refactor: use hermetic tar

Fixes #328

fix: supply mtree file for determinism

fix: set tar content times to beginning of this year

avoids some tools thinking that 1970 is 'too old'

refactor: extract function for mtree lines

refactor: cleanup STAGING_DIR

chore: bump to bazel-lib 2.0rc

chore: remove bazel 5 workaround

Bazel-lib 2.0 doesn't include this anymore

chore: upgrade stardoc to match bzlmod version

ci: test on bazel 7 rather than 5

oci/private/tarball.bzl

@@ -76,12 +76,14 @@ def _tarball_impl(ctx):
 
  image = ctx.file.image
  tarball = ctx.actions.declare_file("{}/tarball.tar".format(ctx.label.name))
+ bsdtar = ctx.toolchains["@aspect_bazel_lib//lib:tar_toolchain_type"]
  executable = ctx.actions.declare_file("{}/tarball.sh".format(ctx.label.name))
  repo_tags = ctx.file.repo_tags
 
  substitutions = {
  "{{format}}": ctx.attr.format,
  "{{jq_path}}": jq.bin.path,
+ "{{tar}}": bsdtar.tarinfo.binary.path,
  "{{image_dir}}": image.path,
  "{{tarball_path}}": tarball.path,
  }
@@ -96,9 +98,15 @@ def _tarball_impl(ctx):
  substitutions = substitutions,
  )
 
+ # TODO(2.0): this oci_tarball rule should just produce an mtree manifest instead,
+ # and then the tar rule can be composed in the oci_tarball macro in defs.bzl.
+ # To make it a non-breaking change, call the tar program from within this action instead.
  ctx.actions.run(
  executable = util.maybe_wrap_launcher_for_windows(ctx, executable),
- inputs = [image, repo_tags, executable],
+ inputs = depset(
+ direct = [image, repo_tags, executable],
+ transitive = [bsdtar.default.files],
+ ),
  outputs = [tarball],
  tools = [jq.bin],
  mnemonic = "OCITarball",
@@ -131,6 +139,7 @@ oci_tarball = rule(
  toolchains = [
  "@bazel_tools//tools/sh:toolchain_type",
  "@aspect_bazel_lib//lib:jq_toolchain_type",
+ "@aspect_bazel_lib//lib:tar_toolchain_type",
  ],
  executable = True,
 )

oci/private/tarball.sh.tpl

@@ -2,10 +2,9 @@
 set -o pipefail -o errexit -o nounset
 
 readonly FORMAT="{{format}}"
-readonly STAGING_DIR=$(mktemp -d)
 readonly JQ="{{jq_path}}"
+readonly TAR="{{tar}}"
 readonly IMAGE_DIR="{{image_dir}}"
-readonly BLOBS_DIR="${STAGING_DIR}/blobs"
 readonly TARBALL_PATH="{{tarball_path}}"
 readonly REPOTAGS=($(cat "{{tags}}"))
 readonly INDEX_FILE="${IMAGE_DIR}/index.json"
@@ -84,6 +83,7 @@ MANIFEST_BLOB_PATH="${IMAGE_DIR}/blobs/${MANIFEST_DIGEST}"
 
 CONFIG_DIGEST=$(${JQ} -r '.config.digest | sub(":"; "/")' ${MANIFEST_BLOB_PATH})
 CONFIG_BLOB_PATH="${IMAGE_DIR}/blobs/${CONFIG_DIGEST}"
+add_to_tar "${CONFIG_BLOB_PATH}" "blobs/${CONFIG_DIGEST}"
 
 LAYERS=$(${JQ} -cr '.layers | map(.digest | sub(":"; "/"))' ${MANIFEST_BLOB_PATH})
 
@@ -100,5 +100,7 @@ repotags="${REPOTAGS[@]+"${REPOTAGS[@]}"}"
  --arg config "blobs/${CONFIG_DIGEST}" \
  --argjson layers "${LAYERS}" > "${STAGING_DIR}/manifest.json"
 
-# TODO: https://github.com/bazel-contrib/rules_oci/issues/217
-tar -C "${STAGING_DIR}" -cf "${TARBALL_PATH}" manifest.json blobs
+add_to_tar "${manifest_json}" "manifest.json"
+
+# We've created the manifest, now hand it off to tar to create our final output
+"${TAR}" --create --file "${TARBALL_PATH}" "@${mtree}"

oci/repositories.bzl

@@ -1,6 +1,6 @@
 """Repository rules for fetching external tools"""
 
-load("@aspect_bazel_lib//lib:repositories.bzl", "register_copy_to_directory_toolchains", "register_coreutils_toolchains", "register_jq_toolchains")
+load("@aspect_bazel_lib//lib:repositories.bzl", "register_copy_to_directory_toolchains", "register_coreutils_toolchains", "register_jq_toolchains", "register_tar_toolchains")
 load("//oci/private:toolchains_repo.bzl", "PLATFORMS", "toolchains_repo")
 load("//oci/private:versions.bzl", "CRANE_VERSIONS", "ZOT_VERSIONS")
 
@@ -113,6 +113,7 @@ def oci_register_toolchains(name, crane_version, zot_version = None, register =
  Should be True for WORKSPACE users, but false when used under bzlmod extension
  """
  register_jq_toolchains(register = register)
+ register_tar_toolchains(register = register)
  register_coreutils_toolchains(register = register)
  register_copy_to_directory_toolchains(register = register)