liulishuo.com/en)
+
+
+LingoChamp provides professional solutions to English learners. We use Bazel
+for our go, java and python projects.
+
+### [LinkedIn](https://linkedin.com/)
+
+
+LinkedIn, a subsidiary of Microsoft, is the world’s largest professional social
+network. LinkedIn uses Bazel for building its iOS Apps.
+
+### [Lucid Software](https://lucid.co/)
+
+
+
+Lucid Software is a leader in visual collaboration, helping teams see and build the
+future from idea to reality. With its products—[Lucidchart](https://www.lucidchart.com/),
+[Lucidspark](https://lucidspark.com/), and [Lucidscale](https://lucidscale.com/)—teams
+can align around a shared vision, clarify complexity, and collaborate visually, no
+matter where they’re located.
+
+Lucid uses Bazel to build millions of lines of Scala and TypeScript.
+Migrating to Bazel has tremendously sped up its builds, reduced external
+dependencies on the build environment, and simplified developers' experience
+with the build system. Bazel has improved developer productivity at Lucid and
+unlocked further growth.
+
+### [Lyft](https://www.lyft.com/)
+
+Lyft is using Bazel for their iOS ([source](https://twitter.com/SmileyKeith/status/1116486751806033920)) and Android Apps.
+
+### [Meetup](http://www.meetup.com/)
+
+Meetup is an online social networking portal that facilitates offline group
+meetings.
+The Meetup engineering team contributes to
+[rules_scala](https://github.com/bazelbuild/rules_scala) and is the
+maintainer of [rules_avro](https://github.com/meetup/rules_avro)
+and [rules_openapi](https://github.com/meetup/rules_openapi).
+
+
+### [Nvidia](https://www.nvidia.com/)
+
+> At Nvidia we have been using dazel(docker bazel) for python to work around
+some of bazel's python short comings. Everything else runs in normal bazel
+(Mostly Go / Scala/ C++/ Cuda)
+([source](https://twitter.com/rwhitcomb/status/1080887723433447424))
+
+
+### [Peloton Technology](http://www.peloton-tech.com)
+
+Peloton Technology is an automated vehicle technology company that tackles truck
+accidents and fuel use. They use Bazel to _enable reliable builds for automotive
+safety systems_.
+
+### [Pigweed](https://pigweed.dev)
+
+
+
+Pigweed is an open-source solution for sustained, robust, and rapid embedded
+product development for large teams. Pigweed has shipped in millions of
+devices, including Google's suite of Pixel devices, Nest thermostats,
+[satellites](https://www.spinlaunch.com/), and [autonomous aerial
+drones](https://www.flyzipline.com/).
+
+Pigweed [uses Bazel as its primary build
+system](https://pigweed.dev/seed/0111-build-systems.html). The [Bazel for
+Embedded][pw-bazel-great] blog post discusses why we think it's a great build
+system for embedded projects!
+
+[pw-bazel-great]: https://blog.bazel.build/2024/08/08/bazel-for-embedded.html#why-bazel-for-embedded
+
+### [Pinterest](https://www.pinterest.com/)
+
+
+
+Pinterest is the world’s catalog of ideas. They use Bazel to build various
+backend services (Java/C++) and the iOS application (Objective-C/C++).
+
+> We identified Bazel was the best fit for our goals to build a foundation for
+an order of magnitude improvement in performance, eliminate variability in
+build environments and adopt incrementally. As a result, we’re now shipping all
+our iOS releases using Bazel.
+[Developing fast & reliable iOS builds at Pinterest](https://medium.com/@Pinterest_Engineering/developing-fast-reliable-ios-builds-at-pinterest-part-one-cb1810407b92)
+
+### [PubRef](https://github.com/pubref)
+
+PubRef is an emerging scientific publishing platform. They use Bazel with
+[rules_closure](https://github.com/bazelbuild/rules_closure) to build the
+frontend, native java rules to build the main backend,
+[rules_go](https://github.com/bazelbuild/rules_go),
+[rules_node](https://github.com/pubref/rules_node), and
+[rules_kotlin](https://github.com/pubref/rules_kotlin) to build assorted
+backend services. [rules_protobuf](https://github.com/pubref/rules_protobuf) is
+used to assist with gRPC-based communication between backend services.
+PubRef.org is based in Boulder, CO.
+
+### [Redfin](https://redfin.com/)
+Redfin is a next-generation real estate brokerage with full-service local
+agents. They use Bazel to build and deploy the website and various backend
+services.
+
+> With the conversion mostly behind us, things are greatly improved! Our CI
+builds are faster (*way* faster: they used to take 40–90 minutes, and now dev
+builds average 5–6 minutes). Reliability is far higher, too. This is harder to
+quantify, but the shift from unexplained build failures being something that
+“just happens” to being viewed as real problems to be solved has put us on a
+virtuous cycle of ever-increasing reliability.
+([We Switched from Maven to Bazel and Builds Got 10x Faster](https://redfin.engineering/we-switched-from-maven-to-bazel-and-builds-got-10x-faster-b265a7845854))
+
+### [Ritual](https://ritual.co)
+
+
+Ritual is a mobile pick up app, connecting restaurants with customers to offer
+a simple, time-saving tool to get the food and beverages they want, without the
+wait. Ritual uses Bazel for their backend services.
+
+### [Snap](https://www.snap.com/en-US/)
+
+Snap, the developer of Snapchat messaging app, has migrated from Buck to Bazel
+in 2020 ([source](https://twitter.com/wew/status/1326957862816509953)). For more
+details about their process, see their [engineering blog](https://eng.snap.com/blog/).
+
+### [Stripe](https://stripe.com)
+
+
+Stripe provides mobile payment solutions. They use Bazel in their build and test pipelines, as detailed in their [engineering blog](https://stripe.com/blog/fast-secure-builds-choose-two).
+
+### [Tinder](https://tinder.com)
+
+
+Tinder migrated its iOS app from CocoaPods to Bazel
+in 2021 ([source](https://medium.com/tinder/bazel-hermetic-toolchain-and-tooling-migration-c244dc0d3ae)).
+
+### [Tink](https://tink.com/)
+
+
+Tink is a european fintech, building the best way to connect to banks across
+Europe.
+
+They are using Bazel to build their backend services from a polyglot monorepo.
+Engineers at Tink are organizing the [bazel build //stockholm/...](https://www.meetup.com/BazelSTHLM/)
+meetup group.
+
+### [Tokopedia](https://www.tokopedia.com/)
+
+Tokopedia is an Indonesian technology company specializing in e-commerce, with
+over 90 million monthly active users and over 7 million merchants on the
+platform.
+
+They wrote the article
+[How Tokopedia Achieved 1000% Faster iOS Build Time](https://medium.com/tokopedia-engineering/how-tokopedia-achieved-1000-faster-ios-build-time-7664b2d8ae5),
+where they explain how Bazel sped up their builds. The build duration went from
+55 minutes to 10 minutes by using Bazel, and down to 5 minutes with remote
+caching.
+
+### [Trunk.io](https://trunk.io/merge/trunk-merge-and-bazel)
+
+
+Trunk is a San Francisco-based company backed by Andreessen Horowitz and Initialized Capital. Trunk offers a powerful pull request merge service with first-class support for the Bazel build system. By leveraging Bazel's understanding of dependencies within a codebase, Trunk's merge service intelligently creates parallel merge lanes, allowing independent changes to be tested and merged simultaneously.
+
+> Trunk’s internal monorepo builds modern C++ 20 and typescript all while leveraging bazel graph knowledge to selectively test and merge code.
+
+### [Twitter](https://twitter.com/)
+
+Twitter has made the decision to migrate from Pants to Bazel as their primary
+build tool
+([source](https://groups.google.com/forum/#!msg/pants-devel/PHVIbVDLhx8/LpSKIP5cAwAJ)).
+
+### [Two Sigma](https://www.twosigma.com/)
+
+
+Two Sigma is a New York-headquartered technology company dedicated to finding
+value in the world’s data.
+
+### [TypeDB](https://typedb.com)
+
+
+TypeDB is a database technology that can be used to intuitively model
+interconnected data. Through its type-theoretic and polymorphic query language,
+TypeQL, the data can be accessed with simple, human-readable queries that run at
+lightspeed.
+
+Bazel enables the TypeDB team to build a highly-orchestrated CI and distribution
+pipeline that manages many repositories in a wide variety of languages, and
+deploys to numerous platforms seamlessly. The TypeDB team has also released
+Bazel rules for assembling and deploying software distributions.
+
+### [Uber](https://www.uber.com)
+
+Uber is a ride-hailing company. With 900 active developers, Uber’s Go monorepo
+is likely one of the largest Go repositories using Bazel. See the article
+[Building Uber’s Go Monorepo with Bazel](https://eng.uber.com/go-monorepo-bazel/)
+to learn more about their experience.
+
+### [Uber Advanced Technologies Group](https://www.uber.com/info/atg/)
+
+
+Uber Advanced Technologies Group is focused on autonomous vehicle efforts at
+Uber, including trucking/freight and autonomous ride sharing. The organization
+uses Bazel as its primary build system.
+
+### [Vistar Media](http://vistarmedia.com)
+Vistar Media is an advertising platform that enables brands to reach consumers
+based on their behavior in the physical world. Their engineering team is
+primarily based out of Philadelphia and is using Bazel for builds, deploys, to
+speed up testing, and to consolidate repositories written with a variety of
+different technologies.
+
+### [VMware](https://www.vmware.com/)
+VMware uses Bazel to produce deterministic, reliable builds while developing
+innovative products for their customers.
+
+### [Wix](https://www.wix.com/)
+
+Wix is a cloud-based web development platform. Their backend uses Java and Scala
+code. They use remote execution with Google Cloud Build.
+
+> We have seen about 5 times faster clean builds when running with bazel remote
+execution which utilizes bazel’s great build/test parallelism capabilities when
+it dispatches build/test actions to a worker farm. Average build times are more
+than 10 times faster due to the utilization of bazel’s aggressive caching
+mechanism.
+([Migrating to Bazel from Maven or Gradle? 5 crucial questions you should ask yourself](https://medium.com/wix-engineering/migrating-to-bazel-from-maven-or-gradle-5-crucial-questions-you-should-ask-yourself-f23ac6bca070))
+
+### [Zenly](https://zen.ly/)
+
+Zenly is a live map of your friends and family. It’s the most fun way to meet up
+— or just see what’s up! — so you can feel together, even when you're apart.
+
+
+***
+
+## Open source projects using Bazel
+
+### [Abseil](https://abseil.io/)
+
+Abseil is an open-source collection of C++ code (compliant to C++11) designed
+to augment the C++ standard library.
+
+### [Angular](https://angular.io)
+
+
+
+Angular is a popular web framework.
+Angular is [built with Bazel](https://github.com/angular/angular/blob/master/docs/BAZEL.md).
+
+### [Apollo](https://github.com/ApolloAuto/apollo)
+
+Apollo is a high performance, flexible architecture which accelerates the
+development, testing, and deployment of Autonomous Vehicles.
+
+### [brpc](https://github.com/brpc/brpc)
+
+An industrial-grade RPC framework used throughout Baidu, with 1,000,000+
+instances(not counting clients) and thousands kinds of services, called
+"baidu-rpc" inside Baidu.
+
+### [cert-manager](https://github.com/jetstack/cert-manager)
+
+cert-manager is a Kubernetes add-on to automate the management and issuance of
+TLS certificates from various issuing sources. It will ensure certificates are
+valid and up to date periodically, and attempt to renew certificates at an
+appropriate time before expiry.
+
+### [CallBuilder](https://github.com/google/CallBuilder)
+
+A Java code generator that allows you to create a builder by writing one
+function.
+
+### [CPPItertools](https://github.com/ryanhaining/cppitertools)
+
+C++ library providing range-based for loop add-ons inspired by the Python
+builtins and itertools library. Like itertools and the Python3 builtins, this
+library uses lazy evaluation wherever possible.
+
+### [Copybara](https://github.com/google/copybara)
+
+Copybara is a tool for transforming and moving code between repositories.
+
+### [Dagger](https://google.github.io/dagger/)
+
+Dagger is a fully static, compile-time dependency injection framework for both
+Java and Android.
+
+### [DAML](https://github.com/digital-asset/daml)
+
+DAML is a smart contract language for building future-proof distributed
+applications on a safe, privacy-aware runtime.
+
+### [DeepMind Lab](https://github.com/deepmind/lab)
+
+A customisable 3D platform for agent-based AI research.
+
+### [Drake](https://github.com/RobotLocomotion/drake)
+
+Drake is a C++ toolbox started at MIT and now led by the Toyota Research
+Institute. It is a collection of tools for analyzing the dynamics of our robots
+and building control systems for them, with a heavy emphasis on
+optimization-based design/analysis.
+
+### [Envoy](https://github.com/lyft/envoy)
+
+C++ L7 proxy and communication bus
+
+### [Error Prone](https://github.com/google/error-prone)
+
+Catches common Java mistakes as compile-time errors. (Migration to Bazel is in
+progress.)
+
+### [Extensible Service Proxy](https://github.com/cloudendpoints/esp)
+
+Extensible Service Proxy, a.k.a. ESP is a proxy which enables API management
+capabilities for JSON/REST or gRPC API services. The current implementation is
+based on an NGINX HTTP reverse proxy server.
+
+### [FFruit](https://gitlab.com/perezd/ffruit/)
+
+FFruit is a free & open source Android application to the popular service
+[Falling Fruit](https://fallingfruit.org).
+
+### [Gerrit Code Review](https://gerritcodereview.com)
+
+Gerrit is a code review and project management tool for Git based projects.
+
+### [Gitiles](https://gerrit.googlesource.com/gitiles/)
+
+Gitiles is a simple repository browser for Git repositories, built on JGit.
+
+### [Grakn](https://github.com/graknlabs/grakn)
+
+Grakn (https://grakn.ai/) is the knowledge graph engine to organise complex
+networks of data and make it queryable.
+
+### [GRPC](http://www.grpc.io)
+A language-and-platform-neutral remote procedure call system.
+(Bazel is a supported, although not primary, build system.)
+
+### [gVisor](https://github.com/google/gvisor)
+gVisor is a container runtime sandbox.
+
+### [Guetzli](https://github.com/google/guetzli/)
+
+Guetzli is a JPEG encoder that aims for excellent compression density at high
+visual quality.
+
+### [Gulava](http://www.github.com/google/gulava/)
+
+A Java code generator that lets you write Prolog-style predicates and use them
+seamlessly from normal Java code.
+
+### [Heron](https://github.com/apache/incubator-heron)
+
+Heron is a realtime, distributed, fault-tolerant stream processing engine from
+Twitter.
+
+### [Internet Computer Protocol](https://internetcomputer.org/)
+
+
+
+The Internet Computer Protocol is a publicly available blockchain network that
+enables replicated execution of general-purpose computation, serving hundreds
+of thousands of applications and their users.
+
+### [Jazzer](https://github.com/CodeIntelligenceTesting/jazzer)
+
+
+
+Jazzer is a fuzzer for Java and other JVM-based languages that integrates with JUnit 5.
+
+### [JGit](https://eclipse.org/jgit/)
+
+JGit is a lightweight, pure Java library implementing the Git version control
+system.
+
+### [Jsonnet](https://jsonnet.org/)
+
+An elegant, formally-specified config generation language for JSON.
+(Bazel is a supported build system.)
+
+### [Kubernetes](https://github.com/kubernetes/kubernetes)
+
+
+Kubernetes is an open source system for managing containerized applications
+across multiple hosts, providing basic mechanisms for deployment, maintenance,
+and scaling of applications.
+
+### [Kythe](https://github.com/google/kythe)
+
+An ecosystem for building tools that work with code.
+
+### [ls-lint](https://github.com/loeffel-io/ls-lint)
+
+
+
+An extremely fast directory and filename linter - Bring some structure to your
+project file system.
+
+### [Nomulus](https://github.com/google/nomulus)
+
+Top-level domain name registry service on Google App Engine.
+
+### [ONOS : Open Network Operating System](https://github.com/opennetworkinglab/onos)
+
+
+ONOS is the only SDN controller platform that supports the transition from
+legacy “brown field” networks to SDN “green field” networks. This enables
+exciting new capabilities, and disruptive deployment and operational cost points
+for network operators.
+
+### [PetitParser for Java](https://github.com/petitparser/java-petitparser)
+
+Grammars for programming languages are traditionally specified statically.
+They are hard to compose and reuse due to ambiguities that inevitably arise.
+PetitParser combines ideas from scannnerless parsing, parser combinators,
+parsing expression grammars and packrat parsers to model grammars and parsers
+as objects that can be reconfigured dynamically.
+
+### [PlaidML](https://github.com/plaidml/plaidml)
+
+PlaidML is a framework for making deep learning work everywhere.
+
+### [Project V](https://www.v2ray.com/)
+
+
+Project V is a set of tools to help you build your own privacy network over
+internet.
+
+### [Prysmatic Labs Ethereum 2.0 Implementation](https://github.com/prysmaticlabs/prysm)
+
+Prysm is a sharding client for Ethereum 2.0, a blockchain-based distributed
+computing platform.
+
+### [Ray](https://github.com/ray-project/ray)
+
+Ray is a flexible, high-performance distributed execution framework.
+
+### [Resty](https://github.com/go-resty/resty)
+
+Resty is a Simple HTTP and REST client library for Go (inspired by Ruby
+rest-client).
+
+### [Roughtime](https://roughtime.googlesource.com/roughtime)
+
+Roughtime is a project that aims to provide secure time synchronisation.
+
+### [Selenium](https://github.com/SeleniumHQ/selenium)
+
+Selenium is a portable framework for testing web applications.
+
+### [Semantic](https://github.com/github/semantic)
+
+Semantic is a Haskell library and command line tool for parsing, analyzing, and
+comparing source code. It is developed by GitHub (and used for example for the
+code navigation).
+
+### [Served](https://github.com/meltwater/served)
+
+Served is a C++ library for building high performance RESTful web servers.
+
+### [Sonnet](https://github.com/deepmind/sonnet)
+
+Sonnet is a library built on top of TensorFlow for building complex neural
+networks.
+
+### [Sorbet](https://github.com/sorbet/sorbet)
+
+Sorbet is a fast, powerful type checker for a subset of Ruby. It scales to
+codebases with millions of lines of code and can be adopted incrementally.
+
+### [Spotify](https://spotify.com)
+
+Spotify is using Bazel to build their iOS and Android Apps ([source](https://twitter.com/BalestraPatrick/status/1573355078995566594)).
+
+### [Tink](https://github.com/google/tink)
+
+Tink is a multi-language, cross-platform, open source library that provides
+cryptographic APIs that are secure, easy to use correctly, and hard(er) to
+misuse.
+
+### [TensorFlow](http://tensorflow.org)
+
+
+An open source software library for machine intelligence.
+
+### [Turbo Santa](https://github.com/turbo-santa/turbo-santa-common)
+
+A platform-independent GameBoy emulator.
+
+### [Wycheproof](https://github.com/google/wycheproof)
+
+Project Wycheproof tests crypto libraries against known attacks.
+
+### [XIOSim](https://github.com/s-kanev/XIOSim)
+
+XIOSim is a detailed user-mode microarchitectural simulator for the x86
+architecture.
+
+### [ZhihuDailyPurify](https://github.com/izzyleung/ZhihuDailyPurify)
+
+ZhihuDailyPurify is a light weight version of Zhihu Daily, a Chinese
+question-and-answer webs.
+
+---
+
+## Repositories, workspaces, packages, and targets
+- URL: https://bazel.build/concepts/build-ref
+- Source: concepts/build-ref.mdx
+- Slug: /concepts/build-ref
+
+Bazel builds software from source code organized in directory trees called
+repositories. A defined set of repositories comprises the workspace. Source
+files in repositories are organized in a nested hierarchy of packages, where
+each package is a directory that contains a set of related source files and one
+`BUILD` file. The `BUILD` file specifies what software outputs can be built from
+the source.
+
+### Repositories
+
+Source files used in a Bazel build are organized in _repositories_ (often
+shortened to _repos_). A repo is a directory tree with a boundary marker file at
+its root; such a boundary marker file could be `MODULE.bazel`, `REPO.bazel`, or
+in legacy contexts, `WORKSPACE` or `WORKSPACE.bazel`.
+
+The repo in which the current Bazel command is being run is called the _main
+repo_. Other, (external) repos are defined by _repo rules_; see [external
+dependencies overview](/external/overview) for more information.
+
+## Workspace
+
+A _workspace_ is the environment shared by all Bazel commands run from the same
+main repo. It encompasses the main repo and the set of all defined external
+repos.
+
+Note that historically the concepts of "repository" and "workspace" have been
+conflated; the term "workspace" has often been used to refer to the main
+repository, and sometimes even used as a synonym of "repository".
+
+## Packages
+
+The primary unit of code organization in a repository is the _package_. A
+package is a collection of related files and a specification of how they can be
+used to produce output artifacts.
+
+A package is defined as a directory containing a
+[`BUILD` file](/concepts/build-files) named either `BUILD` or `BUILD.bazel`. A
+package includes all files in its directory, plus all subdirectories beneath it,
+except those which themselves contain a `BUILD` file. From this definition, no
+file or directory may be a part of two different packages.
+
+For example, in the following directory tree there are two packages, `my/app`,
+and the subpackage `my/app/tests`. Note that `my/app/data` is not a package, but
+a directory belonging to package `my/app`.
+
+```
+src/my/app/BUILD
+src/my/app/app.cc
+src/my/app/data/input.txt
+src/my/app/tests/BUILD
+src/my/app/tests/test.cc
+```
+
+## Targets
+
+A package is a container of _targets_, which are defined in the package's
+`BUILD` file. Most targets are one of two principal kinds, _files_ and _rules_.
