fix(bazel): resolve tinyland registry deps in standalone build#2
Conversation
- add the active tinyland Bazel registry before BCR in .bazelrc - rename the generated npm extension repo from generic 'npm' to tummycrypt_tinyland_activitypub_npm - update BUILD.bazel loads to use the module-scoped npm repo - bump bazel_dep versions per dep mapping Validation: typecheck ✓, build ✓, check:package ✓
Greptile SummaryThis PR makes Confidence Score: 5/5Safe to merge — all findings are P2 (cleanup suggestions), and the author confirms typecheck, build, and package checks pass. No P0 or P1 issues found. The only open question is whether bazel_dep(tummycrypt_tinyland_content_types) is still needed now that BUILD.bazel no longer references it directly, but this is a harmless dead-declaration at worst. No files require special attention. Important Files Changed
Sequence DiagramsequenceDiagram
participant Bazel
participant PrivateReg as tinyland-inc/bazel-registry
participant BCR as bcr.bazel.build
participant npm as tummycrypt_tinyland_activitypub_npm
Bazel->>PrivateReg: resolve tummycrypt_tinyland_content_types@0.2.3
PrivateReg-->>Bazel: module metadata
Bazel->>BCR: resolve aspect_rules_js, aspect_rules_ts, etc.
BCR-->>Bazel: module metadata
Bazel->>npm: npm_translate_lock (pnpm-lock.yaml)
npm-->>Bazel: @tummycrypt_tinyland_activitypub_npm repo
Bazel->>Bazel: load @tummycrypt_tinyland_activitypub_npm//:defs.bzl
Bazel->>Bazel: npm_link_all_packages → :node_modules
Bazel->>Bazel: ts_project(deps=[:node_modules, :node_modules/@types/node])
Reviews (4): Last reviewed commit: "ci: use authenticated Bazel package work..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| @@ -1,4 +1,6 @@ | |||
| common --enable_bzlmod | |||
| common --registry=https://raw.githubusercontent.com/tinyland-inc/bazel-registry/main | |||
There was a problem hiding this comment.
The registry URL pins to the main branch, so any push to main in tinyland-inc/bazel-registry immediately changes which module metadata Bazel fetches — breaking reproducibility and creating a supply-chain window. Pinning to a commit SHA or a tag makes the lockstep explicit and auditable.
| common --registry=https://raw.githubusercontent.com/tinyland-inc/bazel-registry/main | |
| common --registry=https://raw.githubusercontent.com/tinyland-inc/bazel-registry/<commit-sha-or-tag> |
Earlier commit on this branch only updated BUILD.bazel @npm// references but missed updating MODULE.bazel's npm.npm_translate_lock(name = ...) and use_repo(npm, ...) entries. This commit completes the rename.
The standalone repo's bazel_dep edges in MODULE.bazel handle inter-module resolution. The //packages/* references were leftover from monorepo BUILD.bazel generation and don't resolve in standalone builds. Validation: typecheck ✓, build ✓, check:package ✓
Bump to 0.2.3 to release the npm-scope/registry repair (PR #2) under a fresh tag. The existing v0.2.2 tag predates the repair commits. Validation: typecheck ✓, build ✓, check:package ✓
1 participant
Layer 1 repair following security#2 pattern. Validation: typecheck ✓, build ✓, check:package ✓