[build] limit what check job pulls in

[titusfortner]

User description

I'm moving this to its own PR since it is muddying the language specific PRs.

running query on every commit without any restraints pulls all the external-caches from MODULE, including huge ones like
oci-standalone-chrome, so want to reduce what must be loaded/cached.

💥 What does this PR do?

• Limit query to just //<language> targets we're interested in
• ensure errors are managed properly
• ensure results are unique so it can be passed directly to run somewhere

💡 Additional Considerations

We can minimize cache generated even further without changing targets by using cquery and a bunch of other flags (--//common:pin_browsers=false --keep_going --output=starlark --starlark:expr='target.label' --notool_deps --implicit_deps=false --include_aspects=false), but this is simplest to start. Even better, running cquery job on windows instead of linux would dramatically reduce cache issues because none of the pinned browser caches would get set.
So if we're still struggling with caching, that's a route we can take.

---

PR Type

Enhancement

---

Description

• Limit Bazel query universe to language bindings only

• Reduce external cache pulls for unrelated targets

• Add error handling and deduplication of results

• Improve script robustness with strict error checking

---

Diagram Walkthrough

flowchart LR
  A["Affected Files"] -->|"bazel query file()"| B["All Bazel Targets"]
  B -->|"rdeps limited to bindings"| C["Test Targets"]
  C -->|"sort -u"| D["Unique Results"]
  D --> E["GitHub Output"]

Loading

File Walkthrough

Relevant files

Enhancement

check-bazel-targets.sh Restrict Bazel query scope to language bindings                    scripts/github-actions/check-bazel-targets.sh Limit Bazel query universe to specific language binding directories instead of entire repo Add error handling with set -euo pipefail and conditional query execution Exclude manually tagged tests from results Deduplicate target results using sort -u before output Improve code clarity with better variable naming and comments +23/-14

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Bazel query injection Description: The Bazel query expression interpolates the unquoted, unescaped ${file} into "file(${file})", which can allow query/expression injection or unintended query behavior if a changed filename contains Bazel-query special characters (e.g., ), ,, quotes), potentially causing the CI job to query unintended targets or fail in attacker-controlled ways. check-bazel-targets.sh [17-20] Referred Code for file in $affected_files; do if query_output=$(bazel query --keep_going --noshow_progress "file(${file})" 2>/dev/null); then bazel_targets+=(${query_output}) fi
	GitHub output injection Description: Writing bazel-targets='${bazel_targets[*]}' directly to $GITHUB_OUTPUT can enable GitHub Actions output injection if any computed target string contains newlines or output command delimiters, allowing a crafted label/value to add or alter subsequent outputs consumed by later steps. check-bazel-targets.sh [44-44] Referred Code echo "bazel-targets='${bazel_targets[*]}'" | tee -a "$GITHUB_OUTPUT"
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
🔴	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Shell syntax error: The new for loop introduces an if ...; then without a matching fi, which will cause the script to fail rather than handling query failures gracefully. Referred Code for file in $affected_files; do if query_output=$(bazel query --keep_going --noshow_progress "file(${file})" 2>/dev/null); then bazel_targets+=(${query_output}) fi done Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Unescaped query input: File paths from git diff --name-only are interpolated directly into the Bazel query expression (file(${file})) without escaping, which may allow malformed paths to break or manipulate the query. Referred Code affected_files=$(git diff --name-only "${COMMIT_RANGE}") # Map changed files to target labels bazel_targets=() for file in $affected_files; do if query_output=$(bazel query --keep_going --noshow_progress "file(${file})" 2>/dev/null); then bazel_targets+=(${query_output}) fi Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
General	Use a single bazel query Improve performance by replacing the loop that calls bazel query for each file with a single bazel query call for all affected files at once. scripts/github-actions/check-bazel-targets.sh [17-21] -for file in $affected_files; do - if query_output=$(bazel query --keep_going --noshow_progress "file(${file})" 2>/dev/null); then - bazel_targets+=(${query_output}) - fi -done +# Create a space-separated list of file(...) expressions for the query +file_queries=$(printf "file(%s) " $affected_files) +if query_output=$(bazel query --keep_going --noshow_progress "${file_queries}" 2>/dev/null); then + mapfile -t bazel_targets < <(echo "${query_output}") +fi + Apply / Chat Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies a significant performance bottleneck and proposes an effective optimization by replacing multiple bazel query calls with a single one.	Medium
	Safely iterate changed files Modify the script to correctly handle filenames containing spaces by reading affected_files into an array and iterating over it safely. scripts/github-actions/check-bazel-targets.sh [13-17] -affected_files=$(git diff --name-only "${COMMIT_RANGE}") -for file in $affected_files; do +readarray -t affected_files <<< "$(git diff --name-only "${COMMIT_RANGE}")" +for file in "${affected_files[@]}"; do Apply / Chat Suggestion importance[1-10]: 8 __ Why: This suggestion correctly identifies a bug where filenames with spaces would break the script and provides a robust fix using modern bash features.	Medium
Possible issue	Avoid redirecting stderr to null Remove the 2>/dev/null redirection from the bazel query command to allow error messages to be printed, which aids in debugging CI failures. scripts/github-actions/check-bazel-targets.sh [33-39] if query_output=$(bazel query \ --keep_going \ --noshow_progress \ "kind(test, rdeps(${BINDINGS_UNIVERSE}, set(${bazel_targets[@]}))) \ - except attr('tags','manual', ${BINDINGS_UNIVERSE})" 2>/dev/null); then + except attr('tags','manual', ${BINDINGS_UNIVERSE})"); then bazel_targets+=(${query_output}) fi Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly points out that redirecting stderr to /dev/null hinders debugging, and removing it would improve the script's observability in CI.	Medium
	Guard GITHUB_OUTPUT usage Add a check to ensure the GITHUB_OUTPUT environment variable is set before it is used to prevent potential script failures. scripts/github-actions/check-bazel-targets.sh [44] +: "${GITHUB_OUTPUT:?GITHUB_OUTPUT must be set}" echo "bazel-targets='${bazel_targets[*]}'" | tee -a "$GITHUB_OUTPUT" Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that using an unset GITHUB_OUTPUT variable will cause the script to fail with set -u, and the proposed check makes the script more robust.	Medium
More