ci: use rules_buf instead of buf binary directly

api/bazel/repositories.bzl

@@ -27,15 +27,16 @@ def api_dependencies():
     external_http_archive(
         name = "com_google_googleapis",
     )
-
     external_http_archive(
         name = "com_github_cncf_xds",
     )
-
     external_http_archive(
         name = "prometheus_metrics_model",
         build_file_content = PROMETHEUSMETRICS_BUILD_CONTENT,
     )
+    external_http_archive(
+        name = "rules_buf",
+    )
     external_http_archive(
         name = "rules_proto",
     )
@@ -47,14 +48,9 @@ def api_dependencies():
         name = "opentelemetry_proto",
         build_file_content = OPENTELEMETRY_BUILD_CONTENT,
     )
-    external_http_archive(
-        name = "com_github_bufbuild_buf",
-        build_file_content = BUF_BUILD_CONTENT,
-    )
     external_http_archive(
         name = "dev_cel",
     )
-
     external_http_archive(
         name = "com_github_chrusty_protoc_gen_jsonschema",
     )
@@ -387,17 +383,3 @@ go_grpc_library(
     ],
 )
 """
-
-BUF_BUILD_CONTENT = """
-package(
-    default_visibility = ["//visibility:public"],
-)
-
-filegroup(
-    name = "buf",
-    srcs = [
-        "@com_github_bufbuild_buf//:bin/buf",
-    ],
-    tags = ["manual"], # buf is downloaded as a linux binary; tagged manual to prevent build for non-linux users
-)
-"""

api/bazel/repository_locations.bzl

@@ -101,6 +101,19 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         license = "Apache-2.0",
         license_url = "https://github.com/prometheus/client_model/blob/v{version}/LICENSE",
     ),
+    rules_buf = dict(
+        project_name = "Bazel rules for Buf",
+        project_desc = "Bazel rules for Buf",
+        project_url = "https://github.com/bufbuild/rules_buf",
+        version = "0.3.0",
+        sha256 = "89c6d6e6523802ee7f1210340a69fab4ee0b47554953a1ecbe359319fd3f93dc",
+        release_date = "2024-05-22",
+        strip_prefix = "rules_buf-{version}",
+        urls = ["https://github.com/bufbuild/rules_buf/archive/refs/tags/v{version}.tar.gz"],
+        use_category = ["api"],
+        license = "Apache-2.0",
+        license_url = "https://github.com/bufbuild/rules_buf/blob/{version}/LICENSE",
+    ),
     rules_proto = dict(
         project_name = "Protobuf Rules for Bazel",
         project_desc = "Protocol buffer rules for Bazel",
@@ -127,19 +140,6 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         license = "Apache-2.0",
         license_url = "https://github.com/open-telemetry/opentelemetry-proto/blob/v{version}/LICENSE",
     ),
-    com_github_bufbuild_buf = dict(
-        project_name = "buf",
-        project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
-        project_url = "https://buf.build",
-        version = "1.50.0",
-        sha256 = "80c1211dfc4844499c6ddad341bb21206579883fd33cea0a2c40c82befd70602",
-        strip_prefix = "buf",
-        urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2025-01-17",
-        use_category = ["api"],
-        license = "Apache-2.0",
-        license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",
-    ),
     com_github_chrusty_protoc_gen_jsonschema = dict(
         project_name = "protoc-gen-jsonschema",
         project_desc = "Protobuf to JSON-Schema compiler",

bazel/dependency_imports.bzl

@@ -10,6 +10,7 @@ load("@emsdk//:emscripten_deps.bzl", "emscripten_deps")
 load("@fuzzing_pip3//:requirements.bzl", pip_fuzzing_dependencies = "install_deps")
 load("@io_bazel_rules_go//go:deps.bzl", "go_download_sdk", "go_register_toolchains", "go_rules_dependencies")
 load("@proxy_wasm_rust_sdk//bazel:dependencies.bzl", "proxy_wasm_rust_sdk_dependencies")
+load("@rules_buf//buf:repositories.bzl", "rules_buf_toolchains")
 load("@rules_foreign_cc//foreign_cc:repositories.bzl", "rules_foreign_cc_dependencies")
 load("@rules_fuzzing//fuzzing:repositories.bzl", "rules_fuzzing_dependencies")
 load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies")
@@ -25,7 +26,9 @@ GO_VERSION = "1.23.1"
 JQ_VERSION = "1.7"
 YQ_VERSION = "4.24.4"
 
