Drop non-hermetic deps in _go_tool_binary_impl

dzbarsky · dzbarsky · commit 45a6cc913121 · 2025-05-26T22:55:53.000-04:00
diff --git a/go/private/rules/binary.bzl b/go/private/rules/binary.bzl
@@ -485,16 +485,18 @@ def _go_tool_binary_impl(ctx):
         name += ".exe"
 
     out = ctx.actions.declare_file(name)
+
+    # Using pre-declared directory for temporary output to avoid needing to use shell to create it.
+    gotmp = ctx.actions.declare_directory(name + "_gotmp")
     if sdk.goos == "windows":
-        # Using pre-declared directory for temporary output as there is no safe
-        # way under Windows to create unique temporary dir.
-        gotmp = ctx.actions.declare_directory("gotmp")
         cmd = """@echo off
 set GOMAXPROCS=1
 set GOCACHE=%cd%\\{gotmp}\\gocache
 set GOPATH=%cd%"\\{gotmp}\\gopath
 set GOTOOLCHAIN=local
 set GO111MODULE=off
+set GOTELEMETRY=off
+set GOENV=off
 {go} build -o {out} -trimpath -ldflags \"-buildid='' {ldflags}\" {srcs}
 set GO_EXIT_CODE=%ERRORLEVEL%
 RMDIR /S /Q "{gotmp}"
@@ -523,30 +525,44 @@ exit /b %GO_EXIT_CODE%
             mnemonic = "GoToolchainBinaryBuild",
         )
     else:
-        # Note: GOPATH is needed for Go 1.16.
-        cmd = """
-GOTMP=$(mktemp -d)
-trap "rm -rf \"$GOTMP\"" EXIT
-GOMAXPROCS=1 \
-GOCACHE="$GOTMP"/gocache \
-GOPATH="$GOTMP"/gopath \
-GOTOOLCHAIN=local \
-GO111MODULE=off \
-{go} build -o {out} -trimpath -ldflags '-buildid="" {ldflags}' {srcs}
-""".format(
-            go = sdk.go.path,
-            out = out.path,
-            srcs = " ".join([f.path for f in ctx.files.srcs]),
-            ldflags = ctx.attr.ldflags,
+        # A dummy action to generate `gotmp`; this way the compilation below can avoid listing it in `outputs`.
+        # The net effect is to avoid copying out the GOCACHE when actions run sandboxed.
+        # Incidentally, this makes the reproducibility test pass.
+        ctx.actions.write(
+            output = gotmp,
+            content = "",
         )
-        ctx.actions.run_shell(
-            command = cmd,
-            tools = depset(
-                ctx.files.srcs + [sdk.go],
+
+        # In case actions are running unsandboxed, GOCACHE in `gotmp` may have been polluted.
+        # -a flag forces a rebuild so we are not affected by it.
+        args = ctx.actions.args()
+        args.add("build")
+        args.add("-a")
+        args.add("-o", out)
+        args.add("-trimpath")
+        args.add("-ldflags", ctx.attr.ldflags, format = '-buildid="" %s')
+        args.add_all(ctx.files.srcs)
+
+        ctx.actions.run(
+            executable = sdk.go,
+            arguments = [args],
+            env = {
+                "GOMAXPROCS": "1",
+                "GOTOOLCHAIN": "local",
+                "GO111MODULE": "off",
+                "GOTELEMETRY": "off",
+                "GOENV": "off",
+                # GOCACHE and GOPATH will default themselves to locations under $HOME.
+                # Otherwise we would need to set them explicitly, in which case they must be absolute paths.
+                # That would require a wrapper script/shell dependency.
+                "HOME": gotmp.path,
+            },
+            inputs = depset(
+                ctx.files.srcs,
                 transitive = [sdk.headers, sdk.srcs, sdk.libs, sdk.tools],
             ),
-            toolchain = None,
             outputs = [out],
+            toolchain = None,
             mnemonic = "GoToolchainBinaryBuild",
         )
 