+
+Files are further divided into two kinds. _Source files_ are usually written by
+the efforts of people, and checked in to the repository. _Generated files_,
+sometimes called derived files or output files, are not checked in, but are
+generated from source files.
+
+The second kind of target is declared with a _rule_. Each rule instance
+specifies the relationship between a set of input and a set of output files. The
+inputs to a rule may be source files, but they also may be the outputs of other
+rules.
+
+Whether the input to a rule is a source file or a generated file is in most
+cases immaterial; what matters is only the contents of that file. This fact
+makes it easy to replace a complex source file with a generated file produced by
+a rule, such as happens when the burden of manually maintaining a highly
+structured file becomes too tiresome, and someone writes a program to derive it.
+No change is required to the consumers of that file. Conversely, a generated
+file may easily be replaced by a source file with only local changes.
+
+The inputs to a rule may also include _other rules_. The precise meaning of such
+relationships is often quite complex and language- or rule-dependent, but
+intuitively it is simple: a C++ library rule A might have another C++ library
+rule B for an input. The effect of this dependency is that B's header files are
+available to A during compilation, B's symbols are available to A during
+linking, and B's runtime data is available to A during execution.
+
+An invariant of all rules is that the files generated by a rule always belong to
+the same package as the rule itself; it is not possible to generate files into
+another package. It is not uncommon for a rule's inputs to come from another
+package, though.
+
+Package groups are sets of packages whose purpose is to limit accessibility of
+certain rules. Package groups are defined by the `package_group` function. They
+have three properties: the list of packages they contain, their name, and other
+package groups they include. The only allowed ways to refer to them are from the
+`visibility` attribute of rules or from the `default_visibility` attribute of
+the `package` function; they do not generate or consume files. For more
+information, refer to the [`package_group`
+documentation](/reference/be/functions#package_group).
+
+
+ Labels
+
+
+---
+
+## Migrating to Platforms
+- URL: https://bazel.build/concepts/platforms
+- Source: concepts/platforms.mdx
+- Slug: /concepts/platforms
+
+Bazel has sophisticated [support](#background) for modeling
+[platforms][Platforms] and [toolchains][Toolchains] for multi-architecture and
+cross-compiled builds.
+
+This page summarizes the state of this support.
+
+Key Point: Bazel's platform and toolchain APIs are available today. Not all
+languages support them. Use these APIs with your project if you can. Bazel is
+migrating all major languages so eventually all builds will be platform-based.
+
+See also:
+
+* [Platforms][Platforms]
+* [Toolchains][Toolchains]
+* [Background][Background]
+
+## Status
+
+### C++
+
+C++ rules use platforms to select toolchains when
+`--incompatible_enable_cc_toolchain_resolution` is set.
+
+This means you can configure a C++ project with:
+
+```posix-terminal
+bazel build //:my_cpp_project --platforms=//:myplatform
+```
+
+instead of the legacy:
+
+```posix-terminal
+bazel build //:my_cpp_project` --cpu=... --crosstool_top=... --compiler=...
+```
+
+This will be enabled by default in Bazel 7.0 ([#7260](https://github.com/bazelbuild/bazel/issues/7260)).
+
+To test your C++ project with platforms, see
+[Migrating Your Project](#migrating-your-project) and
+[Configuring C++ toolchains].
+
+### Java
+
+Java rules use platforms to select toolchains.
+
+This replaces legacy flags `--java_toolchain`, `--host_java_toolchain`,
+`--javabase`, and `--host_javabase`.
+
+See [Java and Bazel](/docs/bazel-and-java) for details.
+
+### Android
+
+Android rules use platforms to select toolchains when
+`--incompatible_enable_android_toolchain_resolution` is set.
+
+This means you can configure an Android project with:
+
+```posix-terminal
+bazel build //:my_android_project --android_platforms=//:my_android_platform
+```
+
+instead of with legacy flags like `--android_crosstool_top`, `--android_cpu`,
+and `--fat_apk_cpu`.
+
+This will be enabled by default in Bazel 7.0 ([#16285](https://github.com/bazelbuild/bazel/issues/16285)).
+
+To test your Android project with platforms, see
+[Migrating Your Project](#migrating-your-project).
+
+### Apple
+
+[Apple rules] do not support platforms and are not yet scheduled
+for support.
+
+You can still use platform APIs with Apple builds (for example, when building
+with a mixture of Apple rules and pure C++) with [platform
+mappings](#platform-mappings).
+
+### Other languages
+
+* [Go rules] fully support platforms
+* [Rust rules] fully support platforms.
+
+If you own a language rule set, see [Migrating your rule set] for adding
+support.
+
+## Background
+
+*Platforms* and *toolchains* were introduced to standardize how software
+projects target different architectures and cross-compile.
+
+This was
+[inspired][Inspiration]
+by the observation that language maintainers were already doing this in ad
+hoc, incompatible ways. For example, C++ rules used `--cpu` and
+ `--crosstool_top` to declare a target CPU and toolchain. Neither of these
+correctly models a "platform". This produced awkward and incorrect builds.
+
+Java, Android, and other languages evolved their own flags for similar purposes,
+none of which interoperated with each other. This made cross-language builds
+confusing and complicated.
+
+Bazel is intended for large, multi-language, multi-platform projects. This
+demands more principled support for these concepts, including a clear
+standard API.
+
+### Need for migration
+
+Upgrading to the new API requires two efforts: releasing the API and upgrading
+rule logic to use it.
+
+The first is done but the second is ongoing. This consists of ensuring
+language-specific platforms and toolchains are defined, language logic reads
+toolchains through the new API instead of old flags like `--crosstool_top`, and
+`config_setting`s select on the new API instead of old flags.
+
+This work is straightforward but requires a distinct effort for each language,
+plus fair warning for project owners to test against upcoming changes.
+
+This is why this is an ongoing migration.
+
+### Goal
+
+This migration is complete when all projects build with the form:
+
+```posix-terminal
+bazel build //:myproject --platforms=//:myplatform
+```
+
+This implies:
+
+1. Your project's rules choose the right toolchains for `//:myplatform`.
+1. Your project's dependencies choose the right toolchains for `//:myplatform`.
+1. `//:myplatform` references
+[common declarations][Common Platform Declarations]
+of `CPU`, `OS`, and other generic, language-independent properties
+1. All relevant [`select()`s][select()] properly match `//:myplatform`.
+1. `//:myplatform` is defined in a clear, accessible place: in your project's
+repo if the platform is unique to your project, or some common place all
+consuming projects can find it
+
+Old flags like `--cpu`, `--crosstool_top`, and `--fat_apk_cpu` will be
+deprecated and removed as soon as it's safe to do so.
+
+Ultimately, this will be the *sole* way to configure architectures.
+
+
+## Migrating your project
+
+If you build with languages that support platforms, your build should already
+work with an invocation like:
+
+```posix-terminal
+bazel build //:myproject --platforms=//:myplatform
+```
+
+See [Status](#status) and your language's documentation for precise details.
+
+If a language requires a flag to enable platform support, you also need to set
+that flag. See [Status](#status) for details.
+
+For your project to build, you need to check the following:
+
+1. `//:myplatform` must exist. It's generally the project owner's responsibility
+ to define platforms because different projects target different machines.
+ See [Default platforms](#default-platforms).
+
+1. The toolchains you want to use must exist. If using stock toolchains, the
+ language owners should include instructions for how to register them. If
+ writing your own custom toolchains, you need to [register](https://bazel.build/extending/toolchains#registering-building-toolchains) them in your
+ `MODULE.bazel` file or with [`--extra_toolchains`](https://bazel.build/reference/command-line-reference#flag--extra_toolchains).
+
+1. `select()`s and [configuration transitions][Starlark transitions] must
+ resolve properly. See [select()](#select) and [Transitions](#transitions).
+
+1. If your build mixes languages that do and don't support platforms, you may
+ need platform mappings to help the legacy languages work with the new API.
+ See [Platform mappings](#platform-mappings) for details.
+
+If you still have problems, [reach out](#questions) for support.
+
+### Default platforms
+
+Project owners should define explicit
+[platforms][Defining Constraints and Platforms] to describe the architectures
+they want to build for. These are then triggered with `--platforms`.
+
+When `--platforms` isn't set, Bazel defaults to a `platform` representing the
+local build machine. This is auto-generated at `@platforms//host` (aliased as
+`@bazel_tools//tools:host_platform`)
+so there's no need to explicitly define it. It maps the local machine's `OS`
+and `CPU` with `constraint_value`s declared in
+[`@platforms`](https://github.com/bazelbuild/platforms).
+
+### `select()`
+
+Projects can [`select()`][select()] on
+[`constraint_value` targets][constraint_value Rule] but not complete
+platforms. This is intentional so `select()` supports as wide a variety of
+machines as possible. A library with `ARM`-specific sources should support *all*
+`ARM`-powered machines unless there's reason to be more specific.
+
+To select on one or more `constraint_value`s, use:
+
+```python
+config_setting(
+ name = "is_arm",
+ constraint_values = [
+ "@platforms//cpu:arm",
+ ],
+)
+```
+
+This is equivalent to traditionally selecting on `--cpu`:
+
+```python
+config_setting(
+ name = "is_arm",
+ values = {
+ "cpu": "arm",
+ },
+)
+```
+
+More details [here][select() Platforms].
+
+`select`s on `--cpu`, `--crosstool_top`, etc. don't understand `--platforms`.
+When migrating your project to platforms, you must either convert them to
+`constraint_values` or use [platform mappings](#platform-mappings) to support
+both styles during migration.
+
+### Transitions
+
+[Starlark transitions][Starlark transitions] change
+flags down parts of your build graph. If your project uses a transition that
+sets `--cpu`, `--crossstool_top`, or other legacy flags, rules that read
+`--platforms` won't see these changes.
+
+When migrating your project to platforms, you must either convert changes like
+`return { "//command_line_option:cpu": "arm" }` to `return {
+"//command_line_option:platforms": "//:my_arm_platform" }` or use [platform
+mappings](#platform-mappings) to support both styles during migration.
+window.
+
+## Migrating your rule set
+
+If you own a rule set and want to support platforms, you need to:
+
+1. Have rule logic resolve toolchains with the toolchain API. See
+ [toolchain API][Toolchains] (`ctx.toolchains`).
+
+1. Optional: define an `--incompatible_enable_platforms_for_my_language` flag so
+ rule logic alternately resolves toolchains through the new API or old flags
+ like `--crosstool_top` during migration testing.
+
+1. Define the relevant properties that make up platform components. See
+ [Common platform properties](#common-platform-properties)
+
+1. Define standard toolchains and make them accessible to users through your
+ rule's registration instructions ([details](https://bazel.build/extending/toolchains#registering-building-toolchains))
+
+1. Ensure [`select()`s](#select) and
+ [configuration transitions](#transitions) support platforms. This is the
+ biggest challenge. It's particularly challenging for multi-language projects
+ (which may fail if *all* languages can't read `--platforms`).
+
+If you need to mix with rules that don't support platforms, you may need
+[platform mappings](#platform-mappings) to bridge the gap.
+
+### Common platform properties
+
+Common, cross-language platform properties like `OS` and `CPU` should be
+declared in [`@platforms`](https://github.com/bazelbuild/platforms).
+This encourages sharing, standardization, and cross-language compatibility.
+
+Properties unique to your rules should be declared in your rule's repo. This
+lets you maintain clear ownership over the specific concepts your rules are
+responsible for.
+
+If your rules use custom-purpose OSes or CPUs, these should be declared in your
+rule's repo vs.
+[`@platforms`](https://github.com/bazelbuild/platforms).
+
+## Platform mappings
+
+*Platform mappings* is a temporary API that lets platform-aware logic mix with
+legacy logic in the same build. This is a blunt tool that's only intended to
+smooth incompatibilities with different migration timeframes.
+
+Caution: Only use this if necessary, and expect to eventually eliminate it.
+
+A platform mapping is a map of either a `platform()` to a
+corresponding set of legacy flags or the reverse. For example:
+
+```python
+platforms:
+ # Maps "--platforms=//platforms:ios" to "--ios_multi_cpus=x86_64 --apple_platform_type=ios".
+ //platforms:ios
+ --ios_multi_cpus=x86_64
+ --apple_platform_type=ios
+
+flags:
+ # Maps "--ios_multi_cpus=x86_64 --apple_platform_type=ios" to "--platforms=//platforms:ios".
+ --ios_multi_cpus=x86_64
+ --apple_platform_type=ios
+ //platforms:ios
+
+ # Maps "--cpu=darwin_x86_64 --apple_platform_type=macos" to "//platform:macos".
+ --cpu=darwin_x86_64
+ --apple_platform_type=macos
+ //platforms:macos
+```
+
+Bazel uses this to guarantee all settings, both platform-based and
+legacy, are consistently applied throughout the build, including through
+[transitions](#transitions).
+
+By default Bazel reads mappings from the `platform_mappings` file in your
+workspace root. You can also set
+`--platform_mappings=//:my_custom_mapping`.
+
+See the [platform mappings design] for details.
+
+## API review
+
+A [`platform`][platform Rule] is a collection of
+[`constraint_value` targets][constraint_value Rule]:
+
+```python
+platform(
+ name = "myplatform",
+ constraint_values = [
+ "@platforms//os:linux",
+ "@platforms//cpu:arm",
+ ],
+)
+```
+
+A [`constraint_value`][constraint_value Rule] is a machine
+property. Values of the same "kind" are grouped under a common
+[`constraint_setting`][constraint_setting Rule]:
+
+```python
+constraint_setting(name = "os")
+constraint_value(
+ name = "linux",
+ constraint_setting = ":os",
+)
+constraint_value(
+ name = "mac",
+ constraint_setting = ":os",
+)
+```
+
+A [`toolchain`][Toolchains] is a [Starlark rule][Starlark rule]. Its
+attributes declare a language's tools (like `compiler =
+"//mytoolchain:custom_gcc"`). Its [providers][Starlark Provider] pass
+this information to rules that need to build with these tools.
+
+Toolchains declare the `constraint_value`s of machines they can
+[target][target_compatible_with Attribute]
+(`target_compatible_with = ["@platforms//os:linux"]`) and machines their tools can
+[run on][exec_compatible_with Attribute]
+(`exec_compatible_with = ["@platforms//os:mac"]`).
+
+When building `$ bazel build //:myproject --platforms=//:myplatform`, Bazel
+automatically selects a toolchain that can run on the build machine and
+build binaries for `//:myplatform`. This is known as *toolchain resolution*.
+
+The set of available toolchains can be registered in the `MODULE.bazel` file
+with [`register_toolchains`][register_toolchains Function] or at the
+command line with [`--extra_toolchains`][extra_toolchains Flag].
+
+For more information see [here][Toolchains].
+
+## Questions
+
+For general support and questions about the migration timeline, contact
+[bazel-discuss] or the owners of the appropriate rules.
+
+For discussions on the design and evolution of the platform/toolchain APIs,
+contact [bazel-dev].
+
+## See also
+
+* [Configurable Builds - Part 1]
+* [Platforms]
+* [Toolchains]
+* [Bazel Platforms Cookbook]
+* [Platforms examples]
+* [Example C++ toolchain]
+
+[Android Rules]: /docs/bazel-and-android
+[Apple Rules]: https://github.com/bazelbuild/rules_apple
+[Background]: #background
+[Bazel platforms Cookbook]: https://docs.google.com/document/d/1UZaVcL08wePB41ATZHcxQV4Pu1YfA1RvvWm8FbZHuW8/
+[bazel-dev]: https://groups.google.com/forum/#!forum/bazel-dev
+[bazel-discuss]: https://groups.google.com/forum/#!forum/bazel-discuss
+[Common Platform Declarations]: https://github.com/bazelbuild/platforms
+[constraint_setting Rule]: /reference/be/platforms-and-toolchains#constraint_setting
+[constraint_value Rule]: /reference/be/platforms-and-toolchains#constraint_value
+[Configurable Builds - Part 1]: https://blog.bazel.build/2019/02/11/configurable-builds-part-1.html
+[Configuring C++ toolchains]: /tutorials/ccp-toolchain-config
+[Defining Constraints and Platforms]: /extending/platforms#constraints-platforms
+[Example C++ toolchain]: https://github.com/gregestren/snippets/tree/master/custom_cc_toolchain_with_platforms
+[exec_compatible_with Attribute]: /reference/be/platforms-and-toolchains#toolchain.exec_compatible_with
+[extra_toolchains Flag]: /reference/command-line-reference#flag--extra_toolchains
+[Go Rules]: https://github.com/bazelbuild/rules_go
+[Inspiration]: https://blog.bazel.build/2019/02/11/configurable-builds-part-1.html
+[Migrating your rule set]: #migrating-your-rule-set
+[Platforms]: /extending/platforms
+[Platforms examples]: https://github.com/hlopko/bazel_platforms_examples
+[platform mappings design]: https://docs.google.com/document/d/1Vg_tPgiZbSrvXcJ403vZVAGlsWhH9BUDrAxMOYnO0Ls/edit
+[platform Rule]: /reference/be/platforms-and-toolchains#platform
+[register_toolchains Function]: /rules/lib/globals/module#register_toolchains
+[Rust rules]: https://github.com/bazelbuild/rules_rust
+[select()]: /docs/configurable-attributes
+[select() Platforms]: /docs/configurable-attributes#platforms
+[Starlark provider]: /extending/rules#providers
+[Starlark rule]: /extending/rules
+[Starlark transitions]: /extending/config#user-defined-transitions
+[target_compatible_with Attribute]: /reference/be/platforms-and-toolchains#toolchain.target_compatible_with
+[Toolchains]: /extending/toolchains
+
+---
+
+## Visibility
+- URL: https://bazel.build/concepts/visibility
+- Source: concepts/visibility.mdx
+- Slug: /concepts/visibility
+
+This page covers Bazel's two visibility systems:
+[target visibility](#target-visibility) and [load visibility](#load-visibility).
+
+Both types of visibility help other developers distinguish between your
+library's public API and its implementation details, and help enforce structure
+as your workspace grows. You can also use visibility when deprecating a public
+API to allow current users while denying new ones.
+
+## Target visibility
+
+**Target visibility** controls who may depend on your target — that is, who may
+use your target's label inside an attribute such as `deps`. A target will fail
+to build during the [analysis](/reference/glossary#analysis-phase) phase if it
+violates the visibility of one of its dependencies.
+
+Generally, a target `A` is visible to a target `B` if they are in the same
+location, or if `A` grants visibility to `B`'s location. In the absence of
+[symbolic macros](/extending/macros), the term "location" can be simplified
+to just "package"; see [below](#symbolic-macros) for more on symbolic macros.
+
+Visibility is specified by listing allowed packages. Allowing a package does not
+necessarily mean that its subpackages are also allowed. For more details on
+packages and subpackages, see [Concepts and terminology](/concepts/build-ref).
+
+For prototyping, you can disable target visibility enforcement by setting the
+flag `--check_visibility=false`. This shouldn't be done for production usage in
+submitted code.
+
+The primary way to control visibility is with a rule's
+[`visibility`](/reference/be/common-definitions#common.visibility) attribute.
+The following subsections describe the attribute's format, how to apply it to
+various kinds of targets, and the interaction between the visibility system and
+symbolic macros.
+
+### Visibility specifications
+
+All rule targets have a `visibility` attribute that takes a list of labels. Each
+label has one of the following forms. With the exception of the last form, these
+are just syntactic placeholders that don't correspond to any actual target.
+
+* `"//visibility:public"`: Grants access to all packages.
+
+* `"//visibility:private"`: Does not grant any additional access; only targets
+ in this location's package can use this target.
+
+* `"//foo/bar:__pkg__"`: Grants access to `//foo/bar` (but not its
+ subpackages).
+
+* `"//foo/bar:__subpackages__"`: Grants access to `//foo/bar` and all of its
+ direct and indirect subpackages.
+
+* `"//some_pkg:my_package_group"`: Grants access to all of the packages that
+ are part of the given [`package_group`](/reference/be/functions#package_group).
+
+ * Package groups use a
+ [different syntax](/reference/be/functions#package_group.packages) for
+ specifying packages. Within a package group, the forms
+ `"//foo/bar:__pkg__"` and `"//foo/bar:__subpackages__"` are respectively
+ replaced by `"//foo/bar"` and `"//foo/bar/..."`. Likewise,
+ `"//visibility:public"` and `"//visibility:private"` are just `"public"`
+ and `"private"`.
+
+For example, if `//some/package:mytarget` has its `visibility` set to
+`[":__subpackages__", "//tests:__pkg__"]`, then it could be used by any target
+that is part of the `//some/package/...` source tree, as well as targets
+declared in `//tests/BUILD`, but not by targets defined in
+`//tests/integration/BUILD`.
+
+**Best practice:** To make several targets visible to the same set
+of packages, use a `package_group` instead of repeating the list in each
+target's `visibility` attribute. This increases readability and prevents the
+lists from getting out of sync.
+
+**Best practice:** When granting visibility to another team's project, prefer
+`__subpackages__` over `__pkg__` to avoid needless visibility churn as that
+project evolves and adds new subpackages.
+
+Note: The `visibility` attribute may not specify non-`package_group` targets.
+Doing so triggers a "Label does not refer to a package group" or "Cycle in
+dependency graph" error.
+
+### Rule target visibility
+
+A rule target's visibility is determined by taking its `visibility` attribute
+-- or a suitable default if not given -- and appending the location where the
+target was declared. For targets not declared in a symbolic macro, if the
+package specifies a [`default_visibility`](/reference/be/functions#package.default_visibility),
+this default is used; for all other packages and for targets declared in a
+symbolic macro, the default is just `["//visibility:private"]`.
+
+```starlark
+# //mypkg/BUILD
+
+package(default_visibility = ["//friend:__pkg__"])
+
+cc_library(
+ name = "t1",
+ ...
