Make extensions reproducible, add lock files

Returns `module_ctx.extension_metadata(reproducible = True)` from
module extensions and checks in `MODULE.bazel.lock` files. Adds
`--lockfile_mode=error` to the top level `.bazelrc`, and adds
`--lockfile_mode=update` where necessary to ensure tests don't break.

Also:

- Bumps `rules_go` to 0.58.2, which resolves
  bazel-contrib/rules_go#4480, and removes the temporary `git_override`.

- Bumps Go to 1.25.3 in `WORKSPACE` (missed in bazel-contrib#1778).

- Updates the `.bazelversion` files in nested repos to match the
  top-level `.bazelversion` file (missed in bazel-contrib#1778).

- Removes unnecessary `scala_deps.scala()` tags from the
  `dt_patches/test_dt_patches{,_user_srcjar}` and
  `test/compiler_sources_integrity` modules. This makes the resulting
  `MODULE.bazel.lock` files for the latter two modules much smaller.

- Removes `bazel shutdown` commands to speed up several tests, notably
  `dt_patches/dt_patch_test.sh` and `test/shell/test_examples.sh`.

Running

```txt
$ git diff --stat HEAD^ ':!:**.bazelversion' ':!:**MODULE.bazel.lock'
 .bazelci/presubmit.yml                                |  5 +++++
 .bazelrc                                              |  5 +++++
 .bcr/presubmit.yml                                    |  4 ++++
 .gitignore                                            |  5 ++---
 MODULE.bazel                                          | 13 ++-----------
 WORKSPACE                                             |  8 ++++----
 dt_patches/dt_patch_test.sh                           |  5 ++++-
 dt_patches/test_dt_patches/.bazelrc                   |  3 +++
 dt_patches/test_dt_patches/MODULE.bazel               |  1 -
 dt_patches/test_dt_patches_user_srcjar/.bazelrc       |  3 +++
 dt_patches/test_dt_patches_user_srcjar/MODULE.bazel   |  1 -
 dt_patches/test_dt_patches_user_srcjar/extensions.bzl |  4 +++-
 scala/extensions/config.bzl                           |  1 +
 scala/extensions/deps.bzl                             | 22 ++++++++++++++++++----
 scala/extensions/protoc.bzl                           |  3 +++
 scala/private/extensions/dev_deps.bzl                 |  1 +
 test/compiler_sources_integrity/.bazelrc              |  4 ++++
 test/compiler_sources_integrity/MODULE.bazel          |  1 -
 test/shell/test_examples.sh                           |  6 +++++-
 test_version.sh                                       |  4 +++-
 20 files changed, 70 insertions(+), 29 deletions(-)
```

---

At @jayconrod's suggestion, it seems worth revisiting the
`MODULE.bazel.lock` mechanism. The format appears to have stabilized
(especially in newer Bazels), and it seems explicitly marking extensions
as reproducible helps shrink lock files dramatically. While I've yet to
notice (or measure) performance benefits, the stability and security
benefits appear worth the effort.

Before marking `scala_deps` as reproducible, the `MODULE.bazel.lock`
file was 30892 lines long. This dramatic effect on our own lock file
suggests that this change will potentially help consumers maintain
smaller lock files as well.

The only time any of the extensions are nonreproducible is when a
`scala_deps.compiler_srcjar` tag contains no `label`, `sha256`, or
`integrity` attribute. This should prove so limited a case as to be
nonexistent in practice. Even so, the extension makes sure to indicate
that it's _not_ reproducible in that case. Diffing
`dt_patches/test_dt_patches{,_user_srcjar}/MODULE.bazel.lock` shows what
happens when a `compiler_srcjar` tag lacks those attributes.

Finally, `--lockfile_mode=error` is useful to detect lock file updates
when building with the default `.bazelversion`. However, running tests
with newer versions of Bazel in this mode will break. The `.bazelrc`
line introducing the `--lockfile_mode` flag has a comment suggesting
that users comment it out when testing other Bazel versions.

Author: mbland

.bazelci/presubmit.yml

@@ -41,6 +41,7 @@ tasks:
     shell_commands:
     # Install xmllint
     - sudo apt update && sudo apt install --reinstall libxml2-utils -y
+    - echo "common --lockfile_mode=update" >>.bazelrc
     - "./test_rules_scala.sh"
     soft_fail:
       - exit_status: "*"
@@ -150,8 +151,12 @@ tasks:
     working_directory: "examples/crossbuild"
     platform: ${{ bcr_platform }}
     bazel: ${{ bcr_bazel }}
+    build_flags:
+      - "--lockfile_mode=update"
     build_targets:
       - "//..."
+    test_flags:
+      - "--lockfile_mode=update"
     test_targets:
       - "//..."
     soft_fail:

.bazelrc

@@ -1,6 +1,11 @@
 # Remove once Bazel 8 becomes the minimum supported version.
 common --noenable_workspace --incompatible_use_plus_in_repo_names
 
