diff --git a/.github/workflows/POLICY.md b/.github/workflows/POLICY.md deleted file mode 100644 index c52488cd22efe..0000000000000 --- a/.github/workflows/POLICY.md +++ /dev/null @@ -1,59 +0,0 @@ -# Envoy Github workflows - -## Trusted workflows - -Github workflows that are **not** triggered by a `pull_request` generally run with -the repository context/permissions. - -In various ways, these workflows can be triggered as the result of a `pull_request` -and/or be made to run untrusted code (ie PR code). - -This can be useful, but carries significant risks. - -In particular this can effect: - -- `pull_request_target` -- `workflow_run` -- `workflow_dispatch` - -Do not use these trigger events unless they are required. - -## Restrict global permissions and secrets in trusted workflows - -If a job requires specific permissions, these should be added on per-job basis. - -Global permissions should be set as follows: - -```yaml -permissions: - contents: read -``` - -Likewise, any secrets that a job requires should be set per-job. - -## Restrict access to `workflow_dispatch` - -It is important to restrict who can trigger these types of workflow. - -Do not allow any bots or app users to do so, unless this is specifically required. - -For example, you could add a `job` condition to prevent any bots from triggering the workflow: - -```yaml - if: >- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.event.schedule - || !contains(github.actor, '[bot]')) - }} -``` - -## Trusted/untrusted CI jobs - -If a trusted workflow is used to run untrusted code, then the entire job that runs this code -should be treated as untrusted. - -In this case, it is **essential** to ensure: - -- no write permissions in the untrusted job -- no secrets in the untrusted job diff --git a/.github/workflows/README.md b/.github/workflows/README.md deleted file mode 100644 index 743c7f39acdd0..0000000000000 --- a/.github/workflows/README.md +++ /dev/null 
@@ -1,198 +0,0 @@ -## CI configuration - -CI is configured in .github/config.yml. - -The configuration is per-branch and in this way different branches can have a different -runtime configuration. - -In a pull request only 2 things are read from the config.yml submitted in the request: - -- version -- build image - -As these can change the way the CI runs they are allowed to change. No other configuration -is read from the pull request itself. - -### Checks - -Which checks should run against a commit or PR is configured under the `checks` key. - -The names of these checks should match any checks that are set to required for the repo, -and if a check is required this should be set in the config to ensure the check is marked -as skipped if the related runs are skipped. - -### Runs - -This controls which workflows run, and where necessary which jobs in the workflows. - -This paths can be configured with glob matches to match changed files. - -Paths are always matched for PRs. - -For push requests the config can be set to: - -- always (default): Always runs -- paths: Runs when paths match -- never: Doesnt run on pushes - -## CI requests - -### All CI is requested - -Whether triggered by push event or a pull_request all CI should be viewed as "requested". - -This is very important as it means we can treat incoming triggers in much the same way -as we might handle an incoming web request. - -Much like a web request, CI requests may be "trusted" or "untrusted" and as a consequence -have more or less capability or access. - -Again, much like web requests, CI requests cannot be assumed to be safe. - -Any incoming data - critically data over which a user has the capability to change should -be treated in the same way that user data is handled in a web request. - -Failure to do this opens our CI up to many of the same attacks you might expect in a web scenario -- mostly injection attacks of various sorts. 
- -### Requests are always made _from_ the triggering branch - -The only CI workflow that is required/used on any branch other than `main` is `request.yml`. - -This file contains any custom configurations required by the branch - for example, build images. - -The request workflow on any branch always delegates to the `_request.yml` on `main`. - -The `_request.yml` workflow contains all required configuration for handling an incoming request. - -All other CI listens for the request workflow to run, and then runs with the requested/parsed data. - -### CI is always run _in_ the context of main - -Other than updating configurations in any given `request.yml` - no CI workflows are parsed -anywhere other than in the context of `main`. - -This means that **all** changes must be made to the `main` workflows for _any_ branch _and_ for PRs. - -Like branch CI, PRs also run in the context of `main` - making changes to these files in a PR will have -no effect until/unless they are landed on the `main` branch. - -### Lifecycle of a CI request - -#### Incoming request: - -Requests can be triggered by a `push` to `main` or a release branch or from a -`pull_request_target` to those branches. - -The `request.yml` file handles this and *must* live on every branch. - -This wf then calls the reusable `_request.yml` workflow, typically on `main`, but -branches can pin this if required. - -#### Request is handled by `_request.yml` workflow: - -This workflow initially reads the `.github/config.yml` from the target branch. - -It uses this to decide which CI and which checks need to be run, and collects information -about the CI request. - -This can be configured on a per-branch basis, by editing the file on the branch. - -This also holds the authoritative build image information. - -Users can request a CI run in a PR with custom build images by editing the config.yml file -on the relevant branch. CI will allow this but flag the change. 