+ # No visibility explicitly specified.
+ # Effective visibility is ["//friend:__pkg__", "//mypkg:__pkg__"].
+ # If no default_visibility were given in package(...), the visibility would
+ # instead default to ["//visibility:private"], and the effective visibility
+ # would be ["//mypkg:__pkg__"].
+)
+
+cc_library(
+ name = "t2",
+ ...
+ visibility = [":clients"],
+ # Effective visibility is ["//mypkg:clients, "//mypkg:__pkg__"], which will
+ # expand to ["//another_friend:__subpackages__", "//mypkg:__pkg__"].
+)
+
+cc_library(
+ name = "t3",
+ ...
+ visibility = ["//visibility:private"],
+ # Effective visibility is ["//mypkg:__pkg__"]
+)
+
+package_group(
+ name = "clients",
+ packages = ["//another_friend/..."],
+)
+```
+
+**Best practice:** Avoid setting `default_visibility` to public. It may be
+convenient for prototyping or in small codebases, but the risk of inadvertently
+creating public targets increases as the codebase grows. It's better to be
+explicit about which targets are part of a package's public interface.
+
+### Generated file target visibility
+
+A generated file target has the same visibility as the rule target that
+generates it.
+
+```starlark
+# //mypkg/BUILD
+
+java_binary(
+ name = "foo",
+ ...
+ visibility = ["//friend:__pkg__"],
+)
+```
+
+```starlark
+# //friend/BUILD
+
+some_rule(
+ name = "bar",
+ deps = [
+ # Allowed directly by visibility of foo.
+ "//mypkg:foo",
+ # Also allowed. The java_binary's "_deploy.jar" implicit output file
+ # target the same visibility as the rule target itself.
+ "//mypkg:foo_deploy.jar",
+ ]
+ ...
+)
+```
+
+### Source file target visibility
+
+Source file targets can either be explicitly declared using
+[`exports_files`](/reference/be/functions#exports_files), or implicitly created
+by referring to their filename in a label attribute of a rule (outside of a
+symbolic macro). As with rule targets, the location of the call to
+`exports_files`, or the BUILD file that referred to the input file, is always
+automatically appended to the file's visibility.
+
+Files declared by `exports_files` can have their visibility set by the
+`visibility` parameter to that function. If this parameter is not given, the visibility is public.
+
+Note: `exports_files` may not be used to override the visibility of a generated
+file.
+
+For files that do not appear in a call to `exports_files`, the visibility
+depends on the value of the flag
+[`--incompatible_no_implicit_file_export`](https://github.com/bazelbuild/bazel/issues/10225):
+
+* If the flag is true, the visibility is private.
+
+* Else, the legacy behavior applies: The visibility is the same as the
+ `BUILD` file's `default_visibility`, or private if a default visibility is
+ not specified.
+
+Avoid relying on the legacy behavior. Always write an `exports_files`
+declaration whenever a source file target needs non-private visibility.
+
+**Best practice:** When possible, prefer to expose a rule target rather than a
+source file. For example, instead of calling `exports_files` on a `.java` file,
+wrap the file in a non-private `java_library` target. Generally, rule targets
+should only directly reference source files that live in the same package.
+
+#### Example
+
+File `//frobber/data/BUILD`:
+
+```starlark
+exports_files(["readme.txt"])
+```
+
+File `//frobber/bin/BUILD`:
+
+```starlark
+cc_binary(
+ name = "my-program",
+ data = ["//frobber/data:readme.txt"],
+)
+```
+
+### Config setting visibility
+
+Historically, Bazel has not enforced visibility for
+[`config_setting`](/reference/be/general#config_setting) targets that are
+referenced in the keys of a [`select()`](/reference/be/functions#select). There
+are two flags to remove this legacy behavior:
+
+* [`--incompatible_enforce_config_setting_visibility`](https://github.com/bazelbuild/bazel/issues/12932)
+ enables visibility checking for these targets. To assist with migration, it
+ also causes any `config_setting` that does not specify a `visibility` to be
+ considered public (regardless of package-level `default_visibility`).
+
+* [`--incompatible_config_setting_private_default_visibility`](https://github.com/bazelbuild/bazel/issues/12933)
+ causes `config_setting`s that do not specify a `visibility` to respect the
+ package's `default_visibility` and to fallback on private visibility, just
+ like any other rule target. It is a no-op if
+ `--incompatible_enforce_config_setting_visibility` is not set.
+
+Avoid relying on the legacy behavior. Any `config_setting` that is intended to
+be used outside the current package should have an explicit `visibility`, if the
+package does not already specify a suitable `default_visibility`.
+
+### Package group target visibility
+
+`package_group` targets do not have a `visibility` attribute. They are always
+publicly visible.
+
+### Visibility of implicit dependencies
+
+Some rules have [implicit dependencies](/extending/rules#private_attributes_and_implicit_dependencies) —
+dependencies that are not spelled out in a `BUILD` file but are inherent to
+every instance of that rule. For example, a `cc_library` rule might create an
+implicit dependency from each of its rule targets to an executable target
+representing a C++ compiler.
+
+The visibility of such an implicit dependency is checked with respect to the
+package containing the `.bzl` file in which the rule (or aspect) is defined. In
+our example, the C++ compiler could be private so long as it lives in the same
+package as the definition of the `cc_library` rule. As a fallback, if the
+implicit dependency is not visible from the definition, it is checked with
+respect to the `cc_library` target.
+
+If you want to restrict the usage of a rule to certain packages, use
+[load visibility](#load-visibility) instead.
+
+### Visibility and symbolic macros
+
+This section describes how the visibility system interacts with
+[symbolic macros](/extending/macros).
+
+#### Locations within symbolic macros
+
+A key detail of the visibility system is how we determine the location of a
+declaration. For targets that are not declared in a symbolic macro, the location
+is just the package where the target lives -- the package of the `BUILD` file.
+But for targets created in a symbolic macro, the location is the package
+containing the `.bzl` file where the macro's definition (the
+`my_macro = macro(...)` statement) appears. When a target is created inside
+multiple nested targets, it is always the innermost symbolic macro's definition
+that is used.
+
+The same system is used to determine what location to check against a given
+dependency's visibility. If the consuming target was created inside a macro, we
+look at the innermost macro's definition rather than the package the consuming
+target lives in.
+
+This means that all macros whose code is defined in the same package are
+automatically "friends" with one another. Any target directly created by a macro
+defined in `//lib:defs.bzl` can be seen from any other macro defined in `//lib`,
+regardless of what packages the macros are actually instantiated in. Likewise,
+they can see, and can be seen by, targets declared directly in `//lib/BUILD` and
+its legacy macros. Conversely, targets that live in the same package cannot
+necessarily see one another if at least one of them is created by a symbolic
+macro.
+
+Within a symbolic macro's implementation function, the `visibility` parameter
+has the effective value of the macro's `visibility` attribute after appending
+the location where the macro was called. The standard way for a macro to export
+one of its targets to its caller is to forward this value along to the target's
+declaration, as in `some_rule(..., visibility = visibility)`. Targets that omit
+this attribute won't be visible to the caller of the macro unless the caller
+happens to be in the same package as the macro definition. This behavior
+composes, in the sense that a chain of nested calls to submacros may each pass
+`visibility = visibility`, re-exporting the inner macro's exported targets to
+the caller at each level, without exposing any of the macros' implementation
+details.
+
+#### Delegating privileges to a submacro
+
+The visibility model has a special feature to allow a macro to delegate its
+permissions to a submacro. This is important for factoring and composing macros.
+
+Suppose you have a macro `my_macro` that creates a dependency edge using a rule
+`some_library` from another package:
+
+```starlark
+# //macro/defs.bzl
+load("//lib:defs.bzl", "some_library")
+
+def _impl(name, visibility, ...):
+ ...
+ native.genrule(
+ name = name + "_dependency"
+ ...
+ )
+ some_library(
+ name = name + "_consumer",
+ deps = [name + "_dependency"],
+ ...
+ )
+
+my_macro = macro(implementation = _impl, ...)
+```
+
+```starlark
+# //pkg/BUILD
+
+load("//macro:defs.bzl", "my_macro")
+
+my_macro(name = "foo", ...)
+```
+
+The `//pkg:foo_dependency` target has no `visibility` specified, so it is only
+visible within `//macro`, which works fine for the consuming target. Now, what
+happens if the author of `//lib` refactors `some_library` to instead be
+implemented using a macro?
+
+```starlark
+# //lib:defs.bzl
+
+def _impl(name, visibility, deps, ...):
+ some_rule(
+ # Main target, exported.
+ name = name,
+ visibility = visibility,
+ deps = deps,
+ ...)
+
+some_library = macro(implementation = _impl, ...)
+```
+
+With this change, `//pkg:foo_consumer`'s location is now `//lib` rather than
+`//macro`, so its usage of `//pkg:foo_dependency` violates the dependency's
+visibility. The author of `my_macro` can't be expected to pass
+`visibility = ["//lib"]` to the declaration of the dependency just to work
+around this implementation detail.
+
+For this reason, when a dependency of a target is also an attribute value of the
+macro that declared the target, we check the dependency's visibility against the
+location of the macro instead of the location of the consuming target.
+
+In this example, to validate whether `//pkg:foo_consumer` can see
+`//pkg:foo_dependency`, we see that `//pkg:foo_dependency` was also passed as an
+input to the call to `some_library` inside of `my_macro`, and instead check the
+dependency's visibility against the location of this call, `//macro`.
+
+This process can repeat recursively, as long as a target or macro declaration is
+inside of another symbolic macro taking the dependency's label in one of its
+label-typed attributes.
+
+Note: Visibility delegation does not work for labels that were not passed into
+the macro, such as labels derived by string manipulation.
+
+#### Finalizers
+
+Targets declared in a rule finalizer (a symbolic macro with `finalizer = True`),
+in addition to seeing targets following the usual symbolic macro visibility
+rules, can *also* see all targets which are visible to the finalizer target's
+package.
+
+In other words, if you migrate a `native.existing_rules()`-based legacy macro to
+a finalizer, the targets declared by the finalizer will still be able to see
+their old dependencies.
+
+It is possible to define targets that a finalizer can introspect using
+`native.existing_rules()`, but which it cannot use as dependencies under the
+visibility system. For example, if a macro-defined target is not visible to its
+own package or to the finalizer macro's definition, and is not delegated to the
+finalizer, the finalizer cannot see such a target. Note, however, that a
+`native.existing_rules()`-based legacy macro will also be unable to see such a
+target.
+
+## Load visibility
+
+**Load visibility** controls whether a `.bzl` file may be loaded from other
+`BUILD` or `.bzl` files outside the current package.
+
+In the same way that target visibility protects source code that is encapsulated
+by targets, load visibility protects build logic that is encapsulated by `.bzl`
+files. For instance, a `BUILD` file author might wish to factor some repetitive
+target declarations into a macro in a `.bzl` file. Without the protection of
+load visibility, they might find their macro reused by other collaborators in
+the same workspace, so that modifying the macro breaks other teams' builds.
+
+Note that a `.bzl` file may or may not have a corresponding source file target.
+If it does, there is no guarantee that the load visibility and the target
+visibility coincide. That is, the same `BUILD` file might be able to load the
+`.bzl` file but not list it in the `srcs` of a [`filegroup`](/reference/be/general#filegroup),
+or vice versa. This can sometimes cause problems for rules that wish to consume
+`.bzl` files as source code, such as for documentation generation or testing.
+
+For prototyping, you may disable load visibility enforcement by setting
+`--check_bzl_visibility=false`. As with `--check_visibility=false`, this should
+not be done for submitted code.
+
+Load visibility is available as of Bazel 6.0.
+
+### Declaring load visibility
+
+To set the load visibility of a `.bzl` file, call the
+[`visibility()`](/rules/lib/globals/bzl#visibility) function from within the file.
+The argument to `visibility()` is a list of package specifications, just like
+the [`packages`](/reference/be/functions#package_group.packages) attribute of
+`package_group`. However, `visibility()` does not accept negative package
+specifications.
+
+The call to `visibility()` must only occur once per file, at the top level (not
+inside a function), and ideally immediately following the `load()` statements.
+
+Unlike target visibility, the default load visibility is always public. Files
+that do not call `visibility()` are always loadable from anywhere in the
+workspace. It is a good idea to add `visibility("private")` to the top of any
+new `.bzl` file that is not specifically intended for use outside the package.
+
+### Example
+
+```starlark
+# //mylib/internal_defs.bzl
+
+# Available to subpackages and to mylib's tests.
+visibility(["//mylib/...", "//tests/mylib/..."])
+
+def helper(...):
+ ...
+```
+
+```starlark
+# //mylib/rules.bzl
+
+load(":internal_defs.bzl", "helper")
+# Set visibility explicitly, even though public is the default.
+# Note the [] can be omitted when there's only one entry.
+visibility("public")
+
+myrule = rule(
+ ...
+)
+```
+
+```starlark
+# //someclient/BUILD
+
+load("//mylib:rules.bzl", "myrule") # ok
+load("//mylib:internal_defs.bzl", "helper") # error
+
+...
+```
+
+### Load visibility practices
+
+This section describes tips for managing load visibility declarations.
+
+#### Factoring visibilities
+
+When multiple `.bzl` files should have the same visibility, it can be helpful to
+factor their package specifications into a common list. For example:
+
+```starlark
+# //mylib/internal_defs.bzl
+
+visibility("private")
+
+clients = [
+ "//foo",
+ "//bar/baz/...",
+ ...
+]
+```
+
+```starlark
+# //mylib/feature_A.bzl
+
+load(":internal_defs.bzl", "clients")
+visibility(clients)
+
+...
+```
+
+```starlark
+# //mylib/feature_B.bzl
+
+load(":internal_defs.bzl", "clients")
+visibility(clients)
+
+...
+```
+
+This helps prevent accidental skew between the various `.bzl` files'
+visibilities. It also is more readable when the `clients` list is large.
+
+#### Composing visibilities
+
+Sometimes a `.bzl` file might need to be visible to an allowlist that is
+composed of multiple smaller allowlists. This is analogous to how a
+`package_group` can incorporate other `package_group`s via its
+[`includes`](/reference/be/functions#package_group.includes) attribute.
+
+Suppose you are deprecating a widely used macro. You want it to be visible only
+to existing users and to the packages owned by your own team. You might write:
+
+```starlark
+# //mylib/macros.bzl
+
+load(":internal_defs.bzl", "our_packages")
+load("//some_big_client:defs.bzl", "their_remaining_uses")
+
+# List concatenation. Duplicates are fine.
+visibility(our_packages + their_remaining_uses)
+```
+
+#### Deduplicating with package groups
+
+Unlike target visibility, you cannot define a load visibility in terms of a
+`package_group`. If you want to reuse the same allowlist for both target
+visibility and load visibility, it's best to move the list of package
+specifications into a .bzl file, where both kinds of declarations may refer to
+it. Building off the example in [Factoring visibilities](#factoring-visibilities)
+above, you might write:
+
+```starlark
+# //mylib/BUILD
+
+load(":internal_defs", "clients")
+
+package_group(
+ name = "my_pkg_grp",
+ packages = clients,
+)
+```
+
+This only works if the list does not contain any negative package
+specifications.
+
+#### Protecting individual symbols
+
+Any Starlark symbol whose name begins with an underscore cannot be loaded from
+another file. This makes it easy to create private symbols, but does not allow
+you to share these symbols with a limited set of trusted files. On the other
+hand, load visibility gives you control over what other packages may see your
+`.bzl file`, but does not allow you to prevent any non-underscored symbol from
+being loaded.
+
+Luckily, you can combine these two features to get fine-grained control.
+
+```starlark
+# //mylib/internal_defs.bzl
+
+# Can't be public, because internal_helper shouldn't be exposed to the world.
+visibility("private")
+
+# Can't be underscore-prefixed, because this is
+# needed by other .bzl files in mylib.
+def internal_helper(...):
+ ...
+
+def public_util(...):
+ ...
+```
+
+```starlark
+# //mylib/defs.bzl
+
+load(":internal_defs", "internal_helper", _public_util="public_util")
+visibility("public")
+
+# internal_helper, as a loaded symbol, is available for use in this file but
+# can't be imported by clients who load this file.
+...
+
+# Re-export public_util from this file by assigning it to a global variable.
+# We needed to import it under a different name ("_public_util") in order for
+# this assignment to be legal.
+public_util = _public_util
+```
+
+#### bzl-visibility Buildifier lint
+
+There is a [Buildifier lint](https://github.com/bazelbuild/buildtools/blob/master/WARNINGS.md#bzl-visibility)
+that provides a warning if users load a file from a directory named `internal`
+or `private`, when the user's file is not itself underneath the parent of that
+directory. This lint predates the load visibility feature and is unnecessary in
+workspaces where `.bzl` files declare visibilities.
+
+---
+
+## Configurable Build Attributes
+- URL: https://bazel.build/configure/attributes
+- Source: configure/attributes.mdx
+- Slug: /configure/attributes
+
+**_Configurable attributes_**, commonly known as [`select()`](
+/reference/be/functions#select), is a Bazel feature that lets users toggle the values
+of build rule attributes at the command line.
+
+This can be used, for example, for a multiplatform library that automatically
+chooses the appropriate implementation for the architecture, or for a
+feature-configurable binary that can be customized at build time.
+
+## Example
+
+```python
+# myapp/BUILD
+
+cc_binary(
+ name = "mybinary",
+ srcs = ["main.cc"],
+ deps = select({
+ ":arm_build": [":arm_lib"],
+ ":x86_debug_build": [":x86_dev_lib"],
+ "//conditions:default": [":generic_lib"],
+ }),
+)
+
+config_setting(
+ name = "arm_build",
+ values = {"cpu": "arm"},
+)
+
+config_setting(
+ name = "x86_debug_build",
+ values = {
+ "cpu": "x86",
+ "compilation_mode": "dbg",
+ },
+)
+```
+
+This declares a `cc_binary` that "chooses" its deps based on the flags at the
+command line. Specifically, `deps` becomes:
+
+| Command | +deps = | +
bazel build //myapp:mybinary --cpu=arm |
+ [":arm_lib"] |
+
bazel build //myapp:mybinary -c dbg --cpu=x86 |
+ [":x86_dev_lib"] |
+
bazel build //myapp:mybinary --cpu=ppc |
+ [":generic_lib"] |
+
bazel build //myapp:mybinary -c dbg --cpu=ppc |
+ [":generic_lib"] |
+
bazel build //examples/cpp:hello-world
+bazel-bin\examples\cpp\hello-world.exe
+```
+
+By default, the built binaries target x64 architecture. To build for ARM64
+architecture, use
+
+```none
+--platforms=//:windows_arm64 --extra_toolchains=@local_config_cc//:cc-toolchain-arm64_windows
+```
+
+You can introduce `@local_config_cc` in `MODULE.bazel` with
+
+```python
+bazel_dep(name = "rules_cc", version = "0.1.1")
+cc_configure = use_extension("@rules_cc//cc:extensions.bzl", "cc_configure_extension")
+use_repo(cc_configure, "local_config_cc")
+```
+
+To build and use Dynamically Linked Libraries (DLL files), see [this
+example](https://github.com/bazelbuild/bazel/tree/master/examples/windows/dll).
+
+**Command Line Length Limit**: To prevent the
+[Windows command line length limit issue](https://github.com/bazelbuild/bazel/issues/5163),
+enable the compiler parameter file feature via `--features=compiler_param_file`.
+
+### Build C++ with Clang
+
+From 0.29.0, Bazel supports building with LLVM's MSVC-compatible compiler driver (`clang-cl.exe`).
+
+**Requirement**: To build with Clang, you have to install **both**
+[LLVM](http://releases.llvm.org/download.html) and Visual C++ Build tools,
+because although you use `clang-cl.exe` as compiler, you still need to link to
+Visual C++ libraries.
+
+Bazel can automatically detect LLVM installation on your system, or you can explicitly tell
+Bazel where LLVM is installed by `BAZEL_LLVM`.
+
+* `BAZEL_LLVM` the LLVM installation directory
+
+ ```posix-terminal
+ set BAZEL_LLVM=C:\Program Files\LLVM
+ ```
+
+To enable the Clang toolchain for building C++, there are several situations.
+
+* In Bazel 7.0.0 and newer: Add a platform target to your `BUILD file` (eg. the
+ top level `BUILD` file):
+
+ ```
+ platform(
+ name = "x64_windows-clang-cl",
+ constraint_values = [
+ "@platforms//cpu:x86_64",
+ "@platforms//os:windows",
+ "@bazel_tools//tools/cpp:clang-cl",
+ ],
+ )
+ ```
+
+ Then enable the Clang toolchain by specifying the following build flags:
+
+ ```
+ --extra_toolchains=@local_config_cc//:cc-toolchain-x64_windows-clang-cl --extra_execution_platforms=//:x64_windows-clang-cl
+ ```
+
+* In Bazel older than 7.0.0 but newer than 0.28: Enable the Clang toolchain by
+ a build flag `--compiler=clang-cl`.
+
+ If your build sets the flag
+ [\-\-incompatible_enable_cc_toolchain_resolution]
+ (https://github.com/bazelbuild/bazel/issues/7260)
+ to `true`, then use the approach for Bazel 7.0.0.
+
+* In Bazel 0.28 and older: Clang is not supported.
