**Implementation example**
```ts
// One pinned entry in the mirror manifest.
type Repo = { name: string; urls: string[]; sha256: string }
// Origins that artifacts may be fetched from.
const allowOrigins = new Set(['https://mirror.example.com', 'https://github.com'])
// A SHA-256 digest is exactly 64 hex characters.
function hex64(h: string): boolean { return /^[A-Fa-f0-9]{64}$/.test(h) }
// Accept only HTTPS URLs whose origin is on the allowlist; unparseable URLs are rejected.
function urlAllowed(u: string): boolean {
  try {
    const x = new URL(u)
    return x.protocol === 'https:' && allowOrigins.has(x.origin)
  } catch { return false }
}
// Collect the failed checks for one entry; ok is true only when none failed.
function evaluate(r: Repo): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  if (!r.name || !hex64(r.sha256)) errors.push('entry')
  if (r.urls.length === 0 || !r.urls.every(urlAllowed)) errors.push('urls')
  return { ok: errors.length === 0, errors }
}
```
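**Audit and operational governance**
- Audit external repository URLs and hashes; block on anomalies and output remediation suggestions.
- Changes to the mirror list require approval and archiving.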
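
The audit step above, applied to a whole manifest, as an added example that is not code from the original page: every anomaly blocks the change and carries a remediation suggestion. The `Entry` and `Finding` types, `urlIssue`, `auditManifest`, the check for one name pinned to two digests, and the sample manifest are assumptions made for illustration.

```ts
type Entry = { name: string; urls: string[]; sha256: string }
type Finding = { entry: string; issue: string; fix: string }

// Same allowlist as the implementation example above.
const ALLOWED = new Set(['https://mirror.example.com', 'https://github.com'])

// Returns the reason a URL is rejected, or null when it is acceptable.
function urlIssue(u: string): string | null {
  try {
    const x = new URL(u)
    if (x.protocol !== 'https:') return 'non-HTTPS URL'
    return ALLOWED.has(x.origin) ? null : 'origin not on allowlist'
  } catch { return 'unparseable URL' }
}

function auditManifest(entries: Entry[]): { blocked: boolean; findings: Finding[] } {
  const findings: Finding[] = []
  const pinned = new Map<string, string>() // name -> first valid digest seen
  for (const e of entries) {
    const id = e.name || '(unnamed)'
    const add = (issue: string, fix: string) => findings.push({ entry: id, issue, fix })
    if (!e.name) add('missing name', 'give the entry a unique name')
    if (!/^[A-Fa-f0-9]{64}$/.test(e.sha256)) {
      add('sha256 is not 64 hex characters', 'recompute the digest from a trusted copy and pin it')
    } else if (e.name) {
      // Assumed extra check: one name must not map to two different digests.
      const digest = e.sha256.toLowerCase()
      const prev = pinned.get(e.name)
      if (prev === undefined) pinned.set(e.name, digest)
      else if (prev !== digest) add('digest conflicts with an earlier entry of the same name', 'keep one reviewed digest per name')
    }
    if (e.urls.length === 0) add('no URLs', 'add at least one allowlisted HTTPS URL')
    for (const u of e.urls) {
      const issue = urlIssue(u)
      if (issue !== null) add(`${issue}: ${u}`, 'use an HTTPS URL on an allowlisted origin')
    }
  }
  return { blocked: findings.length > 0, findings } // any finding blocks the change
}

// Constructed sample manifest (names, URLs and digests are made up).
const sample: Entry[] = [
  { name: 'toolchain', urls: ['https://mirror.example.com/toolchain.tgz'], sha256: 'a'.repeat(64) },
  { name: 'libfoo', urls: ['http://mirror.example.com/libfoo.tgz', 'https://cdn.example.net/libfoo.tgz'], sha256: 'b'.repeat(64) },
  { name: 'toolchain', urls: ['https://github.com/example/toolchain.tgz'], sha256: 'c'.repeat(64) },
  { name: 'libbar', urls: [], sha256: 'deadbeef' },
]
for (const f of auditManifest(sample).findings) console.log(`BLOCK ${f.entry}: ${f.issue} -> ${f.fix}`)
```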