Merge remote-tracking branch 'upstream/main' into pr-44665

Signed-off-by: Adam Buran <aburan28@gmail.com>

# Conflicts:
#	source/common/io/io_uring_impl.cc

Author: aburan28

.bazelrc

@@ -143,7 +143,6 @@ build:gcc --cxxopt=-Wno-nonnull-compare
 build:gcc --cxxopt=-Wno-trigraphs
 build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold
 build:gcc --host_platform=@envoy//bazel/rbe/toolchains:rbe_linux_gcc_platform
-build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold
 build:gcc --action_env=BAZEL_LINKOPTS=-lm:-fuse-ld=gold
 
 # libc++ - default for clang
@@ -438,8 +437,8 @@ common:engflow-common --grpc_keepalive_time=60s
 common:engflow-common --grpc_keepalive_timeout=30s
 common:engflow-common --remote_cache_compression
 # Recover from transient gRPC failures (e.g. UNAVAILABLE: io exception) talking to engflow.
-common:engflow-common --remote_retries=5
-common:engflow-common --remote_retry_max_delay=10s
+common:engflow-common --remote_retries=10
+common:engflow-common --remote_retry_max_delay=60s
 # Recover when blobs are evicted from the CAS mid-build (common during patch releases).
 common:engflow-common --experimental_remote_cache_eviction_retries=5
 

.devcontainer/setup.sh

@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 
-echo "build --config=clang" >> user.bazelrc
+if [[ ! -f user.bazelrc ]] || ! grep -Fxq 'build --config=clang' user.bazelrc; then
+  echo -e "build --config=clang" >> user.bazelrc
+fi
 
 # Ideally we want this line so bazel doesn't pollute things outside of the devcontainer, but some of
 # API tooling (proto_sync) depends on symlink like bazel-bin.

.github/config.yml

@@ -4,16 +4,16 @@ build-image:
   repo: docker.io/envoyproxy/envoy-build
   repo-gcr: gcr.io/envoy-ci/envoy-build
   # default ci caching (ci)
-  sha: 20656853fae51927cda557e7af80ccff175f5de6f84bd0f092cd8672b2a6e0fe
-  sha-ci: 20656853fae51927cda557e7af80ccff175f5de6f84bd0f092cd8672b2a6e0fe
-  sha-devtools: 6e7a82d4f1ba040f4ebef0c1aae00cdbd205ff7a1284c20cc20984fdfa4a91d8
-  sha-docker: 85b6c3e76f093d9c9d10a968b5615cc8d82f38d7aef311100d542e4d640f5a74
-  sha-gcc: 439e870260c1599646d05b8b5d3bf1b6dd585c2e3cdac78dcb9f4081564c27fd
-  sha-mobile: bd1338a8951376211e4f4f6ff3171675670c4c582b0966f1d247abd3ba6a8a67
-  sha-worker: 25a68eff24b7414a346977d545687b87851d1c5746c466798050fa12fc5d0686
+  sha: 1f67d403defd45e9dd312645122fdee70a16911fdd614378d274c31f27c518b3
+  sha-ci: 1f67d403defd45e9dd312645122fdee70a16911fdd614378d274c31f27c518b3
+  sha-devtools: 8e21fd13f52323f9e16fa4cf3030d5b6a7f28b1d82343735a425be961651da05
+  sha-docker: c290f5f548906d3a426be5c0200e19942a794c3bbb11c6d6257f5529702d7f78
+  sha-gcc: 2a12bbcd5e95bc037bae5dfb2eb6361e55faf737098cbf90b4378e2345d9eecf
+  sha-mobile: cf77d069ffcff08e01e9472c6b0bad608e861ede2bc1c7cb7eb68f7c8e419bce
+  sha-worker: 482b9906428e68a65101a1b27abf81f69dfd1b4377f66283866110bfd8127ea3
   # TODO: remove this dupe (currently used by ci request handler)
-  mobile-sha: bd1338a8951376211e4f4f6ff3171675670c4c582b0966f1d247abd3ba6a8a67
-  tag: 86873047235e9b8232df989a5999b9bebf9db69c
+  mobile-sha: cf77d069ffcff08e01e9472c6b0bad608e861ede2bc1c7cb7eb68f7c8e419bce
+  tag: v0.1.3
 
 config:
   envoy:

.github/workflows/_check_build.yml

@@ -6,6 +6,7 @@ permissions:
 on:
   workflow_call:
     secrets:
+      dockerhub-token:
       slack-bot-token:
     inputs:
       request:
@@ -23,6 +24,7 @@ concurrency:
 jobs:
   build:
     secrets:
+      dockerhub-token: ${{ secrets.dockerhub-token }}
       slack-bot-token: ${{ secrets.slack-bot-token }}
     permissions:
       actions: read
@@ -42,6 +44,7 @@ jobs:
         Error:
       rbe: true
       request: ${{ inputs.request }}
+      catch-errors: ${{ matrix.catch-errors || false }}
       skip: ${{ matrix.skip != false && true || false }}
       slack-channel: ${{ matrix.slack-channel || '' }}
       target: ${{ matrix.target }}
@@ -61,4 +64,5 @@ jobs:
         - target: openssl
           name: OpenSSL
           skip: ${{ ! fromJSON(inputs.request).run.check-build-openssl }}
+          catch-errors: true
           slack-channel: '#envoy-openssl'

