The Bazel documentation now explicitly states:
> If the environment variable `$XDG_CACHE_HOME` is set on either Linux
> or macOS, the value `${XDG_CACHE_HOME}/bazel` will override the
> default.

With `bazel` 8.3.1 and earlier versions, this was not the case on macOS,
which just got fixed:
- bazelbuild/bazel#16937
- bazelbuild/bazel#25167
- bazelbuild/bazel#26773
- https://github.com/bazelbuild/bazel/releases/tag/8.4.0rc1

The Bazel documentation now explicitly states:
> If the environment variable `$XDG_CACHE_HOME` is set on either Linux
> or macOS, the value `${XDG_CACHE_HOME}/bazel` will override the
> default.

With `bazel` 8.3.1 and earlier versions, this was not the case on macOS,
which just got fixed:
- bazelbuild/bazel#16937
- bazelbuild/bazel#25167
- bazelbuild/bazel#26773
- https://github.com/bazelbuild/bazel/releases/tag/8.4.0rc1

### What does this PR do?
Now `bazelisk` is available on all our CI executors
([macOS](DataDog/ci-platform-machine-images#395)
runners,
[Linux](DataDog/datadog-agent-buildimages#951) &
[Windows](DataDog/datadog-agent-buildimages#953)
containers), this change secures an initial part of our `bazel` setup
while providing reusable job templates to ease caching in CI.

Practically, it adds a handful of jobs focusing on **building `bazel`
dependencies** in the corresponding GitLab `deps_build` stage.

Overall, it consists in:
1. verifying **`bazelisk` properly bootstraps `bazel` across all
platforms**, (primary scope of the PR)
2. extracting initial `bazel:`-prefixed CI job templates and dogfooding
them, (i.e. by building deps)
3. binding `bazelisk`/`bazel` caches to GitLab caching capabilities
(runner-based as of now): installed binaries, "repository cache", "repo
contents cache", and "disk cache" are all saved/restored correctly
to/from GitLab while honoring OS/architecture boundaries,
4. marking in-workspace cache in both `.bazelignore` and `.gitignore`,
5. adjusting code/job ownership accordingly.

### Motivation
Securing some initial `bazel` configuration in CI :
- ensures all platforms are kept in the radar over next iterations,
- prevents regressions over next iterations,
- establishes foundations for future jobs.

### Possible Drawbacks / Trade-offs
- on Windows, compilation errors made be descope dependencies being
built to **only `bzip2`**. This will be of course addressed in a
subsequent PR,
- GitLab caching is still runner-based for the time being, which can be
revisited later. (like everything)

### Additional Notes
Main addressed challenges:
- cache location conflicts[^1]: externalized "repo contents cache"
through `tools/bazel*` wrappers:
  - bazelbuild/bazel#26384
  - bazelbuild/bazel#26522
  - bazelbuild/bazel#26773
  - bazelbuild/bazel#26802
- macOS runners:
  - `bzip2` dependency: fetch from a reachable source:
    - [x] #40219
- Windows:
- `bazel` spawn strategy: fallback to a permissive strategy since
`sandboxed` is unsupported
    - [x] #40328
- `tools/bazel` wrapper: fallback to batch (`tools/bazel.bat`), since
`bash` is discouraged by `bazel` in this case and `tools/bazel.ps1`
poses detection problems,
  - long paths were supported in containers but not on runners:
    - [x] DataDog/ci-platform-machine-images#429
  - recursive symlinks: use `robocopy` instead of `copy`/`move`/`xcopy`.
  
[^1]:
> ERROR: The repo contents cache
[/path/to/datadog-agent/.cache/repo_contents] is inside the workspace
[/path/to/datadog-agent]. This can cause spurious failures. Disable the
repo contents cache with `--repo_contents_cache=`, or specify
`--repo_contents_cache=<path outside the workspace>`.