+
+### Build Java
+
+To build Java targets, you need:
+
+* [The Java SE Development Kit](/install/windows#install-jdk)
+
+On Windows, Bazel builds two output files for `java_binary` rules:
+
+* a `.jar` file
+* a `.exe` file that can set up the environment for the JVM and run the binary
+
+Try building a target from one of our [sample
+projects](https://github.com/bazelbuild/bazel/tree/master/examples):
+
+```
+ bazel build //examples/java-native/src/main/java/com/example/myproject:hello-world
+ bazel-bin\examples\java-native\src\main\java\com\example\myproject\hello-world.exe
+```
+
+### Build Python
+
+To build Python targets, you need:
+
+* The [Python interpreter](/install/windows#install-python)
+
+On Windows, Bazel builds two output files for `py_binary` rules:
+
+* a self-extracting zip file
+* an executable file that can launch the Python interpreter with the
+ self-extracting zip file as the argument
+
+You can either run the executable file (it has a `.exe` extension) or you can run
+Python with the self-extracting zip file as the argument.
+
+Try building a target from one of our [sample
+projects](https://github.com/bazelbuild/bazel/tree/master/examples):
+
+```
+ bazel build //examples/py_native:bin
+ bazel-bin\examples\py_native\bin.exe
+ python bazel-bin\examples\py_native\bin.zip
+```
+
+If you are interested in details about how Bazel builds Python targets on
+Windows, check out this [design
+doc](https://github.com/bazelbuild/bazel-website/blob/master/designs/_posts/2016-09-05-build-python-on-windows.md).
+
+---
+
+## Contributing to Bazel
+- URL: https://bazel.build/contribute
+- Source: contribute/index.mdx
+- Slug: /contribute
+
+There are many ways to help the Bazel project and ecosystem.
+
+## Provide feedback
+
+As you use Bazel, you may find things that can be improved.
+You can help by [reporting issues](http://github.com/bazelbuild/bazel/issues)
+when:
+
+ - Bazel crashes or you encounter a bug that can [only be resolved using `bazel
+ clean`](/run/build#correct-incremental-rebuilds).
+ - The documentation is incomplete or unclear. You can also report issues
+ from the page you are viewing by using the "Create issue"
+ link at the top right corner of the page.
+ - An error message could be improved.
+
+## Participate in the community
+
+You can engage with the Bazel community by:
+
+ - Answering questions [on Stack Overflow](
+ https://stackoverflow.com/questions/tagged/bazel).
+ - Helping other users [on Slack](https://slack.bazel.build).
+ - Improving documentation or [contributing examples](
+ https://github.com/bazelbuild/examples).
+ - Sharing your experience or your tips, for example, on a blog or social media.
+
+## Contribute code
+
+Bazel is a large project and making a change to the Bazel source code
+can be difficult.
+
+You can contribute to the Bazel ecosystem by:
+
+ - Helping rules maintainers by contributing pull requests.
+ - Creating new rules and open-sourcing them.
+ - Contributing to Bazel-related tools, for example, migration tools.
+ - Improving Bazel integration with other IDEs and tools.
+
+Before making a change, [create a GitHub
+issue](http://github.com/bazelbuild/bazel/issues)
+or email [bazel-discuss@](mailto:bazel-discuss@googlegroups.com).
+
+The most helpful contributions fix bugs or add features (as opposed
+to stylistic, refactoring, or "cleanup" changes). Your change should
+include tests and documentation, keeping in mind backward-compatibility,
+portability, and the impact on memory usage and performance.
+
+To learn about how to submit a change, see the
+[patch acceptance process](/contribute/patch-acceptance).
+
+## Bazel's code description
+
+Bazel has a large codebase with code in multiple locations. See the [codebase guide](/contribute/codebase) for more details.
+
+Bazel is organized as follows:
+
+* Client code is in `src/main/cpp` and provides the command-line interface.
+* Protocol buffers are in `src/main/protobuf`.
+* Server code is in `src/main/java` and `src/test/java`.
+ * Core code which is mostly composed of [SkyFrame](/reference/skyframe)
+ and some utilities.
+ * Built-in rules are in `com.google.devtools.build.lib.rules` and in
+ `com.google.devtools.build.lib.bazel.rules`. You might want to read about
+ the [Challenges of Writing Rules](/rules/challenges) first.
+* Java native interfaces are in `src/main/native`.
+* Various tooling for language support are described in the list in the
+ [compiling Bazel](/install/compile-source) section.
+
+
+### Searching Bazel's source code
+
+To quickly search through Bazel's source code, use
+[Bazel Code Search](https://source.bazel.build/). You can navigate Bazel's
+repositories, branches, and files. You can also view history, diffs, and blame
+information. To learn more, see the
+[Bazel Code Search User Guide](/contribute/search).
+
+---
+
+## Guide for rolling out breaking changes
+- URL: https://bazel.build/contribute/breaking-changes
+- Source: contribute/breaking-changes.mdx
+- Slug: /contribute/breaking-changes
+
+It is inevitable that we will make breaking changes to Bazel. We will have to
+change our designs and fix the things that do not quite work. However, we need
+to make sure that community and Bazel ecosystem can follow along. To that end,
+Bazel project has adopted a
+[backward compatibility policy](/release/backward-compatibility).
+This document describes the process for Bazel contributors to make a breaking
+change in Bazel to adhere to this policy.
+
+1. Follow the [design document policy](/contribute/design-documents).
+
+1. [File a GitHub issue.](#github-issue)
+
+1. [Implement the change.](#implementation)
+
+1. [Update labels.](#labels)
+
+1. [Update repositories.](#update-repos)
+
+1. [Flip the incompatible flag.](#flip-flag)
+
+## GitHub issue
+
+[File a GitHub issue](https://github.com/bazelbuild/bazel/issues)
+in the Bazel repository.
+[See example.](https://github.com/bazelbuild/bazel/issues/6611)
+
+We recommend that:
+
+* The title starts with the name of the flag (the flag name will start with
+ `incompatible_`).
+
+* You add the label
+ [`incompatible-change`](https://github.com/bazelbuild/bazel/labels/incompatible-change).
+
+* The description contains a description of the change and a link to relevant
+ design documents.
+
+* The description contains a migration recipe, to explain users how they should
+ update their code. Ideally, when the change is mechanical, include a link to a
+ migration tool.
+
+* The description includes an example of the error message users will get if
+ they don't migrate. This will make the GitHub issue more discoverable from
+ search engines. Make sure that the error message is helpful and actionable.
+ When possible, the error message should include the name of the incompatible
+ flag.
+
+For the migration tool, consider contributing to
+[Buildifier](https://github.com/bazelbuild/buildtools/blob/master/buildifier/README.md).
+It is able to apply automated fixes to `BUILD`, `WORKSPACE`, and `.bzl` files.
+It may also report warnings.
+
+## Implementation
+
+Create a new flag in Bazel. The default value must be false. The help text
+should contain the URL of the GitHub issue. As the flag name starts with
+`incompatible_`, it needs metadata tags:
+
+```java
+ metadataTags = {
+ OptionMetadataTag.INCOMPATIBLE_CHANGE,
+ },
+```
+
+In the commit description, add a brief summary of the flag.
+Also add [`RELNOTES:`](release-notes.md) in the following form:
+`RELNOTES: --incompatible_name_of_flag has been added. See #xyz for details`
+
+The commit should also update the relevant documentation, so that there is no
+window of commits in which the code is inconsistent with the docs. Since our
+documentation is versioned, changes to the docs will not be inadvertently
+released prematurely.
+
+## Labels
+
+Once the commit is merged and the incompatible change is ready to be adopted, add the label
+[`migration-ready`](https://github.com/bazelbuild/bazel/labels/migration-ready)
+to the GitHub issue.
+
+If a problem is found with the flag and users are not expected to migrate yet:
+remove the flags `migration-ready`.
+
+If you plan to flip the flag in the next major release, add label `breaking-change-X.0" to the issue.
+
+## Updating repositories
+
+Bazel CI tests a list of important projects at
+[Bazel@HEAD + Downstream](https://buildkite.com/bazel/bazel-at-head-plus-downstream). Most of them are often
+dependencies of other Bazel projects, therefore it's important to migrate them to unblock the migration for the broader community. To monitor the migration status of those projects, you can use the [`bazelisk-plus-incompatible-flags` pipeline](https://buildkite.com/bazel/bazelisk-plus-incompatible-flags).
+Check how this pipeline works [here](https://github.com/bazelbuild/continuous-integration/tree/master/buildkite#checking-incompatible-changes-status-for-downstream-projects).
+
+Our dev support team monitors the [`migration-ready`](https://github.com/bazelbuild/bazel/labels/migration-ready) label. Once you add this label to the GitHub issue, they will handle the following:
+
+1. Create a comment in the GitHub issue to track the list of failures and downstream projects that need to be migrated ([see example](https://github.com/bazelbuild/bazel/issues/17032#issuecomment-1353077469))
+
+1. File Github issues to notify the owners of every downstream project broken by your incompatible change ([see example](https://github.com/bazelbuild/intellij/issues/4208))
+
+1. Follow up to make sure all issues are addressed before the target release date
+
+Migrating projects in the downstream pipeline is NOT entirely the responsibility of the incompatible change author, but you can do the following to accelerate the migration and make life easier for both Bazel users and the Bazel Green Team.
+
+1. Send PRs to fix downstream projects.
+
+1. Reach out to the Bazel community for help on migration (e.g. [Bazel Rules Authors SIG](https://bazel-contrib.github.io/SIG-rules-authors/)).
+
+## Flipping the flag
+
+Before flipping the default value of the flag to true, please make sure that:
+
+* Core repositories in the ecosystem are migrated.
+
+ On the [`bazelisk-plus-incompatible-flags` pipeline](https://buildkite.com/bazel/bazelisk-plus-incompatible-flags),
+ the flag should appear under `The following flags didn't break any passing Bazel team owned/co-owned projects`.
+
+* All issues in the checklist are marked as fixed/closed.
+
+* User concerns and questions have been resolved.
+
+When the flag is ready to flip in Bazel, but blocked on internal migration at Google, please consider setting the flag value to false in the internal `blazerc` file to unblock the flag flip. By doing this, we can ensure Bazel users depend on the new behaviour by default as early as possible.
+
+When changing the flag default to true, please:
+
+* Use `RELNOTES[INC]` in the commit description, with the
+ following format:
+ `RELNOTES[INC]: --incompatible_name_of_flag is flipped to true. See #xyz for
+ details`
+ You can include additional information in the rest of the commit description.
+* Use `Fixes #xyz` in the description, so that the GitHub issue gets closed
+ when the commit is merged.
+* Review and update documentation if needed.
+* File a new issue `#abc` to track the removal of the flag.
+
+## Removing the flag
+
+After the flag is flipped at HEAD, it should be removed from Bazel eventually.
+When you plan to remove the incompatible flag:
+
+* Consider leaving more time for users to migrate if it's a major incompatible change.
+ Ideally, the flag should be available in at least one major release.
+* For the commit that removes the flag, use `Fixes #abc` in the description
+ so that the GitHub issue gets closed when the commit is merged.
+
+---
+
+## The Bazel codebase
+- URL: https://bazel.build/contribute/codebase
+- Source: contribute/codebase.mdx
+- Slug: /contribute/codebase
+
+This document is a description of the codebase and how Bazel is structured. It
+is intended for people willing to contribute to Bazel, not for end-users.
+
+## Introduction
+
+The codebase of Bazel is large (~350KLOC production code and ~260 KLOC test
+code) and no one is familiar with the whole landscape: everyone knows their
+particular valley very well, but few know what lies over the hills in every
+direction.
+
+In order for people midway upon the journey not to find themselves within a
+forest dark with the straightforward pathway being lost, this document tries to
+give an overview of the codebase so that it's easier to get started with
+working on it.
+
+The public version of the source code of Bazel lives on GitHub at
+[github.com/bazelbuild/bazel](http://github.com/bazelbuild/bazel). This is not
+the "source of truth"; it's derived from a Google-internal source tree that
+contains additional functionality that is not useful outside Google. The
+long-term goal is to make GitHub the source of truth.
+
+Contributions are accepted through the regular GitHub pull request mechanism,
+and manually imported by a Googler into the internal source tree, then
+re-exported back out to GitHub.
+
+## Client/server architecture
+
+The bulk of Bazel resides in a server process that stays in RAM between builds.
+This allows Bazel to maintain state between builds.
+
+This is why the Bazel command line has two kinds of options: startup and
+command. In a command line like this:
+
+```
+ bazel --host_jvm_args=-Xmx8G build -c opt //foo:bar
+```
+
+Some options (`--host_jvm_args=`) are before the name of the command to be run
+and some are after (`-c opt`); the former kind is called a "startup option" and
+affects the server process as a whole, whereas the latter kind, the "command
+option", only affects a single command.
+
+Each server instance has a single associated workspace (collection of source
+trees known as "repositories") and each workspace usually has a single active
+server instance. This can be circumvented by specifying a custom output base
+(see the "Directory layout" section for more information).
+
+Bazel is distributed as a single ELF executable that is also a valid .zip file.
+When you type `bazel`, the above ELF executable implemented in C++ (the
+"client") gets control. It sets up an appropriate server process using the
+following steps:
+
+1. Checks whether it has already extracted itself. If not, it does that. This
+ is where the implementation of the server comes from.
+2. Checks whether there is an active server instance that works: it is running,
+ it has the right startup options and uses the right workspace directory. It
+ finds the running server by looking at the directory `$OUTPUT_BASE/server`
+ where there is a lock file with the port the server is listening on.
+3. If needed, kills the old server process
+4. If needed, starts up a new server process
+
+After a suitable server process is ready, the command that needs to be run is
+communicated to it over a gRPC interface, then the output of Bazel is piped back
+to the terminal. Only one command can be running at the same time. This is
+implemented using an elaborate locking mechanism with parts in C++ and parts in
+Java. There is some infrastructure for running multiple commands in parallel,
+since the inability to run `bazel version` in parallel with another command
+is somewhat embarrassing. The main blocker is the life cycle of `BlazeModule`s
+and some state in `BlazeRuntime`.
+
+At the end of a command, the Bazel server transmits the exit code the client
+should return. An interesting wrinkle is the implementation of `bazel run`: the
+job of this command is to run something Bazel just built, but it can't do that
+from the server process because it doesn't have a terminal. So instead it tells
+the client what binary it should `exec()` and with what arguments.
+
+When one presses Ctrl-C, the client translates it to a Cancel call on the gRPC
+connection, which tries to terminate the command as soon as possible. After the
+third Ctrl-C, the client sends a SIGKILL to the server instead.
+
+The source code of the client is under `src/main/cpp` and the protocol used to
+communicate with the server is in `src/main/protobuf/command_server.proto` .
+
+The main entry point of the server is `BlazeRuntime.main()` and the gRPC calls
+from the client are handled by `GrpcServerImpl.run()`.
+
+## Directory layout
+
+Bazel creates a somewhat complicated set of directories during a build. A full
+description is available in [Output directory layout](/remote/output-directories).
+
+The "main repo" is the source tree Bazel is run in. It usually corresponds to
+something you checked out from source control. The root of this directory is
+known as the "workspace root".
+
+Bazel puts all of its data under the "output user root". This is usually
+`$HOME/.cache/bazel/_bazel_${USER}`, but can be overridden using the
+`--output_user_root` startup option.
+
+The "install base" is where Bazel is extracted to. This is done automatically
+and each Bazel version gets a subdirectory based on its checksum under the
+install base. It's at `$OUTPUT_USER_ROOT/install` by default and can be changed
+using the `--install_base` command line option.
+
+The "output base" is the place where the Bazel instance attached to a specific
+workspace writes to. Each output base has at most one Bazel server instance
+running at any time. It's usually at `$OUTPUT_USER_ROOT/| Command | +deps = | +
bazel build //myapp:mybinary --cpu=arm |
+ [":arm_lib"] |
+
bazel build //myapp:mybinary -c dbg --cpu=x86 |
+ [":x86_dev_lib"] |
+
bazel build //myapp:mybinary --cpu=ppc |
+ [":generic_lib"] |
+
bazel build //myapp:mybinary -c dbg --cpu=ppc |
+ [":generic_lib"] |
+
Fast iterative development for Android
+ +This page describes how `bazel mobile-install` makes iterative development +for Android much faster. It describes the benefits of this approach versus the +drawbacks of separate build and install steps. + +## Summary + +To install small changes to an Android app very quickly, do the following: + + 1. Find the `android_binary` rule of the app you want to install. + 2. Connect your device to `adb`. + 3. Run `bazel mobile-install :your_target`. App startup will be a little + slower than usual. + 4. Edit the code or Android resources. + 5. Run `bazel mobile-install :your_target`. + 6. Enjoy a fast and minimal incremental installation! + +Some command line options to Bazel that may be useful: + + - `--adb` tells Bazel which adb binary to use + - `--adb_arg` can be used to add extra arguments to the command line of `adb`. + One useful application of this is to select which device you want to install + to if you have multiple devices connected to your workstation: + `bazel mobile-install :your_target -- --adb_arg=-s --adb_arg=
+
+This, of course, depends on the nature of the change: recompilation after
+changing a base library takes more time.
+
+### Limitations
+
+The tricks the stub application plays don't work in every case.
+The following cases highlight where it does not work as expected:
+
+ - Mobile-install is only supported via the Starlark rules of `rules_android`.
+ See the ["brief history of mobile-install"](#mobile-install-history) for
+ more detail.
+
+ - Only devices running ART are supported. Mobile-install uses API and runtime features
+ that only exist on devices running ART, not Dalvik. Any Android runtime more
+ recent than Android L (API 21+) should be compatible.
+
+ - Bazel itself must be run with a tool Java runtime _and_ language version
+ of 17 or higher.
+
+ - Bazel versions prior to 8.4.0 must specify some additional flags for
+ mobile-install. See [the Bazel Android tutorial](/start/android-app). These
+ flags inform Bazel where the Starlark mobile-install aspect is and which
+ rules are supported.
+
+### A brief history of mobile-install
+Earlier Bazel versions _natively_ included built-in build and test rules for
+popular languages and ecosystems such as C++, Java, and Android. These rules
+were therefore referred to as _native_ rules. Bazel 8 (released in 2024) removed
+support for these rules because many of them had been migrated to the
+[Starlark](/rules/language) language. See the ["Bazel 8.0 LTS blog post"](https://blog.bazel.build/2024/12/09/bazel-8-release.html)
+for more details.
+
+The legacy native Android rules also supported a legacy _native_ version of
+mobile-install functionality. This is referred to as "mobile-install v1" or
+"native mobile-install" now. This functionality was deleted in Bazel 8, along
+with the built-in Android rules.
+
+Now, all mobile-install functionality, as well as all Android build and test
+rules, are implemented in Starlark and reside in the `rules_android` GitHub
+repository. The latest version is known as "mobile-install v3" or "MIv3".
+
+_Naming note_: There was a "mobile-install **v2**" available only internally
+at Google at one point, but this was never published externally, and only v3
+continues to be used for both Google-internal and OSS rules_android deployment.
+
+---
+
+## Sandboxing
+- URL: https://bazel.build/docs/sandboxing
+- Source: docs/sandboxing.mdx
+- Slug: /docs/sandboxing
+
+This article covers sandboxing in Bazel and debugging your sandboxing
+environment.
+
+*Sandboxing* is a permission restricting strategy that isolates processes from
+each other or from resources in a system. For Bazel, this means restricting file
+system access.
+
+Bazel's file system sandbox runs processes in a working directory that only
+contains known inputs, such that compilers and other tools don't see source
+files they should not access, unless they know the absolute paths to them.
+
+Sandboxing doesn't hide the host environment in any way. Processes can freely
+access all files on the file system. However, on platforms that support user
+namespaces, processes can't modify any files outside their working directory.
+This ensures that the build graph doesn't have hidden dependencies that could
+affect the reproducibility of the build.
+
+More specifically, Bazel constructs an `execroot/` directory for each action,
+which acts as the action's work directory at execution time. `execroot/`
+contains all input files to the action and serves as the container for any
+generated outputs. Bazel then uses an operating-system-provided technique,
+containers on Linux and `sandbox-exec` on macOS, to constrain the action within
+`execroot/`.
+
+## Reasons for sandboxing
+
+- Without action sandboxing, Bazel doesn't know if a tool uses undeclared
+ input files (files that are not explicitly listed in the dependencies of an
+ action). When one of the undeclared input files changes, Bazel still
+ believes that the build is up-to-date and won’t rebuild the action. This can
+ result in an incorrect incremental build.
+
+- Incorrect reuse of cache entries creates problems during remote caching. A
+ bad cache entry in a shared cache affects every developer on the project,
+ and wiping the entire remote cache is not a feasible solution.
+
+- Sandboxing mimics the behavior of remote execution — if a build works well
+ with sandboxing, it will likely also work with remote execution. By making
+ remote execution upload all necessary files (including local tools), you can
+ significantly reduce maintenance costs for compile clusters compared to
+ having to install the tools on every machine in the cluster every time you
+ want to try out a new compiler or make a change to an existing tool.
+
+## What sandbox strategy to use
+
+You can choose which kind of sandboxing to use, if any, with the
+[strategy flags](user-manual.html#strategy-options). Using the `sandboxed`
+strategy makes Bazel pick one of the sandbox implementations listed below,
+preferring an OS-specific sandbox to the less hermetic generic one.
+[Persistent workers](/remote/persistent) run in a generic sandbox if you pass
+the `--worker_sandboxing` flag.
+
+The `local` (a.k.a. `standalone`) strategy does not do any kind of sandboxing.
+It simply executes the action's command line with the working directory set to
+the execroot of your workspace.
+
+`processwrapper-sandbox` is a sandboxing strategy that does not require any
+"advanced" features - it should work on any POSIX system out of the box. It
+builds a sandbox directory consisting of symlinks that point to the original
+source files, executes the action's command line with the working directory set
+to this directory instead of the execroot, then moves the known output artifacts
+out of the sandbox into the execroot and deletes the sandbox. This prevents the
+action from accidentally using any input files that are not declared and from
+littering the execroot with unknown output files.