.github/workflows/_check_coverage.yml

@@ -6,6 +6,7 @@ permissions:
 on:
   workflow_call:
     secrets:
+      dockerhub-token:
       gcp-key:
         required: true
 
@@ -24,6 +25,8 @@ concurrency:
 
 jobs:
   coverage:
+    secrets:
+      dockerhub-token: ${{ secrets.dockerhub-token }}
     permissions:
       actions: read
       contents: read
@@ -58,7 +61,7 @@ jobs:
           upload-name: coverage
           upload-path: generated/coverage/html
           steps-post: |
-            - uses: envoyproxy/toolshed/actions/jq@3c6fada5be38699cba49c9883d731ebe503d0b9d  # v0.4.10
+            - uses: envoyproxy/toolshed/actions/jq@1f5b552c6749502b885cb8cf23549b929e745547  # actions-v0.4.17
               with:
                 output-path: generated/coverage/html/gcs-metadata.json
                 input-format: yaml
@@ -79,7 +82,7 @@ jobs:
         - target: fuzz_coverage
           name: Fuzz coverage
           steps-post: |
-            - uses: envoyproxy/toolshed/actions/jq@3c6fada5be38699cba49c9883d731ebe503d0b9d  # v0.4.10
+            - uses: envoyproxy/toolshed/actions/jq@1f5b552c6749502b885cb8cf23549b929e745547  # actions-v0.4.17
               with:
                 output-path: generated/fuzz_coverage/html/gcs-metadata.json
                 input-format: yaml

.github/workflows/_check_runtime.yml

@@ -5,6 +5,8 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      dockerhub-token:
     inputs:
       request:
         type: string
@@ -20,6 +22,8 @@ concurrency:
 
 jobs:
   runtime:
+    secrets:
+      dockerhub-token: ${{ secrets.dockerhub-token }}
     permissions:
       actions: read
       contents: read

.github/workflows/_check_san.yml

@@ -5,6 +5,8 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      dockerhub-token:
     inputs:
       request:
         type: string
@@ -20,6 +22,8 @@ concurrency:
 
 jobs:
   san:
+    secrets:
+      dockerhub-token: ${{ secrets.dockerhub-token }}
     permissions:
       actions: read
       contents: read

.github/workflows/_cve_fetch.yml

@@ -35,7 +35,7 @@ jobs:
         else
             echo "weekly_run=false" >> $GITHUB_OUTPUT
         fi
-    - uses: envoyproxy/toolshed/actions/gcp/setup@3c6fada5be38699cba49c9883d731ebe503d0b9d  # v0.4.10
+    - uses: envoyproxy/toolshed/actions/gcp/setup@1f5b552c6749502b885cb8cf23549b929e745547  # actions-v0.4.17
       name: Setup GCP
       with:
         key: ${{ secrets.gcs-cve-key }}

.github/workflows/_cve_scan.yml

@@ -28,7 +28,7 @@ jobs:
       id: vars
       run: |
         echo "cve-data-path=${{ inputs.cve-data-path }}" > $GITHUB_OUTPUT
-    - uses: envoyproxy/toolshed/actions/gcp/setup@3c6fada5be38699cba49c9883d731ebe503d0b9d  # v0.4.10
+    - uses: envoyproxy/toolshed/actions/gcp/setup@1f5b552c6749502b885cb8cf23549b929e745547  # actions-v0.4.17
       name: Setup GCP
       with:
         key: ${{ secrets.gcs-cve-key }}

.github/workflows/_finish.yml

@@ -36,7 +36,7 @@ jobs:
       actions: read
       contents: read
     steps:
-    - uses: envoyproxy/toolshed/actions/jq@3c6fada5be38699cba49c9883d731ebe503d0b9d  # v0.4.10
+    - uses: envoyproxy/toolshed/actions/jq@1f5b552c6749502b885cb8cf23549b929e745547  # actions-v0.4.17
       name: Incoming data
       id: needs
       with:
@@ -87,21 +87,21 @@ jobs:
                    summary: "Check has finished",
                    text: $text}}}}
 
-    - uses: envoyproxy/toolshed/actions/jq@3c6fada5be38699cba49c9883d731ebe503d0b9d  # v0.4.10
+    - uses: envoyproxy/toolshed/actions/jq@1f5b552c6749502b885cb8cf23549b929e745547  # actions-v0.4.17
       name: Print summary
       with:
         input: ${{ toJSON(steps.needs.outputs.value).summary-title }}
         filter: |
           "## \(.)"
         options: -Rr
         output-path: GITHUB_STEP_SUMMARY
-    - uses: envoyproxy/toolshed/actions/appauth@3c6fada5be38699cba49c9883d731ebe503d0b9d  # v0.4.10
+    - uses: envoyproxy/toolshed/actions/appauth@1f5b552c6749502b885cb8cf23549b929e745547  # actions-v0.4.17
       name: Appauth
       id: appauth
       with:
         app_id: ${{ secrets.app-id }}
         key: ${{ secrets.app-key }}
-    - uses: envoyproxy/toolshed/actions/github/checks@3c6fada5be38699cba49c9883d731ebe503d0b9d  # v0.4.10
+    - uses: envoyproxy/toolshed/actions/github/checks@1f5b552c6749502b885cb8cf23549b929e745547  # actions-v0.4.17
       name: Update check
       with:
         action: update