### Motivation
See:
- https://github.com/bazelbuild/bazel/releases/tag/8.4.0
- https://github.com/bazelbuild/bazel/releases/tag/8.4.1
- https://github.com/bazelbuild/bazel/releases/tag/8.4.2

(8.5.0 is due soon)

#### Cache & reliability
- 8.4.0 honors XDG_CACHE_HOME on macOS, which will definitely help ([ABLD-300](https://datadoghq.atlassian.net/browse/ABLD-300)): bazelbuild/bazel#26773
- 8.4.1 fixes a race condition affecting repository contents cache: bazelbuild/bazel#26950
- 8.4.0 fixes another race condition affecting workers: bazelbuild/bazel#26475

#### Modules
- 8.4.0 brings new `--module_mirrors` flag for fallback URLs when primary sources are slow/unavailable: bazelbuild/bazel#26850
- 8.4.0 avoids the need for dummy `MODULE.bazel` files with `git_repository`/`http_archive`: bazelbuild/bazel#26462
- 8.4.2 fixes a maintenance annoyance for `MODULE.bazel.lock` file: bazelbuild/bazel#27111

#### Platforms
- 8.4.0 allows to mitigate the long path issue with **MSVC on Windows**: bazelbuild/bazel#26532
- 8.4.2 fixes **macOS** compatibility issues: bazelbuild/bazel#27014

[ABLD-300]: https://datadoghq.atlassian.net/browse/ABLD-300?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Co-authored-by: regis.desgroppes <[email protected]>

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### Motivation
See:
- https://github.com/bazelbuild/bazel/releases/tag/8.4.0
- https://github.com/bazelbuild/bazel/releases/tag/8.4.1
- https://github.com/bazelbuild/bazel/releases/tag/8.4.2

(8.5.0 is due soon)

#### Cache & reliability
- 8.4.0 honors XDG_CACHE_HOME on macOS, which will definitely help ([ABLD-300](https://datadoghq.atlassian.net/browse/ABLD-300)): bazelbuild/bazel#26773
- 8.4.1 fixes a race condition affecting repository contents cache: bazelbuild/bazel#26950
- 8.4.0 fixes another race condition affecting workers: bazelbuild/bazel#26475

#### Modules
- 8.4.0 brings new `--module_mirrors` flag for fallback URLs when primary sources are slow/unavailable: bazelbuild/bazel#26850
- 8.4.0 avoids the need for dummy `MODULE.bazel` files with `git_repository`/`http_archive`: bazelbuild/bazel#26462
- 8.4.2 fixes a maintenance annoyance for `MODULE.bazel.lock` file: bazelbuild/bazel#27111

#### Platforms
- 8.4.0 allows to mitigate the long path issue with **MSVC on Windows**: bazelbuild/bazel#26532
- 8.4.2 fixes **macOS** compatibility issues: bazelbuild/bazel#27014

[ABLD-300]: https://datadoghq.atlassian.net/browse/ABLD-300?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Co-authored-by: regis.desgroppes <[email protected]>

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?

Generalizes `bazel` CI configuration to make deeply nested `bazel[isk]` invocations in
`omnibus` scripts and `invoke` tasks automatically benefit from the CI configuration
(`--config=ci` as defined in `.bazelrc`).

### Motivation

**Problem with previous approach:**

GitLab cache configuration was cumbersome with deeply nested bazel invocations.
Each `variable`, `cache`, and their respective `paths` needed to be explicitly
propagated to every build job (and soon, test jobs). This created a maintenance
burden with multiple points of configuration scattered across the codebase.

**Solution:**

Centralize Bazel CI configuration in `.bazelrc` (single point of maintenance)
and propagate only two environment variables:
- `CI`: Triggers `--config=ci` in wrapper scripts
- `XDG_CACHE_HOME`: Root directory for both bazelisk and bazel caches

This allows all nested bazel invocations to automatically use:
- Remote cache configuration (from `.bazelrc`)
- (Semi-)persistent local caches
- Other CI-specific flags

### Changes

**1. Simplified wrapper scripts**

Both `tools/bazel` and `tools/bazel.bat` now:
- Require `XDG_CACHE_HOME` to be set in CI
- Validate that `XDG_CACHE_HOME` points to a directory
- Generate minimal `.user.bazelrc` with only `--config=ci`
- Use local `.cache` fallback when not in CI