+# Ensure that the `MODULE.bazel.lock` files don't change silently.
+# Comment out to actually update the lockfiles, and when testing a Bazel version
+# different from .bazelversion.
+common --lockfile_mode=error
+
 # Uncomment to run tests under `WORKSPACE`. Remove once Bazel 9 becomes the
 # minimum supported version.
 #common --enable_workspace --noenable_bzlmod

.bcr/presubmit.yml

@@ -9,7 +9,11 @@ bcr_test_module:
       name: "Build and test the example module"
       platform: ${{ platform }}
       bazel: ${{ bazel }}
+      build_flags:
+        - "--lockfile_mode=update"
       build_targets:
         - "//..."
+      test_flags:
+        - "--lockfile_mode=update"
       test_targets:
         - "//..."

.gitignore

@@ -20,12 +20,11 @@ repository-artifacts.json
 # From scripts/*.py
 **/__pycache__/
 
-# Until it settles down
-**/MODULE.bazel.lock
-
 # Used by some tests, but can also be used for local experimentation.
 tmp/
 
 # Not required by tests.
 deps/latest/.bazelversion
+deps/latest/MODULE.bazel.lock
+dt_patches/compiler_sources/MODULE.bazel.lock
 

MODULE.bazel

@@ -2,7 +2,7 @@
 
 module(
     name = "rules_scala",
-    version = "7.1.3",
+    version = "7.1.4",
     bazel_compatibility = [">=7.1.0"],
     compatibility_level = 7,
 )
@@ -257,19 +257,10 @@ bazel_dep(
 )
 bazel_dep(
     name = "rules_go",
-    version = "0.57.0",
+    version = "0.58.2",
     dev_dependency = True,
     repo_name = "io_bazel_rules_go",  # for com_github_bazelbuild_buildtools
 )
-
-# Temporary workaround until rules_go > 0.57.0 becomes available to resolve:
-# https://github.com/bazel-contrib/rules_go/issues/4480
-git_override(
-    module_name = "rules_go",
-    commit = "74199c92e20399b6ef46684b2c6fdd94b50a7892",
-    remote = "https://github.com/bazel-contrib/rules_go.git",
-)
-
 bazel_dep(name = "gazelle", version = "0.45.0", dev_dependency = True)
 
 go_sdk = use_extension(

MODULE.bazel.lock

@@ -106,10 +106,10 @@ local_repository(
 
 http_archive(
     name = "io_bazel_rules_go",
-    sha256 = "a729c8ed2447c90fe140077689079ca0acfb7580ec41637f312d650ce9d93d96",
+    sha256 = "54bbb67a4196170cc60ef3b52a2747ad1759cba4764b4c4752b744080ad99947",
     urls = [
-        "https://mirror.bazel.build/github.com/bazel-contrib/rules_go/releases/download/v0.57.0/rules_go-v0.57.0.zip",
-        "https://github.com/bazel-contrib/rules_go/releases/download/v0.57.0/rules_go-v0.57.0.zip",
+        "https://mirror.bazel.build/github.com/bazel-contrib/rules_go/releases/download/v0.58.2/rules_go-v0.58.2.zip",
+        "https://github.com/bazel-contrib/rules_go/releases/download/v0.58.2/rules_go-v0.58.2.zip",
     ],
 )
 
@@ -121,7 +121,7 @@ load(
 
 go_rules_dependencies()
 
-go_register_toolchains(version = "1.25.1")
+go_register_toolchains(version = "1.25.3")
 
 http_archive(
     name = "bazelci_rules",

WORKSPACE

@@ -1 +1 @@
-7.6.1
+7.6.2

dt_patches/compiler_sources/.bazelversion

@@ -16,7 +16,6 @@ run_in_test_repo() {
   cd "${dir}/${test_repo}" || return 1
   "${test_command[@]}" || response_code=$?
 
-  bazel shutdown
   cd ../..
   return $response_code
 }
@@ -120,6 +119,8 @@ $runner test_compiler_patch 3.5.2
 $runner test_compiler_patch 3.6.4
 $runner test_compiler_patch 3.7.3
 
+run_in_test_repo 'test_dt_patches' bazel shutdown
+
 $runner test_compiler_srcjar_error 2.12.11
 $runner test_compiler_srcjar_error 2.12.12
 $runner test_compiler_srcjar_error 2.12.13
@@ -152,3 +153,5 @@ $runner test_compiler_srcjar 3.4.3
 $runner test_compiler_srcjar_nonhermetic 3.5.2
 $runner test_compiler_srcjar_nonhermetic 3.6.4
 $runner test_compiler_srcjar_nonhermetic 3.7.3
+
+run_in_test_repo 'test_dt_patches_user_srcjar' bazel shutdown

dt_patches/dt_patch_test.sh

@@ -1 +1,4 @@
 import ../../.bazelrc
+
+# The `--repo_env` flags cause `MODULE.bazel.lock` updates.
+common --lockfile_mode=update