- -Likewise the version is checked at this stage, and CI flags if it has changed. - -No other CI vars should be editable by users in a PR. - -#### CI check runs *on main* listen for incoming requests and run if required: - -These checks *always* run on `main` but with the repo checked out for the branch or the PR. - -If branches require custom CI this can be added in the relevant file *on main* with -a condition to only trigger for relevant target branch. - -#### Checks are completed at the end of each CI run: - -Currently this reports only on the overall outcome of the CI run and updates the check. - -We can add eg Slack reporting here to notify on failed `main` runs. - -#### Retesting - -PR CI can be retested by issuing `/retest` on the PR. - -This finds the checks related to the latest request and restarts them if they are -failed or cancelled. - -Links on the request page link to the original checks, but the checks themselves will -offer a `reload` button to refresh to the latest version. - -## Branch CI - -All CI is run on `main` - branch CI included. - -The CI will checkout the correct commits and run the CI at that point. - -This means that the CI on `main` should always be able to run the current supported branches. - -There are possible workaround for custom branch CI but the better path is to ensure legacy support -in current `main` or backport any required changes. - -## CI caching - -Currently only x86 Docker images are cached. - -Github has a hard per-repo limit of 10GB cache for CI which is LRU cycled when exceeded. - -This should just be enough to store x86 and arm Docker images for most of our release branches -but will not leave anything to spare. - -We can probably set up a bucket cache for bazel and other caching but this will need to be -done separately for un/trusted CI. 
- -### Cache mutex - -Due to shortcomings in Github's concurrency algorithm we are using a mutex lock that -is currently stored in the (private) https://github.com/envoyproxy/ci-mutex repository. - -The lock allows CI jobs to wait while the cache is being primed rather than all jobs attempting -to prime the cache simultaneously. - -## Development, testing and CI - -Any Github workflows that use the repository context (`pull_request_target`, `workflow_run`, etc) -**are not tested in Pull Requests** - -This means that changes to CI must be tested/verified in the (private) staging repository. - -### CI enabling vars - -The CI workflows and actions are receptive to certain environment variables being set. - -`ENVOY_CI`: this allows CI to run in non-`envoyproxy/envoy` repos -`ENVOY_MOBILE_CI`: this allows mobile CI to be run in non-`envoyproxy/envoy` repos -`ENVOY_MACOS_CI`: this allows macOS CI to be run in non-`envoyproxy/envoy` repos -`ENVOY_WINDOWS_CI`: this allows Windows CI to be run in non-`envoyproxy/envoy` repos - -With these flags activated the CI runs will respect the normal conditions for running. - -### CI override vars - -The CI workflows will also trigger for specific run settings. - -For example: - -`ENVOY_CI_RUN_MOBILE_ANDROID` would trigger the android CI irrespective of files changed, etc. - -These correspond to the run names as configured in config.yml - for example: - -`ENVOY_CI_RUN_BUILD_MACOS` would ensure the `build-macos` run is triggered. - -### Debugging CI - -Setting `CI_DEBUG` will provide a large amount of runtime information. - -Generally this does not want to be set in a production context. diff --git a/.github/workflows/_check_build.yml b/.github/workflows/_check_build.yml deleted file mode 100644 index 8eddc447b1701..0000000000000 --- a/.github/workflows/_check_build.