+
+`linux-sandbox` goes one step further and builds on top of the
+`processwrapper-sandbox`. Similar to what Docker does under the hood, it uses
+Linux Namespaces (User, Mount, PID, Network and IPC namespaces) to isolate the
+action from the host. That is, it makes the entire filesystem read-only except
+for the sandbox directory, so the action cannot accidentally modify anything on
+the host filesystem. This prevents situations like a buggy test accidentally rm
+-rf'ing your $HOME directory. Optionally, you can also prevent the action from
+accessing the network. `linux-sandbox` uses PID namespaces to prevent the action
+from seeing any other processes and to reliably kill all processes (even daemons
+spawned by the action) at the end.
+
+`darwin-sandbox` is similar, but for macOS. It uses Apple's `sandbox-exec` tool
+to achieve roughly the same as the Linux sandbox.
+
+Both the `linux-sandbox` and the `darwin-sandbox` do not work in a "nested"
+scenario due to restrictions in the mechanisms provided by the operating
+systems. Because Docker also uses Linux namespaces for its container magic, you
+cannot easily run `linux-sandbox` inside a Docker container, unless you use
+`docker run --privileged`. On macOS, you cannot run `sandbox-exec` inside a
+process that's already being sandboxed. Thus, in these cases, Bazel
+automatically falls back to using `processwrapper-sandbox`.
+
+If you would rather get a build error — such as to not accidentally build with a
+less strict execution strategy — explicitly modify the list of execution
+strategies that Bazel tries to use (for example, `bazel build
+--spawn_strategy=worker,linux-sandbox`).
+
+Dynamic execution usually requires sandboxing for local execution. To opt out,
+pass the `--experimental_local_lockfree_output` flag. Dynamic execution silently
+sandboxes [persistent workers](/remote/persistent).
+
+## Downsides to sandboxing
+
+- Sandboxing incurs extra setup and teardown cost. How big this cost is
+ depends on many factors, including the shape of the build and the
+ performance of the host OS. For Linux, sandboxed builds are rarely more than
+ a few percent slower. Setting `--reuse_sandbox_directories` can
+ mitigate the setup and teardown cost.
+
+- Sandboxing effectively disables any cache the tool may have. You can
+ mitigate this by using [persistent workers](/remote/persistent), at
+ the cost of weaker sandbox guarantees.
+
+- [Multiplex workers](/remote/multiplex) require explicit worker support
+ to be sandboxed. Workers that do not support multiplex sandboxing run as
+ singleplex workers under dynamic execution, which can cost extra memory.
+
+## Debugging
+
+Follow the strategies below to debug issues with sandboxing.
+
+### Deactivated namespaces
+
+On some platforms, such as
+[Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/)
+cluster nodes or Debian, user namespaces are deactivated by default due to
+security concerns. If the `/proc/sys/kernel/unprivileged_userns_clone` file
+exists and contains a 0, you can activate user namespaces by running:
+
+```posix-terminal
+ sudo sysctl kernel.unprivileged_userns_clone=1
+```
+
+### Rule execution failures
+
+The sandbox may fail to execute rules because of the system setup. If you see a
+message like `namespace-sandbox.c:633: execvp(argv[0], argv): No such file or
+directory`, try to deactivate the sandbox with `--strategy=Genrule=local` for
+genrules, and `--spawn_strategy=local` for other rules.
+
+### Detailed debugging for build failures
+
+If your build failed, use `--verbose_failures` and `--sandbox_debug` to make
+Bazel show the exact command it ran when your build failed, including the part
+that sets up the sandbox.
+
+Example error message:
+
+```
+ERROR: path/to/your/project/BUILD:1:1: compilation of rule
+'//path/to/your/project:all' failed:
+
+Sandboxed execution failed, which may be legitimate (such as a compiler error),
+or due to missing dependencies. To enter the sandbox environment for easier
+debugging, run the following command in parentheses. On command failure, a bash
+shell running inside the sandbox will then automatically be spawned
+
+namespace-sandbox failed: error executing command
+ (cd /some/path && \
+ exec env - \
+ LANG=en_US \
+ PATH=/some/path/bin:/bin:/usr/bin \
+ PYTHONPATH=/usr/local/some/path \
+ /some/path/namespace-sandbox @/sandbox/root/path/this-sandbox-name.params --
+ /some/path/to/your/some-compiler --some-params some-target)
+```
+
+You can now inspect the generated sandbox directory and see which files Bazel
+created and run the command again to see how it behaves.
+
+Note that Bazel does not delete the sandbox directory when you use
+`--sandbox_debug`. Unless you are actively debugging, you should disable
+`--sandbox_debug` because it fills up your disk over time.
+
+---
+
+## Aspects
+- URL: https://bazel.build/extending/aspects
+- Source: extending/aspects.mdx
+- Slug: /extending/aspects
+
+This page explains the basics and benefits of using
+[aspects](/rules/lib/globals/bzl#aspect) and provides simple and advanced
+examples.
+
+Aspects allow augmenting build dependency graphs with additional information
+and actions. Some typical scenarios when aspects can be useful:
+
+* IDEs that integrate Bazel can use aspects to collect information about the
+ project.
+* Code generation tools can leverage aspects to execute on their inputs in
+ *target-agnostic* manner. As an example, `BUILD` files can specify a hierarchy
+ of [protobuf](https://developers.google.com/protocol-buffers/) library
+ definitions, and language-specific rules can use aspects to attach
+ actions generating protobuf support code for a particular language.
+
+## Aspect basics
+
+`BUILD` files provide a description of a project’s source code: what source
+files are part of the project, what artifacts (_targets_) should be built from
+those files, what the dependencies between those files are, etc. Bazel uses
+this information to perform a build, that is, it figures out the set of actions
+needed to produce the artifacts (such as running compiler or linker) and
+executes those actions. Bazel accomplishes this by constructing a _dependency
+graph_ between targets and visiting this graph to collect those actions.
+
+Consider the following `BUILD` file:
+
+```python
+java_library(name = 'W', ...)
+java_library(name = 'Y', deps = [':W'], ...)
+java_library(name = 'Z', deps = [':W'], ...)
+java_library(name = 'Q', ...)
+java_library(name = 'T', deps = [':Q'], ...)
+java_library(name = 'X', deps = [':Y',':Z'], runtime_deps = [':T'], ...)
+```
+
+This `BUILD` file defines a dependency graph shown in the following figure:
+
+
+
+**Figure 1.** `BUILD` file dependency graph.
+
+Bazel analyzes this dependency graph by calling an implementation function of
+the corresponding [rule](/extending/rules) (in this case "java_library") for every
+target in the above example. Rule implementation functions generate actions that
+build artifacts, such as `.jar` files, and pass information, such as locations
+and names of those artifacts, to the reverse dependencies of those targets in
+[providers](/extending/rules#providers).
+
+Aspects are similar to rules in that they have an implementation function that
+generates actions and returns providers. However, their power comes from
+the way the dependency graph is built for them. An aspect has an implementation
+and a list of all attributes it propagates along. Consider an aspect A that
+propagates along attributes named "deps". This aspect can be applied to
+a target X, yielding an aspect application node A(X). During its application,
+aspect A is applied recursively to all targets that X refers to in its "deps"
+attribute (all attributes in A's propagation list).
+
+Thus a single act of applying aspect A to a target X yields a "shadow graph" of
+the original dependency graph of targets shown in the following figure:
+
+
+
+**Figure 2.** Build graph with aspects.
+
+The only edges that are shadowed are the edges along the attributes in
+the propagation set, thus the `runtime_deps` edge is not shadowed in this
+example. An aspect implementation function is then invoked on all nodes in
+the shadow graph similar to how rule implementations are invoked on the nodes
+of the original graph.
+
+## Simple example
+
+This example demonstrates how to recursively print the source files for a
+rule and all of its dependencies that have a `deps` attribute. It shows
+an aspect implementation, an aspect definition, and how to invoke the aspect
+from the Bazel command line.
+
+```python
+def _print_aspect_impl(target, ctx):
+ # Make sure the rule has a srcs attribute.
+ if hasattr(ctx.rule.attr, 'srcs'):
+ # Iterate through the files that make up the sources and
+ # print their paths.
+ for src in ctx.rule.attr.srcs:
+ for f in src.files.to_list():
+ print(f.path)
+ return []
+
+print_aspect = aspect(
+ implementation = _print_aspect_impl,
+ attr_aspects = ['deps'],
+ required_providers = [CcInfo],
+)
+```
+
+Let's break the example up into its parts and examine each one individually.
+
+### Aspect definition
+
+```python
+print_aspect = aspect(
+ implementation = _print_aspect_impl,
+ attr_aspects = ['deps'],
+ required_providers = [CcInfo],
+)
+```
+Aspect definitions are similar to rule definitions, and defined using
+the [`aspect`](/rules/lib/globals/bzl#aspect) function.
+
+Just like a rule, an aspect has an implementation function which in this case is
+``_print_aspect_impl``.
+
+``attr_aspects`` is a list of rule attributes along which the aspect propagates.
+In this case, the aspect will propagate along the ``deps`` attribute of the
+rules that it is applied to.
+
+Another common argument for `attr_aspects` is `['*']` which would propagate the
+aspect to all attributes of a rule.
+
+``required_providers`` is a list of providers that allows the aspect to limit
+its propagation to only the targets whose rules advertise its required
+providers. For more details consult
+[the documentation of the aspect function](/rules/lib/globals/bzl#aspect).
+In this case, the aspect will only apply on targets that declare `CcInfo`
+provider.
+
+### Aspect implementation
+
+```python
+def _print_aspect_impl(target, ctx):
+ # Make sure the rule has a srcs attribute.
+ if hasattr(ctx.rule.attr, 'srcs'):
+ # Iterate through the files that make up the sources and
+ # print their paths.
+ for src in ctx.rule.attr.srcs:
+ for f in src.files.to_list():
+ print(f.path)
+ return []
+```
+
+Aspect implementation functions are similar to the rule implementation
+functions. They return [providers](/extending/rules#providers), can generate
+[actions](/extending/rules#actions), and take two arguments:
+
+* `target`: the [target](/rules/lib/builtins/Target) the aspect is being applied to.
+* `ctx`: [`ctx`](/rules/lib/builtins/ctx) object that can be used to access attributes
+ and generate outputs and actions.
+
+The implementation function can access the attributes of the target rule via
+[`ctx.rule.attr`](/rules/lib/builtins/ctx#rule). It can examine providers that are
+provided by the target to which it is applied (via the `target` argument).
+
+Aspects are required to return a list of providers. In this example, the aspect
+does not provide anything, so it returns an empty list.
+
+### Invoking the aspect using the command line
+
+The simplest way to apply an aspect is from the command line using the
+[`--aspects`](/reference/command-line-reference#flag--aspects)
+argument. Assuming the aspect above were defined in a file named `print.bzl`
+this:
+
+```bash
+bazel build //MyExample:example --aspects print.bzl%print_aspect
+```
+
+would apply the `print_aspect` to the target `example` and all of the
+target rules that are accessible recursively via the `deps` attribute.
+
+The `--aspects` flag takes one argument, which is a specification of the aspect
+in the format `
+
+This works, because Bazel will always run the validation action when the compile
+action is run, but this has significant drawbacks:
+
+1. The validation action is in the critical path of the build. Because Bazel
+thinks the empty output is required to run the compile action, it will run the
+validation action first, even though the compile action will ignore the input.
+This reduces parallelism and slows down builds.
+
+2. If other actions in the build might run instead of the
+compile action, then the empty outputs of validation actions need to be added to
+those actions as well (`java_library`'s source jar output, for example). This is
+also a problem if new actions that might run instead of the compile action are
+added later, and the empty validation output is accidentally left off.
+
+The solution to these problems is to use the Validations Output Group.
+
+#### Validations Output Group
+
+The Validations Output Group is an output group designed to hold the otherwise
+unused outputs of validation actions, so that they don't need to be artificially
+added to the inputs of other actions.
+
+This group is special in that its outputs are always requested, regardless of
+the value of the `--output_groups` flag, and regardless of how the target is
+depended upon (for example, on the command line, as a dependency, or through
+implicit outputs of the target). Note that normal caching and incrementality
+still apply: if the inputs to the validation action have not changed and the
+validation action previously succeeded, then the validation action won't be
+run.
+
+
+
+Using this output group still requires that validation actions output some file,
+even an empty one. This might require wrapping some tools that normally don't
+create outputs so that a file is created.
+
+A target's validation actions are not run in three cases:
+
+* When the target is depended upon as a tool
+* When the target is depended upon as an implicit dependency (for example, an
+ attribute that starts with "_")
+* When the target is built in the exec configuration.
+
+It is assumed that these targets have their own
+separate builds and tests that would uncover any validation failures.
+
+#### Using the Validations Output Group
+
+The Validations Output Group is named `_validation` and is used like any other
+output group:
+
+```python
+def _rule_with_validation_impl(ctx):
+
+ ctx.actions.write(ctx.outputs.main, "main output\n")
+ ctx.actions.write(ctx.outputs.implicit, "implicit output\n")
+
+ validation_output = ctx.actions.declare_file(ctx.attr.name + ".validation")
+ ctx.actions.run(
+ outputs = [validation_output],
+ executable = ctx.executable._validation_tool,
+ arguments = [validation_output.path],
+ )
+
+ return [
+ DefaultInfo(files = depset([ctx.outputs.main])),
+ OutputGroupInfo(_validation = depset([validation_output])),
+ ]
+
+
+rule_with_validation = rule(
+ implementation = _rule_with_validation_impl,
+ outputs = {
+ "main": "%{name}.main",
+ "implicit": "%{name}.implicit",
+ },
+ attrs = {
+ "_validation_tool": attr.label(
+ default = Label("//validation_actions:validation_tool"),
+ executable = True,
+ cfg = "exec"
+ ),
+ }
+)
+```
+
+Notice that the validation output file is not added to the `DefaultInfo` or the
+inputs to any other action. The validation action for a target of this rule kind
+will still run if the target is depended upon by label, or any of the target's
+implicit outputs are directly or indirectly depended upon.
+
+It is usually important that the outputs of validation actions only go into the
+validation output group, and are not added to the inputs of other actions, as
+this could defeat parallelism gains. Note however that Bazel doesn't
+have any special checking to enforce this. Therefore, you should test
+that validation action outputs are not added to the inputs of any actions in the
+tests for Starlark rules. For example:
+
+```python
+load("@bazel_skylib//lib:unittest.bzl", "analysistest")
+
+def _validation_outputs_test_impl(ctx):
+ env = analysistest.begin(ctx)
+
+ actions = analysistest.target_actions(env)
+ target = analysistest.target_under_test(env)
+ validation_outputs = target.output_groups._validation.to_list()
+ for action in actions:
+ for validation_output in validation_outputs:
+ if validation_output in action.inputs.to_list():
+ analysistest.fail(env,
+ "%s is a validation action output, but is an input to action %s" % (
+ validation_output, action))
+
+ return analysistest.end(env)
+
+validation_outputs_test = analysistest.make(_validation_outputs_test_impl)
+```
+
+#### Validation Actions Flag
+
+Running validation actions is controlled by the `--run_validations` command line
+flag, which defaults to true.
+
+## Deprecated features
+
+### Deprecated predeclared outputs
+
+There are two **deprecated** ways of using predeclared outputs:
+
+* The [`outputs`](/rules/lib/globals/bzl#rule.outputs) parameter of `rule` specifies
+ a mapping between output attribute names and string templates for generating
+ predeclared output labels. Prefer using non-predeclared outputs and
+ explicitly adding outputs to `DefaultInfo.files`. Use the rule target's
+ label as input for rules which consume the output instead of a predeclared
+ output's label.
+
+* For [executable rules](#executable-rules), `ctx.outputs.executable` refers
+ to a predeclared executable output with the same name as the rule target.
+ Prefer declaring the output explicitly, for example with
+ `ctx.actions.declare_file(ctx.label.name)`, and ensure that the command that
+ generates the executable sets its permissions to allow execution. Explicitly
+ pass the executable output to the `executable` parameter of `DefaultInfo`.
+
+### Runfiles features to avoid
+
+[`ctx.runfiles`](/rules/lib/builtins/ctx#runfiles) and the [`runfiles`](/rules/lib/builtins/runfiles)
+type have a complex set of features, many of which are kept for legacy reasons.
+The following recommendations help reduce complexity:
+
+* **Avoid** use of the `collect_data` and `collect_default` modes of
+ [`ctx.runfiles`](/rules/lib/builtins/ctx#runfiles). These modes implicitly collect
+ runfiles across certain hardcoded dependency edges in confusing ways.
+ Instead, add files using the `files` or `transitive_files` parameters of
+ `ctx.runfiles`, or by merging in runfiles from dependencies with
+ `runfiles = runfiles.merge(dep[DefaultInfo].default_runfiles)`.
+
+* **Avoid** use of the `data_runfiles` and `default_runfiles` of the
+ `DefaultInfo` constructor. Specify `DefaultInfo(runfiles = ...)` instead.
+ The distinction between "default" and "data" runfiles is maintained for
+ legacy reasons. For example, some rules put their default outputs in
+ `data_runfiles`, but not `default_runfiles`. Instead of using
+ `data_runfiles`, rules should *both* include default outputs and merge in
+ `default_runfiles` from attributes which provide runfiles (often
+ [`data`](/reference/be/common-definitions#common-attributes.data)).
+
+* When retrieving `runfiles` from `DefaultInfo` (generally only for merging
+ runfiles between the current rule and its dependencies), use
+ `DefaultInfo.default_runfiles`, **not** `DefaultInfo.data_runfiles`.
+
+### Migrating from legacy providers
+
+Historically, Bazel providers were simple fields on the `Target` object. They
+were accessed using the dot operator, and they were created by putting the field
+in a [`struct`](/rules/lib/builtins/struct) returned by the rule's
+implementation function instead of a list of provider objects:
+
+```python
+return struct(example_info = struct(headers = depset(...)))
+```
+
+Such providers can be retrieved from the corresponding field of the `Target` object:
+
+```python
+transitive_headers = [hdr.example_info.headers for hdr in ctx.attr.hdrs]
+```
+
+*This style is deprecated and should not be used in new code;* see following for
+information that may help you migrate. The new provider mechanism avoids name
+clashes. It also supports data hiding, by requiring any code accessing a
+provider instance to retrieve it using the provider symbol.
+
+For the moment, legacy providers are still supported. A rule can return both
+legacy and modern providers as follows:
+
+```python
+def _old_rule_impl(ctx):
+ ...
+ legacy_data = struct(x = "foo", ...)
+ modern_data = MyInfo(y = "bar", ...)
+ # When any legacy providers are returned, the top-level returned value is a
+ # struct.
+ return struct(
+ # One key = value entry for each legacy provider.
+ legacy_info = legacy_data,
+ ...
+ # Additional modern providers:
+ providers = [modern_data, ...])
+```
+
+If `dep` is the resulting `Target` object for an instance of this rule, the
+providers and their contents can be retrieved as `dep.legacy_info.x` and
+`dep[MyInfo].y`.
+
+In addition to `providers`, the returned struct can also take several other
+fields that have special meaning (and thus don't create a corresponding legacy
+provider):
+
+* The fields `files`, `runfiles`, `data_runfiles`, `default_runfiles`, and
+ `executable` correspond to the same-named fields of
+ [`DefaultInfo`](/rules/lib/providers/DefaultInfo). It is not allowed to specify any of
+ these fields while also returning a `DefaultInfo` provider.
+
+* The field `output_groups` takes a struct value and corresponds to an
+ [`OutputGroupInfo`](/rules/lib/providers/OutputGroupInfo).
+
+In [`provides`](/rules/lib/globals/bzl#rule.provides) declarations of rules, and in
+[`providers`](/rules/lib/toplevel/attr#label_list.providers) declarations of dependency
+attributes, legacy providers are passed in as strings and modern providers are
+passed in by their `Info` symbol. Be sure to change from strings to symbols
+when migrating. For complex or large rule sets where it is difficult to update
+all rules atomically, you may have an easier time if you follow this sequence of
+steps:
+
+1. Modify the rules that produce the legacy provider to produce both the legacy
+ and modern providers, using the preceding syntax. For rules that declare they
+ return the legacy provider, update that declaration to include both the
+ legacy and modern providers.
+
+2. Modify the rules that consume the legacy provider to instead consume the
+ modern provider. If any attribute declarations require the legacy provider,
+ also update them to instead require the modern provider. Optionally, you can
+ interleave this work with step 1 by having consumers accept or require either
+ provider: Test for the presence of the legacy provider using
+ `hasattr(target, 'foo')`, or the new provider using `FooInfo in target`.
+
+3. Fully remove the legacy provider from all rules.
+
+---
+
+## Toolchains
+- URL: https://bazel.build/extending/toolchains
+- Source: extending/toolchains.mdx
+- Slug: /extending/toolchains
+
+This page describes the toolchain framework, which is a way for rule authors to
+decouple their rule logic from platform-based selection of tools. It is
+recommended to read the [rules](/extending/rules) and [platforms](/extending/platforms)
+pages before continuing. This page covers why toolchains are needed, how to
+define and use them, and how Bazel selects an appropriate toolchain based on
+platform constraints.
+
+## Motivation
+
+Let's first look at the problem toolchains are designed to solve. Suppose you
+are writing rules to support the "bar" programming language. Your `bar_binary`
+rule would compile `*.bar` files using the `barc` compiler, a tool that itself
+is built as another target in your workspace. Since users who write `bar_binary`
+targets shouldn't have to specify a dependency on the compiler, you make it an
+implicit dependency by adding it to the rule definition as a private attribute.
+
+```python
+bar_binary = rule(
+ implementation = _bar_binary_impl,
+ attrs = {
+ "srcs": attr.label_list(allow_files = True),
+ ...
