diff --git a/.dockerignore b/.dockerignore
index 5927e0e01954b..30534d959d406 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,18 +1,18 @@
-/*
-!/VERSION.txt
-!/build_envoy
-!/ci
-!/distribution/docker
-!/configs/google-vrp
-!/configs/*yaml
-!/linux/amd64/release.tar.zst
-!/linux/amd64/schema_validator_tool
-!/linux/amd64/router_check_tool
-!/linux/amd64/config_load_check_tool
-!/linux/arm64/release.tar.zst
-!/linux/arm64/schema_validator_tool
-!/linux/arm64/router_check_tool
-!/linux/arm64/config_load_check_tool
-!/local
-!/test/config/integration/certs
-!/windows
+# /*
+# !/VERSION.txt
+# !/build_envoy
+# !/ci
+# !/distribution/docker
+# !/configs/google-vrp
+# !/configs/*yaml
+# !/linux/amd64/release.tar.zst
+# !/linux/amd64/schema_validator_tool
+# !/linux/amd64/router_check_tool
+# !/linux/amd64/config_load_check_tool
+# !/linux/arm64/release.tar.zst
+# !/linux/arm64/schema_validator_tool
+# !/linux/arm64/router_check_tool
+# !/linux/arm64/config_load_check_tool
+# !/local
+# !/test/config/integration/certs
+# !/windows
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
deleted file mode 100644
index 53a28632fc9f3..0000000000000
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-- name: "Crash bug"
- url: https://github.com/envoyproxy/envoy/security/policy
- about: "Please file any crash bug (including asserts in debug builds) with envoy-security@googlegroups.com."
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
deleted file mode 100644
index dff7986ed5d06..0000000000000
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ /dev/null
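Review bot: Commenting out every line of `.dockerignore`, including the leading `/*` allowlist, turns the Docker build context from a short allowlist (`/*` plus `!` exceptions) into the entire checkout, so `.git`, local build output and any untracked files in the workspace (credentials, `.env`) are now sent to the daemon and reachable by any `COPY`/`ADD` in the images built from it. Whether those Dockerfiles copy the whole context cannot be seen from this hunk, but the previous file existed precisely to make that impossible. A `.dockerignore` whose rules are all `#` comments behaves exactly like an empty file, so if the file is meant to be retired, delete it as the commit does with the rest of `.github/`; if a context is still needed, keep `/*` and only the `!` exceptions the remaining Dockerfiles require, e.g. `/*`, `!/distribution/docker`, `!/linux/amd64/release.tar.zst`.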
@@ -1,17 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: enhancement,triage
-assignees: ''
-
----
-
-*Title*: *One line description*
-
-*Description*:
->Describe the desired behavior, what scenario it enables and how it
-would be used.
-
-[optional *Relevant Links*:]
->Any extra documentation required to understand the issue.
diff --git a/.github/ISSUE_TEMPLATE/non--crash-security--bug.md b/.github/ISSUE_TEMPLATE/non--crash-security--bug.md
deleted file mode 100644
index 5e4ded3ac93d3..0000000000000
--- a/.github/ISSUE_TEMPLATE/non--crash-security--bug.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-name: Non-{crash,security} bug
-about: Bugs which are not crashes (including asserts in debug builds), DoS or other security issue
-title: ''
-labels: bug,triage
-assignees: ''
-
----
-
-**If you are reporting *any* crash or *any* potential security issue, *do not*
-open an issue in this repo. Please report the issue via emailing
-envoy-security@googlegroups.com where the issue will be triaged appropriately.**
-
-*Title*: *One line description*
-
-*Description*:
->What issue is being seen? Describe what should be happening instead of
-the bug, for example: Envoy should not crash, the expected value isn't
-returned, etc.
-
-*Repro steps*:
-> Include sample requests, environment, etc. All data and inputs
-required to reproduce the bug.
-
->**Note**: The [Envoy_collect tool](https://github.com/envoyproxy/envoy/blob/main/tools/envoy_collect/README.md)
-gathers a tarball with debug logs, config and the following admin
-endpoints: /stats, /clusters and /server_info. Please note if there are
-privacy concerns, sanitize the data prior to sharing the tarball/pasting.
-
-*Admin and Stats Output*:
->Include the admin output for the following endpoints: /stats,
-/clusters, /routes, /server_info. For more information, refer to the
-[admin endpoint documentation.](https://www.envoyproxy.io/docs/envoy/latest/operations/admin)
-
->**Note**: If there are privacy concerns, sanitize the data prior to
-sharing.
-
-*Config*:
->Include the config used to configure Envoy.
-
-*Logs*:
->Include the access logs and the Envoy logs.
-
->**Note**: If there are privacy concerns, sanitize the data prior to
-sharing.
-
-*Call Stack*:
-> If the Envoy binary is crashing, a call stack is **required**.
-Please refer to the [Bazel Stack trace documentation](https://github.com/envoyproxy/envoy/tree/main/bazel#stack-trace-symbol-resolution).
diff --git a/.github/ISSUE_TEMPLATE/other.md b/.github/ISSUE_TEMPLATE/other.md
deleted file mode 100644
index 98cc3b7808c98..0000000000000
--- a/.github/ISSUE_TEMPLATE/other.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-name: Other
-about: Questions, design proposals, tech debt, etc.
-title: ''
-labels: triage
-assignees: ''
-
----
-
-**If you are reporting *any* crash or *any* potential security issue, *do not*
-open an issue in this repo. Please report the issue via emailing
-envoy-security@googlegroups.com where the issue will be triaged appropriately.**
-
-*Title*: *One line description*
-
-*Description*:
->Describe the issue.
-
-[optional *Relevant Links*:]
->Any extra documentation required to understand the issue.
diff --git a/.github/ISSUE_TEMPLATE/test_flake.md b/.github/ISSUE_TEMPLATE/test_flake.md
deleted file mode 100644
index 1198ff0825bcb..0000000000000
--- a/.github/ISSUE_TEMPLATE/test_flake.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: Test flake
-about: Track a flaky test or other CI failure
-title: ''
-labels: 'area/test flakes'
-assignees: ''
-
----
diff --git a/.github/config.yml b/.github/config.yml
deleted file mode 100644
index 495fad24871c6..0000000000000
--- a/.github/config.yml
+++ /dev/null
@@ -1,246 +0,0 @@ -agent-ubuntu: ubuntu-24.04 -build-image: - # Authoritative configuration for build image/s - repo: docker.io/envoyproxy/envoy-build - repo-gcr: gcr.io/envoy-ci/envoy-build - # default ci caching (ci) - sha: 20656853fae51927cda557e7af80ccff175f5de6f84bd0f092cd8672b2a6e0fe - sha-ci: 20656853fae51927cda557e7af80ccff175f5de6f84bd0f092cd8672b2a6e0fe - sha-devtools: 6e7a82d4f1ba040f4ebef0c1aae00cdbd205ff7a1284c20cc20984fdfa4a91d8 - sha-docker: 85b6c3e76f093d9c9d10a968b5615cc8d82f38d7aef311100d542e4d640f5a74 - sha-gcc: 439e870260c1599646d05b8b5d3bf1b6dd585c2e3cdac78dcb9f4081564c27fd - sha-mobile: bd1338a8951376211e4f4f6ff3171675670c4c582b0966f1d247abd3ba6a8a67 - sha-worker: 25a68eff24b7414a346977d545687b87851d1c5746c466798050fa12fc5d0686 - # TODO: remove this dupe (currently used by ci request handler) - mobile-sha: bd1338a8951376211e4f4f6ff3171675670c4c582b0966f1d247abd3ba6a8a67 - tag: 86873047235e9b8232df989a5999b9bebf9db69c - -config: - envoy: - icon: >- - [![](https://avatars.githubusercontent.com/u/30125649?s=24&v=4)](#) - -checks: - # Checks: this configures which _checks_ will be activated or skipped - # - # The configured _names_ need to match the checks configured for the repo - # - # Any check that is marked as `required` but is not triggered by the run - # config above in a given CI run is marked as `skipped` - # - # For example if macos is marked as `required: true` but then has a path - # selection that means its doesnt run the check will be `skipped` and pass - checks: - name: Envoy/Checks - on-run: - - check-build - - check-build-openssl - - check-coverage - - check-runtime - - check-san - required: true - macos: - name: Envoy/macOS - required: true - on-run: - - build-macos - prechecks: - name: Envoy/Prechecks - on-run: - - precheck-deps - - precheck-external - - precheck-format - - precheck-publish - - precheck-publish-config - required: true - # yamllint disable rule:line-length - advice: - general: | - ### Ensuring your commits are 
signed off - - You can set up DCO using Envoy's git hooks. - - ### Git hooks - - To set this up, do the following: - - ```console - $ ./support/bootstrap - ``` - - If you only want the DCO check you can do the following to disable the - other hooks - - ```console - $ echo NO_VERIFY=1 > .env - ``` - deps: | - ### Advice on updating dependencies - - General information about Envoy's depdendencies [can be found here](https://github.com/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md) - format: | - ### Advice on correct formatting - - Envoy ensures a minimum standard for all files in the repository. - - You are strongly advised to heed the following CI notice: - - ```console - Please fix your editor to ensure: - - - no trailing whitespace - - no preceding mixed tabs/spaces - - all files end with a newline - ``` - # yamllint enable rule:line-length - publish: - name: >- - Envoy/Publish and verify - on-run: - - release - - verify - required: true - -run: - build-macos: - paths: - - .bazelrc - - .bazelversion - - .github/config.yml - - api/**/* - - bazel/**/* - - ci/**/* - - configs/**/* - - contrib/**/* - - envoy/**/* - - source/**/* - - test/**/* - check-build: - paths: - - "**/*" - check-build-openssl: - paths: - - "**/*" - check-coverage: - paths: - - "**/*" - check-runtime: - paths: - - source/server/cgroup_cpu_util.* - - test/server/*cgroup* - # this can be switched to always run once related ci lands. 
- push: paths - check-san: - paths: - - "**/*" - precheck-deps: - paths: - - .bazelrc - - .bazelversion - - .github/config.yml - - .github/dependabot.yml - - bazel/BUILD - - tools/dependency/* - - "**/*.bzl" - - "**/requirements.txt" - - "**/go.mod" - - "**/Dockerfile*" - push: paths - precheck-external: - paths: - - "**/*" - precheck-format: - paths: - - "**/*" - precheck-publish: - paths: - - "**/*" - precheck-publish-config: - paths: - - "**/*" - release: - paths: - - .bazelrc - - .bazelversion - - .github/config.yml - - api/**/* - - bazel/**/* - - ci/**/* - - contrib/**/* - - distribution/**/* - - envoy/**/* - - examples/**/* - - source/**/* - - tools/**/* - - VERSION.txt - verify: - paths: - - .bazelrc - - .bazelversion - - .github/config.yml - - .github/workflows/envoy-publish.yml - - .github/workflows/_publish_verify.yml - - api/**/* - - bazel/**/* - - ci/**/* - - contrib/**/* - - distribution/**/* - - envoy/**/* - - examples/**/* - - source/**/* - - tools/**/* - - VERSION.txt - push: paths - -tables: - env: - collapse: true - title: Environment - table-title: Request variables - filter: | - .request - | del(.["build-image" as $prefix | keys[] | select(startswith($prefix))]) - | del(.["version" as $prefix | keys[] | select(startswith($prefix))]) - | .actor = "\"\(.actor.name)\" @\(.actor.name)" - build-image: - collapse: true - title: Build image - table-title: Container image/s (as used in this CI run) - filter: | - "https://hub.docker.com/r/envoyproxy/envoy-build/tags?page=1&name=" as $dockerLink - | .request["build-image"] - | del(.changed) - | with_entries( - .value as $v - | ($v | split(":") | .[1] | split("@") | .[0]) as $tag - | .value = "[\($v | split("@") | .[0])](\($dockerLink)\($tag))") - build-image-current: - collapse: true - title: Build image (current) - table-title: Current or previous container image - filter: | - "https://hub.docker.com/r/envoyproxy/envoy-build/tags?page=1&name=" as $dockerLink - | if .request["build-image"].changed then - 
.request["build-image-current"] - | with_entries( - .value as $v - | ($v | split(":") | .[1] | split("@") | .[0]) as $tag - | .value = "[\($v | split("@") | .[0])](\($dockerLink)\($tag))") - else {} end - version: - collapse: true - title: Version - table-title: Envoy version (as used in this CI run) - filter: | - .request.version - | del(.changed) - version-current: - collapse: true - title: Version (current) - table-title: Current or previous version - filter: | - if .request.version.changed then - .request["version-current"] - else - {} - end diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 23035c585af5a..0000000000000 --- a/.github/dependabot.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -version: 2 -updates: - -# We currently have CI to make sure that all python `requirements.txt` files -# are listed here, and only existing `requirements.txt` files are listed here. -# -# Until https://github.com/envoyproxy/envoy/issues/26163 is resolved `Dockerfiles`, -# and `go.mod` files need to be kept in sync manually. -# -# Please ensure any new ones are added here, and any that are removed are removed here also. - -- package-ecosystem: "pip" - directory: "/tools/base" - open-pull-requests-limit: 20 - schedule: - interval: "daily" - time: "06:00" - -- package-ecosystem: "pip" - directory: "/docs/tools/python" - open-pull-requests-limit: 20 - schedule: - interval: "daily" - time: "06:00" - -- package-ecosystem: "pip" - directory: "/mobile/tools/python" - open-pull-requests-limit: 20 - schedule: - interval: "daily" - time: "06:00" - -- package-ecosystem: "docker" - directory: "/.devcontainer" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "docker" - directory: "/ci" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "docker" - directory: "/ci/matrix" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "docker" - directory: "/distribution/docker" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "gomod" - directory: "/" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "gomod" - directory: "/contrib/golang/filters/http/test/test_data" - groups: - contrib-golang: - patterns: - - "*" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "gomod" - directory: "/contrib/golang/filters/http/test/test_data/dummy" - groups: - contrib-golang: - patterns: - - "*" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "gomod" - directory: "/contrib/golang/filters/network/test/test_data" - groups: - contrib-golang: - 
patterns: - - "*" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "gomod" - directory: "/contrib/golang/router/cluster_specifier/test/test_data/simple" - groups: - contrib-golang: - patterns: - - "*" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "gomod" - directory: "/contrib/golang/upstreams/http/tcp/test/test_data" - groups: - contrib-golang: - patterns: - - "*" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "gomod" - directory: "/source/extensions/dynamic_modules" - schedule: - interval: daily - time: "06:00" - -- package-ecosystem: "gomod" - directory: "/test/extensions/dynamic_modules/test_data/go" - schedule: - interval: daily - time: "06:00" diff --git a/.github/workflows/POLICY.md b/.github/workflows/POLICY.md deleted file mode 100644 index c52488cd22efe..0000000000000 --- a/.github/workflows/POLICY.md +++ /dev/null 
@@ -1,59 +0,0 @@ -# Envoy Github workflows - -## Trusted workflows - -Github workflows that are **not** triggered by a `pull_request` generally run with -the repository context/permissions. - -In various ways, these workflows can be triggered as the result of a `pull_request` -and/or be made to run untrusted code (ie PR code). - -This can be useful, but carries significant risks. - -In particular this can effect: - -- `pull_request_target` -- `workflow_run` -- `workflow_dispatch` - -Do not use these trigger events unless they are required. - -## Restrict global permissions and secrets in trusted workflows - -If a job requires specific permissions, these should be added on per-job basis. - -Global permissions should be set as follows: - -```yaml -permissions: - contents: read -``` - -Likewise, any secrets that a job requires should be set per-job. - -## Restrict access to `workflow_dispatch` - -It is important to restrict who can trigger these types of workflow. - -Do not allow any bots or app users to do so, unless this is specifically required. - -For example, you could add a `job` condition to prevent any bots from triggering the workflow: - -```yaml - if: >- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.event.schedule - || !contains(github.actor, '[bot]')) - }} -``` - -## Trusted/untrusted CI jobs - -If a trusted workflow is used to run untrusted code, then the entire job that runs this code -should be treated as untrusted. - -In this case, it is **essential** to ensure: - -- no write permissions in the untrusted job -- no secrets in the untrusted job diff --git a/.github/workflows/README.md b/.github/workflows/README.md deleted file mode 100644 index 743c7f39acdd0..0000000000000 --- a/.github/workflows/README.md +++ /dev/null 
@@ -1,198 +0,0 @@ -## CI configuration - -CI is configured in .github/config.yml. - -The configuration is per-branch and in this way different branches can have a different -runtime configuration. - -In a pull request only 2 things are read from the config.yml submitted in the request: - -- version -- build image - -As these can change the way the CI runs they are allowed to change. No other configuration -is read from the pull request itself. - -### Checks - -Which checks should run against a commit or PR is configured under the `checks` key. - -The names of these checks should match any checks that are set to required for the repo, -and if a check is required this should be set in the config to ensure the check is marked -as skipped if the related runs are skipped. - -### Runs - -This controls which workflows run, and where necessary which jobs in the workflows. - -This paths can be configured with glob matches to match changed files. - -Paths are always matched for PRs. - -For push requests the config can be set to: - -- always (default): Always runs -- paths: Runs when paths match -- never: Doesnt run on pushes - -## CI requests - -### All CI is requested - -Whether triggered by push event or a pull_request all CI should be viewed as "requested". - -This is very important as it means we can treat incoming triggers in much the same way -as we might handle an incoming web request. - -Much like a web request, CI requests may be "trusted" or "untrusted" and as a consequence -have more or less capability or access. - -Again, much like web requests, CI requests cannot be assumed to be safe. - -Any incoming data - critically data over which a user has the capability to change should -be treated in the same way that user data is handled in a web request. - -Failure to do this opens our CI up to many of the same attacks you might expect in a web scenario -- mostly injection attacks of various sorts. 
- -### Requests are always made _from_ the triggering branch - -The only CI workflow that is required/used on any branch other than `main` is `request.yml`. - -This file contains any custom configurations required by the branch - for example, build images. - -The request workflow on any branch always delegates to the `_request.yml` on `main`. - -The `_request.yml` workflow contains all required configuration for handling an incoming request. - -All other CI listens for the request workflow to run, and then runs with the requested/parsed data. - -### CI is always run _in_ the context of main - -Other than updating configurations in any given `request.yml` - no CI workflows are parsed -anywhere other than in the context of `main`. - -This means that **all** changes must be made to the `main` workflows for _any_ branch _and_ for PRs. - -Like branch CI, PRs also run in the context of `main` - making changes to these files in a PR will have -no effect until/unless they are landed on the `main` branch. - -### Lifecycle of a CI request - -#### Incoming request: - -Requests can be triggered by a `push` to `main` or a release branch or from a -`pull_request_target` to those branches. - -The `request.yml` file handles this and *must* live on every branch. - -This wf then calls the reusable `_request.yml` workflow, typically on `main`, but -branches can pin this if required. - -#### Request is handled by `_request.yml` workflow: - -This workflow initially reads the `.github/config.yml` from the target branch. - -It uses this to decide which CI and which checks need to be run, and collects information -about the CI request. - -This can be configured on a per-branch basis, by editing the file on the branch. - -This also holds the authoritative build image information. - -Users can request a CI run in a PR with custom build images by editing the config.yml file -on the relevant branch. CI will allow this but flag the change. 
- -Likewise the version is checked at this stage, and CI flags if it has changed. - -No other CI vars should be editable by users in a PR. - -#### CI check runs *on main* listen for incoming requests and run if required: - -These checks *always* run on `main` but with the repo checked out for the branch or the PR. - -If branches require custom CI this can be added in the relevant file *on main* with -a condition to only trigger for relevant target branch. - -#### Checks are completed at the end of each CI run: - -Currently this reports only on the overall outcome of the CI run and updates the check. - -We can add eg Slack reporting here to notify on failed `main` runs. - -#### Retesting - -PR CI can be retested by issuing `/retest` on the PR. - -This finds the checks related to the latest request and restarts them if they are -failed or cancelled. - -Links on the request page link to the original checks, but the checks themselves will -offer a `reload` button to refresh to the latest version. - -## Branch CI - -All CI is run on `main` - branch CI included. - -The CI will checkout the correct commits and run the CI at that point. - -This means that the CI on `main` should always be able to run the current supported branches. - -There are possible workaround for custom branch CI but the better path is to ensure legacy support -in current `main` or backport any required changes. - -## CI caching - -Currently only x86 Docker images are cached. - -Github has a hard per-repo limit of 10GB cache for CI which is LRU cycled when exceeded. - -This should just be enough to store x86 and arm Docker images for most of our release branches -but will not leave anything to spare. - -We can probably set up a bucket cache for bazel and other caching but this will need to be -done separately for un/trusted CI. 
- -### Cache mutex - -Due to shortcomings in Github's concurrency algorithm we are using a mutex lock that -is currently stored in the (private) https://github.com/envoyproxy/ci-mutex repository. - -The lock allows CI jobs to wait while the cache is being primed rather than all jobs attempting -to prime the cache simultaneously. - -## Development, testing and CI - -Any Github workflows that use the repository context (`pull_request_target`, `workflow_run`, etc) -**are not tested in Pull Requests** - -This means that changes to CI must be tested/verified in the (private) staging repository. - -### CI enabling vars - -The CI workflows and actions are receptive to certain environment variables being set. - -`ENVOY_CI`: this allows CI to run in non-`envoyproxy/envoy` repos -`ENVOY_MOBILE_CI`: this allows mobile CI to be run in non-`envoyproxy/envoy` repos -`ENVOY_MACOS_CI`: this allows macOS CI to be run in non-`envoyproxy/envoy` repos -`ENVOY_WINDOWS_CI`: this allows Windows CI to be run in non-`envoyproxy/envoy` repos - -With these flags activated the CI runs will respect the normal conditions for running. - -### CI override vars - -The CI workflows will also trigger for specific run settings. - -For example: - -`ENVOY_CI_RUN_MOBILE_ANDROID` would trigger the android CI irrespective of files changed, etc. - -These correspond to the run names as configured in config.yml - for example: - -`ENVOY_CI_RUN_BUILD_MACOS` would ensure the `build-macos` run is triggered. - -### Debugging CI - -Setting `CI_DEBUG` will provide a large amount of runtime information. - -Generally this does not want to be set in a production context. diff --git a/.github/workflows/_check_build.yml b/.github/workflows/_check_build.yml deleted file mode 100644 index ab1076cd161de..0000000000000 --- a/.github/workflows/_check_build.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -name: Check/build - -permissions: - contents: read - -on: - workflow_call: - inputs: - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-build - cancel-in-progress: true - - -jobs: - build: - permissions: - actions: read - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.name ||matrix.target }} - with: - bazel-cache: true - bazel-extra: '--config=rbe' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - docker-ci: ${{ matrix.docker-ci || false }} - error-match: | - ERROR - error: - Error: - rbe: true - request: ${{ inputs.request }} - skip: ${{ matrix.skip != false && true || false }} - target: ${{ matrix.target }} - timeout-minutes: 180 - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - target: api - name: API - - target: compile_time_options - name: Compile time options - docker-ci: true - - target: gcc - name: GCC - - target: openssl - name: OpenSSL - skip: ${{ ! fromJSON(inputs.request).run.check-build-openssl }} diff --git a/.github/workflows/_check_coverage.yml b/.github/workflows/_check_coverage.yml deleted file mode 100644 index 090ff4a8b9264..0000000000000 --- a/.github/workflows/_check_coverage.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -name: Check/coverage - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcp-key: - required: true - - inputs: - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-coverage - cancel-in-progress: true - - -jobs: - coverage: - permissions: - actions: read - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.name ||matrix.target }} - with: - bazel-cache: true - bazel-extra: '--config=rbe' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - error-match: | - ERROR - error: - Error: - lower than limit - rbe: true - request: ${{ inputs.request }} - runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }} - steps-post: ${{ matrix.steps-post }} - target: ${{ matrix.target }} - timeout-minutes: 180 - upload-name: ${{ matrix.target }} - upload-path: generated/${{ matrix.target }}/html - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - target: coverage - name: Coverage - upload-name: coverage - upload-path: generated/coverage/html - steps-post: | - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - output-path: generated/coverage/html/gcs-metadata.json - input-format: yaml - input: | - bucket: ${{ - inputs.trusted - && vars.GCS_ARTIFACT_BUCKET_POST - || vars.GCS_ARTIFACT_BUCKET_PRE }} - sha: ${{ fromJSON(inputs.request).request.sha }} - path_upload: coverage - redirect: ${{ - vars.GCS_ARTIFACT_PREFIX && format('{0}-', vars.GCS_ARTIFACT_PREFIX) - }}${{ fromJSON(inputs.request).request.pr - || fromJSON(inputs.request).request.target-branch }} - - shell: bash - run: | - ln -sf %{{ github.workspace }}/generated %{{ runner.temp }}/generated - - target: fuzz_coverage - name: Fuzz coverage - steps-post: | - - uses: 
envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - output-path: generated/fuzz_coverage/html/gcs-metadata.json - input-format: yaml - input: | - bucket: ${{ - inputs.trusted - && vars.GCS_ARTIFACT_BUCKET_POST - || vars.GCS_ARTIFACT_BUCKET_PRE }} - sha: ${{ fromJSON(inputs.request).request.sha }} - path_upload: fuzz_coverage - redirect: ${{ - vars.GCS_ARTIFACT_PREFIX && format('{0}-', vars.GCS_ARTIFACT_PREFIX) - }}${{ fromJSON(inputs.request).request.pr - || fromJSON(inputs.request).request.target-branch }} - - shell: bash - run: | - ln -sf %{{ github.workspace }}/generated %{{ runner.temp }}/generated - - upload: - secrets: - gcp-key: ${{ secrets.gcp-key }} - if: >- - !cancelled() - needs: coverage - uses: ./.github/workflows/_upload_gcs.yml - with: - artifacts: | - ["coverage", "fuzz_coverage"] diff --git a/.github/workflows/_check_san.yml b/.github/workflows/_check_san.yml deleted file mode 100644 index a306167844317..0000000000000 --- a/.github/workflows/_check_san.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -name: Check/san - -permissions: - contents: read - -on: - workflow_call: - inputs: - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-asan - cancel-in-progress: true - - -jobs: - san: - permissions: - actions: read - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.target }} - with: - bazel-cache: true - bazel-extra: '--config=rbe' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - request: ${{ inputs.request }} - error-match: | - ERROR - error: - Error: - rbe: ${{ matrix.rbe }} - target: ${{ matrix.target }} - timeout-minutes: 180 - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - target: asan - rbe: true - - target: msan - rbe: true - - target: tsan - rbe: true diff --git a/.github/workflows/_cve_fetch.yml b/.github/workflows/_cve_fetch.yml deleted file mode 100644 index ba7c60fa84424..0000000000000 --- a/.github/workflows/_cve_fetch.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -name: Dependency/Fetch CVE data - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cve-key: - required: true - inputs: - cve-data-path: - default: tools/dependency/cve_data - type: string - scheduled: - default: false - type: boolean - - -jobs: - cve-data: - name: Fetch CVE data - runs-on: ubuntu-24.04 - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Set vars - id: vars - run: | - echo "cve-data-path=${{ inputs.cve-data-path }}" > $GITHUB_OUTPUT - DAY=$(date +%u) - if [[ "$DAY" == 7 && "${{ inputs.scheduled }}" == "true" ]]; then - echo "weekly_run=true" >> $GITHUB_OUTPUT - export OVERWRITE_ALL_CVE_DATA=1 - else - echo "weekly_run=false" >> $GITHUB_OUTPUT - fi - - uses: envoyproxy/toolshed/actions/gcp/setup@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Setup GCP - with: - key: ${{ secrets.gcs-cve-key }} - - name: Create CVE data directory - run: | - mkdir -p ${{ steps.vars.outputs.cve-data-path }} - - name: Download (sync) from GCS bucket - run: | - gsutil -mq rsync \ - "gs://${{ vars.GCS_CVE_BUCKET }}" \ - "${{ steps.vars.outputs.cve-data-path }}" - - name: Run CVE fetcher - run: | - bazel run --config=ci //tools/dependency:cve_update - - name: Upload (sync) to GCS bucket - run: | - gsutil \ - -mq rsync \ - -dr ${{ steps.vars.outputs.cve-data-path }} \ - "gs://${{ vars.GCS_CVE_BUCKET }}" diff --git a/.github/workflows/_cve_scan.yml b/.github/workflows/_cve_scan.yml deleted file mode 100644 index 0237e10b812af..0000000000000 --- a/.github/workflows/_cve_scan.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: Dependency/Fetch CVE data - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cve-key: - required: true - inputs: - cve-data-path: - default: tools/dependency/cve_data - type: string - scheduled: - default: false - type: boolean - - -jobs: - cve-data: - name: Scan dependencies for CVEs - runs-on: ubuntu-24.04 - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Set vars - id: vars - run: | - echo "cve-data-path=${{ inputs.cve-data-path }}" > $GITHUB_OUTPUT - - uses: envoyproxy/toolshed/actions/gcp/setup@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Setup GCP - with: - key: ${{ secrets.gcs-cve-key }} - - name: Create CVE data directory - run: | - mkdir -p ${{ steps.vars.outputs.cve-data-path }} - - name: Download (sync) from GCS bucket - run: | - gsutil -mq rsync \ - "gs://${{ vars.GCS_CVE_BUCKET }}" \ - "${{ steps.vars.outputs.cve-data-path }}" - - name: Run CVE dependency scanner - run: | - bazel test --config=ci --config=cves //tools/dependency:cve_test diff --git a/.github/workflows/_finish.yml b/.github/workflows/_finish.yml deleted file mode 100644 index 1efa76fafe928..0000000000000 --- a/.github/workflows/_finish.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -name: Workflow/complete - -permissions: - contents: read - - -on: - # Do not run untrusted code here - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - inputs: - needs: - type: string - required: true - template-check-text: - type: string - default: | - ## \($icon) Check run finished (\($outcome.name) \($outcome.icon)) - - ## The check run can be viewed here: - - # \($icon) \($run_link) - -env: - CI_DEBUG: ${{ vars.CI_DEBUG && true || false }} - - -jobs: - complete: - runs-on: ${{ fromJSON(fromJSON(inputs.needs).load.outputs.request).config.ci.agent-ubuntu }} - permissions: - actions: read - contents: read - steps: - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Incoming data - id: needs - with: - input: | - check_name: ${{ fromJSON(inputs.needs).load.outputs.check-name }} - repo: ${{ github.repository }} - run_id: ${{ github.run_id }} - outcomes: ${{ toJSON(fromJSON(inputs.needs).*.result) }} - load: ${{ toJSON(fromJSON(inputs.needs).load.outputs) }} - input-format: yaml - print-result: ${{ fromJSON(env.CI_DEBUG || 'false') && true || false }} - filter: | - .repo as $repo - | .run_id as $run_id - | .needs as $result - | .check_name as $check_name - | .load as $load - | $load["check-id"] as $check_id - | $load["run-id"] as $workflow_id - | (.load.request | fromjson) as $request - | $request.config.envoy.icon as $icon - | .outcomes - | if any(. == "failure") then - {name: "failure", icon: ":x:"} - elif any(. == "cancelled") then - {name: "cancelled", icon: ""} - elif all(. == "skipped") then - {name: "skipped", icon: ""} - else - {name: "success", icon: ":heavy_check_mark:"} - end - | . 
as $outcome - | "\($request.check.name) (\($request.summary.title))" as $run_link_text - | "[\($run_link_text)](https://github.com/\($repo)/actions/runs/\($run_id))" as $run_link - | "${{ inputs.template-check-text }}" as $text - | {"summary-title": "\($icon) \($request.check.name) complete (\($outcome.name))", - "check-id": $check_id, - conclusion: $outcome.name, - checks: { - ($check_name): { - name: $request.check.name, - head_sha: $request.request.sha, - status: "completed", - conclusion: $outcome.name, - external_id: "\($run_id)", - output: { - title: "\($request.check.name) (\($outcome.name))", - summary: "Check has finished", - text: $text}}}} - - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Print summary - with: - input: ${{ toJSON(steps.needs.outputs.value).summary-title }} - filter: | - "## \(.)" - options: -Rr - output-path: GITHUB_STEP_SUMMARY - - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Appauth - id: appauth - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/actions/github/checks@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Update check - with: - action: update - checks: ${{ toJSON(fromJSON(steps.needs.outputs.value).checks) }} - token: ${{ steps.appauth.outputs.token }} - - # This is necessary to ensure that any retests have their checks updated - - name: Fail the job - if: ${{ fromJSON(steps.needs.outputs.value).conclusion != 'success' }} - run: | - exit 1 diff --git a/.github/workflows/_load.yml b/.github/workflows/_load.yml deleted file mode 100644 index 989bde97cd3db..0000000000000 --- a/.github/workflows/_load.yml +++ /dev/null 
@@ -1,165 +0,0 @@ -name: Request/load - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - - inputs: - agent-ubuntu: - type: string - default: ubuntu-24.04 - check-name: - type: string - required: true - check-title: - type: string - default: - head-sha: - type: string - default: - run-id: - type: string - default: ${{ github.event.workflow_run.id }} - runs-after: - type: boolean - default: false - template-request-summary: - type: string - default: | - ## \($linkedTitle) - - \($summary) - - \($extra) - - outputs: - build-image: - value: ${{ jobs.request.outputs.build-image }} - build-image-mobile: - value: ${{ jobs.request.outputs.build-image-mobile }} - check-id: - value: ${{ jobs.request.outputs.check-id }} - check-name: - value: ${{ inputs.check-name }} - request: - value: ${{ jobs.request.outputs.request }} - run-id: - value: ${{ inputs.run-id }} - trusted: - value: ${{ jobs.request.outputs.trusted }} - -concurrency: - group: | - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.head_ref - || github.run_id - }}-${{ github.workflow }}-env - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG && true || false }} - - -jobs: - request: - if: ${{ github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI }} - runs-on: ubuntu-24.04 - permissions: - actions: read - contents: read - pull-requests: read - outputs: - build-image: ${{ toJSON(fromJSON(steps.request-output.outputs.value).request.build-image) }} - build-image-mobile: ${{ fromJSON(steps.request-output.outputs.value).request.build-image-mobile }} - check-id: ${{ fromJSON(steps.request-output.outputs.value).check.check-id }} - request: ${{ steps.request-output.outputs.value }} - trusted: ${{ fromJSON(steps.request-output.outputs.value).request.trusted }} - skip: ${{ fromJSON(steps.request-output.outputs.value).check.action != 'RUN' }} - steps: - - run: | - gh api \ - -H "Accept: application/vnd.github+json" \ - -H 
"X-GitHub-Api-Version: 2022-11-28" \ - "/repos/${GH_REPO}/actions/runs/${RUN_ID}" \ - | jq '.' - RUNID=$(gh run view "${RUN_ID}" --repo "${GH_REPO}" --json databaseId | jq -r '.databaseId') - echo "value=${RUNID}" >> "$GITHUB_OUTPUT" - id: run-id - if: ${{ inputs.runs-after == true }} - env: - GH_TOKEN: ${{ github.token }} - RUN_ID: ${{ inputs.run-id }} - GH_REPO: ${{ github.repository }} - - # Load env data - # Handle any failure in triggering job - # Remove any `checks` we dont care about - # Prepare a check request - - uses: envoyproxy/toolshed/actions/github/env/load@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Load env - id: data - with: - run-id: ${{ steps.run-id.outputs.value || inputs.run-id }} - check-name: ${{ inputs.check-name }} - head-sha: ${{ inputs.head-sha }} - env: - GH_TOKEN: ${{ github.token }} - - # Update the check - - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Appauth - id: appauth - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/actions/github/checks@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Update check - if: ${{ fromJSON(steps.data.outputs.data).data.check.action == 'RUN' }} - with: - action: update - checks: ${{ toJSON(fromJSON(steps.data.outputs.data).checks) }} - token: ${{ steps.appauth.outputs.token }} - - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Print request summary - with: - input: | - action: ${{ fromJSON(steps.data.outputs.data).data.check.action }} - summary: ${{ toJSON(fromJSON(steps.data.outputs.data).data.summary) }} - input-format: yaml - output-path: GITHUB_STEP_SUMMARY - options: -r - filter: | - .action as $action - | .summary as $summary - | if ($action != "RUN") then - "### ${{ github.workflow }} was skipped" - else "" end - | . 
as $extra - | $summary["linked-title"] as $linkedTitle - | $summary.summary as $summary - | "${{ inputs.template-request-summary }}" - - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: request-output - name: Load request - with: - input: | - check: ${{ toJSON(fromJSON(steps.data.outputs.data).data.check) }} - config: ${{ toJSON(fromJSON(steps.data.outputs.data).data.config) }} - request: ${{ toJSON(fromJSON(steps.data.outputs.data).data.request) }} - run: ${{ toJSON(fromJSON(steps.data.outputs.data).data.run) }} - summary_title: ${{ fromJSON(steps.data.outputs.data).data.summary.title }} - input-format: yaml - filter: | - . - | .summary = {title: .summary_title} - | del(.request.message, .summary_title) - print-result: ${{ fromJSON(env.CI_DEBUG || 'false') && true || false }} diff --git a/.github/workflows/_load_env.yml b/.github/workflows/_load_env.yml deleted file mode 100644 index e7ca999ee13cb..0000000000000 --- a/.github/workflows/_load_env.yml +++ /dev/null 
@@ -1,113 +0,0 @@ -name: Request/load - -permissions: - contents: read - -on: - workflow_call: - secrets: - lock-app-id: - required: true - lock-app-key: - required: true - - inputs: - branch-name: - type: string - default: main - cache-docker: - type: boolean - default: true - config-file: - type: string - default: ./.github/config.yml - event-name: - type: string - default: ${{ github.workflow }} - event-type: - type: string - default: ${{ github.event_name == 'workflow_dispatch' && 'dispatch' || 'scheduled' }} - trusted: - type: boolean - default: true - - outputs: - build-image: - value: ${{ jobs.request.outputs.build-image }} - build-image-mobile: - value: ${{ jobs.request.outputs.build-image-mobile }} - request: - value: ${{ jobs.request.outputs.request }} - trusted: - value: ${{ jobs.request.outputs.trusted }} - -concurrency: - group: | - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.head_ref - || github.run_id - }}-${{ github.workflow }}-env - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG && true || false }} - - -jobs: - request: - runs-on: ubuntu-24.04 - outputs: - build-image: ${{ toJSON(fromJSON(steps.env.outputs.data).request.build-image) }} - build-image-mobile: ${{ fromJSON(steps.env.outputs.data).request.build-image-mobile }} - request: ${{ steps.env.outputs.data }} - trusted: true - steps: - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: started - name: Create timestamp - with: - options: -r - filter: | - now - - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: checkout - name: Checkout Envoy repository - - name: Generate environment variables - uses: envoyproxy/toolshed/actions/envoy/ci/env@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: env - with: - branch-name: ${{ inputs.branch-name }} - config-file: ${{ inputs.config-file }} - started: ${{ steps.started.outputs.value }} - token: ${{ 
secrets.GITHUB_TOKEN }} - vars: ${{ toJSON(vars) }} - trusted: ${{ inputs.trusted }} - - - name: Request summary - id: summary - uses: envoyproxy/toolshed/actions/github/env/summary@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} - base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} - event-name: ${{ inputs.event-name }} - event-type: ${{ inputs.event-type }} - link: ${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }} - output-path: GITHUB_STEP_SUMMARY - data: ${{ steps.env.outputs.data }} - tables: ${{ toJSON(fromJSON(steps.env.outputs.data).config.tables) }} - icon: ${{ fromJSON(steps.env.outputs.data).config.envoy.icon }} - message: ${{ fromJSON(steps.env.outputs.data).request.message }} - ref: ${{ fromJSON(steps.env.outputs.data).request.ref }} - sha: ${{ fromJSON(steps.env.outputs.data).request.sha }} - target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - - cache: - secrets: - app-id: ${{ secrets.lock-app-id }} - app-key: ${{ secrets.lock-app-key }} - uses: ./.github/workflows/_request_cache_docker.yml - needs: request - if: ${{ inputs.cache-docker }} - with: - caches: ${{ needs.request.outputs.caches }} - image-tag: ${{ fromJSON(needs.request.outputs.build-image).default }} diff --git a/.github/workflows/_mobile_container_ci.yml b/.github/workflows/_mobile_container_ci.yml deleted file mode 100644 index bd7d1eb7024c5..0000000000000 --- a/.github/workflows/_mobile_container_ci.yml +++ /dev/null 
@@ -1,175 +0,0 @@ -name: Mobile CI - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - app-key: - rbe-key: - ssh-key-extra: - inputs: - args: - type: string - bind-mount: - type: boolean - default: true - catch-errors: - type: boolean - default: false - checkout-extra: - type: string - default: - command: - type: string - default: bazel - concurrency-suffix: - type: string - default: -mobile - container: - type: string - container-output: - type: string - default: - container-command: - type: string - default: >- - docker run - --volume=${PWD}:/source - --volume=${TMP_ENTRYPOINT}:/tmp/mobile-entrypoint.sh - --volume=/tmp/mobile-cache:/root/.cache - --volume=/tmp/container-output:/tmp/container-output - --workdir=/source/mobile - --entrypoint=/tmp/mobile-entrypoint.sh - -e GITHUB_TOKEN - -e CC - -e CXX - -e BAZEL_BUILD_OPTION_LIST - -e MOBILE_DOCS_CHECKOUT_DIR - diskspace-hack: - type: boolean - default: false - diskspace-hack-paths: - type: string - default: - downloads: - type: string - default: - entrypoint: - type: string - default: - entrypoint-DEFAULT: - type: string - default: | - #!/bin/bash -e - export PATH=/opt/llvm/bin:$PATH - if command -v git >/dev/null 2>&1; then - git config --global --add safe.directory /source - fi - exec "$@" - error-match: - type: string - default: | - ERROR - error: - Error: - notice-match: - type: string - default: | - NOTICE - Streaming build results - output-path: - type: string - default: /tmp/container-output - rbe: - type: boolean - default: true - ref: - type: string - request: - type: string - required: true - runs-on: - type: string - skip: - type: boolean - default: false - source: - type: string - default: - steps-pre: - type: string - steps-pre-name: - type: string - steps-post: - type: string - default: - steps-post-name: - type: string - target: - type: string - required: true - temp-dir: - type: string - timeout-minutes: - type: number - trusted: - type: boolean - default: false - 
upload-name: - type: string - upload-path: - type: string - warning-match: - type: string - default: | - WARNING - warning: - Warning: - - -jobs: - ci: - uses: ./.github/workflows/_run.yml - name: ${{ inputs.target }} - permissions: - actions: read - contents: read - packages: read - secrets: - ssh-key-extra: ${{ secrets.ssh-key-extra }} - with: - args: ${{ inputs.args }} - rbe: ${{ inputs.rbe }} - bind-mount: ${{ inputs.bind-mount }} - bind-mounts: | - - src: /mnt/container-cache - target: /tmp/mobile-cache - chown: "runner:runner" - # This always just caches the main build image, the mobile one is layered on top - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - catch-errors: ${{ inputs.catch-errors }} - container-command: ${{ inputs.container-command }} ${{ inputs.container || fromJSON(inputs.request).request.build-image.default }} - container-output: ${{ inputs.container-output }} - command: ${{ inputs.command }} - concurrency-suffix: ${{ inputs.concurrency-suffix }} - diskspace-hack: ${{ inputs.diskspace-hack }} - diskspace-hack-paths: ${{ inputs.diskspace-hack-paths }} - docker-ipv6: false - entrypoint: ${{ inputs.entrypoint || inputs.entrypoint-DEFAULT }} - downloads: ${{ inputs.downloads }} - error-match: ${{ inputs.error-match }} - notice-match: ${{ inputs.notice-match }} - output-path: ${{ inputs.output-path }} - request: ${{ inputs.request }} - source: ${{ inputs.source }} - steps-pre: ${{ inputs.steps-pre }} - steps-post: ${{ inputs.steps-post }} - target: ${{ inputs.target }} - timeout-minutes: ${{ inputs.timeout-minutes }} - trusted: ${{ fromJSON(inputs.request).request.trusted }} - upload-name: ${{ inputs.upload-name }} - upload-path: ${{ inputs.upload-path }} - warning-match: ${{ inputs.warning-match }} diff --git a/.github/workflows/_precheck_deps.yml b/.github/workflows/_precheck_deps.yml deleted file mode 100644 index cdd1d274c5d4c..0000000000000 --- a/.github/workflows/_precheck_deps.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -name: Precheck/deps - -permissions: - contents: read - -on: - workflow_call: - inputs: - dependency-review: - type: boolean - default: false - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-deps - cancel-in-progress: true - - -jobs: - deps: - permissions: - actions: read - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.target }} - with: - bazel-cache: true - bazel-extra: '--config=rbe' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - request: ${{ inputs.request }} - error-match: | - ERROR - error: - Error: - rbe: true - target: ${{ matrix.target }} - trusted: ${{ inputs.trusted }} - strategy: - matrix: - include: - - target: deps - - dependency-review: - runs-on: ubuntu-24.04 - if: ${{ inputs.dependency-review }} - steps: - - name: Checkout Repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - ref: ${{ fromJSON(inputs.request).request.sha }} - persist-credentials: false - - name: Dependency Review - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 diff --git a/.github/workflows/_precheck_format.yml b/.github/workflows/_precheck_format.yml deleted file mode 100644 index ae63eb19277fc..0000000000000 --- a/.github/workflows/_precheck_format.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -name: Precheck/format - -permissions: - contents: read - -on: - workflow_call: - inputs: - request: - type: string - required: true - trusted: - type: boolean - required: true - - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-format - cancel-in-progress: true - - -jobs: - format: - permissions: - actions: read - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.name || matrix.target }} - with: - bazel-cache: true - bazel-extra: '--config=rbe' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - request: ${{ inputs.request }} - # format needs aspell, and format-api requires git - docker-ci: false - error-match: | - ERROR - error: - Error: - rbe: true - target: ${{ matrix.target }} - trusted: ${{ inputs.trusted }} - upload-name: ${{ matrix.upload-name }} - upload-path: ${{ matrix.upload-path }} - strategy: - fail-fast: false - matrix: - include: - - target: format - upload-name: fix_format.diff - upload-path: /home/runner/work/_temp/container/fix_format.diff - diskpace-hack-paths: | - /opt/hostedtoolcache - - target: format-api - upload-name: fix_proto_format.diff - upload-path: /home/runner/work/_temp/container/fix_proto_format.diff diff --git a/.github/workflows/_precheck_publish.yml b/.github/workflows/_precheck_publish.yml deleted file mode 100644 index fb346c37b7793..0000000000000 --- a/.github/workflows/_precheck_publish.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -name: Precheck/publish - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcp-key: - required: true - inputs: - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-publish - cancel-in-progress: true - - -jobs: - publish: - permissions: - actions: read - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.name || matrix.target }} - with: - arch: ${{ matrix.arch }} - bazel-cache: ${{ matrix.bazel-cache != 'DISABLE' }} - bazel-cache-output-base: ${{ matrix.bazel-cache-output-base || 'base' }} - bazel-extra: ${{ matrix.bazel-extra || '--config=rbe' }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && '-arm64' || '' }} - concurrency-suffix: -${{ matrix.target }}${{ matrix.arch && format('-{0}', matrix.arch) || '' }} - rbe: ${{ matrix.rbe }} - request: ${{ inputs.request }} - runs-on: ${{ matrix.runs-on || fromJSON(inputs.request).config.ci.agent-ubuntu }} - timeout-minutes: ${{ matrix.timeout-minutes || 120 }} - error-match: | - ERROR - error: - Error: - skip: ${{ matrix.skip != false && true || false }} - steps-post: ${{ matrix.steps-post }} - target: ${{ matrix.target }} - target-suffix: ${{ matrix.target-suffix }} - trusted: ${{ inputs.trusted }} - upload-name: ${{ matrix.upload-name }} - upload-path: ${{ matrix.upload-path }} - strategy: - fail-fast: false - matrix: - include: - - target: release.test_only - name: Release (x64) - target-suffix: x64 - arch: x64 - rbe: true - - target: release.test_only - name: Release (arm64) - target-suffix: arm64 - arch: arm64 - rbe: true - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} - timeout-minutes: 180 - - target: config - name: Config - bazel-cache: true - bazel-cache-output-base: docs - rbe: true - skip: ${{ ! 
fromJSON(inputs.request).run.precheck-publish-config }} - - target: docs - name: Docs - bazel-cache: true - bazel-cache-output-base: docs - bazel-extra: >- - --config=rbe - --config=docs-ci - rbe: true - upload-name: docs - upload-path: generated/docs - steps-post: | - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - output-path: generated/docs/gcs-metadata.json - input-format: yaml - input: | - bucket: ${{ - inputs.trusted - && vars.GCS_ARTIFACT_BUCKET_POST - || vars.GCS_ARTIFACT_BUCKET_PRE }} - sha: ${{ fromJSON(inputs.request).request.sha }} - path_upload: docs - redirect: ${{ - vars.GCS_ARTIFACT_PREFIX && format('{0}-', vars.GCS_ARTIFACT_PREFIX) - }}${{ fromJSON(inputs.request).request.pr - || fromJSON(inputs.request).request.target-branch }} - - shell: bash - run: | - ln -sf %{{ github.workspace }}/generated %{{ runner.temp }}/generated - - upload: - secrets: - gcp-key: ${{ secrets.gcp-key }} - if: >- - !cancelled() - needs: publish - uses: ./.github/workflows/_upload_gcs.yml - with: - artifacts: | - ["docs"] diff --git a/.github/workflows/_publish_build.yml b/.github/workflows/_publish_build.yml deleted file mode 100644 index 9c21b91cd31fb..0000000000000 --- a/.github/workflows/_publish_build.yml +++ /dev/null 
@@ -1,120 +0,0 @@ -name: Build - -permissions: - contents: read - -on: - workflow_call: - secrets: - gpg-key: - required: true - gpg-key-password: - required: true - inputs: - arch: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - - -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.event.inputs.head_ref - || github.run_id - }}-${{ inputs.arch }}-${{ github.event.workflow.id }}-publish - cancel-in-progress: true - - -jobs: - binary: - permissions: - actions: read - contents: read - packages: read - name: Binary - uses: ./.github/workflows/_run.yml - with: - arch: ${{ inputs.arch }} - bazel-cache: true - bazel-extra: >- - --config=rbe - target: release.server_only - target-suffix: ${{ inputs.arch }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }} - concurrency-suffix: -${{ inputs.arch }} - rbe: true - request: ${{ inputs.request }} - runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }} - timeout-minutes: 120 - trusted: ${{ inputs.trusted }} - upload-name: release.${{ inputs.arch }} - upload-path: container/envoy/${{ inputs.arch }}/bin/ - - docker: - permissions: - actions: read - contents: read - packages: read - name: Docker OCI - needs: - - binary - uses: ./.github/workflows/_run.yml - with: - arch: ${{ inputs.arch }} - target: docker - target-suffix: ${{ inputs.arch }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }} - concurrency-suffix: -${{ inputs.arch }} - downloads: | - release.${{ inputs.arch }}: container/envoy/${{ inputs.arch }}/bin/ - request: ${{ inputs.request }} - source: | - export NO_BUILD_SETUP=1 - export ENVOY_DOCKER_IN_DOCKER=1 - export ENVOY_DOCKER_SAVE_IMAGE=true - export 
ENVOY_OCI_DIR=build_images - trusted: ${{ inputs.trusted }} - upload-name: oci.${{ inputs.arch }} - upload-path: container/envoy/${{ inputs.arch }}/build_images - runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }} - - distribution: - permissions: - actions: read - contents: read - packages: read - secrets: - gpg-key: ${{ secrets.gpg-key }} - gpg-key-password: ${{ secrets.gpg-key-password }} - name: Packages - needs: - - binary - uses: ./.github/workflows/_run.yml - with: - arch: ${{ inputs.arch }} - bazel-cache: true - bazel-extra: >- - --config=remote-cache - downloads: | - release.${{ inputs.arch }}: container/release/${{ inputs.arch }}/bin/ - target: distribution - target-suffix: ${{ inputs.arch }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }} - concurrency-suffix: -${{ inputs.arch }} - docker-ci: false - import-gpg: true - rbe: false - request: ${{ inputs.request }} - runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }} - trusted: ${{ inputs.trusted }} - upload-name: packages.${{ inputs.arch }} - upload-path: container/envoy/${{ inputs.arch }} diff --git a/.github/workflows/_publish_release.yml b/.github/workflows/_publish_release.yml deleted file mode 100644 index b683abd1bf3b1..0000000000000 --- a/.github/workflows/_publish_release.yml +++ /dev/null 
@@ -1,152 +0,0 @@ -name: Publish - -permissions: - contents: read - -on: - workflow_call: - secrets: - dockerhub-password: - dockerhub-username: - ENVOY_CI_SYNC_APP_ID: - ENVOY_CI_SYNC_APP_KEY: - ENVOY_CI_PUBLISH_APP_ID: - ENVOY_CI_PUBLISH_APP_KEY: - gpg-key: - required: true - gpg-key-password: - required: true - inputs: - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.event.inputs.head_ref - || github.run_id - }}-${{ github.event.workflow.id }}-publish - cancel-in-progress: true - - -jobs: - sign: - permissions: - actions: read - contents: read - packages: read - secrets: - gpg-key: ${{ secrets.gpg-key }} - gpg-key-password: ${{ secrets.gpg-key-password }} - if: ${{ vars.ENVOY_CI_RELEASE || github.repository == 'envoyproxy/envoy' }} - name: Sign packages - uses: ./.github/workflows/_run.yml - with: - target: release.signed - bazel-extra: >- - --config=rbe - --noremote_upload_local_results - --//distribution:x64-packages=//distribution:custom/x64/packages.x64.tar.gz - --//distribution:arm64-packages=//distribution:custom/arm64/packages.arm64.tar.gz - --//distribution:x64-release=//distribution:custom/x64/bin/release.tar.zst - --//distribution:arm64-release=//distribution:custom/arm64/bin/release.tar.zst - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - downloads: | - packages.arm64: container/envoy/arm64/ - packages.x64: container/envoy/x64/ - release.arm64: container/envoy/arm64/bin/ - release.x64: container/envoy/x64/bin/ - import-gpg: true - request: ${{ inputs.request }} - source: | - export NO_BUILD_SETUP=1 - trusted: ${{ inputs.trusted }} - upload-name: release.signed - upload-path: container/envoy/release.signed.tar.zst - steps-pre: | - - run: | - mkdir distribution/custom - cp -a %{{ runner.temp }}/container/envoy/x64 %{{ runner.temp }}/container/envoy/arm64 distribution/custom - shell: bash - - 
container: - secrets: - dockerhub-username: ${{ secrets.dockerhub-username }} - dockerhub-password: ${{ secrets.dockerhub-password }} - permissions: - actions: read - contents: read - packages: read - name: Publish container images - uses: ./.github/workflows/_publish_release_container.yml - with: - dockerhub-repo: ${{ vars.DOCKERHUB_REPO || 'envoy' }} - dev: ${{ fromJSON(inputs.request).request.version.dev }} - sha: ${{ fromJSON(inputs.request).request.sha }} - target-branch: ${{ fromJSON(inputs.request).request.target-branch }} - trusted: ${{ inputs.trusted }} - version-major: ${{ fromJSON(inputs.request).request.version.major }} - version-minor: ${{ fromJSON(inputs.request).request.version.minor }} - version-patch: ${{ fromJSON(inputs.request).request.version.patch }} - - release: - secrets: - app-id: ${{ inputs.trusted && secrets.ENVOY_CI_PUBLISH_APP_ID || '' }} - app-key: ${{ inputs.trusted && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }} - permissions: - actions: read - contents: read - packages: read - needs: - - container - - sign - name: ${{ matrix.name || matrix.target }} - uses: ./.github/workflows/_run.yml - with: - target: ${{ matrix.target }} - bazel-cache: true - rbe: false - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - downloads: | - release.signed: container/release.signed - source: ${{ matrix.source }} - request: ${{ inputs.request }} - steps-pre: ${{ matrix.steps-pre }} - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - target: publish - name: github - - docs: - # For normal commits to Envoy main this will trigger an update in the website repo, - # which will update its envoy dep shas, and rebuild the website for the latest docs - # - # For commits that create a release, it instead triggers an update in the archive repo, - # which builds a static version of the docs for the release and commits it to the archive. 
- # In turn the archive repo triggers an update in the website so the new release docs are - # included in the published site - if: ${{ inputs.trusted && github.repository == 'envoyproxy/envoy' }} - runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }} - needs: - - release - steps: - - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: appauth - with: - app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} - key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/actions/dispatch@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - ref: main - repository: ${{ fromJSON(inputs.request).request.version.dev && 'envoyproxy/envoy-website' || 'envoyproxy/archive' }} - token: ${{ steps.appauth.outputs.token }} - workflow: envoy-sync.yaml - inputs: | - commit_sha: ${{ fromJSON(inputs.request).request.version.dev && github.sha || '' }} diff --git a/.github/workflows/_publish_release_container.yml b/.github/workflows/_publish_release_container.yml deleted file mode 100644 index 0979fb032b5e4..0000000000000 --- a/.github/workflows/_publish_release_container.yml +++ /dev/null 
@@ -1,234 +0,0 @@ -name: Publish (containers) - -permissions: - contents: read - -on: - workflow_call: - secrets: - dockerhub-password: - dockerhub-username: - inputs: - dev: - required: true - type: boolean - default: true - dockerhub-repo: - required: true - default: envoy - type: string - sha: - required: true - type: string - target-branch: - required: true - type: string - trusted: - required: true - type: boolean - version-major: - required: false - type: number - version-minor: - required: false - type: number - version-patch: - required: false - type: number - -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.event.inputs.head_ref - || github.run_id - }}-${{ github.event.workflow.id }}-publish-release-container - cancel-in-progress: true - - -jobs: - push-manifests: - name: Create manifests (${{ inputs.trustred && 'dry run' || 'push' }}) - runs-on: ubuntu-24.04 - permissions: - contents: read - packages: read - steps: - - name: Generate manifest configuration (dev) - id: dev-config - if: ${{ inputs.dev && inputs.target-branch == 'main' }} - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - input-format: yaml - filter: >- - {manifests: .} - input: | - - name: ${{ inputs.dockerhub-repo }} - tag: dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy.{arch}.tar - additional-tags: - - dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: contrib-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib.{arch}.tar - additional-tags: - - contrib-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: contrib-debug-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib-debug.{arch}.tar - additional-tags: - - contrib-debug-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: 
contrib-distroless-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib-distroless.{arch}.tar - additional-tags: - - contrib-distroless-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: debug-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-debug.{arch}.tar - additional-tags: - - debug-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: distroless-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-distroless.{arch}.tar - additional-tags: - - distroless-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: google-vrp-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - artifact-pattern: envoy-google-vrp.{arch}.tar - additional-tags: - - google-vrp-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: tools-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-tools.{arch}.tar - additional-tags: - - tools-dev-${{ github.sha }} - - - name: Generate manifest configuration (release) - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: release-config - if: ${{ ! inputs.dev || ! 
inputs.target-branch != 'main' }} - with: - input-format: yaml - filter: >- - .version as $v - | {manifests: - [.manifests[] - | select( - (.tag | test("contrib-distroless") | not) - or ($v.major > 1 or ($v.major == 1 and $v.minor >= 37)))]} - input: | - version: - major: ${{ inputs.version-major }} - minor: ${{ inputs.version-minor }} - manifests: - - name: ${{ inputs.dockerhub-repo }} - tag: v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy.{arch}.tar - additional-tags: - - v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: contrib-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib.{arch}.tar - additional-tags: - - contrib-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: contrib-debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib-debug.{arch}.tar - additional-tags: - - contrib-debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: contrib-distroless-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib-distroless.{arch}.tar - additional-tags: - - contrib-distroless-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - 
artifact-pattern: envoy-debug.{arch}.tar - additional-tags: - - debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: distroless-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-distroless.{arch}.tar - additional-tags: - - distroless-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: google-vrp-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - artifact-pattern: envoy-google-vrp.{arch}.tar - additional-tags: - - google-vrp-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: tools-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-tools.{arch}.tar - additional-tags: - - tools-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - - name: Collect and push OCI artifacts - uses: envoyproxy/toolshed/actions/oci/collector@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - artifacts-pattern: oci.* - manifest-config: ${{ steps.dev-config.outputs.value || steps.release-config.outputs.value }} - dry-run: ${{ ! inputs.trusted || (inputs.target-branch != 'main' && inputs.dev) }} - dockerhub-username: ${{ inputs.trusted && secrets.dockerhub-username || '' }} - dockerhub-password: ${{ inputs.trusted && secrets.dockerhub-password || '' }} diff --git a/.github/workflows/_publish_verify.yml b/.github/workflows/_publish_verify.yml deleted file mode 100644 index 61dd96ca92846..0000000000000 --- a/.github/workflows/_publish_verify.yml +++ /dev/null 
@@ -1,194 +0,0 @@ -name: Verify - -permissions: - contents: read - -on: - workflow_call: - inputs: - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.event.inputs.head_ref - || github.run_id - }}-${{ github.event.workflow.id }}-verify - cancel-in-progress: true - - -jobs: - examples: - permissions: - actions: read - contents: read - packages: read - name: ${{ matrix.name || matrix.target }} - uses: ./.github/workflows/_run.yml - with: - bazel-cache: false - bazel-extra: ${{ matrix.bazel-extra || '--config=rbe' }} - cache-build-image: ${{ matrix.cache-build-image }} - cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }} - container-command: ${{ matrix.container-command }} - concurrency-suffix: -${{ matrix.arch || 'x64' }} - downloads: ${{ matrix.downloads }} - rbe: ${{ matrix.rbe }} - request: ${{ inputs.request }} - steps-pre: ${{ matrix.steps-pre }} - source: ${{ matrix.source }} - target: ${{ matrix.target }} - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - name: examples - target: verify_examples - downloads: | - oci.arm64: container/build_images - oci.x64: container/build_images - rbe: false - source: | - export NO_BUILD_SETUP=1 - steps-pre: | - - run: | - # Install expected host packages - export DEBIAN_FRONTEND=noninteractive - sudo apt-get -qq update -y - sudo apt-get -qq install -y --no-install-recommends expect gettext yq whois - shell: bash - - run: | - IMAGES=( - envoy:dev - envoy-contrib:contrib-dev - envoy-google-vrp:google-vrp-dev) - RUNNER_TEMP="%{{ runner.temp }}" - . 
./.github/workflows/docker_utils.sh - skopeo_copy "${IMAGES[*]}" - shell: bash - - run: docker images | grep envoy - shell: bash - - distroless: - permissions: - actions: read - contents: read - packages: read - name: ${{ matrix.name || matrix.target }} - uses: ./.github/workflows/_run.yml - with: - bazel-extra: ${{ matrix.bazel-extra || '--config=rbe' }} - cache-build-image: ${{ matrix.cache-build-image }} - cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }} - container-command: ${{ matrix.container-command }} - concurrency-suffix: -${{ matrix.arch || 'x64' }} - downloads: ${{ matrix.downloads }} - rbe: ${{ matrix.rbe }} - request: ${{ inputs.request }} - steps-pre: ${{ matrix.steps-pre }} - source: ${{ matrix.source }} - target: ${{ matrix.target }} - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - name: distroless - target: verify-distroless - downloads: | - oci.x64: container/build_images - rbe: false - source: | - export NO_BUILD_SETUP=1 - steps-pre: | - - id: version-support - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - input: | - version_major: ${{ fromJSON(inputs.request).request.version.major }} - version_minor: ${{ fromJSON(inputs.request).request.version.minor }} - input-format: yaml - filter: | - . - | {contrib_distroless: ( - .version_major > 1 or (.version_major == 1 and .version_minor >= 37))} - - env: - CONTRIB_DISTROLESS: %{{ fromJSON(steps.version-support.outputs.value).contrib_distroless }} - run: | - IMAGES=() - IMAGES+=(envoy-distroless:distroless-dev) - if [[ "$CONTRIB_DISTROLESS" == "true" ]]; then - IMAGES+=(envoy-contrib-distroless:contrib-distroless-dev) - fi - RUNNER_TEMP="%{{ runner.temp }}" - . 
./.github/workflows/docker_utils.sh - skopeo_copy "${IMAGES[*]}" - shell: bash - - run: docker images | grep envoy - shell: bash - - distro: - permissions: - actions: read - contents: read - packages: read - name: ${{ matrix.name || matrix.target }} - uses: ./.github/workflows/_run.yml - with: - arch: ${{ matrix.arch }} - bazel-extra: ${{ matrix.bazel-extra || '--config=rbe' }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }} - container-command: ./ci/run_envoy_docker.sh - concurrency-suffix: -${{ matrix.arch || 'x64' }} - downloads: | - release.signed: container/release.signed - rbe: ${{ matrix.rbe && matrix.rbe || false }} - request: ${{ inputs.request }} - runs-on: ${{ matrix.runs-on }} - source: | - export NO_BUILD_SETUP=1 - export ENVOY_DOCKER_IN_DOCKER=1 - target: ${{ matrix.target }} - target-suffix: ${{ matrix.arch }} - trusted: ${{ inputs.trusted }} - steps-pre: | - - run: | - echo ARCH=${{ matrix.arch }} >> $GITHUB_ENV - echo DEB_ARCH=${{ matrix.arch == 'arm64' && 'arm64' || 'amd64' }} >> $GITHUB_ENV - shell: bash - - run: | - TEMP_DIR=$(mktemp -d) - zstd --stdout -d %{{ runner.temp }}/container/release.signed/release.signed.tar.zst \ - | tar --warning=no-timestamp -xf - -C "${TEMP_DIR}" - mkdir ${TEMP_DIR}/debs - tar xf ${TEMP_DIR}/bin/debs.tar.gz -C ${TEMP_DIR}/debs - mkdir -p ${TEMP_DIR}/distribution/deb - cp -a ${TEMP_DIR}/debs/*_${DEB_ARCH}* ${TEMP_DIR}/distribution/deb - cp -a ${TEMP_DIR}/signing.key ${TEMP_DIR}/distribution - mkdir -p %{{ runner.temp }}/container/distribution/${ARCH} - tar czf %{{ runner.temp }}/container/distribution/${ARCH}/packages.${ARCH}.tar.gz -C ${TEMP_DIR}/distribution . 
- shell: bash - - strategy: - fail-fast: false - matrix: - include: - - - name: verify_distro_x64 - target: verify_distro - arch: x64 - rbe: true - - - name: verify_distro_arm64 - target: verify_distro - arch: arm64 - bazel-extra: >- - --config=remote-cache - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} diff --git a/.github/workflows/_request.yml b/.github/workflows/_request.yml deleted file mode 100644 index b2272cb63abd5..0000000000000 --- a/.github/workflows/_request.yml +++ /dev/null 
@@ -1,241 +0,0 @@ -name: Request/incoming - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - lock-app-id: - required: true - lock-app-key: - required: true - - # Defaults are set .github/config.yml on the `main` branch. - inputs: - # TODO: move this to .github/config.yml - cache-bazel-hash-paths: - type: string - default: | - WORKSPACE - bazel/repository_locations.bzl - api/bazel/repository_locations.bzl - .bazelversion - .github/workflows/_request_cache_bazel.yml - config-file: - type: string - default: ./.github/config.yml - -concurrency: - group: | - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.head_ref - || github.run_id - }}-${{ github.workflow }}-env-prime - cancel-in-progress: true - -env: - CI_DEBUG: ${{ (vars.CI_DEBUG || vars.RUNNER_DEBUG) && true || false }} - - -jobs: - incoming: - if: ${{ github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI }} - runs-on: ubuntu-24.04 - permissions: - actions: read - contents: read - pull-requests: read - outputs: - env: ${{ steps.data.outputs.value }} - caches: ${{ steps.caches.outputs.value }} - config: ${{ steps.config.outputs.config }} - steps: - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: started - name: Create timestamp - with: - options: -r - filter: | - now - - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: checkout - name: Checkout Envoy repository (requested) - with: - pr: ${{ github.event.number }} - branch: ${{ github.base_ref || github.ref_name }} - config: | - fetch-depth: ${{ startsWith(github.event_name, 'pull_request') && 1 || 2 }} - path: requested - # This step *LOOKS AT* the repo at the point requested - # Its essential that this _job_ *MUST NOT EXECUTE ANY CODE FROM THE CHECKED OUT REPO* - # *ALL* variables collected should be treated as untrusted and should be sanitized before - # use - - name: 
Generate environment variables from commit - uses: envoyproxy/toolshed/actions/envoy/ci/request@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: env - with: - branch-name: ${{ steps.checkout.outputs.branch-name }} - config-file: ${{ inputs.config-file }} - merge-commit: ${{ steps.checkout.outputs.merge-commit }} - started: ${{ steps.started.outputs.value }} - token: ${{ secrets.GITHUB_TOKEN }} - vars: ${{ toJSON(vars) }} - working-directory: requested - - - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: checkout-target - name: Checkout Envoy repository (target branch) - with: - branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - config: | - fetch-depth: 1 - path: target - - uses: envoyproxy/toolshed/actions/hashfiles@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: bazel-cache-hash - name: Bazel cache hash - with: - files: ${{ inputs.cache-bazel-hash-paths }} - working-directory: target - - - name: Request summary - id: summary - uses: envoyproxy/toolshed/actions/github/env/summary@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} - base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} - link: ${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }} - output-path: GITHUB_STEP_SUMMARY - pr: ${{ github.event.number }} - data: ${{ steps.env.outputs.data }} - tables: ${{ toJSON(fromJSON(steps.env.outputs.data).config.tables) }} - icon: ${{ fromJSON(steps.env.outputs.data).config.envoy.icon }} - message: ${{ fromJSON(steps.env.outputs.data).request.message }} - ref: ${{ fromJSON(steps.env.outputs.data).request.ref }} - sha: ${{ fromJSON(steps.env.outputs.data).request.sha }} - target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - - - id: cache-id-bazel-x64 - uses: 
envoyproxy/toolshed/actions/github/artifact/cache/id@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - name: ${{ steps.bazel-cache-hash.outputs.value }}-x64 - wf-path: .github/workflows/request.yml - - id: cache-id-bazel-arm64 - uses: envoyproxy/toolshed/actions/github/artifact/cache/id@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - name: ${{ steps.bazel-cache-hash.outputs.value }}-arm64 - wf-path: .github/workflows/request.yml - - id: cache-id-bazel-docs-x64 - uses: envoyproxy/toolshed/actions/github/artifact/cache/id@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - name: ${{ steps.bazel-cache-hash.outputs.value }}-docs-x64 - wf-path: .github/workflows/request.yml - - id: cache-id-bazel-external-x64 - uses: envoyproxy/toolshed/actions/github/artifact/cache/id@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - name: ${{ steps.bazel-cache-hash.outputs.value }}-external-x64 - wf-path: .github/workflows/request.yml - - - name: Environment data - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: data - with: - input: | - cache: - bazel: - hash: ${{ steps.bazel-cache-hash.outputs.value }} - arm64: ${{ steps.cache-id-bazel-arm64.outputs.id || '' }} - x64: ${{ steps.cache-id-bazel-x64.outputs.id || '' }} - docs-x64: ${{ steps.cache-id-bazel-docs-x64.outputs.id || '' }} - external-x64: ${{ steps.cache-id-bazel-external-x64.outputs.id || '' }} - env: ${{ steps.env.outputs.data }} - title: ${{ steps.summary.outputs.title }} - link: ${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }} - summary: ${{ steps.summary.outputs.summary }} - input-format: yaml - filter: | - .title as $title - | .cache as $cache - | .env.config.envoy.icon as $icon - | .link as $link - | "\($icon) Request ([\($title)](\($link)))" as $linkedTitle - | .summary as $summary - | .env - | .config.ci.cache = $cache - | .summary = { - $summary, - $title, - $link, - "linked-title": 
$linkedTitle} - | del(.config.tables) - - # TODO(phlax): shift this to ci/request action above - - name: Check Docker cache (x64) - id: cache-exists-docker-x64 - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - with: - lookup-only: true - path: /tmp/cache - key: ${{ fromJSON(steps.data.outputs.value).request.build-image.default }} - - name: Check Docker cache (arm64) - id: cache-exists-docker-arm64 - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - with: - lookup-only: true - path: /tmp/cache - key: ${{ fromJSON(steps.data.outputs.value).request.build-image.default }}-arm64 - - name: Caches - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: caches - with: - input-format: yaml - input: | - bazel: - x64: ${{ steps.cache-id-bazel-x64.outputs.id || '' }} - arm64: ${{ steps.cache-id-bazel-arm64.outputs.id || '' }} - docs-x64: ${{ steps.cache-id-bazel-docs-x64.outputs.id || '' }} - external-x64: ${{ steps.cache-id-bazel-external-x64.outputs.id || '' }} - docker: - x64: ${{ steps.cache-exists-docker-x64.outputs.cache-hit || 'false' }} - arm64: ${{ steps.cache-exists-docker-arm64.outputs.cache-hit || 'false' }} - target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - filter: | - .["target-branch"] as $branch - | if ($branch | test("^release/v[0-9]+\\.[0-9]+$")) then - ($branch | sub("^release/v"; "") + ".0") as $version_str - | ($version_str | utils::version) as $version - | if ($version.major < 1 or ($version.major == 1 and $version.minor <= 37)) then - .bazel["docs-x64"] = "skip" - | .bazel["external-x64"] = "skip" - else . end - else . 
end - | del(.["target-branch"]) - - cache: - permissions: - actions: write - contents: read - packages: read - if: ${{ github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI }} - needs: incoming - uses: ./.github/workflows/_request_cache.yml - secrets: - app-id: ${{ secrets.lock-app-id }} - app-key: ${{ secrets.lock-app-key }} - with: - caches: ${{ needs.incoming.outputs.caches }} - env: ${{ needs.incoming.outputs.env }} - - checks: - if: ${{ github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI }} - needs: incoming - uses: ./.github/workflows/_request_checks.yml - secrets: - app-id: ${{ secrets.app-id }} - app-key: ${{ secrets.app-key }} - with: - env: ${{ needs.incoming.outputs.env }} diff --git a/.github/workflows/_request_cache.yml b/.github/workflows/_request_cache.yml deleted file mode 100644 index 29c96a6f7e389..0000000000000 --- a/.github/workflows/_request_cache.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -name: Request/cache - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - - inputs: - env: - type: string - required: true - caches: - type: string - required: true - - -jobs: - docker: - secrets: - app-id: ${{ secrets.app-id }} - app-key: ${{ secrets.app-key }} - name: Docker/${{ matrix.arch }} - uses: ./.github/workflows/_request_cache_docker.yml - with: - arch: ${{ matrix.arch }} - cache-suffix: ${{ matrix.cache-suffix }} - caches: ${{ inputs.caches }} - image-tag: ${{ fromJSON(inputs.env).request.build-image.default }} - runs-on: ${{ matrix.runs-on }} - strategy: - fail-fast: false - matrix: - include: - - target: docker-x64 - arch: x64 - - target: docker-arm64 - arch: arm64 - cache-suffix: -arm64 - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} - - bazel: - permissions: - actions: write - contents: read - packages: read - secrets: - app-id: ${{ secrets.app-id }} - app-key: ${{ secrets.app-key }} - name: ${{ matrix.name }} - uses: ./.github/workflows/_request_cache_bazel.yml - with: - arch: ${{ matrix.arch || 'x64' }} - caches: ${{ inputs.caches }} - output-base: ${{ matrix.output-base || 'base' }} - request: ${{ inputs.env }} - runs-on: ${{ matrix.runs-on }} - targets: ${{ matrix.targets || '...' }} - working-dir: ${{ matrix.working-dir || '' }} - strategy: - fail-fast: false - matrix: - include: - - name: Bazel (x64/cache) - - name: Bazel (arm64/cache) - arch: arm64 - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} - targets: >- - //test/... - //contrib/... - //source/... - - name: Bazel docs (x64/cache) - output-base: docs - targets: //:envoy-docs - working-dir: docs - - name: Bazel external (x64/cache) - output-base: external - targets: >- - @envoy//source/common/common:assert_lib - @envoy-docs - working-dir: bazel/tests/external 
diff --git a/.github/workflows/_request_cache_bazel.yml b/.github/workflows/_request_cache_bazel.yml deleted file mode 100644 index bf7e10462243e..0000000000000 --- a/.github/workflows/_request_cache_bazel.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -name: Request/Cache prime (bazel) - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - - inputs: - arch: - type: string - default: x64 - caches: - type: string - required: true - output-base: - type: string - default: base - request: - type: string - required: true - runs-on: - type: string - default: - lock-repository: - type: string - default: envoyproxy/ci-mutex - targets: - type: string - default: ... - working-dir: - type: string - default: "" - - -jobs: - bazel: - permissions: - actions: write - contents: read - packages: read - runs-on: ${{ inputs.runs-on || fromJSON(inputs.request).config.ci.agent-ubuntu }} - name: >- - [${{ inputs.arch }}${{ - inputs.output-base != 'base' - && format('/{0}', inputs.output-base) - || '' - }}] Prime Bazel cache - if: >- - ${{ - (inputs.output-base == 'base' - && ! fromJSON(inputs.caches).bazel[inputs.arch]) - || (inputs.output-base != 'base' - && ! fromJSON(inputs.caches).bazel[format('{0}-{1}', inputs.output-base, inputs.arch)]) - }} - steps: - - uses: envoyproxy/toolshed/actions/bind-mounts@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - mounts: | - - src: /mnt/workspace - target: GITHUB_WORKSPACE - chown: "runner:runner" - - src: /mnt/workspace - target: /source - chown: "runner:docker" - # Simulate container build directory - - src: /mnt/build - target: /build - chown: "runner:docker" - - name: Free diskspace - uses: envoyproxy/toolshed/actions/diskspace@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: inputs.arch == 'x64' && github.event.repository.private - - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: checkout-target - name: Checkout Envoy repository (target branch) - with: - branch: ${{ fromJSON(inputs.request).request.target-branch }} - config: | - fetch-depth: 1 - - - uses: 
envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: appauth - name: Appauth (mutex lock) - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - - uses: envoyproxy/toolshed/actions/cache/prime@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: bazel-cache - name: Prime Bazel cache - with: - artifact-name: >- - ${{ fromJSON(inputs.request).config.ci.cache.bazel.hash }}-${{ - inputs.output-base != 'base' - && format('{0}-', inputs.output-base) - || '' - }}${{ inputs.arch }} - artifact-wf-path: .github/workflows/request.yml - cache-type: artifact - change-directory: false - # TODO(phlax): add loop for multiple targets - command: | - # Simulate container source directory - cd /source - export BAZEL_BUILD_EXTRA_OPTIONS="--config=ci --config=rbe" - export ENVOY_CACHE_ROOT=/build/bazel_root - export ENVOY_CACHE_OUTPUT_BASE="${INPUT_OUTPUT_BASE}" - export ENVOY_CACHE_TARGETS=$(echo "${INPUT_TARGETS}" | sed 's/ / + /g') - export ENVOY_CACHE_WORKING_DIR="${INPUT_WORKING_DIR}" - # ironically the repository_cache is just about the only thing you dont want to cache - export ENVOY_REPOSITORY_CACHE=/tmp/cache - ./ci/do_ci.sh cache-create - key: >- - ${{ fromJSON(inputs.request).config.ci.cache.bazel.hash }}-${{ - inputs.output-base != 'base' - && format('{0}-', inputs.output-base) - || '' - }}${{ inputs.arch }} - lock-token: ${{ steps.appauth.outputs.token }} - lock-repository: ${{ inputs.lock-repository }} - mount-tmpfs: false - path: /build/bazel_root - run-as-sudo: false - env: - GITHUB_TOKEN: ${{ github.token }} - INPUT_OUTPUT_BASE: ${{ inputs.output-base }} - INPUT_TARGETS: ${{ inputs.targets }} - INPUT_WORKING_DIR: ${{ inputs.working-dir }} diff --git a/.github/workflows/_request_cache_docker.yml b/.github/workflows/_request_cache_docker.yml deleted file mode 100644 index 1e3664f255b0b..0000000000000 --- a/.github/workflows/_request_cache_docker.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -name: Request/cache (prime Docker) - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - inputs: - caches: - type: string - required: true - image-tag: - type: string - required: true - - arch: - type: string - default: x64 - cache-suffix: - type: string - default: - runs-on: - type: string - default: - lock-repository: - type: string - default: envoyproxy/ci-mutex - -## Docker cache -# -# This workflow will only prime the cache, and should be done separately first, prior -# to any jobs that require it. -# -# For a job that does, you can restore with something like: -# -# steps: -# - uses: envoyproxy/toolshed/actions/docker/cache/restore@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 -# with: -# key: "${{ needs.env.outputs.build-image }}" -# - - -jobs: - docker: - runs-on: ${{ inputs.runs-on || 'ubuntu-24.04' }} - name: "[${{ inputs.arch }}] Prime Docker cache" - if: ${{ ! fromJSON(inputs.caches).docker[inputs.arch] }} - steps: - - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: appauth - name: Appauth (mutex lock) - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/actions/docker/cache/prime@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: docker - name: Prime Docker cache (${{ inputs.image-tag }}${{ inputs.cache-suffix }}) - with: - image-tag: ${{ inputs.image-tag }} - key-suffix: ${{ inputs.cache-suffix }} - lock-token: ${{ steps.appauth.outputs.token }} - lock-repository: ${{ inputs.lock-repository }} - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: data - name: Cache data - with: - input-format: yaml - input: | - cached: ${{ steps.docker.outputs.cached }} - key: ${{ inputs.image-tag }}${{ inputs.cache-suffix }} - - uses: envoyproxy/toolshed/actions/json/table@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: 
Summary - with: - json: ${{ steps.data.outputs.value }} - output-path: GITHUB_STEP_SUMMARY - title: >- - Cache (Docker ${{ inputs.arch }}) diff --git a/.github/workflows/_request_checks.yml b/.github/workflows/_request_checks.yml deleted file mode 100644 index 0a3a8c87c8740..0000000000000 --- a/.github/workflows/_request_checks.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -name: Workflow start -# This workflow is only required for externally triggered jobs that need to manually -# set the check status for a commit/PR - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - inputs: - details-url: - type: string - default: >- - https://github.com/envoyproxy/envoy/tree/main/.github/workflows - env: - type: string - required: true - run-summary: - type: string - default: >- - The check will start once any required jobs have completed and a VM becomes available - run-title: - type: string - default: >- - Waiting for check ... - skipped-summary: - type: string - default: >- - This check was not triggered in this CI run - skipped-title: - type: string - default: >- - Check was skipped - template-run-text: - type: string - default: | - ## \($icon) Check run pending - - ## Details of the check run will be provided here once it has started. - - ### Check started by - - -env: - CI_DEBUG: ${{ (vars.CI_DEBUG || vars.RUNNER_DEBUG) && true || false }} - - -jobs: - start: - runs-on: ${{ fromJSON(inputs.env).config.ci.agent-ubuntu }} - name: Start checks - steps: - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: check-config - name: Prepare check data - with: - print-result: ${{ fromJSON(env.CI_DEBUG || 'false') && true || false }} - input: ${{ inputs.env }} - filter: | - . 
as $env - | .config.envoy.icon as $icon - | {} - | .["head_sha"] = $env.request.sha - | .details_url = "${{ inputs.details-url }}" - | {run: ., skipped: ., request: $env.summary.summary} - | .run.output.title = "${{ inputs.run-title }}" - | .run.output.summary = "${{ inputs.run-summary }}" - | .run.output.text = "${{ inputs.template-run-text }}" - | .run.status = "queued" - | .skipped.status = "completed" - | .skipped.conclusion = "skipped" - | .skipped.output.title = "${{ inputs.skipped-title }}" - | .skipped.output.summary = "${{ inputs.skipped-summary }}" - | .skipped.output.text = "" - - - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Appauth - id: appauth - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/actions/github/checks@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Start checks - id: checks - with: - checks: ${{ toJSON(fromJSON(inputs.env).checks) }} - config: ${{ steps.check-config.outputs.value }} - text-extra: | - ## ${{ fromJSON(inputs.env).summary.linked-title }} - - ${{ fromJSON(inputs.env).summary.summary }} - token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/actions/json/table@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Summary - with: - collapse-open: true - json: | - {"checks": ${{ steps.checks.outputs.checks }}, - "config": ${{ toJSON(fromJSON(inputs.env).checks) }}} - filter: | - .checks - heading: >- - ${{ fromJSON(inputs.env).config.envoy.icon }} Checks - mutate-cells: | - .cell as $cell - | .row as $row - | .table as $table - | $cell - | if ($row | index($cell) == 0) then - $table.data.config[$cell].name - elif ($table.data.config[$row[0]].action != "SKIP") then - "[started](http://github.com/${{ github.repository }}/runs/\($cell))" - else "skipped" end - output-path: GITHUB_STEP_SUMMARY - title: Checks started/skipped - - - uses: 
envoyproxy/toolshed/actions/github/env/save@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Save env - id: data - with: - env: ${{ inputs.env }} - env-filter: | - ${{ steps.checks.outputs.checks }} as $checksStarted - | .checks - |= with_entries( - if $checksStarted[.key] != "skipped" then - .value["check-id"] = $checksStarted[.key] - else . end) diff --git a/.github/workflows/_run.yml b/.github/workflows/_run.yml deleted file mode 100644 index a09c8da32a9c0..0000000000000 --- a/.github/workflows/_run.yml +++ /dev/null 
@@ -1,445 +0,0 @@ -name: Envoy CI - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - app-key: - gpg-key: - gpg-key-password: - ssh-key: - ssh-key-extra: - inputs: - args: - type: string - arch: - type: string - bazel-cache: - type: boolean - default: false - bazel-cache-output-base: - type: string - default: base - bazel-extra: - type: string - bazel-rbe-jobs: - type: number - default: 200 - bind-mount: - type: boolean - default: true - bind-mounts: - type: string - default: | - - src: /mnt/docker - target: /var/lib/docker - rm: true - command-pre: sudo systemctl stop docker - command-post: sudo systemctl start docker - - src: /mnt/workspace - target: GITHUB_WORKSPACE - chown: "runner:runner" - - src: /mnt/runner - target: RUNNER_TEMP/container/bazel_root - chown: "runner:runner" - cache-build-image: - type: string - cache-build-image-key-suffix: - type: string - catch-errors: - type: boolean - default: false - checkout-extra: - type: string - concurrency-suffix: - type: string - default: - container-command: - type: string - default: ./ci/run_envoy_docker.sh - container-output: - type: string - default: - command: - type: string - default: ./ci/do_ci.sh - diskspace-hack: - type: boolean - default: false - diskspace-hack-paths: - type: string - default: - docker-cpus: - type: number - default: 0 - docker-ci: - type: boolean - default: true - docker-ipv6: - default: true - type: boolean - dockerhub-username: - default: envoyproxy - type: string - downloads: - type: string - entrypoint: - type: string - default: - error-match: - type: string - default: | - ERROR - error: - Error: - fail-match: - type: string - import-gpg: - type: boolean - default: false - notice-match: - type: string - default: | - NOTICE - Streaming build results - output-path: - type: string - default: - rbe: - type: boolean - default: true - rbe-google: - type: boolean - default: false - report-pre: - type: string - default: | - - run: | - # Pre build report - df -h > 
"${TMP_REPORT}/df-pre" - shell: bash - report-post: - type: string - default: | - - run: | - # Post build report - df -h > "${TMP_REPORT}/df-post" - (du -ch "%{{ inputs.temp-dir || runner.temp }}" | grep -E "[0-9]{2,}M|[0-9]G" || :) > "${TMP_REPORT}/du-post" - shell: bash - request: - type: string - required: true - runs-on: - type: string - default: - skip: - type: boolean - default: false - source: - type: string - summary-post: - type: string - default: | - - uses: envoyproxy/toolshed/actions/envoy/run/summary@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - context: %{{ inputs.context }} - steps-pre: - type: string - steps-pre-name: - type: string - steps-post: - type: string - steps-post-name: - type: string - target: - type: string - required: true - target-name: - type: string - target-suffix: - type: string - temp-dir: - type: string - template-docker-configure: - type: string - default: | - sudo mkdir -p /etc/docker - echo '\(tojson)' | sudo tee /etc/docker/daemon.json - sudo systemctl restart docker - timeout-minutes: - type: number - default: 60 - trusted: - type: boolean - required: true - upload-name: - type: string - upload-path: - type: string - warning-match: - type: string - default: | - WARNING - warning: - Warning: - working-directory: - type: string - default: . - -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.head_ref - || github.run_id - }}-${{ github.workflow }}-${{ inputs.target }}${{ inputs.concurrency-suffix }} - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - ci: - permissions: - actions: read - contents: read - packages: read - if: ${{ ! 
inputs.skip }} - runs-on: ${{ inputs.runs-on || fromJSON(inputs.request).config.ci.agent-ubuntu }} - name: ${{ inputs.target-suffix && format('[{0}] ', inputs.target-suffix) || '' }}${{ inputs.command }} ${{ inputs.target }} - timeout-minutes: ${{ inputs.timeout-minutes }} - steps: - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: started - name: Create timestamp - with: - options: -r - filter: | - now - # This controls which input vars are exposed to the run action (and related steps) - - uses: envoyproxy/toolshed/actions/jq@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Context - id: context - with: - print-result: ${{ fromJSON(env.CI_DEBUG || 'false') && true || false }} - input: ${{ inputs.request }} - filter: | - . - | (.check // {name: "${{ github.workflow }}"}) as $check - | .config as $config - | if "${{ inputs.runs-on }}" != "" then - "${{ inputs.runs-on }}" - else .config.ci["agent-ubuntu"] end - | . as $runsOn - | {"target": "${{ inputs.target }}", - "catch-errors": ${{ inputs.catch-errors }}, - "runs-on": $runsOn, - "job-started": ${{ steps.started.outputs.value }}} - | . * {$config, $check} - - - run: | - mkdir "${RUNNER_TEMP}/container" - MNT_AVAILABLE=false - if mountpoint -q /mnt; then - MNT_AVAILABLE=true - USAGE="$(df --output=pcent /mnt | tail -n 1 | tr -d ' %')" - if [[ "$USAGE" -ge 100 ]]; then - echo "should-remnt=true" >> "$GITHUB_OUTPUT" - echo "::warning::Disk usage for /mnt is at 100% ... 
remounting" - fi - fi - echo "mnt-available=$MNT_AVAILABLE" >> "$GITHUB_OUTPUT" - id: disk - - uses: envoyproxy/toolshed/actions/github/remnt@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: steps.disk.outputs.should-remnt == 'true' - - uses: envoyproxy/toolshed/actions/bind-mounts@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: inputs.bind-mount && steps.disk.outputs.mnt-available == 'true' - with: - mounts: ${{ inputs.bind-mounts }} - - name: Free diskspace - uses: envoyproxy/toolshed/actions/diskspace@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: inputs.diskspace-hack || steps.disk.outputs.mnt-available != 'true' - with: - to_remove: ${{ inputs.diskspace-hack-paths }} - - run: | - mount - df -h - - - uses: envoyproxy/toolshed/actions/bson@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Configure Docker - if: runner.os == 'Linux' - with: - input-format: yaml - input: | - docker-ipv6: ${{ inputs.docker-ipv6 }} - filter: | - .["docker-ipv6"] as $ipv6 - | {"features": {"containerd-snapshotter": false}} - | if $ipv6 then - . + {"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64"} - else . 
end - | "${{ inputs.template-docker-configure }}" - - # Caches - - uses: envoyproxy/toolshed/actions/cache/restore@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: >- - fromJSON(inputs.bazel-cache) - name: >- - Restore Bazel cache - (${{ fromJSON(inputs.request).config.ci.cache.bazel.hash }}) - with: - artifact-id: >- - ${{ inputs.bazel-cache-output-base == 'docs' - && fromJSON(inputs.request).config.ci.cache.bazel['docs-x64'] - || (inputs.bazel-cache-output-base == 'external' - && fromJSON(inputs.request).config.ci.cache.bazel['external-x64'] - || (inputs.arch == 'arm64' - && fromJSON(inputs.request).config.ci.cache.bazel.arm64 - || fromJSON(inputs.request).config.ci.cache.bazel.x64)) }} - artifact-name: >- - ${{ fromJSON(inputs.request).config.ci.cache.bazel.hash }}-${{ - inputs.bazel-cache-output-base != 'base' - && format('{0}-', inputs.bazel-cache-output-base) - || '' - }}${{ inputs.arch || 'x64' }} - artifact-wf-path: .github/workflows/request.yml - cache-type: artifact - key: >- - ${{ fromJSON(inputs.request).config.ci.cache.bazel.hash }}-${{ - inputs.bazel-cache-output-base != 'base' - && format('{0}-', inputs.bazel-cache-output-base) - || '' - }}${{ inputs.arch || 'x64' }} - path: ${{ runner.temp }}/container/bazel_root - - # HACK/WORKAROUND for cache scope issue (https://github.com/envoyproxy/envoy/issues/37603) - - if: ${{ inputs.cache-build-image }} - id: cache-lookup - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 - with: - lookup-only: true - path: /tmp/cache - key: ${{ inputs.cache-build-image }}${{ inputs.cache-build-image-key-suffix }} - - if: ${{ inputs.cache-build-image && steps.cache-lookup.outputs.cache-hit == 'true' }} - name: Restore Docker cache ${{ inputs.cache-build-image && format('({0})', inputs.cache-build-image) || '' }} - uses: envoyproxy/toolshed/actions/docker/cache/restore@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - image-tag: ${{ inputs.cache-build-image }} - key-suffix: ${{ 
inputs.cache-build-image-key-suffix }} - - - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: appauth - name: Appauth - if: ${{ inputs.trusted }} - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - # You cant use a secret as a condition so this always runs even if the app id/key are empty - # - the workaround is to allow the token to be passed through. - token: ${{ github.token }} - token-ok: true - - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: checkout - name: Checkout Envoy repository - with: - branch: ${{ fromJSON(inputs.request).request.target-branch }} - config: | - # WARNING: This allows untrusted code to run!!! - # If this is set to run untrusted code, then anything before or after in the job should be regarded as - # compromisable. - ref: ${{ inputs.trusted && fromJSON(inputs.request).request.sha || fromJSON(inputs.request).request.ref }} - fetch-merge-commit: false - pr: ${{ fromJSON(inputs.request).request.pr }} - ssh-key: ${{ inputs.trusted && inputs.ssh-key || '' }} - token: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }} - - # This is currently only use by mobile-docs and can be removed once they are updated to the newer website - - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: checkout-extra - name: Checkout extra repository (for publishing) - if: ${{ inputs.checkout-extra }} - with: - config: ${{ inputs.checkout-extra }} - ssh-key: ${{ inputs.trusted && inputs.ssh-key-extra || '' }} - - - name: Import GPG key - uses: envoyproxy/toolshed/actions/gpg/import@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: ${{ inputs.import-gpg }} - with: - key: ${{ secrets.gpg-key }} - passphrase: ${{ secrets.gpg-key-password }} - passphrase-path: "${{ runner.temp }}/container/gpg-passphrase" - configured-passphrase-path: /build/gpg-passphrase - - - run: 
| - echo "e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9" > .BAZEL_FAKE_SCM_REVISION - name: Configure PR Bazel settings - if: >- - ${{ fromJSON(inputs.request).request.pr != '' }} - - run: | - echo "${BAZELRC_CONTENT}" > repo.bazelrc - if: ${{ vars.ENVOY_CI_BAZELRC }} - name: Configure repo Bazel settings - env: - BAZELRC_CONTENT: ${{ vars.ENVOY_CI_BAZELRC }} - - # NOTE: This is where untrusted code can be run!!! - # It MUST be the last step in the workflow - - uses: envoyproxy/toolshed/actions/github/run@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Run CI ${{ inputs.command }} ${{ inputs.target }} - with: - args: ${{ inputs.args != '--' && inputs.args || inputs.target }} - catch-errors: ${{ inputs.catch-errors }} - command: ${{ inputs.command }} - container-command: ${{ env.CONTAINER_COMMAND || inputs.container-command }} - container-output: ${{ inputs.container-output }} - context: ${{ steps.context.outputs.value }} - downloads: ${{ inputs.downloads }} - entrypoint: ${{ inputs.entrypoint }} - error-match: ${{ inputs.error-match }} - fail-match: ${{ inputs.fail-match }} - notice-match: ${{ inputs.notice-match }} - output-path: ${{ inputs.output-path }} - report-name: >- - ci-report-${{ - inputs.target-suffix - && format('{0}-', inputs.target-suffix) - || '' }}${{ inputs.target-name || inputs.target }}.json - report-pre: ${{ inputs.report-pre }} - report-post: ${{ inputs.report-post }} - source: ${{ inputs.source }} - steps-pre: ${{ inputs.steps-pre }} - steps-pre-name: ${{ inputs.steps-pre-name }} - steps-post: ${{ inputs.steps-post }} - steps-post-name: ${{ inputs.steps-post-name }} - summary-post: ${{ inputs.summary-post }} - upload-name: ${{ inputs.upload-name }} - upload-path: ${{ inputs.upload-path }} - warning-match: ${{ inputs.warning-match }} - working-directory: ${{ inputs.working-directory }} - env: - GITHUB_TOKEN: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }} - ENVOY_DOCKER_BUILD_DIR: ${{ runner.temp }}/container - 
ENVOY_RBE: ${{ inputs.rbe == true && 1 || '' }} - BAZEL_BUILD_EXTRA_OPTIONS: >- - ${{ env.BAZEL_BUILD_EXTRA_OPTIONS }} - --config=remote-ci - ${{ inputs.bazel-extra }} - ${{ inputs.rbe == true && format('--jobs={0}', inputs.bazel-rbe-jobs) || '' }} - ${{ github.event_name == 'schedule' && '--nocache_test_results' || '' }} - ${{ inputs.rbe == true && inputs.trusted && '--remote_execution_priority=1' || '' }} - CI_BRANCH: >- - ${{ inputs.trusted - && format('refs/heads/{0}', fromJSON(inputs.request).request.target-branch) - || '' }} - CI_SHA1: ${{ github.sha }} - CI_TARGET_BRANCH: ${{ fromJSON(inputs.request).request.target-branch }} - MOUNT_GPG_HOME: ${{ inputs.import-gpg && 1 || '' }} - ENVOY_DOCKER_CPUS: ${{ inputs.docker-cpus }} - ENVOY_DOCKER_CI: ${{ inputs.docker-ci && 'true' || '' }} - ENVOY_COMMIT: ${{ fromJSON(inputs.request).request.sha }} - ENVOY_REPO: ${{ github.repository }} - ENVOY_PUBLISH_DRY_RUN: ${{ (fromJSON(inputs.request).request.version.dev || ! inputs.trusted) && 1 || '' }} diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml new file mode 100644 index 0000000000000..44f79f4dd00b6 --- /dev/null +++ b/.github/workflows/build-and-release.yaml 
@@ -0,0 +1,59 @@
+name: Build and Release
+
+on:
+push:
+branches: [ main ]
+workflow_dispatch:
+
+permissions:
+contents: read
+
+jobs:
+build-and-push:
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+with:
+fetch-depth: 0
+
+- name: Login to Docker Hub
+uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+with:
+username: dockerbuildbot
+password: ${{ secrets.DOCKERBUILDBOT_READ_PAT }}
+
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+with:
+driver: cloud
+endpoint: docker/platform-experience
+install: true
+
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+with:
+role-to-assume: "arn:aws:iam::710015040892:role/CicdEnvoy-20251021161123163100000002"
+role-session-name: EnvoyCI
+aws-region: us-east-1
+
+- name: Login to ECR
+run: |
+aws ecr get-login-password | docker login --username AWS --password-stdin 710015040892.dkr.ecr.us-east-1.amazonaws.com
+
+- name: Get Current Git SHA
+id: git_sha
+run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
+- name: Build and Push Docker Image
+id: docker-build
+uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+with:
+context: .
+platforms: linux/amd64
+# push: true
+build-args: |
+VERSION=${{ steps.git_sha.outputs.sha }}
+tags: |
+710015040892.dkr.ecr.us-east-1.amazonaws.com/infra-routing/envoy:${{ steps.git_sha.outputs.sha }}
+
diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
deleted file mode 100644
index 9e7b8ff9e6f82..0000000000000
--- a/.github/workflows/codeql-daily.yml
+++ /dev/null
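Review bot: The Configure AWS Credentials step passes only `role-to-assume` with no static keys, so it relies on the GitHub OIDC token, but the workflow-level `permissions: contents: read` block sets every unlisted scope (including `id-token`) to `none`, so the action will presumably be unable to obtain a token and the job will fail at that step. Grant the scope at the job level rather than widening the workflow block, i.e. under `build-and-push:` add `permissions:` / `contents: read` / `id-token: write`, which keeps least privilege for the rest of the workflow. Separately, `# push: true` is commented out and build-push-action does not push by default, so the Docker Hub and ECR logins are performed for a build whose tagged image is never published; if that is deliberate while the pipeline is being validated, a comment such as `# push disabled until the ECR repository and role are confirmed` would make the intent clear, otherwise re-enable `push: true`.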
@@ -1,95 +0,0 @@ -name: CodeQL/daily - -permissions: - contents: read - -on: - schedule: - - cron: '0 12 * * 4' - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - - -jobs: - CodeQL-Build: - - permissions: - security-events: write # for github/codeql-action/analyze to upload SARIF results - pull-requests: read - strategy: - fail-fast: false - - # CodeQL runs on ubuntu-24.04 - runs-on: ubuntu-22.04 - if: github.repository == 'envoyproxy/envoy' - - steps: - - - uses: envoyproxy/toolshed/actions/bind-mounts@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: | - ! github.event.repository.private - with: - mounts: | - - src: /mnt/workspace - target: GITHUB_WORKSPACE - chown: "runner:runner" - - src: /mnt/runner-home - target: /home/runner/.cache - chown: "runner:runner" - - name: Free disk space - if: | - env.BUILD_TARGETS != '' - && github.event.repository.private - uses: envoyproxy/toolshed/actions/diskspace@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - to_remove: | - /usr/local/.ghcup - /usr/local/lib/android - - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # codeql-bundle-v4.35.2 - with: - languages: cpp - trap-caching: false - config-file: ./.github/codeql/codeql-config.yml - - - name: Install deps - shell: bash - run: | - sudo apt-get update --error-on=any - sudo apt-get install --yes \ - libtool libtinfo5 automake autoconf curl unzip - # Note: the llvm/clang version should match the version specifed in: - # - bazel/repository_locations.bzl - # - .github/workflows/codeql-push.yml - # - https://github.com/envoyproxy/envoy-build-tools/blob/main/build_container/build_container_ubuntu.sh#L84 - mkdir -p bin/clang18.1.8 - cd bin/clang18.1.8 - wget -q 
https://github.com/llvm/llvm-project/releases/download/llvmorg-18.1.8/clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz - tar -xf clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz --strip-components 1 - - - name: Build - run: | - bazelisk shutdown - bazel build \ - -c fastbuild \ - --repo_env=BAZEL_LLVM_PATH="$(realpath bin/clang18.1.8)" \ - --spawn_strategy=local \ - --discard_analysis_cache \ - --nouse_action_cache \ - --features="-layering_check" \ - --config=clang-local \ - --config=ci \ - //source/common/http/... - - - name: Clean Artifacts - run: | - git clean -xdf - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # codeql-bundle-v4.35.2 diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml deleted file mode 100644 index d6947b0ea36fb..0000000000000 --- a/.github/workflows/codeql-push.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -name: CodeQL/push - -permissions: - contents: read - -on: - push: - paths: - - include/** - - source/common/** - branches: - - main - pull_request: - branches: - - main - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - -env: - SEARCH_FOLDER: //source/common/... - - -jobs: - CodeQL-Build: - permissions: - actions: read - contents: read - # for github/codeql-action/analyze to upload SARIF results - security-events: write - pull-requests: read - runs-on: ubuntu-22.04 - if: github.repository == 'envoyproxy/envoy' - steps: - - uses: envoyproxy/toolshed/actions/bind-mounts@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: | - ! github.event.repository.private - with: - mounts: | - - src: /mnt/workspace - target: GITHUB_WORKSPACE - chown: "runner:runner" - - src: /mnt/runner-cache - target: /home/runner/.cache - chown: "runner:runner" - - name: Free disk space - if: | - env.BUILD_TARGETS != '' - && github.event.repository.private - uses: envoyproxy/toolshed/actions/diskspace@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - to_remove: | - /usr/local/.ghcup - /usr/local/lib/android - - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 2 - - - name: Get build targets - run: | - # TODO(phlax): Shift this to an action - compare_head () { - while IFS= read -r line; do - if [[ -n "$line" ]]; then - bazel query "rdeps($SEARCH_FOLDER, $line, 1)" 2> /dev/null - fi - done < <(git diff --name-only HEAD "${1}" -- source/* include/*) - } - if [[ "$GIT_EVENT" == "pull_request" ]]; then - git fetch "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" main 2> /dev/null - TO_OTHER=FETCH_HEAD - else - TO_OTHER=HEAD^1 - fi - BUILD_TARGETS="$(compare_head "$TO_OTHER" | grep -v '\.cc\|\.h' | sort -u | head -n 3)" - echo 'BUILD_TARGETS<> $GITHUB_ENV - echo "$BUILD_TARGETS" >> $GITHUB_ENV - echo 'EOF' >> $GITHUB_ENV - env: - 
GIT_EVENT: ${{ github.event_name }} - - - name: Set default build target - if: ${{ env.BUILD_TARGETS == '' }} - run: | - echo "MINIMAL_BUILD_TARGET=//source/common/common:assert_lib" > $GITHUB_ENV - - - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # codeql-bundle-v4.35.2 - with: - languages: cpp - trap-caching: false - config-file: ./.github/codeql/codeql-config.yml - - - name: Install deps - shell: bash - run: | - sudo apt-get -qq update --error-on=any - sudo apt-get -qq install --yes \ - libtool libtinfo5 automake autoconf curl unzip - # Note: the llvm/clang version should match the version specifed in: - # - bazel/repository_locations.bzl - # - .github/workflows/codeql-daily.yml - # - https://github.com/envoyproxy/envoy-build-tools/blob/main/build_container/build_container_ubuntu.sh#L84 - mkdir -p bin/clang18.1.8 - cd bin/clang18.1.8 - wget -q https://github.com/llvm/llvm-project/releases/download/llvmorg-18.1.8/clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz - tar -xf clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz --strip-components 1 - - - name: Build - run: | - bazel shutdown - bazel build \ - -c fastbuild \ - --repo_env=BAZEL_LLVM_PATH="$(realpath bin/clang18.1.8)" \ - --spawn_strategy=local \ - --discard_analysis_cache \ - --nouse_action_cache \ - --features="-layering_check" \ - --config=clang \ - --config=ci \ - ${BUILD_TARGETS:-${MINIMAL_BUILD_TARGET}} - echo -e "Built targets...\n${BUILD_TARGETS:-${MINIMAL_BUILD_TARGET}}" - - - name: Clean Artifacts - run: | - git clean -xdf - - - name: Perform CodeQL Analysis - # if: ${{ env.BUILD_TARGETS != '' }} - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # codeql-bundle-v4.35.2 diff --git a/.github/workflows/command.yml b/.github/workflows/command.yml deleted file mode 100644 index 30466cae04104..0000000000000 --- a/.github/workflows/command.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -name: Command - -# NB: **ALL** commands should be permissionless and only use an app token or relevant secrets -# specific to their requirements! -permissions: - contents: read - -on: - issue_comment: - types: - - created - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - # For speed and _security_ only a single command (first matching) will be parsed/run from a comment - command: - name: Parse and run command - runs-on: ubuntu-24.04 - if: >- - ${{ - github.event.issue.pull_request - && (vars.ENVOY_CI - || github.repository == 'envoyproxy/envoy') - && github.actor != 'repokitteh-read-only[bot]' - && github.actor != 'dependabot[bot]' - }} - steps: - - uses: envoyproxy/toolshed/actions/github/command@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Parse command from comment - id: command - with: - text: ${{ github.event.comment.body }} - matching: >- - ^/(retest) - - # /retest - - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: ${{ steps.command.outputs.command == 'retest' }} - id: appauth-retest - name: Appauth (retest) - with: - key: ${{ secrets.ENVOY_CI_APP_KEY }} - app_id: ${{ secrets.ENVOY_CI_APP_ID }} - - uses: envoyproxy/toolshed/actions/retest@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - if: ${{ steps.command.outputs.command == 'retest' }} - name: Retest - with: - token: ${{ steps.appauth-retest.outputs.token }} - azp_org: cncf - azp_token: ${{ secrets.AZP_TOKEN }} - comment-id: ${{ github.event.comment.id }} - pr-url: ${{ github.event.issue.pull_request.url }} - args: ${{ steps.command.outputs.args }} - app-owner: ci-envoy - - # ACK /gemini commands with a rocket emoji reaction. - # The actual review/summary is handled natively by the Gemini Code Assist GitHub App. 
- gemini: - name: ACK Gemini command - runs-on: ubuntu-24.04 - if: >- - ${{ - github.event.issue.pull_request - && startsWith(github.event.comment.body, '/gemini') - && github.actor != 'gemini-code-assist[bot]' - }} - permissions: - pull-requests: write - steps: - - name: React with rocket emoji - uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 - with: - comment-id: ${{ github.event.comment.id }} - reactions: rocket diff --git a/.github/workflows/envoy-checks.yml b/.github/workflows/envoy-checks.yml deleted file mode 100644 index 8ba40a47499bd..0000000000000 --- a/.github/workflows/envoy-checks.yml +++ /dev/null 
@@ -1,134 +0,0 @@ -name: Envoy/Checks - -permissions: - contents: read - -on: - workflow_run: - workflows: - # Workaround issue with PRs not triggering tertiary workflows - - Request - # - Envoy/Prechecks - types: - - completed - -concurrency: - group: >- - ${{ ((github.event.workflow_run.head_branch == 'main' - || startsWith(github.event.workflow_run.head_branch, 'release/v')) - && github.event.repository.full_name == github.repository) - && github.run_id - || github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }} - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - load: - secrets: - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - if: | - github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI) - uses: ./.github/workflows/_load.yml - with: - check-name: checks - # head-sha: ${{ github.sha }} - - build: - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Check (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_check_build.yml - if: ${{ fromJSON(needs.load.outputs.request).run.check-build }} - needs: - - load - with: - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - coverage: - secrets: - gcp-key: ${{ fromJSON(needs.load.outputs.trusted) && secrets.GCP_SERVICE_ACCOUNT_KEY_TRUSTED || secrets.GCP_SERVICE_ACCOUNT_KEY }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Check (${{ 
needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_check_coverage.yml - if: ${{ fromJSON(needs.load.outputs.request).run.check-coverage }} - needs: - - load - with: - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - runtime: - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Check (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_check_runtime.yml - if: ${{ fromJSON(needs.load.outputs.request).run.check-runtime }} - needs: - - load - with: - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - san: - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Check (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_check_san.yml - if: ${{ fromJSON(needs.load.outputs.request).run.check-san }} - needs: - - load - with: - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - request: - secrets: - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - permissions: - actions: read - contents: read - pull-requests: read - if: | - always() - && github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (fromJSON(needs.load.outputs.request).run.check-build - || fromJSON(needs.load.outputs.request).run.check-coverage - || fromJSON(needs.load.outputs.request).run.check-san) - needs: - - load - - build - - 
coverage - - runtime - - san - uses: ./.github/workflows/_finish.yml - with: - needs: ${{ toJSON(needs) }} diff --git a/.github/workflows/envoy-cve.yml b/.github/workflows/envoy-cve.yml deleted file mode 100644 index 193cce9aca4d5..0000000000000 --- a/.github/workflows/envoy-cve.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: Envoy/CVE - -permissions: - contents: read - -on: - schedule: - - cron: '0 8 * * *' - workflow_dispatch: - inputs: - task: - description: Select a task - required: true - default: bazel - type: choice - options: - - scan - - fetch - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - - -jobs: - fetch: - secrets: - gcs-cve-key: ${{ secrets.GCS_CVE_WRITE_KEY }} - if: >- - ((github.event_name == 'workflow_dispatch' - && inputs.task == 'fetch') - || (github.repository == 'envoyproxy/envoy' - && github.event_name == 'schedule')) - uses: ./.github/workflows/_cve_fetch.yml - with: - scheduled: ${{ github.event_name == 'schedule' }} - scan: - secrets: - gcs-cve-key: ${{ secrets.GCS_CVE_KEY }} - if: >- - github.event_name == 'workflow_dispatch' - && inputs.task == 'scan' - uses: ./.github/workflows/_cve_scan.yml diff --git a/.github/workflows/envoy-dependency.yml b/.github/workflows/envoy-dependency.yml deleted file mode 100644 index 6a286db746779..0000000000000 --- a/.github/workflows/envoy-dependency.yml +++ /dev/null 
@@ -1,262 +0,0 @@ -name: Envoy/dependency - -permissions: - contents: read - -on: - schedule: - - cron: '0 8 * * *' - workflow_dispatch: - inputs: - task: - description: Select a task - required: true - default: bazel - type: choice - options: - - bazel - - bazel-api - - build-image - - check - dependency: - description: Dependency to update (if applicable) - version: - description: Version to set (optional) - pr: - type: boolean - default: true - pr-message: - description: Additional message for PR, eg to fix an issue (optional) - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - -env: - COMMITTER_NAME: dependency-envoy[bot] - COMMITTER_EMAIL: 148525496+dependency-envoy[bot]@users.noreply.github.com - -jobs: - update-bazel: - if: >- - ${{ - github.event_name == 'workflow_dispatch' - && startsWith(inputs.task, 'bazel') - }} - name: > - Update dep - (${{ inputs.pr && 'PR/' || '' }} - ${{ inputs.task == 'bazel' && 'bazel' || 'bazel/api' }} - /${{ inputs.dependency }} - /${{ inputs.version }}) - runs-on: ubuntu-24.04 - steps: - - id: appauth - name: Appauth - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} - key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/actions/bson@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: update - name: Update dependency (${{ inputs.dependency }}) - with: - input: | - dependency: ${{ inputs.dependency }} - task: ${{ inputs.task }} - version: "${{ inputs.version }}" - input-format: yaml - filter: | - .version as $version - | .dependency as $dependency - | .task as $task - | (try ($version | validate::sha(40) | .[:7]) - catch $version) as $version_short 
- | {} - | if $task == "bazel" then - . - | .task = "bazel" - | .target = "update" - else - . - | .task = "api/bazel" - | .target = "api-update" - end - | .task as $task - | .target as $target - | (" - echo \"Updating(\($task)): \($dependency) -> \($version_short)\" - bazel run --config=ci //bazel:\($target) \($dependency) \($version) - OUTPUT=\($version_short) - " | bash::output) - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - uses: envoyproxy/toolshed/actions/upload/diff@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Upload diff - with: - name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }} - - name: Create a PR - if: ${{ inputs.pr }} - uses: envoyproxy/toolshed/actions/github/pr@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - base: main - body: | - Created by Envoy dependency bot for @${{ github.actor }} - - ${{ inputs.pr-message }} - branch: >- - dependency/${{ inputs.task }}/${{ inputs.dependency }}/${{ steps.update.outputs.output }} - commit-message: | - ${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` -> ${{ steps.update.outputs.output }} - - 
Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}> - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - title: >- - ${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` - -> ${{ steps.update.outputs.output }} - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - - update-build-image: - if: >- - ${{ - github.event_name == 'workflow_dispatch' - && github.event.inputs.task == 'build-image' - }} - name: Update build image (PR) - runs-on: ubuntu-24.04 - steps: - - id: appauth - name: Appauth - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} - key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: checkout - name: Checkout Envoy repository - with: - config: | - path: envoy - fetch-depth: 0 - token: ${{ steps.appauth.outputs.token }} - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Checkout Envoy build tools repository - with: - repository: envoyproxy/envoy-build-tools - path: build-tools - fetch-depth: 0 - - run: | - shas=( - sha-ci - sha-devtools - sha-docker - sha-gcc - sha-mobile - sha-worker - mobile-sha - tag) - for sha in "${shas[@]}"; do - current_sha=$(bazel run --config=ci //tools/dependency:build-image-sha "$sha") - echo "${sha}=${current_sha}" >> "$GITHUB_OUTPUT" - done - id: current - name: Current SHAs - working-directory: envoy - - run: | - if [[ -z "$CONTAINER_TAG" ]]; then - # get current build image version - CONTAINER_TAG=$(git log -1 --pretty=format:"%H" "./docker") - fi - echo "tag=${CONTAINER_TAG}" >> "$GITHUB_OUTPUT" - echo "tag_short=${CONTAINER_TAG::7}" >> "$GITHUB_OUTPUT" - env: - CONTAINER_TAG: ${{ inputs.version }} - id: build-tools - name: Build image SHA - working-directory: build-tools - - - name: Check Docker SHAs - id: 
build-images - uses: envoyproxy/toolshed/actions/docker/shas@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - images: | - sha-ci: docker.io/envoyproxy/envoy-build:ci-${{ steps.build-tools.outputs.tag }} - sha-devtools: docker.io/envoyproxy/envoy-build:devtools-${{ steps.build-tools.outputs.tag }} - sha-docker: docker.io/envoyproxy/envoy-build:docker-${{ steps.build-tools.outputs.tag }} - sha-gcc: docker.io/envoyproxy/envoy-build:gcc-${{ steps.build-tools.outputs.tag }} - sha-mobile: docker.io/envoyproxy/envoy-build:mobile-${{ steps.build-tools.outputs.tag }} - sha-worker: docker.io/envoyproxy/envoy-build:worker-${{ steps.build-tools.outputs.tag }} - - - run: | - SHA_REPLACE=( - "$CURRENT_ENVOY_TAG:$ENVOY_TAG" - "$CURRENT_ENVOY_SHA_CI:${{ fromJSON(steps.build-images.outputs.shas).sha-ci }}" - "$CURRENT_ENVOY_SHA_DEVTOOLS:${{ fromJSON(steps.build-images.outputs.shas).sha-devtools }}" - "$CURRENT_ENVOY_SHA_DOCKER:${{ fromJSON(steps.build-images.outputs.shas).sha-docker }}" - "$CURRENT_ENVOY_SHA_GCC:${{ fromJSON(steps.build-images.outputs.shas).sha-gcc }}" - "$CURRENT_ENVOY_SHA_MOBILE:${{ fromJSON(steps.build-images.outputs.shas).sha-mobile }}" - "$CURRENT_ENVOY_SHA_WORKER:${{ fromJSON(steps.build-images.outputs.shas).sha-worker }}") - echo "replace=${SHA_REPLACE[*]}" >> "$GITHUB_OUTPUT" - name: Find SHAs to replace - id: shas - env: - ENVOY_TAG: ${{ steps.build-tools.outputs.tag }} - CURRENT_ENVOY_TAG: ${{ steps.current.outputs.tag }} - CURRENT_ENVOY_SHA_CI: ${{ steps.current.outputs.sha-ci }} - CURRENT_ENVOY_SHA_DEVTOOLS: ${{ steps.current.outputs.sha-devtools }} - CURRENT_ENVOY_SHA_DOCKER: ${{ steps.current.outputs.sha-docker }} - CURRENT_ENVOY_SHA_GCC: ${{ steps.current.outputs.sha-gcc }} - CURRENT_ENVOY_SHA_MOBILE: ${{ steps.current.outputs.sha-mobile }} - CURRENT_ENVOY_SHA_WORKER: ${{ steps.current.outputs.sha-worker }} - - run: | - echo "${SHA_REPLACE}" | xargs bazel run --config=ci @envoy_toolshed//sha:replace "${PWD}" - env: - SHA_REPLACE: ${{ 
steps.shas.outputs.replace }} - name: Update SHAs - working-directory: envoy - - name: Create a PR - uses: envoyproxy/toolshed/actions/github/pr@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - base: main - body: Created by Envoy dependency bot - branch: dependency-envoy/build-image/${{ inputs.version || 'latest' }} - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - commit-message: | - deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}` - - Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}> - title: 'deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`' - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - working-directory: envoy - - scheduled: - runs-on: ubuntu-24.04 - if: >- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.event.schedule - || (!contains(github.actor, '[bot]') - && inputs.task == 'check')) - }} - permissions: - contents: read - issues: write - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Run dependency checker - run: | - TODAY_DATE=$(date -u -I"date") - export TODAY_DATE - bazel run --config=ci //tools/dependency:check -- -c release_issues --fix - # bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c cves -w error - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/envoy-macos.yml b/.github/workflows/envoy-macos.yml deleted file mode 100644 index 8fc8d4b9965d4..0000000000000 --- a/.github/workflows/envoy-macos.yml +++ /dev/null 
@@ -1,107 +0,0 @@ -name: Envoy/macOS - -permissions: - contents: read - -on: - workflow_run: - workflows: - - Request - types: - - completed - -concurrency: - group: >- - ${{ ((github.event.workflow_run.head_branch == 'main' - || startsWith(github.event.workflow_run.head_branch, 'release/v')) - && github.event.repository.full_name == github.repository) - && github.run_id - || github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }} - cancel-in-progress: true - - -jobs: - load: - secrets: - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - if: | - github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - uses: ./.github/workflows/_load.yml - with: - check-name: macos - - macos: - permissions: - actions: read - contents: read - packages: read - if: ${{ fromJSON(needs.load.outputs.request).run.build-macos }} - needs: - - load - uses: ./.github/workflows/_run.yml - name: CI ${{ matrix.name || matrix.target }} - with: - bind-mount: false - command: - container-command: - docker-ipv6: false - request: ${{ needs.load.outputs.request }} - # TODO: Remove these hardcoded branches when no longer supported - runs-on: >- - ${{ (contains(fromJSON(needs.load.outputs.request).request.target-branch, '1.31') - || contains(fromJSON(needs.load.outputs.request).request.target-branch, '1.32') - || contains(fromJSON(needs.load.outputs.request).request.target-branch, '1.33') - || contains(fromJSON(needs.load.outputs.request).request.target-branch, '1.34')) - && 'macos-14-xlarge' - || 'macos-15-xlarge' }} - source: ${{ matrix.source }} - steps-post: - steps-pre: ${{ matrix.steps-pre }} - target: ${{ matrix.target }} - target-name: ${{ matrix.target-name }} 
- timeout-minutes: 180 - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - strategy: - fail-fast: false - matrix: - include: - - target: ci/mac_ci_steps.sh - name: macOS - target-name: mac_ci_steps - source: | - source ./ci/mac_ci_setup.sh - _BAZEL_BUILD_EXTRA_OPTIONS=( - --remote_download_toplevel - --flaky_test_attempts=2 - --config=remote-cache - --config=ci) - export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]} - - request: - permissions: - actions: read - contents: read - pull-requests: read - secrets: - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - if: | - always() - && github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && fromJSON(needs.load.outputs.request).run.build-macos - needs: - - load - - macos - uses: ./.github/workflows/_finish.yml - with: - needs: ${{ toJSON(needs) }} diff --git a/.github/workflows/envoy-prechecks.yml b/.github/workflows/envoy-prechecks.yml deleted file mode 100644 index b3b0b19c0b5f1..0000000000000 --- a/.github/workflows/envoy-prechecks.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -name: Envoy/Prechecks - -permissions: - contents: read - -on: - workflow_run: - workflows: - - Request - types: - - completed - -concurrency: - group: >- - ${{ ((github.event.workflow_run.head_branch == 'main' - || startsWith(github.event.workflow_run.head_branch, 'release/v')) - && github.event.repository.full_name == github.repository) - && github.run_id - || github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }} - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - load: - secrets: - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - if: | - github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - uses: ./.github/workflows/_load.yml - with: - check-name: prechecks - - format: - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Precheck (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_precheck_format.yml - if: ${{ fromJSON(needs.load.outputs.request).run.precheck-format }} - needs: - - load - with: - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - deps: - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Precheck (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_precheck_deps.yml - if: ${{ fromJSON(needs.load.outputs.request).run.precheck-deps }} - needs: - - load - with: - dependency-review: ${{ github.event_name == 'pull_request_target' && 
github.repository == 'envoyproxy/envoy' }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - publish: - secrets: - gcp-key: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.GCP_SERVICE_ACCOUNT_KEY_TRUSTED - || secrets.GCP_SERVICE_ACCOUNT_KEY }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Precheck (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_precheck_publish.yml - if: ${{ fromJSON(needs.load.outputs.request).run.precheck-publish }} - needs: - - load - with: - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - external: - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Precheck (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_precheck_external.yml - if: ${{ fromJSON(needs.load.outputs.request).run.precheck-external }} - needs: - - load - with: - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - request: - secrets: - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - permissions: - actions: read - contents: read - pull-requests: read - if: | - always() - && github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (fromJSON(needs.load.outputs.request).run.precheck-format - || fromJSON(needs.load.outputs.request).run.precheck-deps - || fromJSON(needs.load.outputs.request).run.precheck-publish - 
|| fromJSON(needs.load.outputs.request).run.precheck-external) - needs: - - load - - format - - deps - - publish - - external - uses: ./.github/workflows/_finish.yml - with: - needs: ${{ toJSON(needs) }} diff --git a/.github/workflows/envoy-publish.yml b/.github/workflows/envoy-publish.yml deleted file mode 100644 index 06cde48e512da..0000000000000 --- a/.github/workflows/envoy-publish.yml +++ /dev/null 
@@ -1,169 +0,0 @@ -# This workflow is triggered by azp currently -# Once arm/x64 build jobs are shifted to github, this can be triggered -# by on: workflow_run -name: Envoy/Publish & verify - -permissions: - contents: read - -on: - workflow_run: - workflows: - # Workaround issue with PRs not triggering tertiary workflows - - Request - # - Envoy/Prechecks - types: - - completed - -concurrency: - group: >- - ${{ ((github.event.workflow_run.head_branch == 'main' - || startsWith(github.event.workflow_run.head_branch, 'release/v')) - && github.event.repository.full_name == github.repository) - && github.run_id - || github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }} - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - load: - secrets: - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - if: | - github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI) - uses: ./.github/workflows/_load.yml - with: - check-name: publish - # head-sha: ${{ github.sha }} - - build: - permissions: - actions: read - contents: read - packages: read - secrets: - gpg-key: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_GPG_MAINTAINER_KEY - || secrets.ENVOY_GPG_SNAKEOIL_KEY }} - gpg-key-password: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_GPG_MAINTAINER_KEY_PASSWORD - || secrets.ENVOY_GPG_SNAKEOIL_KEY_PASSWORD }} - if: ${{ fromJSON(needs.load.outputs.request).run.release || fromJSON(needs.load.outputs.request).run.verify }} - needs: - - load - uses: 
./.github/workflows/_publish_build.yml - name: Build - strategy: - fail-fast: false - matrix: - arch: - - x64 - - arm64 - with: - arch: ${{ matrix.arch }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - release: - secrets: - dockerhub-password: ${{ secrets.DOCKERHUB_PASSWORD }} - dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} - ENVOY_CI_SYNC_APP_ID: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_CI_SYNC_APP_ID - || '' }} - ENVOY_CI_SYNC_APP_KEY: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_CI_SYNC_APP_KEY - || '' }} - ENVOY_CI_PUBLISH_APP_ID: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_CI_PUBLISH_APP_ID - || '' }} - ENVOY_CI_PUBLISH_APP_KEY: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_CI_PUBLISH_APP_KEY - || '' }} - gpg-key: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_GPG_MAINTAINER_KEY - || secrets.ENVOY_GPG_SNAKEOIL_KEY }} - gpg-key-password: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_GPG_MAINTAINER_KEY_PASSWORD - || secrets.ENVOY_GPG_SNAKEOIL_KEY_PASSWORD }} - permissions: - actions: read - contents: read - packages: read - if: ${{ fromJSON(needs.load.outputs.request).run.release }} - needs: - - load - - build - uses: ./.github/workflows/_publish_release.yml - name: Release - with: - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - verify: - permissions: - actions: read - contents: read - packages: read - if: ${{ fromJSON(needs.load.outputs.request).run.verify }} - needs: - - load - - build - - release - uses: ./.github/workflows/_publish_verify.yml - name: 
Verify - with: - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - request: - secrets: - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - permissions: - actions: read - contents: read - pull-requests: read - if: | - always() - && github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (fromJSON(needs.load.outputs.request).run.release - || fromJSON(needs.load.outputs.request).run.verify) - needs: - - load - - build - - release - - verify - uses: ./.github/workflows/_finish.yml - with: - needs: ${{ toJSON(needs) }} diff --git a/.github/workflows/envoy-release.yml b/.github/workflows/envoy-release.yml deleted file mode 100644 index f4008c077c650..0000000000000 --- a/.github/workflows/envoy-release.yml +++ /dev/null 
@@ -1,304 +0,0 @@ -name: Envoy/release - -permissions: - contents: read - -on: - release: - types: - - published - branches: - - main - - release/v* - workflow_dispatch: - inputs: - task: - description: Select a task - required: true - default: create-release - type: choice - options: - - create-release - - reopen-branch - - sync-version-histories - - deprecate-guards - dry-run: - type: boolean - default: false - pr: - type: boolean - default: true - description: Create a PR - pr-message: - description: Additional message for PR, eg to fix an issue or additional signoff (optional) - wip: - type: boolean - default: false - description: WIP - author: - description: >- - Author: User/email, eg 'Myname ' - (used by create-release, default: `changelogs/summary.md` last committer) - summary: - type: boolean - default: true - description: Use changelog summary (required to publish release) - -env: - COMMITTER_NAME: publish-envoy[bot] - COMMITTER_EMAIL: 140627008+publish-envoy[bot]@users.noreply.github.com - - -jobs: - ## Triggerable actions - - # Create a release commit, when landed this will publish. - create_release: - runs-on: ubuntu-24.04 - if: github.event_name == 'workflow_dispatch' && inputs.task == 'create-release' - name: Create release - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - strip-prefix: release/ - token: ${{ steps.appauth.outputs.token }} - - run: | - if [[ ! 
-s "changelogs/summary.md" ]]; then - if [[ "${{ inputs.summary }}" == "false" ]]; then - echo "::warning::Changelog summary (changelogs/summary.md) is empty!" - exit 0 - fi - echo "::error::Changelog summary (changelogs/summary.md) is empty!" - exit 1 - fi - COMMITTER=$(git log -n 1 --format='%an <%ae>' -- changelogs/summary.md) - echo "committer=${COMMITTER}" >> $GITHUB_OUTPUT - id: changelog - name: Check changelog summary - - if: ${{ inputs.author }} - name: Validate signoff email - uses: envoyproxy/toolshed/actions/email/validate@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - email: ${{ inputs.author }} - - uses: envoyproxy/toolshed/actions/github/run@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Create release - with: - source: | - BAZEL_ARGS=(--) - BAZEL_RUN_ARGS=(--config=ci) - if [[ -n "${{ inputs.author }}" ]]; then - BAZEL_ARGS+=( - "--release-author=${{ inputs.author }}" - "--signoff=${{ steps.changelog.outputs.committer }}") - else - BAZEL_ARGS+=("--release-author=${{ steps.changelog.outputs.committer }}") - fi - command: >- - bazel - run - "${BAZEL_RUN_ARGS[@]}" - @envoy_repo//:release - "${BAZEL_ARGS[@]}" - - run: | - VERSION=$(cat VERSION.txt) - echo "version=v${VERSION}" >> $GITHUB_OUTPUT - name: Release version - id: release - - name: Create a PR - uses: envoyproxy/toolshed/actions/github/pr@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - base: ${{ github.ref_name }} - commit: false - append-commit-message: true - body: | - Created by Envoy publish bot for @${{ github.actor }} - ${{ ! inputs.summary && ':warning: Created without changelog summary, this will need to be updated before publishing' || '' }} - branch: release/create/${{ steps.checkout.outputs.branch-name }} - diff-upload: release-${{ steps.checkout.outputs.branch-name }} - diff-show: true - dry-run: ${{ ! inputs.pr }} - wip: ${{ ! inputs.summary || inputs.wip }} - title: >- - [${{ (! 
inputs.summary || inputs.wip) && 'WIP/' || '' }}release/${{ steps.checkout.outputs.branch-name }}] - repo: Release ${{ steps.release.outputs.version }} - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - - # Re-open a branch. - reopen-branch: - runs-on: ubuntu-24.04 - if: github.event_name == 'workflow_dispatch' && inputs.task == 'reopen-branch' - name: Re-open branch - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - strip-prefix: release/ - token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/actions/github/run@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Re-open branch - with: - command: >- - bazel - run - --config=ci - @envoy_repo//:dev - -- ${{ steps.checkout.outputs.branch-name != 'main' && '--patch' || '' }} - - run: | - VERSION=$(cat VERSION.txt | cut -d- -f1) - echo "version=v${VERSION}" >> $GITHUB_OUTPUT - name: Dev version - id: dev - - name: Create a PR - uses: envoyproxy/toolshed/actions/github/pr@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - base: ${{ github.ref_name }} - commit: false - append-commit-message: true - body: | - Created by Envoy publish bot for @${{ github.actor }} - branch: release/dev/${{ steps.checkout.outputs.branch-name }} - diff-upload: release-dev-${{ steps.checkout.outputs.branch-name }} - diff-show: true - dry-run: ${{ ! inputs.pr }} - wip: ${{ ! 
inputs.summary || inputs.wip }} - title: >- - [dev/${{ steps.checkout.outputs.branch-name }}] - repo: Dev ${{ steps.dev.outputs.version }} - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - - sync_version_histories: - runs-on: ubuntu-24.04 - if: github.event_name == 'workflow_dispatch' && inputs.task == 'sync-version-histories' - name: Sync version histories - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - strip-prefix: release/ - token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/actions/github/run@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - name: Sync version histories - with: - command: >- - bazel - run - --config=ci @envoy_repo//:sync - -- - --signoff="${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>" - - name: Create a PR - uses: envoyproxy/toolshed/actions/github/pr@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - append-commit-message: true - base: ${{ github.ref_name }} - commit: false - body: | - Created by Envoy publish bot for @${{ github.actor }} - branch: release/sync/${{ steps.checkout.outputs.branch-name }} - diff-upload: version-histories-${{ steps.checkout.outputs.branch-name }} - diff-show: true - dry-run: ${{ ! 
inputs.pr }} - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - title: >- - ${{ steps.checkout.outputs.branch-name != 'main' && format('[{0}]', steps.checkout.outputs.branch-name) || '' }} - repo: Sync version histories - - deprecate_guards: - runs-on: ubuntu-24.04 - if: >- - ${{ (github.event_name == 'workflow_dispatch' - && inputs.task == 'deprecate-guards') - || (github.event_name == 'release' - && endsWith(github.ref, '.0')) }} - name: Deprecate guards - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - config: | - fetch-depth: 0 - - name: Run deprecation tool - run: | - bazel run --config=ci \ - //tools/deprecate_guards \ - -- \ - ${{ ! 
inputs.dry-run && ' --create-issues' || '' }} \ - ${{ github.repository != 'envoyproxy/envoy' - && format('--staging-repo {0}', github.repository) - || '' }} - env: - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - - ## Triggered actions - - # On release to `main`: - # - fork the branch to a release branch - # - add an initial dev commit - # - remove anything unwanted - # - push branch - create_release_branch: - runs-on: ubuntu-24.04 - if: github.event_name == 'release' && endsWith(github.ref, '.0') - name: Create release branch - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - - name: Checkout repository - uses: envoyproxy/toolshed/actions/github/checkout@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - token: ${{ steps.appauth.outputs.token }} - - name: Create release branch - run: | - version="$(cut -d- -f1 < VERSION.txt | cut -d. -f-2)" - release_branch="release/v${version}" - commit_sha="$(git rev-parse HEAD)" - echo "Creating ${release_branch} from ${commit_sha}" - git checkout -b "$release_branch" - bazel run @envoy_repo//:dev -- --patch - git rm -rf .github/workflows/mobile*yml - git commit . -m "repo: Remove mobile ci for release branch" - git log - git push origin "$release_branch" diff --git a/.github/workflows/envoy-security-check.yml b/.github/workflows/envoy-security-check.yml deleted file mode 100644 index ebd4912c0b29c..0000000000000 --- a/.github/workflows/envoy-security-check.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -name: Security check - -# This workflow validates that workflow_run events are only triggered by authorized sources -# It will only run (and fail) if triggered by unauthorized events - -on: - workflow_run: - workflows: - - Request - types: - - completed - -permissions: - contents: read - - -jobs: - security: - permissions: - contents: read - pull-requests: write # For commenting on PRs - # Only run if this is a potential security violation - if: | - github.event.workflow_run.conclusion == 'success' - && (github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI) - && ( - github.event.workflow_run.repository.full_name != github.repository - || !contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - ) - runs-on: ubuntu-24.04 - name: Security violation - ${{ matrix.action }} - strategy: - fail-fast: false - matrix: - include: - - action: log - - action: comment - - action: slack - steps: - # CI - - name: Log violation details - if: matrix.action == 'log' - run: | - echo "::error::SECURITY VIOLATION DETECTED" - echo "::error::Unauthorized workflow_run trigger attempt" - echo "" - echo "Details:" - echo "- Workflow triggered by: ${{ github.event.workflow_run.event }}" - echo "- Repository: ${{ github.event.workflow_run.repository.full_name }}" - echo "- Expected repository: ${{ github.repository }}" - echo "- Workflow run ID: ${{ github.event.workflow_run.id }}" - echo "- Actor: ${{ github.event.workflow_run.actor.login }}" - echo "- PR: ${{ github.event.workflow_run.pull_requests[0].number || 'N/A' }}" - echo "" - - # Check specific violation - if [[ "${{ github.event.workflow_run.repository.full_name }}" != "${{ github.repository }}" ]]; then - echo "::error::Violation: Workflow triggered from unauthorized repository" - fi - - ALLOWED_EVENTS='["pull_request_target", "push", "schedule"]' - EVENT="${{ github.event.workflow_run.event }}" - - if ! 
echo "$ALLOWED_EVENTS" | jq -e --arg event "$EVENT" 'contains([$event])' > /dev/null; then - echo "::error::Violation: Workflow triggered by unauthorized event type: $EVENT" - fi - - # PR - - name: Comment on PR - if: matrix.action == 'comment' && github.event.workflow_run.pull_requests[0] - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 - with: - script: | - try { - const pr_number = context.payload.workflow_run.pull_requests[0].number; - const comment = ` - ## 🚨 **SECURITY VIOLATION DETECTED** 🚨 - - **UNAUTHORIZED WORKFLOW TRIGGER ATTEMPT** - - This pull request attempted to trigger protected workflows through unauthorized means. - - **VIOLATION DETAILS:** - - Event type: \`${{ github.event.workflow_run.event }}\` - - Repository: \`${{ github.event.workflow_run.repository.full_name }}\` - - Expected: \`${{ github.repository }}\` - - **THIS INCIDENT HAS BEEN LOGGED AND REPORTED.** - `; - - await github.rest.issues.createComment({ - owner: '${{ github.repository_owner }}', - repo: '${{ github.event.repository.name }}', - issue_number: pr_number, - body: comment - }); - } catch (error) { - console.error('Failed to comment on PR:', error); - } - - # SLACK - - name: Checkout repository (secure branch) - if: matrix.action == 'slack' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - with: - # Explicitly checkout main to avoid malicious code - ref: main - - name: Notify Slack - if: matrix.action == 'slack' - run: | - cat > /tmp/security_violation.json <- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.ref_name == 'main') - && (github.event.push - || !contains(github.actor, '[bot]')) - }} - strategy: - fail-fast: false - matrix: - downstream: - - go-control-plane - - envoy-filter-example - - data-plane-api - - mobile-website - steps: - - uses: envoyproxy/toolshed/actions/appauth@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - id: appauth - with: - app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} - key: ${{ 
secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/actions/dispatch@0f75902a4f8ed63a5b5f9e4336ef22048f6f5670 # v0.4.6 - with: - repository: "envoyproxy/${{ matrix.downstream }}" - ref: main - token: ${{ steps.appauth.outputs.token }} - workflow: envoy-sync.yaml diff --git a/.github/workflows/pr_notifier.yml b/.github/workflows/pr_notifier.yml deleted file mode 100644 index 11ec3988c4c80..0000000000000 --- a/.github/workflows/pr_notifier.yml +++ /dev/null @@ -1,37 +0,0 @@ -on: - pull_request: - branches: - - main - workflow_dispatch: - schedule: - - cron: '0 5 * * 1,2,3,4,5' - -permissions: - contents: read # to fetch code (actions/checkout) - -jobs: - pr_notifier: - permissions: - contents: read # to fetch code (actions/checkout) - statuses: read # for pr_notifier.py - pull-requests: read # for pr_notifier.py - name: PR Notifier - runs-on: ubuntu-24.04 - if: >- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.event.schedule - || !contains(github.actor, '[bot]')) - }} - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Notify about PRs - run: | - ARGS=() - if [[ "${{ github.event_name }}" == 'pull_request' ]]; then - ARGS+=(--dry_run) - fi - bazel run --config=ci //tools/repo:notify -- "${ARGS[@]}" - env: - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/request.yml b/.github/workflows/request.yml deleted file mode 100644 index 92253d32f47c4..0000000000000 --- a/.github/workflows/request.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -# This file must live on every branch and pass necessary secrets and permissions -# to initiate the request -name: Request - -permissions: - contents: read - -on: - pull_request_target: - branches: - - main - - release/v* - - ci/testing - push: - branches: - - main - - release/v* - - ci/testing - schedule: - - cron: '30 6 * * *' - -concurrency: - group: | - ${{ github.head_ref - || github.run_id - }}-${{ github.workflow }}-request - cancel-in-progress: true - - -jobs: - # Envoy (and mirror repos) have an environment setup that requires maintainer approval - # to use it. This CI checks if the request is from a first-time contributor, and in that - # case it uses the environment and requires the permission to proceed. - authorize: - if: >- - ${{ github.repository == 'envoyproxy/envoy' - || (vars.ENVOY_CI && github.event_name != 'schedule') - || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }} - runs-on: ubuntu-24.04 - environment: >- - ${{ github.event_name == 'pull_request_target' - && github.event.pull_request.author_association != 'MEMBER' - && github.event.pull_request.author_association != 'COLLABORATOR' - && github.event.pull_request.author_association != 'CONTRIBUTOR' - && github.event.pull_request.author_association != 'OWNER' - && 'external-contributors' - || '' }} - steps: - - run: | - echo "Authorized" - echo " Event: ${{ github.event_name }}" - echo " Author association: ${{ github.event.pull_request.author_association }}" - - request: - needs: authorize - permissions: - actions: write - contents: read - packages: read - # required to fetch merge commit - pull-requests: read - secrets: - # these are required to start checks - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }} - lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }} - # For branches this can be pinned to a specific version if required - # NB: `uses` cannot be dynamic so it 
_must_ be hardcoded anywhere it is read - uses: envoyproxy/envoy/.github/workflows/_request.yml@main - if: >- - ${{ github.repository == 'envoyproxy/envoy' - || (vars.ENVOY_CI && github.event_name != 'schedule') - || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml deleted file mode 100644 index d5aac896d7e09..0000000000000 --- a/.github/workflows/scorecard.yml +++ /dev/null @@ -1,46 +0,0 @@ -name: Scorecard supply-chain security -on: - branch_protection_rule: - schedule: - - cron: '33 13 * * 5' - push: - branches: - - "main" - -permissions: - contents: read - - -jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-24.04 - if: github.repository == 'envoyproxy/envoy' - permissions: - security-events: write - id-token: write - - steps: - - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 - with: - results_file: results.sarif - results_format: sarif - publish_results: true - - - name: "Upload artifact" - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 - with: - sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index c20b5721a04c8..0000000000000 --- a/.github/workflows/stale.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -name: Prune stale - -permissions: - contents: read - -on: - workflow_dispatch: - schedule: - - cron: '0 */4 * * *' - -jobs: - prune_stale: - if: >- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.event.schedule - || !contains(github.actor, '[bot]')) - }} - permissions: - issues: write # for actions/stale to close stale issues - pull-requests: write # for actions/stale to close stale PRs - name: Prune stale - runs-on: ubuntu-24.04 - - steps: - - name: Prune Stale - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - # Different amounts of days for issues/PRs are not currently supported but there is a PR - # open for it: https://github.com/actions/stale/issues/214 - days-before-stale: 30 - days-before-close: 7 - stale-issue-message: > - This issue has been automatically marked as stale because it has not had activity in the - last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity - occurs. Thank you for your contributions. - close-issue-message: > - This issue has been automatically closed because it has not had activity in the - last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". - Thank you for your contributions. - stale-pr-message: > - This pull request has been automatically marked as stale because it has not had - activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please - feel free to give a status update now, ping for review, or re-open when it's ready. - Thank you for your contributions! - close-pr-message: > - This pull request has been automatically closed because it has not had - activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. - Thank you for your contributions! 
- stale-issue-label: 'stale' - exempt-issue-labels: 'no stalebot,help wanted' - stale-pr-label: 'stale' - exempt-pr-labels: 'no stalebot' - operations-per-run: 500 - ascending: true diff --git a/.github/workflows/toolchain-test.yml b/.github/workflows/toolchain-test.yml deleted file mode 100644 index 7d726bfc5ad77..0000000000000 --- a/.github/workflows/toolchain-test.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: Toolchain default behavior test - -permissions: - contents: read -on: - pull_request: - paths: - - .bazelrc - - .github/workflows/toolchain-test.yml - - ci/matrix/** - - tools/toolchain -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - -jobs: - toolchain-test: - runs-on: ubuntu-22.04 - if: github.repository == 'envoyproxy/envoy' - strategy: - fail-fast: false - matrix: - include: - - name: "GCC only" - service: "gcc" - - name: "LLVM only" - service: "llvm" - - name: "Both GCC & LLVM" - service: "all" - - name: "No compilers" - service: "none" - name: "Test: ${{ matrix.name }}" - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Run matrix test - run: | - cd ci/matrix - export UID - docker compose run --rm --build ${{ matrix.service }} diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000000000..9ae5adfb364ce --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,31 @@
+# STAGE: build
+FROM envoyproxy/envoy-build-ubuntu:f4a881a1205e8e6db1a57162faf3df7aed88eae8@sha256:b10346fe2eee41733dbab0e02322c47a538bf3938d093a5daebad9699860b814 AS build
+WORKDIR /source
+# COPY /home/cybercyst/.cache/envoy-bazel /root/.cache/envoy-bazel
+COPY . .
+ENV ENVOY_DOCKER_BUILD_DIR=/build
+RUN ls -Rall && \
+ ./ci/do_ci.sh release.server_only && \
+ # ./ci/do_ci.sh distribution && \
+ ls -Rall ${ENVOY_DOCKER_BUILD_DIR}
+
+# STAGE: binary
+FROM scratch AS binary
+# COPY distribution/docker/docker-entrypoint.sh /
+COPY configs/envoyproxy_io_proxy.yaml /etc/envoy/envoy.yaml
+# See https://github.com/docker/buildx/issues/510 for why this _must_ be this way
+ARG TARGETPLATFORM
+ENV TARGETPLATFORM="${TARGETPLATFORM:-linux/amd64}"
+COPY --from=build "${TARGETPLATFORM}/release.tar.zst" /usr/local/bin/
+
+# STAGE: envoy-distroless
+FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:a1922debbf4ff2cc245d7c0d1e2021cfcee35fe24afae7505aeec59f7e7802f6 AS envoy-distroless
+EXPOSE 10000
+ENTRYPOINT ["/usr/local/bin/envoy"]
+CMD ["-c", "/etc/envoy/envoy.yaml"]
+COPY --from=binary --chown=0:0 --chmod=755 \
+ /etc/envoy /etc/envoy
+COPY --from=binary --chown=0:0 --chmod=644 \
+ /etc/envoy/envoy.yaml /etc/envoy/envoy.yaml
+COPY --from=binary --chown=0:0 --chmod=755 \
+ /usr/local/bin/envoy /usr/local/bin/
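Review bot: The final stage's `COPY --from=binary --chown=0:0 --chmod=755 /usr/local/bin/envoy /usr/local/bin/` has nothing to copy: the `binary` stage only ever receives `${TARGETPLATFORM}/release.tar.zst` into `/usr/local/bin/`, `COPY` does not unpack archives, and a `scratch` stage has no shell to unpack one, so the build should fail at that step (and if someone "fixes" it by copying the archive under the binary's name, the entrypoint becomes a `.tar.zst`). The `COPY --from=build` source is also resolved against the build stage's filesystem root, i.e. `/linux/amd64/release.tar.zst`, a location nothing visible writes to — the `ls -Rall ${ENVOY_DOCKER_BUILD_DIR}` in the same `RUN` suggests artifacts land under `/build`; confirm against `ci/do_ci.sh`. Unpack in the build stage, which has a shell, and copy the extracted binary straight into the distroless stage, leaving the `scratch` stage to hold only the config. Separately, `COPY . .` pulls the entire context into the build stage and `ls -Rall` dumps it into the build log, so `.git`, local caches and any certs or credentials in the checkout end up in cached layers and CI logs unless `.dockerignore` excludes them; the `# COPY /home/cybercyst/.cache/...` line is a leftover host-specific path that should not be committed.
```dockerfile
# STAGE: build
# … unchanged: FROM / WORKDIR / COPY . . / ENV …
ARG TARGETPLATFORM
RUN ./ci/do_ci.sh release.server_only && \
    mkdir -p /out && \
    # TODO(review): confirm the archive path written by do_ci.sh and that it contains `envoy` at top level
    tar --zstd -xf "${ENVOY_DOCKER_BUILD_DIR}/${TARGETPLATFORM}/release.tar.zst" -C /out

# STAGE: envoy-distroless
# … unchanged: FROM / EXPOSE / ENTRYPOINT / CMD / config COPYs …
COPY --from=build --chown=0:0 --chmod=755 /out/envoy /usr/local/bin/envoy
```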