From 21ffc897ee7404520eaf60dfd0ab2fb67b49caae Mon Sep 17 00:00:00 2001
From: Joshua Haberman
Date: Tue, 27 Jan 2026 21:29:42 -0800
Subject: [PATCH] Locked down visibility for OSS-only Bazel files. These files were only just introduced into this location, so this particular change is not breaking.
PiperOrigin-RevId: 862030442
---
.github/workflows/release_prep.sh | 2 +-
bazel/private/oss/BUILD.bazel | 2 +-
bazel/private/oss/cc_proto_library.bzl | 4 ++++
bazel/private/oss/proto_bazel_features.bzl | 4 ++++
bazel/private/oss/py_proto_library.bzl | 4 ++++
.../private/oss/toolchains/prebuilt}/platforms.bzl | 2 ++
.../private/oss/toolchains/prebuilt/protoc_authenticity.bzl | 2 ++
bazel/private/oss/toolchains/prebuilt/protoc_extension.bzl | 6 +++++-
bazel/private/oss/toolchains/prebuilt/protoc_toolchain.bzl | 6 ++++--
bazel/private/oss/toolchains/prebuilt/tool_integrity.bzl | 2 ++
10 files changed, 29 insertions(+), 5 deletions(-)
rename {toolchain => bazel/private/oss/toolchains/prebuilt}/platforms.bzl (98%)
diff --git a/.github/workflows/release_prep.sh b/.github/workflows/release_prep.sh
index bb7835cbad6f1..bfc73677519ea 100755
--- a/.github/workflows/release_prep.sh
+++ b/.github/workflows/release_prep.sh
@@ -9,7 +9,7 @@ TAG=$1
PREFIX="protobuf-${TAG:1}"
ARCHIVE="$PREFIX.bazel.tar.gz"
ARCHIVE_TMP=$(mktemp)
-INTEGRITY_FILE=${PREFIX}/bazel/private/prebuilt_tool_integrity.bzl
+INTEGRITY_FILE=${PREFIX}/bazel/private/oss/toolchains/prebuilt/tool_integrity.bzl
# NB: configuration for 'git archive' is in /.gitattributes
git archive --format=tar --prefix=${PREFIX}/ ${TAG} > $ARCHIVE_TMP
diff --git a/bazel/private/oss/BUILD.bazel b/bazel/private/oss/BUILD.bazel
index 24aecb637e227..6f6f56fd28c47 100644
--- a/bazel/private/oss/BUILD.bazel
+++ b/bazel/private/oss/BUILD.bazel
@@ -31,7 +31,7 @@ bzl_library(
bzl_library(
name = "py_proto_library_bzl",
srcs = ["py_proto_library.bzl"],
- visibility = ["//visibility:public"],
+ visibility = ["//bazel:__pkg__"],
deps = [
"//bazel/common:proto_common_bzl",
"//bazel/common:proto_info_bzl",
diff --git a/bazel/private/oss/cc_proto_library.bzl b/bazel/private/oss/cc_proto_library.bzl
index e51545011e522..e817621296071 100644
--- a/bazel/private/oss/cc_proto_library.bzl
+++ b/bazel/private/oss/cc_proto_library.bzl
@@ -15,6 +15,10 @@ load("//bazel/flags:flags.bzl", "get_flag_value")
load("//bazel/private:cc_proto_support.bzl", "cc_proto_compile_and_link")
load("//bazel/private:toolchain_helpers.bzl", "toolchains")
+visibility([
+ "//bazel/...",
+])
+
_CC_PROTO_TOOLCHAIN = Label("//bazel/private:cc_toolchain_type")
_ProtoCcFilesInfo = provider(fields = ["files"], doc = "Provide cc proto files.")
diff --git a/bazel/private/oss/proto_bazel_features.bzl b/bazel/private/oss/proto_bazel_features.bzl
index 37efd40394675..1ca65802ac421 100644
--- a/bazel/private/oss/proto_bazel_features.bzl
+++ b/bazel/private/oss/proto_bazel_features.bzl
@@ -7,6 +7,10 @@
#
"""Vendored version of bazel_features for protobuf, to keep a one-step setup"""
+visibility([
+ "//",
+])
+
_PROTO_BAZEL_FEATURES = """bazel_features = struct(
cc = struct(
protobuf_on_allowlist = {protobuf_on_allowlist},
diff --git a/bazel/private/oss/py_proto_library.bzl b/bazel/private/oss/py_proto_library.bzl
index c4864307af0df..1011a8962df31 100644
--- a/bazel/private/oss/py_proto_library.bzl
+++ b/bazel/private/oss/py_proto_library.bzl
@@ -5,6 +5,10 @@ load("//bazel/common:proto_common.bzl", "proto_common")
load("//bazel/common:proto_info.bzl", "ProtoInfo")
load("//bazel/private:toolchain_helpers.bzl", "toolchains")
+visibility([
+ "//bazel",
+])
+
_PY_PROTO_TOOLCHAIN = Label("//bazel/private:python_toolchain_type")
_PyProtoInfo = provider(
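Review bot: Only the `py_proto_library_bzl` target is narrowed in this BUILD file, although the same commit restricts load visibility on cc_proto_library.bzl and proto_bazel_features.bzl in the same package. The diffstat shows a single changed line here, so any `bzl_library` targets for those two files keep whatever visibility they had. If such targets exist (the hunk header shows another `bzl_library(` above, outside the hunk), give them a matching scope, for example `visibility = ["//bazel:__subpackages__"],` for the cc one, so target visibility and load visibility do not drift apart.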
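Review bot: In cc_proto_library.bzl the entry `"//bazel/..."` admits loads from //bazel and every package beneath it, including packages added later, whereas py_proto_library.bzl in this same commit is limited to `"//bazel"`. If the only intended loader is the public wrapper in //bazel (not visible in this diff), use the same single-package form, `visibility(["//bazel"])`. Otherwise add a comment above the call listing the subpackages that need it, so the wider scope reads as deliberate rather than accidental.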
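Review bot: The allowlist entry `"//"` in proto_bazel_features.bzl carries no explanation, and the same holds for `"//src/google/protobuf"` in protoc_extension.bzl later in this patch. Neither loading file is visible in the diff, so a reader cannot tell whether an entry is still required or could be dropped. Add a one-line comment above each call naming the loader, along the lines of `# Loaded only by <loader file in the root package>.`, so stale entries get removed instead of accumulating.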
diff --git a/toolchain/platforms.bzl b/bazel/private/oss/toolchains/prebuilt/platforms.bzl
similarity index 98%
rename from toolchain/platforms.bzl
rename to bazel/private/oss/toolchains/prebuilt/platforms.bzl
index dbd386a1044bc..65d29b11dc743 100644
--- a/toolchain/platforms.bzl
+++ b/bazel/private/oss/toolchains/prebuilt/platforms.bzl
@@ -1,5 +1,7 @@
"List of published platforms on protobuf GitHub releases"
+visibility("private")
+
# Keys are chosen to match the filenames published on protocolbuffers/protobuf releases
# NB: keys in this list are nearly identical to /toolchain/BUILD.bazel#TOOLCHAINS
# Perhaps we should share code.
diff --git a/bazel/private/oss/toolchains/prebuilt/protoc_authenticity.bzl b/bazel/private/oss/toolchains/prebuilt/protoc_authenticity.bzl
index c866304e510da..a989ebd98ee32 100644
--- a/bazel/private/oss/toolchains/prebuilt/protoc_authenticity.bzl
+++ b/bazel/private/oss/toolchains/prebuilt/protoc_authenticity.bzl
@@ -4,6 +4,8 @@ load("//bazel/common:proto_common.bzl", "proto_common")
load("//bazel/private:toolchain_helpers.bzl", "toolchains")
load(":tool_integrity.bzl", "RELEASE_VERSION")
+visibility("private")
+
def _protoc_authenticity_impl(ctx):
# When this flag is disabled, then users have no way to replace the protoc binary with their own toolchain registration.
# Therefore there's no validation to perform.
diff --git a/bazel/private/oss/toolchains/prebuilt/protoc_extension.bzl b/bazel/private/oss/toolchains/prebuilt/protoc_extension.bzl
index 4efece6db7ff0..6b5e0a0ab0f56 100644
--- a/bazel/private/oss/toolchains/prebuilt/protoc_extension.bzl
+++ b/bazel/private/oss/toolchains/prebuilt/protoc_extension.bzl
@@ -1,9 +1,13 @@
"Module extensions for use under bzlmod"
load("@bazel_skylib//lib:modules.bzl", "modules")
-load("//toolchain:platforms.bzl", "PROTOBUF_PLATFORMS")
+load(":platforms.bzl", "PROTOBUF_PLATFORMS")
load(":protoc_toolchain.bzl", "prebuilt_protoc_repo")
+visibility([
+ "//src/google/protobuf",
+])
+
def create_all_toolchain_repos(name = "prebuilt_protoc"):
for platform in PROTOBUF_PLATFORMS.keys():
prebuilt_protoc_repo(
diff --git a/bazel/private/oss/toolchains/prebuilt/protoc_toolchain.bzl b/bazel/private/oss/toolchains/prebuilt/protoc_toolchain.bzl
index 842ac00f97e22..cd0f682821e0a 100644
--- a/bazel/private/oss/toolchains/prebuilt/protoc_toolchain.bzl
+++ b/bazel/private/oss/toolchains/prebuilt/protoc_toolchain.bzl
@@ -1,8 +1,10 @@
"Repository rule that downloads a pre-compiled protoc from our official release for a single platform."
-load("//toolchain:platforms.bzl", "PROTOBUF_PLATFORMS")
+load(":platforms.bzl", "PROTOBUF_PLATFORMS")
load(":tool_integrity.bzl", "RELEASED_BINARY_INTEGRITY", "RELEASE_VERSION")
+visibility("private")
+
def release_version_to_artifact_name(release_version, platform):
# versions have a "v" prefix like "v28.0"
stripped_version = release_version.removeprefix("v")
@@ -34,7 +36,7 @@ def _prebuilt_protoc_repo_impl(rctx):
# Generated by @protobuf//bazel/private/oss/toolchains/prebuilt:protoc_toolchain.bzl
load("@com_google_protobuf//bazel/toolchains:proto_toolchain.bzl", "proto_toolchain")
-package(default_visibility = ["//visibility:public"])
+package(default_visibility = ["@com_google_protobuf//bazel/private/oss/toolchains/prebuilt:__pkg__"])
proto_toolchain(
name = "prebuilt_protoc_toolchain",
diff --git a/bazel/private/oss/toolchains/prebuilt/tool_integrity.bzl b/bazel/private/oss/toolchains/prebuilt/tool_integrity.bzl
index 913b217cff44b..3b255dc968bd3 100644
--- a/bazel/private/oss/toolchains/prebuilt/tool_integrity.bzl
+++ b/bazel/private/oss/toolchains/prebuilt/tool_integrity.bzl
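Review bot: The `default_visibility` written into the generated BUILD text in protoc_toolchain.bzl hard-codes `@com_google_protobuf//bazel/private/oss/toolchains/prebuilt:__pkg__` as a string. It therefore relies on that apparent repository name resolving from inside the generated repository and on this package path staying put, yet platforms.bzl was moved into this directory in this very commit. The generated header comment at the top of the hunk already names the repository `@protobuf`, which shows the spellings can diverge. If the template is filled with format arguments, consider passing a label resolved in this file, e.g. `str(Label("//bazel/private/oss/toolchains/prebuilt:__pkg__"))`, instead of the literal. `_prebuilt_protoc_repo_impl` starts and ends outside the hunk, so how the text is assembled is not visible here.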
@@ -6,6 +6,8 @@ so that the integrity of the prebuilt tools is included in the release artifact.
The checked in content is only here to allow load() statements in the sources to resolve, and permit local testing.
"""
+visibility("private")
+
# An arbitrary version of protobuf that includes pre-built binaries.
# See /examples/example_without_cc_toolchain which uses this for testing.
# TODO: add some automation to update this version occasionally.
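Review bot: `visibility("private")` is added only to the checked-in copy of tool_integrity.bzl, which its own docstring describes as a stand-in that exists so load() statements resolve, with the real integrity data supplied for the release artifact. The diffstat shows one changed line in release_prep.sh (the INTEGRITY_FILE path), so whatever text that script writes is untouched by this commit. If the script emits the whole file rather than appending to it (its body is outside the diff), released archives would ship this file without the declaration and `RELEASED_BINARY_INTEGRITY` would be loadable from any package. Have the release template emit `visibility("private")` too, and consider a release-time check that the packaged file contains it.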