Bazel is a build tool that builds code quickly and reliably. It is used by many large projects, including Google, and is optimized for incremental builds with advanced local and remote caching and parallel execution. Bazel supports many different languages and platforms, and is highly configurable, scaling to codebases of any size.
Depot Cache provides a remote cache service that can be used with Bazel, allowing you to incrementally cache and reuse parts of your builds. This cache is accessible from anywhere, both on your local machine and on CI/CD systems.
Depot Cache can be used with Bazel from Depot's managed GitHub Actions runners, from your local machine, or from any CI/CD system.
Depot GitHub Actions runners are pre-configured to use Depot Cache with Bazel - each runner is launched with a $HOME/.bazelrc file that is pre-populated with the connection details for Depot Cache.
If this automatic configuration is incompatible with your specific setup, you can disable automatic configuration in your organization settings page and manually configure Bazel to use Depot Cache as described below.
To manually configure Bazel to use Depot Cache, you will need to set two build flags in your .bazelrc file. Configure Bazel to use the Depot Cache service endpoint and set API token as the authorization header:
build --remote_cache=https://cache.depot.dev
build --remote_header=authorization=DEPOT_TOKENIf you are a member of multiple organizations, and you are authenticating with a user token, you must additionally specify which organization to use for cache storage with the x-depot-org header:
build --remote_header=x-depot-org=DEPOT_ORG_IDOnce Bazel is configured to use Depot Cache, you can then run your builds as you normally would. Bazel will automatically communicate with Depot Cache to fetch and reuse any stored build artifacts from your previous builds.
depot/build-push-actionWhen using depot/build-push-action to build Docker images that contain Bazel workspaces, your build needs access to Bazel's remote cache credentials to benefit from caching.
These credentials are not automatically available inside your Docker build environment. Unlike builds running directly on Depot-managed GitHub Actions runners (which have automatic access to Depot Cache environment variables), containerized builds execute in isolated VMs that require explicit configuration.
Follow these steps to securely pass your Bazel credentials into your Docker build:
Store the Depot token in a GitHub Secret named DEPOT_TOKEN.
Configure your GitHub Action to pass secrets to the container build:
- name: Build and push
uses: depot/build-push-action@v1
with:
context: .
file: ./Dockerfile
push: true
tags: your-image:tag
secrets: |
"DEPOT_TOKEN=${{ secrets.DEPOT_TOKEN }}"# syntax=docker/dockerfile:1
# ... other Dockerfile instructions
# Create .bazelrc with cache configuration
RUN --mount=type=secret,id=DEPOT_TOKEN,env=DEPOT_TOKEN \
echo "build --remote_cache=https://cache.depot.dev" >> ~/.bazelrc && \
echo "build --remote_header=authorization=${DEPOT_TOKEN}" >> ~/.bazelrc && \
bazel buildAdding # syntax=docker/dockerfile:1 as the first line of your Dockerfile enables mounting secrets as environment variables.