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -name: Check/build - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cache-key: - required: true - - inputs: - gcs-cache-bucket: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-build - cancel-in-progress: true - - -jobs: - build: - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - permissions: - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.name ||matrix.target }} - with: - bazel-extra: '--config=remote-envoy-engflow' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - diskspace-hack: ${{ matrix.diskspace-hack || false }} - error-match: | - ERROR - error: - Error: - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - rbe: true - request: ${{ inputs.request }} - target: ${{ matrix.target }} - timeout-minutes: 180 - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - target: api - name: API - - target: compile_time_options - name: Compile time options - - target: gcc - name: GCC - diskspace-hack: true diff --git a/.github/workflows/_check_coverage.yml b/.github/workflows/_check_coverage.yml deleted file mode 100644 index 12b7c6380fc63..0000000000000 --- a/.github/workflows/_check_coverage.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -name: Check/coverage - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cache-key: - required: true - gcp-key: - required: true - - inputs: - gcs-cache-bucket: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-coverage - cancel-in-progress: true - - -jobs: - coverage: - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - gcp-key: ${{ secrets.gcp-key }} - permissions: - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.name ||matrix.target }} - with: - bazel-extra: '--config=remote-envoy-engflow' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - diskspace-hack: ${{ matrix.diskspace-hack && true || false }} - diskspace-hack-paths: ${{ matrix.diskspace-hack-paths }} - error-match: | - ERROR - error: - Error: - lower than limit - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - rbe: true - request: ${{ inputs.request }} - runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }} - steps-post: | - - uses: envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.23 - with: - bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }} - path: generated/${{ matrix.target }}/html - path-upload: ${{ matrix.target }} - sha: ${{ fromJSON(inputs.request).request.sha }} - redirect: >- - ${{ vars.GCS_ARTIFACT_PREFIX - && format('{0}-', vars.GCS_ARTIFACT_PREFIX) - }}${{ fromJSON(inputs.request).request.pr - || fromJSON(inputs.request).request.target-branch }} - target: ${{ matrix.target }} - timeout-minutes: 180 - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - target: coverage - name: Coverage - diskspace-hack: true - diskspace-hack-paths: | - /opt/hostedtoolcache - - target: 
fuzz_coverage - name: Fuzz coverage diff --git a/.github/workflows/_check_san.yml b/.github/workflows/_check_san.yml deleted file mode 100644 index 82f06b5626fcf..0000000000000 --- a/.github/workflows/_check_san.yml +++ /dev/null @@ -1,60 +0,0 @@ -name: Check/san - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cache-key: - required: true - - inputs: - gcs-cache-bucket: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-asan - cancel-in-progress: true - - -jobs: - san: - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - permissions: - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.target }} - with: - bazel-extra: '--config=remote-envoy-engflow' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - request: ${{ inputs.request }} - error-match: | - ERROR - error: - Error: - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - rbe: ${{ matrix.rbe }} - target: ${{ matrix.target }} - timeout-minutes: 180 - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - target: asan - rbe: true - - target: msan - rbe: true - - target: tsan - rbe: true diff --git a/.github/workflows/_cve_fetch.yml b/.github/workflows/_cve_fetch.yml deleted file mode 100644 index 2f9c924b1d834..0000000000000 --- a/.github/workflows/_cve_fetch.