We use cookies to understand how people use Depot.
Depot
Sign InGet started
Cache

Bazel

Bazel is a build tool that builds code quickly and reliably. It is used by many large projects, including Google, and is optimized for incremental builds with advanced local and remote caching and parallel execution. Bazel supports many different languages and platforms, and is highly configurable, scaling to codebases of any size.

Depot Cache provides a remote cache service that can be used with Bazel, allowing you to incrementally cache and reuse parts of your builds. This cache is accessible from anywhere, both on your local machine and on CI/CD systems.

Configuring Bazel to use Depot Cache

Depot Cache can be used with Bazel from Depot's managed GitHub Actions runners, from your local machine, from any CI/CD system, or within containerized builds using Dockerfiles or Bake files.

From Depot-managed Actions runners

Depot GitHub Actions runners are pre-configured to use Depot Cache with Bazel - each runner is launched with a $HOME/.bazelrc file that is pre-populated with the connection details for Depot Cache.

If you don't want Depot to override the $HOME/.bazelrc file on each runner, disable Allow Actions jobs to automatically connect to Depot Cache in your organization settings page. You can manually configure Bazel to use Depot Cache as described in the "Using Depot Cache from your local machine or any CI/CD system" section.

Using Depot Cache with Bazel in depot/build-push-action

When using depot/build-push-action to build Docker images that contain Bazel workspaces, your build needs access to Bazel's remote cache credentials to benefit from caching.

These credentials are not automatically available inside your Docker build environment. Unlike builds running directly on Depot-managed GitHub Actions runners (which have automatic access to Depot Cache environment variables), containerized builds execute in isolated VMs that require explicit configuration.

Follow these steps to securely pass your Bazel credentials into your Docker build:

  1. Store the Depot token in a GitHub Secret named DEPOT_TOKEN.

  2. Configure your GitHub Action to pass secrets to the container build:

- name: Build and push
  uses: depot/build-push-action@v1
  with:
    context: .
    file: ./Dockerfile
    push: true
    tags: your-image:tag
    secrets: |
      "DEPOT_TOKEN=${{ secrets.DEPOT_TOKEN }}"
  1. Update your Dockerfile to mount the secrets and configure Bazel:
# syntax=docker/dockerfile:1

# ... other Dockerfile instructions

# Create .bazelrc with cache configuration
RUN --mount=type=secret,id=DEPOT_TOKEN,env=DEPOT_TOKEN \
    echo "build --remote_cache=https://cache.depot.dev" >> ~/.bazelrc && \
    echo "build --remote_header=authorization=${DEPOT_TOKEN}" >> ~/.bazelrc && \
    bazel build

Adding # syntax=docker/dockerfile:1 as the first line of your Dockerfile enables mounting secrets as environment variables.

Using Depot Cache from your local machine or any CI/CD system

To manually configure Bazel to use Depot Cache, you will need to set two build flags in your .bazelrc file. Configure Bazel to use the Depot Cache service endpoint and set API token as the authorization header:

build --remote_cache=https://cache.depot.dev
build --remote_header=authorization=DEPOT_TOKEN

If you are a member of multiple organizations, and you are authenticating with a user token, you must additionally specify which organization to use for cache storage with the x-depot-org header:

build --remote_header=x-depot-org=DEPOT_ORG_ID

After Bazel is configured to use Depot Cache, you can then run your builds as you normally would. Bazel will automatically communicate with Depot Cache to fetch and reuse any stored build artifacts from your previous builds.

Using Depot Cache with Bazel in Depot CLI

When building directly with Depot CLI, follow these steps:

  1. Update your Dockerfile to mount the secret and configure Bazel:
# syntax=docker/dockerfile:1

# ... other Dockerfile instructions

# Create .bazelrc with cache configuration
RUN --mount=type=secret,id=DEPOT_TOKEN,env=DEPOT_TOKEN \
    echo "build --remote_cache=https://cache.depot.dev" >> ~/.bazelrc && \
    echo "build --remote_header=authorization=${DEPOT_TOKEN}" >> ~/.bazelrc && \
    bazel build

Adding # syntax=docker/dockerfile:1 as the first line of your Dockerfile enables mounting secrets as environment variables.

  1. Build with Depot CLI:
depot build --secret id=DEPOT_TOKEN,env=DEPOT_TOKEN -t your-image:tag .

Or with Docker Buildx:

docker buildx build --secret id=DEPOT_TOKEN,env=DEPOT_TOKEN -t your-image:tag .

Using Depot Cache with Bazel in Bake files

When using Bake files to build Docker images containing Bazel workspaces, you can pass secrets through the target.secret attribute:

  1. Define the secret in your docker-bake.hcl file:
target "default" {
  context    = "."
  dockerfile = "Dockerfile"
  tags       = ["your-image:tag"]
  secret = [
    {
      type = "env"
      id   = "DEPOT_TOKEN"
    }
  ]
}
  1. Update your Dockerfile to mount the secret and configure Bazel:
# syntax=docker/dockerfile:1

# ... other Dockerfile instructions

# Create .bazelrc with cache configuration
RUN --mount=type=secret,id=DEPOT_TOKEN,env=DEPOT_TOKEN \
    echo "build --remote_cache=https://cache.depot.dev" >> ~/.bazelrc && \
    echo "build --remote_header=authorization=${DEPOT_TOKEN}" >> ~/.bazelrc && \
    bazel build

Adding # syntax=docker/dockerfile:1 as the first line of your Dockerfile enables mounting secrets as environment variables.

  1. Run the build with depot bake:
DEPOT_TOKEN=your_token depot bake