**2. Standardized cache location via XDG_CACHE_HOME**

Per runner type:
- **Persistent Linux runners**: `/data/bzl` (on persistent volume)
- **Ephemeral Linux/macOS runners**: `$RUNNER_TEMP_PROJECT_DIR`
- **Windows runners**: `c:\bzl` (on persistent volume)

**3. Platform-specific implementation**

- **Linux/macOS**: Native XDG_CACHE_HOME support (Bazel 7.2.0+ / 8.4.0+)
- **Windows**: Emulated via `--output_user_root=$XDG_CACHE_HOME/bazel`

**4. Updated GitLab CI configuration**

- Introduced `.bazel:defs:posix`, `.bazel:defs:windows`, `.bazel:defs:posix-persistent`
- Removed GitLab cache configuration (replaced by persistent volumes)
- Pass `CI` and `XDG_CACHE_HOME` to all jobs, including Windows Docker containers

### Implementation Details

**Using $RUNNER_TEMP_PROJECT_DIR:**

GitLab Runner creates `$RUNNER_TEMP_PROJECT_DIR` alongside `$CI_PROJECT_DIR`
with the same lifecycle (created before job, cleaned after job). We generalized
its use based on positive experience from our earlier externalization of Bazel's
`--repo_contents_cache`, which required a directory outside the build tree to
avoid circular dependencies.

**Windows path handling:**

Windows wrapper converts backslashes to forward slashes for Bazel compatibility
(see github.com/bazelbuild/bazel/issues/3275).

**tools/bazel (POSIX):**
```bash
if [ -n "${CI:-}" ]; then
  # Validate XDG_CACHE_HOME is a directory
  # Generate user.bazelrc with --config=ci
fi
```

**tools/bazel.bat (Windows):**
```batch
if defined CI (
  # Validate XDG_CACHE_HOME is a directory
  # Set --output_user_root=%XDG_CACHE_HOME%/bazel
  # Generate user.bazelrc with --config=ci
)
```

### References

- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Bazel Windows backslash issue: bazelbuild/bazel#3275
- Windows XDG feature request: bazelbuild/bazel#27808

### What does this PR do?
It generalizes `bazel` CI configuration to make nested `bazel[isk]` invocations in `omnibus` scripts and `invoke` tasks automatically benefit from `bazel --config=ci` (single point of maintenance defined in `.bazelrc`) as well as applicable caching.

### Motivation
The GitLab cache used so far for ephemeral runners was only benefiting top-level `bazel` commands used in smoke tests and linters. It didn't benefit nested `bazel` invocations, nor were settings implied by `--config=ci` because `tools/bazel[.bat]` hook scripts had no clue they were running in CI.

The GitLab cache configuration used to be too tricky to generalize due to the many environment variables involved, that's why the present approach consists in limiting them to only 2 environment variables:
- `CI`: to trigger `bazel --config=ci`.
    The presence of this variable is anyway a _de facto_ standard leveraged by existing tools, of which in-house `dda`,
- `XDG_CACHE_HOME`: root directory for both `bazelisk` and `bazel` caches.
    Originating from Linux/BSD ecosystems, this variable is also honored by `bazel` (8.4.0+) on macOS and I filed a feature request to get it honored on Windows - meanwhile we "emulate" it there via `--output_user_root=$XDG_CACHE_HOME/bazel` (only remaining path explicitly passed to `bazel`).