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -name: Dependency/Fetch CVE data - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cve-key: - required: true - inputs: - cve-data-path: - default: tools/dependency/cve_data - type: string - scheduled: - default: false - type: boolean - - -jobs: - cve-data: - name: Fetch CVE data - runs-on: ubuntu-24.04 - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set vars - id: vars - run: | - echo "cve-data-path=${{ inputs.cve-data-path }}" > $GITHUB_OUTPUT - DAY=$(date +%u) - if [[ "$DAY" == 7 && "${{ inputs.scheduled }}" == "true" ]]; then - echo "weekly_run=true" >> $GITHUB_OUTPUT - export OVERWRITE_ALL_CVE_DATA=1 - else - echo "weekly_run=false" >> $GITHUB_OUTPUT - fi - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.25 - name: Setup GCP - with: - key: ${{ secrets.gcs-cve-key }} - - name: Create CVE data directory - run: | - mkdir -p ${{ steps.vars.outputs.cve-data-path }} - - name: Download (sync) from GCS bucket - run: | - gsutil -mq rsync \ - "gs://${{ vars.GCS_CVE_BUCKET }}" \ - "${{ steps.vars.outputs.cve-data-path }}" - - name: Run CVE fetcher - run: | - bazel run --config=ci //tools/dependency:cve_update - - name: Upload (sync) to GCS bucket - run: | - gsutil \ - -mq rsync \ - -dr ${{ steps.vars.outputs.cve-data-path }} \ - "gs://${{ vars.GCS_CVE_BUCKET }}" diff --git a/.github/workflows/_cve_scan.yml b/.github/workflows/_cve_scan.yml deleted file mode 100644 index 974fd387c778b..0000000000000 --- a/.github/workflows/_cve_scan.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: Dependency/Fetch CVE data - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cve-key: - required: true - inputs: - cve-data-path: - default: tools/dependency/cve_data - type: string - scheduled: - default: false - type: boolean - - -jobs: - cve-data: - name: Scan dependencies for CVEs - runs-on: ubuntu-24.04 - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set vars - id: vars - run: | - echo "cve-data-path=${{ inputs.cve-data-path }}" > $GITHUB_OUTPUT - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.25 - name: Setup GCP - with: - key: ${{ secrets.gcs-cve-key }} - - name: Create CVE data directory - run: | - mkdir -p ${{ steps.vars.outputs.cve-data-path }} - - name: Download (sync) from GCS bucket - run: | - gsutil -mq rsync \ - "gs://${{ vars.GCS_CVE_BUCKET }}" \ - "${{ steps.vars.outputs.cve-data-path }}" - - name: Run CVE dependency scanner - run: | - bazel test --config=ci --config=cves //tools/dependency:cve_test diff --git a/.github/workflows/_finish.yml b/.github/workflows/_finish.yml deleted file mode 100644 index fd01ca27761aa..0000000000000 --- a/.github/workflows/_finish.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -name: Workflow/complete - -permissions: - contents: read - - -on: - # Do not run untrusted code here - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - inputs: - needs: - type: string - required: true - template-check-text: - type: string - default: | - ## \($icon) Check run finished (\($outcome.name) \($outcome.icon)) - - ## The check run can be viewed here: - - # \($icon) \($run_link) - -env: - CI_DEBUG: ${{ vars.CI_DEBUG && true || false }} - - -jobs: - complete: - runs-on: ${{ fromJSON(fromJSON(inputs.needs).load.outputs.request).config.ci.agent-ubuntu }} - permissions: - actions: read - contents: read - steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - name: Incoming data - id: needs - with: - input: | - check_name: ${{ fromJSON(inputs.needs).load.outputs.check-name }} - repo: ${{ github.repository }} - run_id: ${{ github.run_id }} - outcomes: ${{ toJSON(fromJSON(inputs.needs).*.result) }} - load: ${{ toJSON(fromJSON(inputs.needs).load.outputs) }} - input-format: yaml - print-result: ${{ fromJSON(env.CI_DEBUG || 'false') && true || false }} - filter: | - .repo as $repo - | .run_id as $run_id - | .needs as $result - | .check_name as $check_name - | .load as $load - | $load["check-id"] as $check_id - | $load["run-id"] as $workflow_id - | (.load.request | fromjson) as $request - | $request.config.envoy.icon as $icon - | .outcomes - | if any(. == "failure") then - {name: "failure", icon: ":x:"} - elif any(. == "cancelled") then - {name: "cancelled", icon: ""} - elif all(. == "skipped") then - {name: "skipped", icon: ""} - else - {name: "success", icon: ":heavy_check_mark:"} - end - | . 