-def envoy_dependency_imports(go_version = GO_VERSION, jq_version = JQ_VERSION, yq_version = YQ_VERSION):
+BUF_VERSION = "v1.50.0"
+
+def envoy_dependency_imports(go_version = GO_VERSION, jq_version = JQ_VERSION, yq_version = YQ_VERSION, buf_version = BUF_VERSION):
     rules_foreign_cc_dependencies()
     go_rules_dependencies()
     go_register_toolchains(go_version)
@@ -66,6 +69,8 @@ def envoy_dependency_imports(go_version = GO_VERSION, jq_version = JQ_VERSION, y
     register_yq_toolchains(version = yq_version)
     parser_deps()
 
+    rules_buf_toolchains(version = buf_version)
+
     # These dependencies, like most of the Go in this repository, exist only for the API.
     # These repos also have transient dependencies - `build_external` allows them to use them.
     # TODO(phlax): remove `build_external` and pin all transients

ci/do_ci.sh

@@ -29,6 +29,9 @@ else
 fi
 
 setup_clang_toolchain() {
+    if [[ -n "${CLANG_TOOLCHAIN_SETUP}" ]]; then
+        return
+    fi
     CONFIG_PARTS=()
     if [[ -n "${ENVOY_RBE}" ]]; then
         CONFIG_PARTS+=("remote")
@@ -209,9 +212,7 @@ function bazel_envoy_api_build() {
 }
 
 function bazel_envoy_api_go_build() {
-    if [[ -z "$CLANG_TOOLCHAIN_SETUP" ]]; then
-        setup_clang_toolchain
-    fi
+    setup_clang_toolchain
     GO_IMPORT_BASE="github.com/envoyproxy/go-control-plane"
     GO_TARGETS=(@envoy_api//...)
     read -r -a GO_PROTOS <<< "$(bazel query "${BAZEL_GLOBAL_OPTIONS[@]}" "kind('go_proto_library', ${GO_TARGETS[*]})" | tr '\n' ' ')"

tools/api_proto_breaking_change_detector/BUILD

@@ -9,8 +9,8 @@ py_binary(
         "detector.py",
     ],
     data = [
-        "@com_github_bufbuild_buf//:buf",
         "@envoy_api//:proto_breaking_change_detector_buf_config",
+        "@rules_buf_toolchains//:buf",
     ],
     main = "detector.py",
     tags = ["manual"],
@@ -25,9 +25,9 @@ py_binary(
     srcs = [
         "detector_ci.py",
     ],
-    args = ["$(location @com_github_bufbuild_buf//:buf)"],
+    args = ["$(location @rules_buf_toolchains//:buf)"],
     data = [
-        "@com_github_bufbuild_buf//:buf",
+        "@rules_buf_toolchains//:buf",
     ],
     deps = [
         ":detector",

tools/api_proto_breaking_change_detector/detector_test.py

@@ -85,7 +85,7 @@ def test_remove_and_reserve_field(self):
 
 
 class BufTests(TestAllowedChanges, TestBreakingChanges, unittest.TestCase):
-    _buf_path = runfiles.Create().Rlocation("com_github_bufbuild_buf/bin/buf")
+    _buf_path = runfiles.Create().Rlocation("rules_buf_toolchains/buf")
 
     @classmethod
     def _run_command_print_error(cls, cmd):

tools/proto_format/proto_format.sh

@@ -33,5 +33,5 @@ bazel "${BAZEL_STARTUP_OPTIONS[@]}" run "${BAZEL_BUILD_OPTIONS[@]}" \
 if [[ -n "$CI_BRANCH" ]] || [[ "${FORCE_PROTO_FORMAT}" == "yes" ]]; then
     echo "Run buf tests"
     cd api/ || exit 1
-    bazel "${BAZEL_STARTUP_OPTIONS[@]}" run "${BAZEL_BUILD_OPTIONS[@]}" @com_github_bufbuild_buf//:bin/buf lint
+    bazel "${BAZEL_STARTUP_OPTIONS[@]}" run "${BAZEL_BUILD_OPTIONS[@]}" @rules_buf_toolchains//:buf lint
 fi