### Additional Notes
1. simplified wrapper scripts:
    - require that `$XDG_CACHE_HOME` denotes a directory in CI,
    - shrunk down ephemeral `.user.bazelrc` to the bare minimum,
2. standardized cache location via `XDG_CACHE_HOME` per runner type:
    - persistent Linux runners (only used for top-level `bazel` commands): `/data/bzl` (on persistent volume), now also for AArch64 (aka ARM64),
    - "ephemeral" Linux/macOS runners: `$CI_PROJECT_DIR/.cache`, because GitLab requires cacheable paths to reside below `$CI_PROJECT_DIR`,
    - Windows runners: `c:/bzl` (but `$RUNNER_TEMP_PROJECT_DIR` should be fine too if we get rid of `msbuild`, @alopezz to confirm or deny),
3. replaced `omnibus` cache insertions by a combined cache extension comprising both `bazel` caches as well as the `omnibus` cache definition. The latter is of course aimed at vanishing at the end of the ongoing transition, hence the name: `omnibus-transition`,
4. passed `CI` to `docker run`s in order to fail if we forget to propagate `XDG_CACHE_HOME` when enabling `bazel` there.

References:
- CI environment variable semantics: https://stackoverflow.com/a/64289573
- Bazel directory structure: https://bazel.build/remote/output-directories#layout-diagram
- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Windows XDG feature request: bazelbuild/bazel#27808
- Bazel Windows backslash issue: bazelbuild/bazel#3275

Co-authored-by: regis.desgroppes <[email protected]>

### What does this PR do?
It generalizes `bazel` CI configuration to make nested `bazel[isk]` invocations in `omnibus` scripts and `invoke` tasks automatically benefit from `bazel --config=ci` (single point of maintenance defined in `.bazelrc`) as well as applicable caching.

### Motivation
The GitLab cache used so far for ephemeral runners was only benefiting top-level `bazel` commands used in smoke tests and linters. It didn't benefit nested `bazel` invocations, nor were settings implied by `--config=ci` because `tools/bazel[.bat]` hook scripts had no clue they were running in CI.

The GitLab cache configuration used to be too tricky to generalize due to the many environment variables involved, that's why the present approach consists in limiting them to only 2 environment variables:
- `CI`: to trigger `bazel --config=ci`.
    The presence of this variable is anyway a _de facto_ standard leveraged by existing tools, of which in-house `dda`,
- `XDG_CACHE_HOME`: root directory for both `bazelisk` and `bazel` caches.
    Originating from Linux/BSD ecosystems, this variable is also honored by `bazel` (8.4.0+) on macOS and I filed a feature request to get it honored on Windows - meanwhile we "emulate" it there via `--output_user_root=$XDG_CACHE_HOME/bazel` (only remaining path explicitly passed to `bazel`).

### Additional Notes
1. simplified wrapper scripts:
    - require that `$XDG_CACHE_HOME` denotes a directory in CI,
    - shrunk down ephemeral `.user.bazelrc` to the bare minimum,
2. standardized cache location via `XDG_CACHE_HOME` per runner type:
    - persistent Linux runners (only used for top-level `bazel` commands): `/data/bzl` (on persistent volume), now also for AArch64 (aka ARM64),
    - "ephemeral" Linux/macOS runners: `$CI_PROJECT_DIR/.cache`, because GitLab requires cacheable paths to reside below `$CI_PROJECT_DIR`,
    - Windows runners: `c:/bzl` (but `$RUNNER_TEMP_PROJECT_DIR` should be fine too if we get rid of `msbuild`, @alopezz to confirm or deny),
3. replaced `omnibus` cache insertions by a combined cache extension comprising both `bazel` caches as well as the `omnibus` cache definition. The latter is of course aimed at vanishing at the end of the ongoing transition, hence the name: `omnibus-transition`,
4. passed `CI` to `docker run`s in order to fail if we forget to propagate `XDG_CACHE_HOME` when enabling `bazel` there.

References:
- CI environment variable semantics: https://stackoverflow.com/a/64289573
- Bazel directory structure: https://bazel.build/remote/output-directories#layout-diagram
- XDG Base Directory Specification: https://specifications.freedesktop.org/basedir/latest/
- Bazel XDG support (Linux): bazelbuild/bazel#21817 (7.2.0)
- Bazel XDG support (macOS): bazelbuild/bazel#26773 (8.4.0)
- Windows XDG feature request: bazelbuild/bazel#27808
- Bazel Windows backslash issue: bazelbuild/bazel#3275

Co-authored-by: regis.desgroppes <[email protected]>