as $outcome - | "\($request.check.name) (\($request.summary.title))" as $run_link_text - | "[\($run_link_text)](https://github.com/\($repo)/actions/runs/\($run_id))" as $run_link - | "${{ inputs.template-check-text }}" as $text - | {"summary-title": "\($icon) \($request.check.name) complete (\($outcome.name))", - "check-id": $check_id, - conclusion: $outcome.name, - checks: { - ($check_name): { - name: $request.check.name, - head_sha: $request.request.sha, - status: "completed", - conclusion: $outcome.name, - external_id: "\($run_id)", - output: { - title: "\($request.check.name) (\($outcome.name))", - summary: "Check has finished", - text: $text}}}} - - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - name: Print summary - with: - input: ${{ toJSON(steps.needs.outputs.value).summary-title }} - filter: | - "## \(.)" - options: -Rr - output-path: GITHUB_STEP_SUMMARY - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - name: Appauth - id: appauth - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.23 - name: Update check - with: - action: update - checks: ${{ toJSON(fromJSON(steps.needs.outputs.value).checks) }} - token: ${{ steps.appauth.outputs.token }} - - # This is necessary to ensure that any retests have their checks updated - - name: Fail the job - if: ${{ fromJSON(steps.needs.outputs.value).conclusion != 'success' }} - run: | - exit 1 diff --git a/.github/workflows/_load.yml b/.github/workflows/_load.yml deleted file mode 100644 index 3fe651821c320..0000000000000 --- a/.github/workflows/_load.yml +++ /dev/null 
@@ -1,163 +0,0 @@ -name: Request/load - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - - inputs: - agent-ubuntu: - type: string - default: ubuntu-24.04 - check-name: - type: string - required: true - check-title: - type: string - default: - head-sha: - type: string - default: - run-id: - type: string - default: ${{ github.event.workflow_run.id }} - runs-after: - type: boolean - default: false - template-request-summary: - type: string - default: | - ## \($linkedTitle) - - \($summary) - - \($extra) - - outputs: - build-image: - value: ${{ jobs.request.outputs.build-image }} - build-image-mobile: - value: ${{ jobs.request.outputs.build-image-mobile }} - check-id: - value: ${{ jobs.request.outputs.check-id }} - check-name: - value: ${{ inputs.check-name }} - request: - value: ${{ jobs.request.outputs.request }} - run-id: - value: ${{ inputs.run-id }} - trusted: - value: ${{ jobs.request.outputs.trusted }} - -concurrency: - group: | - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.head_ref - || github.run_id - }}-${{ github.workflow }}-env - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG && true || false }} - - -jobs: - request: - if: ${{ github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI }} - runs-on: ubuntu-24.04 - permissions: - actions: read - contents: read - pull-requests: read - outputs: - build-image: ${{ toJSON(fromJSON(steps.request-output.outputs.value).request.build-image) }} - build-image-mobile: ${{ fromJSON(steps.request-output.outputs.value).request.build-image-mobile }} - check-id: ${{ fromJSON(steps.request-output.outputs.value).check.check-id }} - request: ${{ steps.request-output.outputs.value }} - trusted: ${{ fromJSON(steps.request-output.outputs.value).request.trusted }} - skip: ${{ fromJSON(steps.request-output.outputs.value).check.action != 'RUN' }} - steps: - - run: | - gh api \ - -H "Accept: application/vnd.github+json" \ - -H 
"X-GitHub-Api-Version: 2022-11-28" \ - /repos/${{ github.repository }}/actions/runs/${{ inputs.run-id }} \ - | jq '.' - RUNID=$(gh run view ${{ inputs.run-id }} --repo ${{ github.repository }} --json databaseId | jq -r '.databaseId') - echo "value=${RUNID}" >> "$GITHUB_OUTPUT" - id: run-id - if: ${{ inputs.runs-after == true }} - env: - GH_TOKEN: ${{ github.token }} - - # Load env data - # Handle any failure in triggering job - # Remove any `checks` we dont care about - # Prepare a check request - - uses: envoyproxy/toolshed/gh-actions/github/env/load@actions-v0.3.23 - name: Load env - id: data - with: - run-id: ${{ steps.run-id.outputs.value || inputs.run-id }} - check-name: ${{ inputs.check-name }} - head-sha: ${{ inputs.head-sha }} - env: - GH_TOKEN: ${{ github.token }} - - # Update the check - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - name: Appauth - id: appauth - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.23 - name: Update check - if: ${{ fromJSON(steps.data.outputs.data).data.check.action == 'RUN' }} - with: - action: update - checks: ${{ toJSON(fromJSON(steps.data.outputs.data).checks) }} - token: ${{ steps.appauth.outputs.token }} - - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - name: Print request summary - with: - input: | - action: ${{ fromJSON(steps.data.outputs.data).data.check.action }} - summary: ${{ toJSON(fromJSON(steps.data.outputs.data).data.summary) }} - input-format: yaml - output-path: GITHUB_STEP_SUMMARY - options: -r - filter: | - .action as $action - | .summary as $summary - | if ($action != "RUN") then - "### ${{ github.workflow }} was skipped" - else "" end - | . 