+ "_compiler": attr.label(
+ default = "//bar_tools:barc_linux", # the compiler running on linux
+ providers = [BarcInfo],
+ ),
+ },
+)
+```
+
+`//bar_tools:barc_linux` is now a dependency of every `bar_binary` target, so
+it'll be built before any `bar_binary` target. It can be accessed by the rule's
+implementation function just like any other attribute:
+
+```python
+BarcInfo = provider(
+ doc = "Information about how to invoke the barc compiler.",
+ # In the real world, compiler_path and system_lib might hold File objects,
+ # but for simplicity they are strings for this example. arch_flags is a list
+ # of strings.
+ fields = ["compiler_path", "system_lib", "arch_flags"],
+)
+
+def _bar_binary_impl(ctx):
+ ...
+ info = ctx.attr._compiler[BarcInfo]
+ command = "%s -l %s %s" % (
+ info.compiler_path,
+ info.system_lib,
+ " ".join(info.arch_flags),
+ )
+ ...
+```
+
+The issue here is that the compiler's label is hardcoded into `bar_binary`, yet
+different targets may need different compilers depending on what platform they
+are being built for and what platform they are being built on -- called the
+*target platform* and *execution platform*, respectively. Furthermore, the rule
+author does not necessarily even know all the available tools and platforms, so
+it is not feasible to hardcode them in the rule's definition.
+
+A less-than-ideal solution would be to shift the burden onto users, by making
+the `_compiler` attribute non-private. Then individual targets could be
+hardcoded to build for one platform or another.
+
+```python
+bar_binary(
+ name = "myprog_on_linux",
+ srcs = ["mysrc.bar"],
+ compiler = "//bar_tools:barc_linux",
+)
+
+bar_binary(
+ name = "myprog_on_windows",
+ srcs = ["mysrc.bar"],
+ compiler = "//bar_tools:barc_windows",
+)
+```
+
+You can improve on this solution by using `select` to choose the `compiler`
+[based on the platform](/docs/configurable-attributes):
+
+```python
+config_setting(
+ name = "on_linux",
+ constraint_values = [
+ "@platforms//os:linux",
+ ],
+)
+
+config_setting(
+ name = "on_windows",
+ constraint_values = [
+ "@platforms//os:windows",
+ ],
+)
+
+bar_binary(
+ name = "myprog",
+ srcs = ["mysrc.bar"],
+ compiler = select({
+ ":on_linux": "//bar_tools:barc_linux",
+ ":on_windows": "//bar_tools:barc_windows",
+ }),
+)
+```
+
+But this is tedious and a bit much to ask of every single `bar_binary` user.
+If this style is not used consistently throughout the workspace, it leads to
+builds that work fine on a single platform but fail when extended to
+multi-platform scenarios. It also does not address the problem of adding support
+for new platforms and compilers without modifying existing rules or targets.
+
+The toolchain framework solves this problem by adding an extra level of
+indirection. Essentially, you declare that your rule has an abstract dependency
+on *some* member of a family of targets (a toolchain type), and Bazel
+automatically resolves this to a particular target (a toolchain) based on the
+applicable platform constraints. Neither the rule author nor the target author
+need know the complete set of available platforms and toolchains.
+
+## Writing rules that use toolchains
+
+Under the toolchain framework, instead of having rules depend directly on tools,
+they instead depend on *toolchain types*. A toolchain type is a simple target
+that represents a class of tools that serve the same role for different
+platforms. For instance, you can declare a type that represents the bar
+compiler:
+
+```python
+# By convention, toolchain_type targets are named "toolchain_type" and
+# distinguished by their package path. So the full path for this would be
+# //bar_tools:toolchain_type.
+toolchain_type(name = "toolchain_type")
+```
+
+The rule definition in the previous section is modified so that instead of
+taking in the compiler as an attribute, it declares that it consumes a
+`//bar_tools:toolchain_type` toolchain.
+
+```python
+bar_binary = rule(
+ implementation = _bar_binary_impl,
+ attrs = {
+ "srcs": attr.label_list(allow_files = True),
+ ...
+ # No `_compiler` attribute anymore.
+ },
+ toolchains = ["//bar_tools:toolchain_type"],
+)
+```
+
+The implementation function now accesses this dependency under `ctx.toolchains`
+instead of `ctx.attr`, using the toolchain type as the key.
+
+```python
+def _bar_binary_impl(ctx):
+ ...
+ info = ctx.toolchains["//bar_tools:toolchain_type"].barcinfo
+ # The rest is unchanged.
+ command = "%s -l %s %s" % (
+ info.compiler_path,
+ info.system_lib,
+ " ".join(info.arch_flags),
+ )
+ ...
+```
+
+`ctx.toolchains["//bar_tools:toolchain_type"]` returns the
+[`ToolchainInfo` provider](/rules/lib/toplevel/platform_common#ToolchainInfo)
+of whatever target Bazel resolved the toolchain dependency to. The fields of the
+`ToolchainInfo` object are set by the underlying tool's rule; in the next
+section, this rule is defined such that there is a `barcinfo` field that wraps
+a `BarcInfo` object.
+
+Bazel's procedure for resolving toolchains to targets is described
+[below](#toolchain-resolution). Only the resolved toolchain target is actually
+made a dependency of the `bar_binary` target, not the whole space of candidate
+toolchains.
+
+### Mandatory and Optional Toolchains
+
+By default, when a rule expresses a toolchain type dependency using a bare label
+(as shown above), the toolchain type is considered to be **mandatory**. If Bazel
+is unable to find a matching toolchain (see
+[Toolchain resolution](#toolchain-resolution) below) for a mandatory toolchain
+type, this is an error and analysis halts.
+
+It is possible instead to declare an **optional** toolchain type dependency, as
+follows:
+
+```python
+bar_binary = rule(
+ ...
+ toolchains = [
+ config_common.toolchain_type("//bar_tools:toolchain_type", mandatory = False),
+ ],
+)
+```
+
+When an optional toolchain type cannot be resolved, analysis continues, and the
+result of `ctx.toolchains["//bar_tools:toolchain_type"]` is `None`.
+
+The [`config_common.toolchain_type`](/rules/lib/toplevel/config_common#toolchain_type)
+function defaults to mandatory.
+
+The following forms can be used:
+
+- Mandatory toolchain types:
+ - `toolchains = ["//bar_tools:toolchain_type"]`
+ - `toolchains = [config_common.toolchain_type("//bar_tools:toolchain_type")]`
+ - `toolchains = [config_common.toolchain_type("//bar_tools:toolchain_type", mandatory = True)]`
+- Optional toolchain types:
+ - `toolchains = [config_common.toolchain_type("//bar_tools:toolchain_type", mandatory = False)]`
+
+```python
+bar_binary = rule(
+ ...
+ toolchains = [
+ "//foo_tools:toolchain_type",
+ config_common.toolchain_type("//bar_tools:toolchain_type", mandatory = False),
+ ],
+)
+```
+
+You can mix and match forms in the same rule, also. However, if the same
+toolchain type is listed multiple times, it will take the most strict version,
+where mandatory is more strict than optional.
+
+### Writing aspects that use toolchains
+
+Aspects have access to the same toolchain API as rules: you can define required
+toolchain types, access toolchains via the context, and use them to generate new
+actions using the toolchain.
+
+```py
+bar_aspect = aspect(
+ implementation = _bar_aspect_impl,
+ attrs = {},
+ toolchains = ['//bar_tools:toolchain_type'],
+)
+
+def _bar_aspect_impl(target, ctx):
+ toolchain = ctx.toolchains['//bar_tools:toolchain_type']
+ # Use the toolchain provider like in a rule.
+ return []
+```
+
+## Defining toolchains
+
+To define some toolchains for a given toolchain type, you need three things:
+
+1. A language-specific rule representing the kind of tool or tool suite. By
+ convention this rule's name is suffixed with "\_toolchain".
+
+ 1. **Note:** The `\_toolchain` rule cannot create any build actions.
+ Rather, it collects artifacts from other rules and forwards them to the
+ rule that uses the toolchain. That rule is responsible for creating all
+ build actions.
+
+2. Several targets of this rule type, representing versions of the tool or tool
+ suite for different platforms.
+
+3. For each such target, an associated target of the generic
+ [`toolchain`](/reference/be/platforms-and-toolchains#toolchain)
+ rule, to provide metadata used by the toolchain framework. This `toolchain`
+ target also refers to the `toolchain_type` associated with this toolchain.
+ This means that a given `_toolchain` rule could be associated with any
+ `toolchain_type`, and that only in a `toolchain` instance that uses
+ this `_toolchain` rule that the rule is associated with a `toolchain_type`.
+
+For our running example, here's a definition for a `bar_toolchain` rule. Our
+example has only a compiler, but other tools such as a linker could also be
+grouped underneath it.
+
+```python
+def _bar_toolchain_impl(ctx):
+ toolchain_info = platform_common.ToolchainInfo(
+ barcinfo = BarcInfo(
+ compiler_path = ctx.attr.compiler_path,
+ system_lib = ctx.attr.system_lib,
+ arch_flags = ctx.attr.arch_flags,
+ ),
+ )
+ return [toolchain_info]
+
+bar_toolchain = rule(
+ implementation = _bar_toolchain_impl,
+ attrs = {
+ "compiler_path": attr.string(),
+ "system_lib": attr.string(),
+ "arch_flags": attr.string_list(),
+ },
+)
+```
+
+The rule must return a `ToolchainInfo` provider, which becomes the object that
+the consuming rule retrieves using `ctx.toolchains` and the label of the
+toolchain type. `ToolchainInfo`, like `struct`, can hold arbitrary field-value
+pairs. The specification of exactly what fields are added to the `ToolchainInfo`
+should be clearly documented at the toolchain type. In this example, the values
+return wrapped in a `BarcInfo` object to reuse the schema defined above; this
+style may be useful for validation and code reuse.
+
+Now you can define targets for specific `barc` compilers.
+
+```python
+bar_toolchain(
+ name = "barc_linux",
+ arch_flags = [
+ "--arch=Linux",
+ "--debug_everything",
+ ],
+ compiler_path = "/path/to/barc/on/linux",
+ system_lib = "/usr/lib/libbarc.so",
+)
+
+bar_toolchain(
+ name = "barc_windows",
+ arch_flags = [
+ "--arch=Windows",
+ # Different flags, no debug support on windows.
+ ],
+ compiler_path = "C:\\path\\on\\windows\\barc.exe",
+ system_lib = "C:\\path\\on\\windows\\barclib.dll",
+)
+```
+
+Finally, you create `toolchain` definitions for the two `bar_toolchain` targets.
+These definitions link the language-specific targets to the toolchain type and
+provide the constraint information that tells Bazel when the toolchain is
+appropriate for a given platform.
+
+```python
+toolchain(
+ name = "barc_linux_toolchain",
+ exec_compatible_with = [
+ "@platforms//os:linux",
+ "@platforms//cpu:x86_64",
+ ],
+ target_compatible_with = [
+ "@platforms//os:linux",
+ "@platforms//cpu:x86_64",
+ ],
+ toolchain = ":barc_linux",
+ toolchain_type = ":toolchain_type",
+)
+
+toolchain(
+ name = "barc_windows_toolchain",
+ exec_compatible_with = [
+ "@platforms//os:windows",
+ "@platforms//cpu:x86_64",
+ ],
+ target_compatible_with = [
+ "@platforms//os:windows",
+ "@platforms//cpu:x86_64",
+ ],
+ toolchain = ":barc_windows",
+ toolchain_type = ":toolchain_type",
+)
+```
+
+The use of relative path syntax above suggests these definitions are all in the
+same package, but there's no reason the toolchain type, language-specific
+toolchain targets, and `toolchain` definition targets can't all be in separate
+packages.
+
+See the [`go_toolchain`](https://github.com/bazelbuild/rules_go/blob/master/go/private/go_toolchain.bzl)
+for a real-world example.
+
+### Toolchains and configurations
+
+An important question for rule authors is, when a `bar_toolchain` target is
+analyzed, what [configuration](/reference/glossary#configuration) does it see, and what transitions
+should be used for dependencies? The example above uses string attributes, but
+what would happen for a more complicated toolchain that depends on other targets
+in the Bazel repository?
+
+Let's see a more complex version of `bar_toolchain`:
+
+```python
+def _bar_toolchain_impl(ctx):
+ # The implementation is mostly the same as above, so skipping.
+ pass
+
+bar_toolchain = rule(
+ implementation = _bar_toolchain_impl,
+ attrs = {
+ "compiler": attr.label(
+ executable = True,
+ mandatory = True,
+ cfg = "exec",
+ ),
+ "system_lib": attr.label(
+ mandatory = True,
+ cfg = "target",
+ ),
+ "arch_flags": attr.string_list(),
+ },
+)
+```
+
+The use of [`attr.label`](/rules/lib/toplevel/attr#label) is the same as for a standard rule,
+but the meaning of the `cfg` parameter is slightly different.
+
+The dependency from a target (called the "parent") to a toolchain via toolchain
+resolution uses a special configuration transition called the "toolchain
+transition". The toolchain transition keeps the configuration the same, except
+that it forces the execution platform to be the same for the toolchain as for
+the parent (otherwise, toolchain resolution for the toolchain could pick any
+execution platform, and wouldn't necessarily be the same as for parent). This
+allows any `exec` dependencies of the toolchain to also be executable for the
+parent's build actions. Any of the toolchain's dependencies which use `cfg =
+"target"` (or which don't specify `cfg`, since "target" is the default) are
+built for the same target platform as the parent. This allows toolchain rules to
+contribute both libraries (the `system_lib` attribute above) and tools (the
+`compiler` attribute) to the build rules which need them. The system libraries
+are linked into the final artifact, and so need to be built for the same
+platform, whereas the compiler is a tool invoked during the build, and needs to
+be able to run on the execution platform.
+
+## Registering and building with toolchains
+
+At this point all the building blocks are assembled, and you just need to make
+the toolchains available to Bazel's resolution procedure. This is done by
+registering the toolchain, either in a `MODULE.bazel` file using
+`register_toolchains()`, or by passing the toolchains' labels on the command
+line using the `--extra_toolchains` flag.
+
+```python
+register_toolchains(
+ "//bar_tools:barc_linux_toolchain",
+ "//bar_tools:barc_windows_toolchain",
+ # Target patterns are also permitted, so you could have also written:
+ # "//bar_tools:all",
+ # or even
+ # "//bar_tools/...",
+)
+```
+
+When using target patterns to register toolchains, the order in which the
+individual toolchains are registered is determined by the following rules:
+
+* The toolchains defined in a subpackage of a package are registered before the
+ toolchains defined in the package itself.
+* Within a package, toolchains are registered in the lexicographical order of
+ their names.
+
+Now when you build a target that depends on a toolchain type, an appropriate
+toolchain will be selected based on the target and execution platforms.
+
+```python
+# my_pkg/BUILD
+
+platform(
+ name = "my_target_platform",
+ constraint_values = [
+ "@platforms//os:linux",
+ ],
+)
+
+bar_binary(
+ name = "my_bar_binary",
+ ...
+)
+```
+
+```sh
+bazel build //my_pkg:my_bar_binary --platforms=//my_pkg:my_target_platform
+```
+
+Bazel will see that `//my_pkg:my_bar_binary` is being built with a platform that
+has `@platforms//os:linux` and therefore resolve the
+`//bar_tools:toolchain_type` reference to `//bar_tools:barc_linux_toolchain`.
+This will end up building `//bar_tools:barc_linux` but not
+`//bar_tools:barc_windows`.
+
+## Toolchain resolution
+
+Note: [Some Bazel rules](/concepts/platforms#status) do not yet support
+toolchain resolution.
+
+For each target that uses toolchains, Bazel's toolchain resolution procedure
+determines the target's concrete toolchain dependencies. The procedure takes as
+input a set of required toolchain types, the target platform, the list of
+available execution platforms, and the list of available toolchains. Its outputs
+are a selected toolchain for each toolchain type as well as a selected execution
+platform for the current target.
+
+The available execution platforms and toolchains are gathered from the
+external dependency graph via
+[`register_execution_platforms`](/rules/lib/globals/module#register_execution_platforms)
+and
+[`register_toolchains`](/rules/lib/globals/module#register_toolchains) calls in
+`MODULE.bazel` files.
+Additional execution platforms and toolchains may also be specified on the
+command line via
+[`--extra_execution_platforms`](/reference/command-line-reference#flag--extra_execution_platforms)
+and
+[`--extra_toolchains`](/reference/command-line-reference#flag--extra_toolchains).
+The host platform is automatically included as an available execution platform.
+Available platforms and toolchains are tracked as ordered lists for determinism,
+with preference given to earlier items in the list.
+
+The set of available toolchains, in priority order, is created from
+`--extra_toolchains` and `register_toolchains`:
+
+1. Toolchains registered using `--extra_toolchains` are added first. (Within
+ these, the **last** toolchain has highest priority.)
+2. Toolchains registered using `register_toolchains` in the transitive external
+ dependency graph, in the following order: (Within these, the **first**
+ mentioned toolchain has highest priority.)
+ 1. Toolchains registered by the root module (as in, the `MODULE.bazel` at the
+ workspace root);
+ 2. Toolchains registered in the user's `WORKSPACE` file, including in any
+ macros invoked from there;
+ 3. Toolchains registered by non-root modules (as in, dependencies specified by
+ the root module, and their dependencies, and so forth);
+ 4. Toolchains registered in the "WORKSPACE suffix"; this is only used by
+ certain native rules bundled with the Bazel installation.
+
+**NOTE:** [Pseudo-targets like `:all`, `:*`, and
+`/...`](/run/build#specifying-build-targets) are ordered by Bazel's package
+loading mechanism, which uses a lexicographic ordering.
+
+The resolution steps are as follows.
+
+1. A `target_compatible_with` or `exec_compatible_with` clause *matches* a
+ platform if, for each `constraint_value` in its list, the platform also has
+ that `constraint_value` (either explicitly or as a default).
+
+ If the platform has `constraint_value`s from `constraint_setting`s not
+ referenced by the clause, these do not affect matching.
+
+1. If the target being built specifies the
+ [`exec_compatible_with` attribute](/reference/be/common-definitions#common.exec_compatible_with)
+ (or its rule definition specifies the
+ [`exec_compatible_with` argument](/rules/lib/globals/bzl#rule.exec_compatible_with)),
+ the list of available execution platforms is filtered to remove
+ any that do not match the execution constraints.
+
+1. The list of available toolchains is filtered to remove any toolchains
+ specifying `target_settings` that don't match the current configuration.
+
+1. For each available execution platform, you associate each toolchain type with
+ the first available toolchain, if any, that is compatible with this execution
+ platform and the target platform.
+
+1. Any execution platform that failed to find a compatible mandatory toolchain
+ for one of its toolchain types is ruled out. Of the remaining platforms, the
+ first one becomes the current target's execution platform, and its associated
+ toolchains (if any) become dependencies of the target.
+
+The chosen execution platform is used to run all actions that the target
+generates.
+
+In cases where the same target can be built in multiple configurations (such as
+for different CPUs) within the same build, the resolution procedure is applied
+independently to each version of the target.
+
+If the rule uses [execution groups](/extending/exec-groups), each execution
+group performs toolchain resolution separately, and each has its own execution
+platform and toolchains.
+
+## Debugging toolchains
+
+If you are adding toolchain support to an existing rule, use the
+`--toolchain_resolution_debug=regex` flag. During toolchain resolution, the flag
+provides verbose output for toolchain types or target names that match the regex variable. You
+can use `.*` to output all information. Bazel will output names of toolchains it
+checks and skips during the resolution process.
+
+For example, to debug toolchain selection for all actions created directly by
+`//my:target`:
+
+```sh
+$ bazel build //my:all --toolchain_resolution_debug=//my:target
+```
+
+To debug toolchain selection for all actions over all build targets:
+
+```sh
+$ bazel build //my:all --toolchain_resolution_debug=.*
+```
+
+If you'd like to see which [`cquery`](/query/cquery) dependencies are from toolchain
+resolution, use `cquery`'s [`--transitions`](/query/cquery#transitions) flag:
+
+```
+# Find all direct dependencies of //cc:my_cc_lib. This includes explicitly
+# declared dependencies, implicit dependencies, and toolchain dependencies.
+$ bazel cquery 'deps(//cc:my_cc_lib, 1)'
+//cc:my_cc_lib (96d6638)
+@bazel_tools//tools/cpp:toolchain (96d6638)
+@bazel_tools//tools/def_parser:def_parser (HOST)
+//cc:my_cc_dep (96d6638)
+@local_config_platform//:host (96d6638)
+@bazel_tools//tools/cpp:toolchain_type (96d6638)
+//:default_host_platform (96d6638)
+@local_config_cc//:cc-compiler-k8 (HOST)
+//cc:my_cc_lib.cc (null)
+@bazel_tools//tools/cpp:grep-includes (HOST)
+
+# Which of these are from toolchain resolution?
+$ bazel cquery 'deps(//cc:my_cc_lib, 1)' --transitions=lite | grep "toolchain dependency"
+ [toolchain dependency]#@local_config_cc//:cc-compiler-k8#HostTransition -> b6df211
+```
+
+---
+
+## Module extensions
+- URL: https://bazel.build/external/extension
+- Source: external/extension.mdx
+- Slug: /external/extension
+
+Module extensions allow users to extend the module system by reading input data
+from modules across the dependency graph, performing necessary logic to resolve
+dependencies, and finally creating repos by calling [repo
+rules](/external/repo). These extensions have capabilities similar to repo
+rules, which enables them to perform file I/O, send network requests, and so on.
+Among other things, they allow Bazel to interact with other package management
+systems while also respecting the dependency graph built out of Bazel modules.
+
+You can define module extensions in `.bzl` files, just like repo rules. They're
+not invoked directly; rather, each module specifies pieces of data called *tags*
+for extensions to read. Bazel runs module resolution before evaluating any
+extensions. The extension reads all the tags belonging to it across the entire
+dependency graph.
