ci: add Bazel RBE lane

[haasonsaas]

Summary

• add Bazel 9/Bzlmod/rules_python wiring for the Orbit Agent package and pytest suite
• reuse the existing requirements-dev.lock so Bazel resolves the same DSPy/Flask/Twilio dependency graph as CI
• add a repo-scoped Bazel RBE workflow gated by BAZEL_RBE_ENABLED and the evalops-orbit-agent-rbe runner label

Test plan

• actionlint .github/workflows/ci.yml .github/workflows/bazel-rbe.yml
• python3 -m pytest -q
• make bazel-check

[cursor]

PR Summary

Medium Risk
Medium risk because it introduces new Bazel/Bzlmod build configuration and a self-hosted GitHub Actions lane that can affect CI reliability and remote execution behavior.

Overview
Adds Bazel 9 + Bzlmod support for this repo, including MODULE.bazel/lockfile, .bazelrc (with a remote-gcp-dev RBE config), .bazelignore, and a root BUILD.bazel that defines a py_library for orbit_agent plus a Bazel-driven py_test target.

Introduces a new GitHub Actions workflow (bazel-rbe.yml) gated by BAZEL_RBE_ENABLED that runs make bazel-check and an RBE smoke test on a labeled self-hosted runner, plus local tooling glue: Makefile Bazel targets, a gcloud IAP tunnel helper (run-bazel-rbe.sh), a Bazel platform definition, and a Bazel-friendly tests/pytest_main.py entrypoint; also ignores /bazel-* outputs in .gitignore.

^{Reviewed by Cursor Bugbot for commit 0b405b4. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	mkdocs-material@​9.7.6
	mypy@​2.1.0
	mkdocs@​1.6.1
	pytest@​9.0.3
	pre-commit@​4.6.0
	ruff@​0.15.12
	pytest-cov@​7.1.0
	pytest-asyncio@​1.3.0
	types-pyyaml@​6.0.12.20260510
	types-requests@​2.33.0.20260508

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit 0b405b4. Configure here.}

[cursor]

Tunnel cleanup trap registered after resource creation

Low Severity

The trap cleanup EXIT is registered after the IAP tunnel process is started and sleep 2 runs. If the script is interrupted (e.g., CI job cancellation sending SIGTERM) during the sleep 2 window, the tunnel background process is orphaned because the EXIT trap hasn't been registered yet. On the self-hosted runner used by this workflow, orphaned gcloud tunnel processes persist across jobs. Moving the cleanup function definition and trap cleanup EXIT to before the tunnel-start block would close this gap.

 

^{Reviewed by Cursor Bugbot for commit 0b405b4. Configure here.}