Enforce MODULE.bazel.lock Versioning and CI Drift Check Across S-CORE Repositories #2628

@dcalavrezo-qorix

What

Introduce mandatory versioning and CI enforcement of MODULE.bazel.lock across all S-CORE repositories that use Bazel Bzlmod.

The goal is to strengthen:

  • Long-term reproducibility
  • Configuration traceability
  • Deterministic dependency resolution
  • Safety-readiness

Currently, several repositories do not commit MODULE.bazel.lock. Even with pinned bazel_dep versions, dependency resolution can drift due to:

  • Transitive dependency updates
  • Registry metadata changes
  • Yanked releases
  • Changes in Bazel’s resolver between versions

Without committing the lock file, the fully resolved module graph is not frozen, which can result in:

  • Non-deterministic rebuilds
  • Release branches building differently over time
  • Increased requalification effort for safety-relevant software

This task aims to close that gap systematically across all S-CORE repositories.

How

Step 1 – Repository Audit

  • Identify all S-CORE repositories using Bazel with Bzlmod (MODULE.bazel present).
  • Check which repositories:
    • Already version MODULE.bazel.lock
    • Do not version MODULE.bazel.lock
  • Create a tracking checklist.

Step 2 – Introduce Lockfile Where Missing

Run:

bazel mod tidy

Commit the generated MODULE.bazel.lock and ensure it is tracked in version control.

Step 3 – Add CI Drift Check

Add a CI job to enforce lock consistency:

# something like
bazel mod tidy
git diff --exit-code -- MODULE.bazel MODULE.bazel.lock

The job should fail if:

  • MODULE.bazel.lock is missing
  • The lock file changes after bazel mod tidy
  • MODULE.bazel was modified without updating the lock file

This check should be integrated into the reusable workflow (preferred) or in the repo if not possible.

Estimates for realization

Impact to Users of the Feature

Positive long-term impact:

  • Deterministic builds
  • Stable release branches
  • Improved auditability
  • Reduced risk of silent dependency drift

Short-term impact:

  • Contributors must run bazel mod tidy when modifying dependencies
  • Lock file diffs may appear in PRs

Category

  • Affects Detailed Design

Requirements / Architecture

  • Requirements / Architecture are not affected by this change?
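
One way to implement the Step 3 drift check so that it covers all three failure conditions, as an added example that is not part of the original issue or of any S-CORE workflow. `git diff --exit-code` alone does not report a lock file that is missing or untracked, so the function checks those cases explicitly and then compares both files before and after tidy, which on a fresh CI checkout is equivalent to diffing against the commit. Assumptions: the `TIDY_CMD` override and the script name `check_lock.sh` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): CI gate for MODULE.bazel.lock drift.
# Assumption: TIDY_CMD is a hypothetical override so the gate can be
# exercised without a Bazel installation; it defaults to `bazel mod tidy`.

# check_lock_drift <repo_dir>
# Returns: 0 consistent, 1 lock file missing or untracked,
#          2 files changed after tidy, 3 tidy (or setup) failed.
check_lock_drift() {
  local repo="$1" snap f rc=0
  if [ ! -f "$repo/MODULE.bazel.lock" ]; then
    echo "FAIL: MODULE.bazel.lock is missing" >&2
    return 1
  fi
  # `git diff` ignores untracked files, so verify tracking explicitly.
  # Skipped when repo_dir is not a git work tree (never the case in CI).
  if git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
     ! git -C "$repo" ls-files --error-unmatch MODULE.bazel.lock >/dev/null 2>&1; then
    echo "FAIL: MODULE.bazel.lock exists but is not tracked" >&2
    return 1
  fi
  # Snapshot both files, run tidy, then compare byte for byte.
  snap=$(mktemp -d) || return 3
  if ! cp "$repo/MODULE.bazel" "$repo/MODULE.bazel.lock" "$snap/"; then
    rm -rf "$snap"
    return 3
  fi
  if ! ( cd "$repo" && ${TIDY_CMD:-bazel mod tidy} ) >&2; then
    rm -rf "$snap"
    echo "FAIL: tidy command failed" >&2
    return 3
  fi
  for f in MODULE.bazel MODULE.bazel.lock; do
    if ! cmp -s "$snap/$f" "$repo/$f"; then
      echo "FAIL: $f changed after tidy; run it locally and commit the result" >&2
      rc=2
    fi
  done
  rm -rf "$snap"
  return "$rc"
}

# Entry point for a CI step: ./check_lock.sh --ci [repo_dir]
if [ "${1:-}" = "--ci" ]; then
  check_lock_drift "${2:-.}"
  exit $?
fi
```

Distinct return codes let the workflow report whether the lock file is absent or merely stale.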