+
+## Extension usage
+
+Extensions are hosted in Bazel modules themselves. To use an extension in a
+module, first add a `bazel_dep` on the module hosting the extension, and then
+call the [`use_extension`](/rules/lib/globals/module#use_extension) built-in function
+to bring it into scope. Consider the following example — a snippet from a
+`MODULE.bazel` file to use the "maven" extension defined in the
+[`rules_jvm_external`](https://github.com/bazelbuild/rules_jvm_external)
+module:
+
+```python
+bazel_dep(name = "rules_jvm_external", version = "4.5")
+maven = use_extension("@rules_jvm_external//:extensions.bzl", "maven")
+```
+
+This binds the return value of `use_extension` to a variable, which allows the
+user to use dot-syntax to specify tags for the extension. The tags must follow
+the schema defined by the corresponding *tag classes* specified in the
+[extension definition](#extension_definition). For an example specifying some
+`maven.install` and `maven.artifact` tags:
+
+```python
+maven.install(artifacts = ["org.junit:junit:4.13.2"])
+maven.artifact(group = "com.google.guava",
+ artifact = "guava",
+ version = "27.0-jre",
+ exclusions = ["com.google.j2objc:j2objc-annotations"])
+```
+
+Use the [`use_repo`](/rules/lib/globals/module#use_repo) directive to bring repos
+generated by the extension into the scope of the current module.
+
+```python
+use_repo(maven, "maven")
+```
+
+Repos generated by an extension are part of its API. In this example, the
+"maven" module extension promises to generate a repo called `maven`. With the
+declaration above, the extension properly resolves labels such as
+`@maven//:org_junit_junit` to point to the repo generated by the "maven"
+extension.
+
+Note: Module extensions are evaluated lazily. This means that an extension will
+typically not be evaluated unless some module brings one of its repositories
+into scope using `use_repo` and that repository is referenced in a build. While
+testing a module extension, `bazel mod deps` can be useful as it
+unconditionally evaluates all module extensions.
+
+## Extension definition
+
+You can define module extensions similarly to [repo rules](/external/repo),
+using the [`module_extension`](/rules/lib/globals/bzl#module_extension)
+function. However, while repo rules have a number of attributes, module
+extensions have [`tag_class`es](/rules/lib/globals/bzl#tag_class), each of which
+has a number of attributes. The tag classes define schemas for tags used by this
+extension. For example, the "maven" extension above might be defined like this:
+
+```python
+# @rules_jvm_external//:extensions.bzl
+
+_install = tag_class(attrs = {"artifacts": attr.string_list(), ...})
+_artifact = tag_class(attrs = {"group": attr.string(), "artifact": attr.string(), ...})
+maven = module_extension(
+ implementation = _maven_impl,
+ tag_classes = {"install": _install, "artifact": _artifact},
+)
+```
+
+These declarations show that `maven.install` and `maven.artifact` tags can be
+specified using the specified attribute schema.
+
+The implementation function of module extensions are similar to those of repo
+rules, except that they get a [`module_ctx`](/rules/lib/builtins/module_ctx) object,
+which grants access to all modules using the extension and all pertinent tags.
+The implementation function then calls repo rules to generate repos.
+
+```python
+# @rules_jvm_external//:extensions.bzl
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file") # a repo rule
+def _maven_impl(ctx):
+ # This is a fake implementation for demonstration purposes only
+
+ # collect artifacts from across the dependency graph
+ artifacts = []
+ for mod in ctx.modules:
+ for install in mod.tags.install:
+ artifacts += install.artifacts
+ artifacts += [_to_artifact(artifact) for artifact in mod.tags.artifact]
+
+ # call out to the coursier CLI tool to resolve dependencies
+ output = ctx.execute(["coursier", "resolve", artifacts])
+ repo_attrs = _process_coursier_output(output)
+
+ # call repo rules to generate repos
+ for attrs in repo_attrs:
+ http_file(**attrs)
+ _generate_hub_repo(name = "maven", repo_attrs)
+```
+
+### Extension identity
+
+Module extensions are identified by the name and the `.bzl` file that appears
+in the call to `use_extension`. In the following example, the extension `maven`
+is identified by the `.bzl` file `@rules_jvm_external//:extension.bzl` and the
+name `maven`:
+
+```python
+maven = use_extension("@rules_jvm_external//:extensions.bzl", "maven")
+```
+
+Re-exporting an extension from a different `.bzl` file gives it a new identity
+and if both versions of the extension are used in the transitive module graph,
+then they will be evaluated separately and will only see the tags associated
+with that particular identity.
+
+As an extension author you should make sure that users will only use your
+module extension from one single `.bzl` file.
+
+## Repository names and visibility
+
+Repos generated by extensions have canonical names in the form of `{{ ""
+}}module_repo_canonical_name+extension_name{{
+"" }}+repo_name`. Note that the canonical name
+format is not an API you should depend on — it's subject to change at any time.
+
+This naming policy means that each extension has its own "repo namespace"; two
+distinct extensions can each define a repo with the same name without risking
+any clashes. It also means that `repository_ctx.name` reports the canonical name
+of the repo, which is *not* the same as the name specified in the repo rule
+call.
+
+Taking repos generated by module extensions into consideration, there are
+several repo visibility rules:
+
+* A Bazel module repo can see all repos introduced in its `MODULE.bazel` file
+ via [`bazel_dep`](/rules/lib/globals/module#bazel_dep) and
+ [`use_repo`](/rules/lib/globals/module#use_repo).
+* A repo generated by a module extension can see all repos visible to the
+ module that hosts the extension, *plus* all other repos generated by the
+ same module extension (using the names specified in the repo rule calls as
+ their apparent names).
+ * This might result in a conflict. If the module repo can see a repo with
+ the apparent name `foo`, and the extension generates a repo with the
+ specified name `foo`, then for all repos generated by that extension
+ `foo` refers to the former.
+* Similarly, in a module extension's implementation function, repos created
+ by the extension can refer to each other by their apparent names in
+ attributes, regardless of the order in which they are created.
+ * In case of a conflict with a repository visible to the module, labels
+ passed to repository rule attributes can be wrapped in a call to
+ [`Label`](/rules/lib/toplevel/attr#label) to ensure that they refer to
+ the repo visible to the module instead of the extension-generated repo
+ of the same name.
+
+### Overriding and injecting module extension repos
+
+The root module can use
+[`override_repo`](/rules/lib/globals/module#override_repo) and
+[`inject_repo`](/rules/lib/globals/module#inject_repo) to override or inject
+module extension repos.
+
+#### Example: Replacing `rules_java`'s `java_tools` with a vendored copy
+
+```python
+# MODULE.bazel
+local_repository = use_repo_rule("@bazel_tools//tools/build_defs/repo:local.bzl", "local_repository")
+local_repository(
+ name = "my_java_tools",
+ path = "vendor/java_tools",
+)
+
+bazel_dep(name = "rules_java", version = "7.11.1")
+java_toolchains = use_extension("@rules_java//java:extension.bzl", "toolchains")
+
+override_repo(java_toolchains, remote_java_tools = "my_java_tools")
+```
+
+#### Example: Patch a Go dependency to depend on `@zlib` instead of the system zlib
+
+```python
+# MODULE.bazel
+bazel_dep(name = "gazelle", version = "0.38.0")
+bazel_dep(name = "zlib", version = "1.3.1.bcr.3")
+
+go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
+go_deps.from_file(go_mod = "//:go.mod")
+go_deps.module_override(
+ patches = [
+ "//patches:my_module_zlib.patch",
+ ],
+ path = "example.com/my_module",
+)
+use_repo(go_deps, ...)
+
+inject_repo(go_deps, "zlib")
+```
+
+```diff
+# patches/my_module_zlib.patch
+--- a/BUILD.bazel
++++ b/BUILD.bazel
+@@ -1,6 +1,6 @@
+ go_binary(
+ name = "my_module",
+ importpath = "example.com/my_module",
+ srcs = ["my_module.go"],
+- copts = ["-lz"],
++ cdeps = ["@zlib"],
+ )
+```
+
+## Best practices
+
+This section describes best practices when writing extensions so they are
+straightforward to use, maintainable, and adapt well to changes over time.
+
+### Put each extension in a separate file
+
+When extensions are in a different files, it allows one extension to load
+repositories generated by another extension. Even if you don't use this
+functionality, it's best to put them in separate files in case you need it
+later. This is because the extension's identify is based on its file, so moving
+the extension into another file later changes your public API and is a backwards
+incompatible change for your users.
+
+### Specify reproducibility and use facts
+
+If your extension always defines the same repositories given the same inputs
+(extension tags, files it reads, etc.) and in particular doesn't rely on
+any [downloads](/rules/lib/builtins/module_ctx#download) that aren't guarded by
+a checksum, consider returning
+[`extension_metadata`](/rules/lib/builtins/module_ctx#extension_metadata) with
+`reproducible = True`. This allows Bazel to skip this extension when writing to
+the `MODULE.bazel` lockfile, which helps keep the lockfile small and reduces
+the chance of merge conflicts. Note that Bazel still caches the results of
+reproducible extensions in a way that persists across server restarts, so even
+a long-running extension can be marked as reproducible without a performance
+penalty.
+
+If your extension relies on effectively immutable data obtained from outside
+the build, most commonly from the network, but you don't have a checksum
+available to guard the download, consider using the `facts` parameter of
+[`extension_metadata`](/rules/lib/builtins/module_ctx#extension_metadata) to
+persistently record such data and thus allow your extension to become
+reproducible. `facts` is expected to be a dictionary with string keys and
+arbitrary JSON-like Starlark values that is always persisted in the lockfile and
+available to future evaluations of the extension via the
+[`facts`](/rules/lib/builtins/module_ctx#facts) field of `module_ctx`.
+
+`facts` are not invalidated even when the code of your module extension changes,
+so be prepared to handle the case where the structure of `facts` changes.
+Bazel also assumes that two different `facts` dicts produced by two different
+evaluations of the same extension can be shallowly merged (i.e., as if by using
+the `|` operator on two dicts). This is partially enforced by `module_ctx.facts`
+not supporting enumeration of its entries, just lookups by key.
+
+An example of using `facts` would be to record a mapping from version numbers of
+some SDK to the an object containing the download URL and checksum of that
+version. The first time the extension is evaluated, it can fetch this mapping
+from the network, but on later evaluations it can use the mapping from `facts`
+to avoid the network requests.
+
+### Specify dependence on operating system and architecture
+
+If your extension relies on the operating system or its architecture type,
+ensure to indicate this in the extension definition using the `os_dependent`
+and `arch_dependent` boolean attributes. This ensures that Bazel recognizes the
+need for re-evaluation if there are changes to either of them.
+
+Since this kind of dependence on the host makes it more difficult to maintain
+the lockfile entry for this extension, consider
+[marking the extension reproducible](#specify_reproducibility) if possible.
+
+### Only the root module should directly affect repository names
+
+Remember that when an extension creates repositories, they are created within
+the namespace of the extension. This means collisions can occur if different
+modules use the same extension and end up creating a repository with the same
+name. This often manifests as a module extension's `tag_class` having a `name`
+argument that is passed as a repository rule's `name` value.
+
+For example, say the root module, `A`, depends on module `B`. Both modules
+depend on module `mylang`. If both `A` and `B` call
+`mylang.toolchain(name="foo")`, they will both try to create a repository named
+`foo` within the `mylang` module and an error will occur.
+
+To avoid this, either remove the ability to set the repository name directly,
+or only allow the root module to do so. It's OK to allow the root module this
+ability because nothing will depend on it, so it doesn't have to worry about
+another module creating a conflicting name.
+
+---
+
+## Frequently asked questions
+- URL: https://bazel.build/external/faq
+- Source: external/faq.mdx
+- Slug: /external/faq
+
+This page answers some frequently asked questions about external dependencies in
+Bazel.
+
+## MODULE.bazel
+
+### How should I version a Bazel module?
+
+Setting `version` with the [`module`] directive in the source archive
+`MODULE.bazel` can have several downsides and unintended side effects if not
+managed carefully:
+
+* Duplication: releasing a new version of a module typically involves both
+ incrementing the version in `MODULE.bazel` and tagging the release, two
+ separate steps that can fall out of sync. While automation can
+ reduce this risk, it's simpler and safer to avoid it altogether.
+
+* Inconsistency: users overriding a module with a specific commit using a
+ [non-registry override] will see an incorrect version. for example, if the
+ `MODULE.bazel` in the source archive sets `version = "0.3.0"` but
+ additional commits have been made since that release, a user overriding
+ with one of those commits would still see `0.3.0`. In reality, the version
+ should reflect that it's ahead of the release, for example `0.3.1-rc1`.
+
+* Non-registry override issues: using placeholder values can cause issues
+ when users override a module with a non-registry override. For example,
+ `0.0.0` doesn't sort as the highest version, which is usually the expected
+ behavior users want when doing a non-registry override.
+
+Thus, it's best to avoid setting the version in the source archive
+`MODULE.bazel`. Instead, set it in the `MODULE.bazel` stored in the registry
+(e.g., the [Bazel Central Registry]), which is the actual source of truth for
+the module version during Bazel's external dependency resolution (see [Bazel
+registries]).
+
+This is usually automated, for example the [`rules-template`] example rule
+repository uses a [bazel-contrib/publish-to-bcr publish.yaml GitHub Action] to
+publish the release to the BCR. The action [generates a patch for the source
+archive `MODULE.bazel`] with the release version. This patch is stored in the
+registry and is applied when the module is fetched during Bazel's external
+dependency resolution.
+
+This way, the version in the releases in the registry will be correctly set to
+the released version and thus, `bazel_dep`, `single_version_override` and
+`multiple_version_override` will work as expected, while avoiding potential
+issues when doing a non-registry override because the version in the source
+archive will be the default value (`''`), which will always be handled
+correctly (it's the default version value after all) and will behave as
+expected when sorting (the empty string is treated as the highest version).
+
+[Bazel Central Registry]: https://registry.bazel.build/
+[Bazel registries]: https://bazel.build/external/registry
+[bazel-contrib/publish-to-bcr publish.yaml GitHub Action]: https://github.com/bazel-contrib/publish-to-bcr/blob/v0.2.2/.github/workflows/publish.yaml
+[generates a patch for the source archive `MODULE.bazel`]: https://github.com/bazel-contrib/publish-to-bcr/blob/v0.2.2/src/domain/create-entry.ts#L176-L216
+[`module`]: /rules/lib/globals/module#module
+[non-registry override]: module.md#non-registry_overrides
+[`rules-template`]: https://github.com/bazel-contrib/rules-template
+
+### When should I increment the compatibility level?
+
+The [`compatibility_level`](module.md#compatibility_level) of a Bazel module
+should be incremented _in the same commit_ that introduces a backwards
+incompatible ("breaking") change.
+
+However, Bazel can throw an error if it detects that versions of the _same
+module_ with _different compatibility levels_ exist in the resolved dependency
+graph. This can happen when for example' two modules depend on versions of a
+third module with different compatibility levels.
+
+Thus, incrementing `compatibility_level` too frequently can be very disruptive
+and is discouraged. To avoid this situation, the `compatibility_level` should be
+incremented _only_ when the breaking change affects most use cases and isn't
+easy to migrate and/or work-around.
+
+### Why does MODULE.bazel not support `load`s?
+
+During dependency resolution, the MODULE.bazel file of all referenced external
+dependencies are fetched from registries. At this stage, the source archives of
+the dependencies are not fetched yet; so if the MODULE.bazel file `load`s
+another file, there is no way for Bazel to actually fetch that file without
+fetching the entire source archive. Note the MODULE.bazel file itself is
+special, as it's directly hosted on the registry.
+
+There are a few use cases that people asking for `load`s in MODULE.bazel are
+generally interested in, and they can be solved without `load`s:
+
+* Ensuring that the version listed in MODULE.bazel is consistent with build
+ metadata stored elsewhere, for example in a .bzl file: This can be achieved
+ by using the
+ [`native.module_version`](/rules/lib/toplevel/native#module_version) method
+ in a .bzl file loaded from a BUILD file.
+* Splitting up a very large MODULE.bazel file into manageable sections,
+ particularly for monorepos: The root module can use the
+ [`include`](/rules/lib/globals/module#include) directive to split its
+ MODULE.bazel file into multiple segments. For the same reason we don't allow
+ `load`s in MODULE.bazel files, `include` cannot be used in non-root modules.
+* Users of the old WORKSPACE system might remember declaring a repo, and then
+ immediately `load`ing from that repo to perform complex logic. This
+ capability has been replaced by [module extensions](extension).
+
+### Can I specify a SemVer range for a `bazel_dep`?
+
+No. Some other package managers like [npm][npm-semver] and [Cargo][cargo-semver]
+support version ranges (implicitly or explicitly), and this often requires a
+constraint solver (making the output harder to predict for users) and makes
+version resolution nonreproducible without a lockfile.
+
+Bazel instead uses [Minimal Version Selection](module#version-selection) like
+Go, which in contrast makes the output easy to predict and guarantees
+reproducibility. This is a tradeoff that matches Bazel's design goals.
+
+Furthermore, Bazel module versions are [a superset of
+SemVer](module#version-format), so what makes sense in a strict SemVer
+environment doesn't always carry over to Bazel module versions.
+
+### Can I automatically get the latest version for a `bazel_dep`?
+
+Some users occasionally ask for the ability to specify `bazel_dep(name = "foo",
+version = "latest")` to automatically get the latest version of a dep. This is
+similar to [the question about SemVer
+ranges](#can-i-specify-a-semver-range-for-a-bazel-dep), and the answer is also
+no.
+
+The recommended solution here is to have automation take care of this. For
+example, [Renovate](https://docs.renovatebot.com/modules/manager/) supports
+Bazel modules.
+
+Sometimes, users asking this question are really looking for a way to quickly
+iterate during local development. This can be achieved by using a
+[`local_path_override`](/rules/lib/globals/module#local_path_override).
+
+### Why all these `use_repo`s?
+
+Module extension usages in MODULE.bazel files sometimes come with a big
+`use_repo` directive. For example, a typical usage of the
+[`go_deps` extension][go_deps] from `gazelle` might look like:
+
+```python
+go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
+go_deps.from_file(go_mod = "//:go.mod")
+use_repo(
+ go_deps,
+ "com_github_gogo_protobuf",
+ "com_github_golang_mock",
+ "com_github_golang_protobuf",
+ "org_golang_x_net",
+ ... # potentially dozens of lines...
+)
+```
+
+The long `use_repo` directive may seem redundant, since the information is
+arguably already in the referenced `go.mod` file.
+
+The reason Bazel needs this `use_repo` directive is that it runs module
+extensions lazily. That is, a module extension is only run if its result is
+observed. Since a module extension's "output" is repo definitions, this means
+that we only run a module extension if a repo it defines is requested (for
+instance, if the target `@org_golang_x_net//:foo` is built, in the example
+above). However, we don't know which repos a module extension would define until
+after we run it. This is where the `use_repo` directive comes in; the user can
+tell Bazel which repos they expect the extension to generate, and Bazel would
+then only run the extension when these specific repos are used.
+
+To help the maintain this `use_repo` directive, a module extension can return
+an [`extension_metadata`](/rules/lib/builtins/module_ctx#extension_metadata)
+object from its implementation function. The user can run the `bazel mod tidy`
+command to update the `use_repo` directives for these module extensions.
+
+## Bzlmod migration
+
+### Which is evaluated first, MODULE.bazel or WORKSPACE?
+
+When both `--enable_bzlmod` and `--enable_workspace` are set, it's natural to
+wonder which system is consulted first. The short answer is that MODULE.bazel
+(Bzlmod) is evaluated first.
+
+The long answer is that "which evaluates first" is not the right question to
+ask; rather, the right question to ask is: in the context of the repo with
+[canonical name](overview#canonical-repo-name) `@@foo`, what does the [apparent
+repo name](overview#apparent-repo-name) `@bar` resolve to? Alternatively, what
+is the repo mapping of `@@base`?
+
+Labels with apparent repo names (a single leading `@`) can refer to different
+things based on the context they're resolved from. When you see a label
+`@bar//:baz` and wonder what it actually points to, you need to first find out
+what the context repo is: for example, if the label is in a BUILD file located
+in the repo `@@foo`, then the context repo is `@@foo`.
+
+Then, depending on what the context repo is, the ["repository
+visibility" table](migration#repository-visibility) in the migration guide can
+be used to find out which repo an apparent name actually resolves to.
+
+* If the context repo is the main repo (`@@`):
+ 1. If `bar` is an apparent repo name introduced by the root module's
+ MODULE.bazel file (through any of
+ [`bazel_dep`](/rules/lib/globals/module#bazel_dep.repo_name),
+ [`use_repo`](/rules/lib/globals/module#use_repo),
+ [`module`](/rules/lib/globals/module#module.repo_name),
+ [`use_repo_rule`](/rules/lib/globals/module#use_repo_rule)), then `@bar`
+ resolves to what that MODULE.bazel file claims.
+ 2. Otherwise, if `bar` is a repo defined in WORKSPACE (which means that its
+ canonical name is `@@bar`), then `@bar` resolves to `@@bar`.
+ 3. Otherwise, `@bar` resolves to something like
+ `@@[unknown repo 'bar' requested from @@]`, and this will ultimately
+ result in an error.
+* If the context repo is a Bzlmod-world repo (that is, it corresponds to a
+ non-root Bazel module, or is generated by a module extension), then it
+ will only ever see other Bzlmod-world repos, and no WORKSPACE-world repos.
+ * Notably, this includes any repos introduced in a `non_module_deps`-like
+ module extension in the root module, or `use_repo_rule` instantiations
+ in the root module.
+* If the context repo is defined in WORKSPACE:
+ 1. First, check if the context repo definition has the magical
+ `repo_mapping` attribute. If so, go through the mapping first (so for a
+ repo defined with `repo_mapping = {"@bar": "@baz"}`, we would be looking
+ at `@baz` below).
+ 2. If `bar` is an apparent repo name introduced by the root module's
+ MODULE.bazel file, then `@bar` resolves to what that MODULE.bazel file
+ claims. (This is the same as item 1 in the main repo case.)
+ 3. Otherwise, `@bar` resolves to `@@bar`. This most likely will point to a
+ repo `bar` defined in WORKSPACE; if such a repo is not defined, Bazel
+ will throw an error.
+
+For a more succinct version:
+
+* Bzlmod-world repos (excluding the main repo) will only see Bzlmod-world
+ repos.
+* WORKSPACE-world repos (including the main repo) will first see what the root
+ module in the Bzlmod world defines, then fall back to seeing WORKSPACE-world
+ repos.
+
+Of note, labels in the Bazel command line (including Starlark flags, label-typed
+flag values, and build/test target patterns) are treated as having the main repo
+as the context repo.
+
+## Other
+
+### How do I prepare and run an offline build?
+
+Use the `bazel fetch` command to prefetch repos. You can use the `--repo` flag
+(like `bazel fetch --repo @foo`) to fetch only the repo `@foo` (resolved in the
+context of the main repo, see [question
+above](#which-is-evaluated-first-module-bazel-or-workspace)), or use a target
+pattern (like `bazel fetch @foo//:bar`) to fetch all transitive dependencies of
+`@foo//:bar` (this is equivalent to `bazel build --nobuild @foo//:bar`).
+
+The make sure no fetches happen during a build, use `--nofetch`. More precisely,
+this makes any attempt to run a non-local repository rule fail.
+
+If you want to fetch repos _and_ modify them to test locally, consider using
+the [`bazel vendor`](vendor) command.
+
+### How do I use HTTP proxies?
+
+Bazel respects the `http_proxy` and `HTTPS_PROXY` environment variables commonly
+accepted by other programs, such as
+[curl](https://everything.curl.dev/usingcurl/proxies/env.html).
+
+### How do I make Bazel prefer IPv6 in dual-stack IPv4/IPv6 setups?
+
+On IPv6-only machines, Bazel can download dependencies with no changes. However,
+on dual-stack IPv4/IPv6 machines Bazel follows the same convention as Java,
+preferring IPv4 if enabled. In some situations, for example when the IPv4
+network cannot resolve/reach external addresses, this can cause `Network
+unreachable` exceptions and build failures. In these cases, you can override
+Bazel's behavior to prefer IPv6 by using the
+[`java.net.preferIPv6Addresses=true` system
+property](https://docs.oracle.com/javase/8/docs/api/java/net/doc-files/net-properties.html).
+Specifically:
+
+* Use `--host_jvm_args=-Djava.net.preferIPv6Addresses=true` [startup
+ option](/docs/user-manual#startup-options), for example by adding the
+ following line in your [`.bazelrc` file](/run/bazelrc):
+
+ `startup --host_jvm_args=-Djava.net.preferIPv6Addresses=true`
+
+* When running Java build targets that need to connect to the internet (such
+ as for integration tests), use the
+ `--jvmopt=-Djava.net.preferIPv6Addresses=true` [tool
+ flag](/docs/user-manual#jvmopt). For example, include in your [`.bazelrc`
+ file](/run/bazelrc):
+
+ `build --jvmopt=-Djava.net.preferIPv6Addresses`
+
+* If you are using
+ [`rules_jvm_external`](https://github.com/bazelbuild/rules_jvm_external) for
+ dependency version resolution, also add
+ `-Djava.net.preferIPv6Addresses=true` to the `COURSIER_OPTS` environment
+ variable to [provide JVM options for
+ Coursier](https://github.com/bazelbuild/rules_jvm_external#provide-jvm-options-for-coursier-with-coursier_opts).
+
+### Can repo rules be run remotely with remote execution?
+
+No; or at least, not yet. Users employing remote execution services to speed up
+their builds may notice that repo rules are still run locally. For example, an
+`http_archive` would be first downloaded onto the local machine (using any local
+download cache if applicable), extracted, and then each source file would be
+uploaded to the remote execution service as an input file. It's natural to ask
+why the remote execution service doesn't just download and extract that archive,
+saving a useless roundtrip.
+
+Part of the reason is that repo rules (and module extensions) are akin to
+"scripts" that are run by Bazel itself. A remote executor doesn't necessarily
+even have a Bazel installed.
+
+Another reason is that Bazel often needs the BUILD files in the downloaded and
+extracted archives to perform loading and analysis, which _are_ performed
+locally.
+
+There are preliminary ideas to solve this problem by re-imagining repo rules as
+build rules, which would naturally allow them to be run remotely, but conversely
+raise new architectural concerns (for example, the `query` commands would
+potentially need to run actions, complicating their design).
+
+For more previous discussion on this topic, see [A way to support repositories
+that need Bazel for being
+fetched](https://github.com/bazelbuild/bazel/discussions/20464).
+
+[npm-semver]: https://docs.npmjs.com/about-semantic-versioning
+[cargo-semver]: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#version-requirement-syntax
+[go_deps]: https://github.com/bazel-contrib/rules_go/blob/master/docs/go/core/bzlmod.md#specifying-external-dependencies
+
+---
+
+## Lockfile
+- URL: https://bazel.build/external/lockfile
+- Source: external/lockfile.mdx
+- Slug: /external/lockfile
+
+keywords: product:Bazel,lockfile,Bzlmod
+---
+title: 'Bazel Lockfile'
+---
+
+
+
+The lockfile feature in Bazel enables the recording of specific versions or
+dependencies of software libraries or packages required by a project. It
+achieves this by storing the result of module resolution and extension
+evaluation. The lockfile promotes reproducible builds, ensuring consistent
+development environments. Additionally, it enhances build efficiency by allowing
+Bazel to skip the parts of the resolution process that are unaffected by changes
+in project dependencies. Furthermore, the lockfile improves stability by
+preventing unexpected updates or breaking changes in external libraries, thereby
+reducing the risk of introducing bugs.
+
+## Lockfile Generation
+
+The lockfile is generated under the workspace root with the name
+`MODULE.bazel.lock`. It is created or updated during the build process,
+specifically after module resolution and extension evaluation. Importantly, it
+only includes dependencies that are included in the current invocation of the
+build.
+
+When changes occur in the project that affect its dependencies, the lockfile is
+automatically updated to reflect the new state. This ensures that the lockfile
+remains focused on the specific set of dependencies required for the current
+build, providing an accurate representation of the project's resolved
+dependencies.
+
+## Lockfile Usage
+
+The lockfile can be controlled by the flag
+[`--lockfile_mode`](/reference/command-line-reference#flag--lockfile_mode) to
+customize the behavior of Bazel when the project state differs from the
+lockfile. The available modes are:
+
+* `update` (Default): Use the information that is present in the lockfile to
+ skip downloads of known registry files and to avoid re-evaluating extensions
+ whose results are still up-to-date. If information is missing, it will
+ be added to the lockfile. In this mode, Bazel also avoids refreshing
+ mutable information, such as yanked versions, for dependencies that haven't
+ changed.
+* `refresh`: Like `update`, but mutable information is always refreshed when
+ switching to this mode and roughly every hour while in this mode.
+* `error`: Like `update`, but if any information is missing or out-of-date,
+ Bazel will fail with an error. This mode never changes the lockfile or
+ performs network requests during resolution. Module extensions that marked
+ themselves as `reproducible` may still perform network requests, but are
+ expected to always produce the same result.
+* `off`: The lockfile is neither checked nor updated.
+
+## Lockfile Benefits
+
+The lockfile offers several benefits and can be utilized in various ways:
+
+- **Reproducible builds.** By capturing the specific versions or dependencies
+ of software libraries, the lockfile ensures that builds are reproducible
+ across different environments and over time. Developers can rely on
+ consistent and predictable results when building their projects.
+
+- **Fast incremental resolutions.** The lockfile enables Bazel to avoid
+ downloading registry files that were already used in a previous build.
+ This significantly improves build efficiency, especially in scenarios where
+ resolution can be time-consuming.
+
+- **Stability and risk reduction.** The lockfile helps maintain stability by
+ preventing unexpected updates or breaking changes in external libraries. By
+ locking the dependencies to specific versions, the risk of introducing bugs
+ due to incompatible or untested updates is reduced.
+
+### Hidden lockfile
+
+Bazel also maintains another lockfile at
+`"$(bazel info output_base)"/MODULE.bazel.lock`. The format and contents of this
+lockfile are explicitly unspecified. It is only used as a performance
+optimization. While it can be deleted together with the output base via
+`bazel clean --expunge`, any need to do so is a bug in either Bazel itself or a
+module extension.
+
+## Lockfile Contents
+
+The lockfile contains all the necessary information to determine whether the
+project state has changed. It also includes the result of building the project
+in the current state. The lockfile consists of two main parts:
+
+1. Hashes of all remote files that are inputs to module resolution.
+2. For each module extension, the lockfile includes inputs that affect it,
+ represented by `bzlTransitiveDigest`, `usagesDigest` and other fields, as
+ well as the output of running that extension, referred to as
+ `generatedRepoSpecs`
+
+Here is an example that demonstrates the structure of the lockfile, along with
+explanations for each section:
+
+```json
+{
+ "lockFileVersion": 10,
+ "registryFileHashes": {
+ "https://bcr.bazel.build/bazel_registry.json": "8a28e4af...5d5b3497",
+ "https://bcr.bazel.build/modules/foo/1.0/MODULE.bazel": "7cd0312e...5c96ace2",
+ "https://bcr.bazel.build/modules/foo/2.0/MODULE.bazel": "70390338... 9fc57589",
+ "https://bcr.bazel.build/modules/foo/2.0/source.json": "7e3a9adf...170d94ad",
+ "https://registry.mycorp.com/modules/foo/1.0/MODULE.bazel": "not found",
+ ...
+ },
+ "selectedYankedVersions": {
+ "foo@2.0": "Yanked for demo purposes"
+ },
+ "moduleExtensions": {
+ "//:extension.bzl%lockfile_ext": {
+ "general": {
+ "bzlTransitiveDigest": "oWDzxG/aLnyY6Ubrfy....+Jp6maQvEPxn0pBM=",
+ "usagesDigest": "aLmqbvowmHkkBPve05yyDNGN7oh7QE9kBADr3QIZTZs=",
+ ...,
+ "generatedRepoSpecs": {
+ "hello": {
+ "bzlFile": "@@//:extension.bzl",
+ ...
+ }
+ }
+ }
+ },
+ "//:extension.bzl%lockfile_ext2": {
+ "os:macos": {
+ "bzlTransitiveDigest": "oWDzxG/aLnyY6Ubrfy....+Jp6maQvEPxn0pBM=",
+ "usagesDigest": "aLmqbvowmHkkBPve05y....yDNGN7oh7r3QIZTZs=",
+ ...,
+ "generatedRepoSpecs": {
+ "hello": {
+ "bzlFile": "@@//:extension.bzl",
+ ...
+ }
+ }
+ },
+ "os:linux": {
+ "bzlTransitiveDigest": "eWDzxG/aLsyY3Ubrto....+Jp4maQvEPxn0pLK=",
+ "usagesDigest": "aLmqbvowmHkkBPve05y....yDNGN7oh7r3QIZTZs=",
+ ...,
+ "generatedRepoSpecs": {
+ "hello": {
+ "bzlFile": "@@//:extension.bzl",
+ ...
+ }
+ }
+ }
+ }
+ }
+}
+```
+
+### Registry File Hashes
+
+The `registryFileHashes` section contains the hashes of all files from
+remote registries accessed during module resolution. Since the resolution
+algorithm is fully deterministic when given the same inputs and all remote
+inputs are hashed, this ensures a fully reproducible resolution result while
+avoiding excessive duplication of remote information in the lockfile. Note that
+this also requires recording when a particular registry didn't contain a certain
+module, but a registry with lower precedence did (see the "not found" entry in
+the example). This inherently mutable information can be updated via
+`bazel mod deps --lockfile_mode=refresh`.
+
+Bazel uses the hashes from the lockfile to look up registry files in the
+repository cache before downloading them, which speeds up subsequent
+resolutions.
+
+### Selected Yanked Versions
+
+The `selectedYankedVersions` section contains the yanked versions of modules
+that were selected by module resolution. Since this usually result in an error
+when trying to build, this section is only non-empty when yanked versions are
+explicitly allowed via `--allow_yanked_versions` or
+`BZLMOD_ALLOW_YANKED_VERSIONS`.
+
+This field is needed since, compared to module files, yanked version information
+is inherently mutable and thus can't be referenced by a hash. This information
+can be updated via `bazel mod deps --lockfile_mode=refresh`.
+
+### Module Extensions
+
+The `moduleExtensions` section is a map that includes only the extensions used
+in the current invocation or previously invoked, while excluding any extensions
+that are no longer utilized. In other words, if an extension is not being used
+anymore across the dependency graph, it is removed from the `moduleExtensions`
+map.
+
+If an extension is independent of the operating system or architecture type,
+this section features only a single "general" entry. Otherwise, multiple
+entries are included, named after the OS, architecture, or both, with each
+corresponding to the result of evaluating the extension on those specifics.
+
+Each entry in the extension map corresponds to a used extension and is
+identified by its containing file and name. The corresponding value for each
+entry contains the relevant information associated with that extension:
+
+1. The `bzlTransitiveDigest` is the digest of the extension implementation
+ and the .bzl files transitively loaded by it.
+2. The `usagesDigest` is the digest of the _usages_ of the extension in the
+ dependency graph, which includes all tags.
+3. Further unspecified fields that track other inputs to the extension,
+ such as contents of files or directories it reads or environment
+ variables it uses.
+4. The `generatedRepoSpecs` encode the repositories created by the
+ extension with the current input.
+5. The optional `moduleExtensionMetadata` field contains metadata provided by
+ the extension such as whether certain repositories it created should be
+ imported via `use_repo` by the root module. This information powers the
+ `bazel mod tidy` command.
+
+Module extensions can opt out of being included in the lockfile by setting the
+returning metadata with `reproducible = True`. By doing so, they promise that
+they will always create the same repositories when given the same inputs.
+
+## Best Practices
+
+To maximize the benefits of the lockfile feature, consider the following best
+practices:
+
+* Regularly update the lockfile to reflect changes in project dependencies or
+ configuration. This ensures that subsequent builds are based on the most
+ up-to-date and accurate set of dependencies. To lock down all extensions
+ at once, run `bazel mod deps --lockfile_mode=update`.
+
+* Include the lockfile in version control to facilitate collaboration and
+ ensure that all team members have access to the same lockfile, promoting
+ consistent development environments across the project.
+
+* Use [`bazelisk`](/install/bazelisk) to run Bazel, and include a
+ `.bazelversion` file in version control that specifies the Bazel version
+ corresponding to the lockfile. Because Bazel itself is a dependency of
+ your build, the lockfile is specific to the Bazel version, and will
+ change even between [backwards compatible](/release/backward-compatibility)
+ Bazel releases. Using `bazelisk` ensures that all developers are using
+ a Bazel version that matches the lockfile.
+
+By following these best practices, you can effectively utilize the lockfile
+feature in Bazel, leading to more efficient, reliable, and collaborative
+software development workflows.
+
+## Merge Conflicts
+
+The lockfile format is designed to minimize merge conflicts, but they can still
+happen.
+
+### Automatic Resolution
+
+Bazel provides a custom
+[git merge driver](https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver)
+to help resolve these conflicts automatically.
+
+Set up the driver by adding this line to a `.gitattributes` file in the root of
+your git repository:
+
+```gitattributes
+# A custom merge driver for the Bazel lockfile.
+# https://bazel.build/external/lockfile#automatic-resolution
+MODULE.bazel.lock merge=bazel-lockfile-merge
+```
+
+Then each developer who wants to use the driver has to register it once by
+following these steps:
+
+1. Install [jq](https://jqlang.github.io/jq/download/) (1.5 or higher).
+2. Run the following commands:
+
+```bash
+jq_script=$(curl https://raw.githubusercontent.com/bazelbuild/bazel/master/scripts/bazel-lockfile-merge.jq)
+printf '%s\n' "${jq_script}" | less # to optionally inspect the jq script
+git config --global merge.bazel-lockfile-merge.name "Merge driver for the Bazel lockfile (MODULE.bazel.lock)"
+git config --global merge.bazel-lockfile-merge.driver "jq -s '${jq_script}' -- %O %A %B > %A.jq_tmp && mv %A.jq_tmp %A"
+```
+
+### Manual Resolution
+
+Simple merge conflicts in the `registryFileHashes` and `selectedYankedVersions`
+fields can be safely resolved by keeping all the entries from both sides of the
+conflict.
+
+Other types of merge conflicts should not be resolved manually. Instead:
+
+1. Restore the previous state of the lockfile
+ via `git reset MODULE.bazel.lock && git checkout MODULE.bazel.lock`.
+2. Resolve any conflicts in the `MODULE.bazel` file.
+3. Run `bazel mod deps` to update the lockfile.
+
+---
+
+## Migration
+- URL: https://bazel.build/external/migration
+- Source: external/migration.mdx
+- Slug: /external/migration
+
+keywords: bzlmod
+---
+title: 'Bzlmod Migration Guide'
+---
+
+
+
+Due to the [shortcomings of
+WORKSPACE](/external/overview#workspace-shortcomings), Bzlmod is replacing the
+legacy WORKSPACE system. The WORKSPACE file is already disabled in Bazel 8 (late
+2024) and will be removed in Bazel 9 (late 2025). This guide helps you migrate
+your project to Bzlmod and drop WORKSPACE for managing external dependencies.
+
+## Why migrate to Bzlmod?
+
+* There are many [advantages](overview#benefits) compared to the legacy
+ WORKSPACE system, which helps to ensure a healthy growth of the Bazel
+ ecosystem.
+
+* If your project is a dependency of other projects, migrating to Bzlmod will
+ unblock their migration and make it easier for them to depend on your
+ project.
+
+* Migration to Bzlmod is a necessary step in order to use future Bazel
+ versions (mandatory in Bazel 9).
+
+## How to migrate to Bzlmod?
+
+Recommended migration process:
+
+1. Use [migration tool](/external/migration_tool) as a helper tool to
+ streamline the migration process as much as possible.
+2. If there are errors left after using the migration tool, resolve them
+ manually. For understanding the main differences between concepts inside
+ `WORKSPACE` and `MODULE.bazel` files, check [WORKSPACE versus
+ Bzlmod](#workspace-vs-bzlmod) section.
+
+## WORKSPACE vs Bzlmod
+
+Bazel's WORKSPACE and Bzlmod offer similar features with different syntax. This
+section explains how to migrate from specific WORKSPACE functionalities to
+Bzlmod.
+
+### Define the root of a Bazel workspace
+
+The WORKSPACE file marks the source root of a Bazel project, this responsibility
+is replaced by MODULE.bazel in Bazel version 6.3 and later. With Bazel versions
+prior to 6.3, there should still be a `WORKSPACE` or `WORKSPACE.bazel` file at
+your workspace root, maybe with comments like:
+
+* **WORKSPACE**
+
+ ```python
+ # This file marks the root of the Bazel workspace.
+ # See MODULE.bazel for external dependencies setup.
+ ```
+
+### Enable Bzlmod in your bazelrc
+
+`.bazelrc` lets you set flags that apply every time your run Bazel. To enable
+Bzlmod, use the `--enable_bzlmod` flag, and apply it to the `common` command so
+it applies to every command:
+
+* **.bazelrc**
+
+ ```
+ # Enable Bzlmod for every Bazel command
+ common --enable_bzlmod
+ ```
+
+### Specify repository name for your workspace
+
+* **WORKSPACE**
+
+ The [`workspace`](/rules/lib/globals/workspace#workspace) function is used
+ to specify a repository name for your workspace. This allows a target
+ `//foo:bar` in the workspace to be referenced as `@Installing using Homebrew
+ +### Step 1: Install Homebrew on macOS + +Install [Homebrew](https://brew.sh/) (a one-time step): + +```posix-terminal +/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" +``` + +### Step 2: Install Bazel via Homebrew + +Install the Bazel package via Homebrew as follows: + +```posix-terminal +brew install bazel +``` + +All set! You can confirm Bazel is installed successfully by running the +following command: + +```posix-terminal +bazel --version +``` + +Once installed, you can upgrade to a newer version of Bazel using the +following command: + +```posix-terminal +brew upgrade bazel +``` + +Installing using the binary installer
+ +The binary installers are on Bazel's +[GitHub releases page](https://github.com/bazelbuild/bazel/releases). + +The installer contains the Bazel binary. Some additional libraries +must also be installed for Bazel to work. + +### Step 1: Install Xcode command line tools + +If you don't intend to use `ios_*` rules, it is sufficient to install the Xcode +command line tools package by using `xcode-select`: + +```posix-terminal +xcode-select --install +``` + +Otherwise, for `ios_*` rule support, you must have Xcode 6.1 or later with iOS +SDK 8.1 installed on your system. + +Download Xcode from the +[App Store](https://apps.apple.com/us/app/xcode/id497799835) or the +[Apple Developer site](https://developer.apple.com/download/more/?=xcode). + +Once Xcode is installed, accept the license agreement for all users with the +following command: + +```posix-terminal +sudo xcodebuild -license accept +``` + +### Step 2: Download the Bazel installer + +Next, download the Bazel binary installer named +`bazel-| Query | +Target Built | +Output | +
|---|---|---|
| bazel cquery "//x:tool" | +//x:tool | +//x:tool(targetconfig) | +
| bazel cquery "//x:tool" --universe_scope="//x:my_gen" | +//x:my_gen | +//x:tool(execconfig) | +