as $extra - | $summary["linked-title"] as $linkedTitle - | $summary.summary as $summary - | "${{ inputs.template-request-summary }}" - - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - id: request-output - name: Load request - with: - input: | - check: ${{ toJSON(fromJSON(steps.data.outputs.data).data.check) }} - config: ${{ toJSON(fromJSON(steps.data.outputs.data).data.config) }} - request: ${{ toJSON(fromJSON(steps.data.outputs.data).data.request) }} - run: ${{ toJSON(fromJSON(steps.data.outputs.data).data.run) }} - summary_title: ${{ fromJSON(steps.data.outputs.data).data.summary.title }} - input-format: yaml - filter: | - . - | .summary = {title: .summary_title} - | del(.request.message, .summary_title) - print-result: ${{ fromJSON(env.CI_DEBUG || 'false') && true || false }} diff --git a/.github/workflows/_load_env.yml b/.github/workflows/_load_env.yml deleted file mode 100644 index f82003f9ecc5b..0000000000000 --- a/.github/workflows/_load_env.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -name: Request/load - -permissions: - contents: read - -on: - workflow_call: - secrets: - lock-app-id: - required: true - lock-app-key: - required: true - - inputs: - branch-name: - type: string - default: main - cache-docker: - type: boolean - default: true - config-file: - type: string - default: ./.github/config.yml - event-name: - type: string - default: ${{ github.workflow }} - event-type: - type: string - default: ${{ github.event_name == 'workflow_dispatch' && 'dispatch' || 'scheduled' }} - trusted: - type: boolean - default: true - - outputs: - build-image: - value: ${{ jobs.request.outputs.build-image }} - build-image-mobile: - value: ${{ jobs.request.outputs.build-image-mobile }} - request: - value: ${{ jobs.request.outputs.request }} - trusted: - value: ${{ jobs.request.outputs.trusted }} - -concurrency: - group: | - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.head_ref - || github.run_id - }}-${{ github.workflow }}-env - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG && true || false }} - - -jobs: - request: - if: ${{ github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI }} - runs-on: ubuntu-24.04 - outputs: - build-image: ${{ toJSON(fromJSON(steps.env.outputs.data).request.build-image) }} - build-image-mobile: ${{ fromJSON(steps.env.outputs.data).request.build-image-mobile }} - request: ${{ steps.env.outputs.data }} - trusted: true - steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - id: started - name: Create timestamp - with: - options: -r - filter: | - now - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - id: checkout - name: Checkout Envoy repository - - name: Generate environment variables - uses: envoyproxy/toolshed/gh-actions/envoy/ci/env@actions-v0.3.23 - id: env - with: - branch-name: ${{ inputs.branch-name }} - config-file: ${{ inputs.config-file }} - started: ${{ steps.started.outputs.value }} - token: ${{ secrets.GITHUB_TOKEN }} - vars: ${{ 
toJSON(vars) }} - trusted: ${{ inputs.trusted }} - - - name: Request summary - id: summary - uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.23 - with: - actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} - base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} - event-name: ${{ inputs.event-name }} - event-type: ${{ inputs.event-type }} - link: ${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }} - output-path: GITHUB_STEP_SUMMARY - data: ${{ steps.env.outputs.data }} - tables: ${{ toJSON(fromJSON(steps.env.outputs.data).config.tables) }} - icon: ${{ fromJSON(steps.env.outputs.data).config.envoy.icon }} - message: ${{ fromJSON(steps.env.outputs.data).request.message }} - ref: ${{ fromJSON(steps.env.outputs.data).request.ref }} - sha: ${{ fromJSON(steps.env.outputs.data).request.sha }} - target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - - cache: - secrets: - app-id: ${{ secrets.lock-app-id }} - app-key: ${{ secrets.lock-app-key }} - uses: ./.github/workflows/_request_cache_docker.yml - needs: request - if: ${{ inputs.cache-docker }} - with: - request: ${{ toJSON(needs.request.outputs) }} - image-tag: ${{ fromJSON(needs.request.outputs.build-image).default }} diff --git a/.github/workflows/_mobile_container_ci.yml b/.github/workflows/_mobile_container_ci.yml deleted file mode 100644 index 244785eb9fc13..0000000000000 --- a/.github/workflows/_mobile_container_ci.yml +++ /dev/null 
@@ -1,158 +0,0 @@ -name: Mobile CI - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - app-key: - rbe-key: - ssh-key-extra: - inputs: - args: - type: string - catch-errors: - type: boolean - default: false - checkout-extra: - type: string - default: - command: - type: string - default: ./bazelw - concurrency-suffix: - type: string - default: -mobile - container: - type: string - container-output: - type: string - default: - container-command: - type: string - default: >- - docker run - --volume=${PWD}:/source - --volume=${TMP_ENTRYPOINT}:/tmp/mobile-entrypoint.sh - --volume=/tmp/cache:/root/.cache - --volume=/tmp/container-output:/tmp/container-output - --workdir=/source/mobile - --entrypoint=/tmp/mobile-entrypoint.sh - -e GITHUB_TOKEN - -e CC - -e CXX - -e BAZEL_BUILD_OPTION_LIST - -e MOBILE_DOCS_CHECKOUT_DIR - diskspace-hack: - type: boolean - default: false - downloads: - type: string - default: - entrypoint: - type: string - default: - entrypoint-DEFAULT: - type: string - default: | - #!/bin/bash -e - export PATH=/opt/llvm/bin:$PATH - exec "$@" - error-match: - type: string - default: | - ERROR - error: - Error: - notice-match: - type: string - default: | - NOTICE - Streaming build results - output-path: - type: string - default: /tmp/container-output - rbe: - type: boolean - default: true - ref: - type: string - request: - type: string - required: true - runs-on: - type: string - skip: - type: boolean - default: false - source: - type: string - default: - steps-pre: - type: string - steps-pre-name: - type: string - steps-post: - type: string - default: - steps-post-name: - type: string - target: - type: string - required: true - temp-dir: - type: string - timeout-minutes: - type: number - trusted: - type: boolean - default: false - upload-name: - type: string - upload-path: - type: string - warning-match: - type: string - default: | - WARNING - warning: - Warning: - - -jobs: - ci: - uses: ./.github/workflows/_run.yml - name: ${{ 
inputs.target }} - permissions: - contents: read - packages: read - secrets: - ssh-key-extra: ${{ secrets.ssh-key-extra }} - with: - args: ${{ inputs.args }} - rbe: ${{ inputs.rbe }} - # This always just caches the main build image, the mobile one is layered on top - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - catch-errors: ${{ inputs.catch-errors }} - container-command: ${{ inputs.container-command }} ${{ inputs.container || fromJSON(inputs.request).request.build-image.default }} - container-output: ${{ inputs.container-output }} - command: ${{ inputs.command }} - concurrency-suffix: ${{ inputs.concurrency-suffix }} - docker-ipv6: false - entrypoint: ${{ inputs.entrypoint || inputs.entrypoint-DEFAULT }} - downloads: ${{ inputs.downloads }} - error-match: ${{ inputs.error-match }} - notice-match: ${{ inputs.notice-match }} - output-path: ${{ inputs.output-path }} - request: ${{ inputs.request }} - source: ${{ inputs.source }} - steps-pre: ${{ inputs.steps-pre }} - steps-post: ${{ inputs.steps-post }} - target: ${{ inputs.target }} - timeout-minutes: ${{ inputs.timeout-minutes }} - trusted: ${{ fromJSON(inputs.request).request.trusted }} - upload-name: ${{ inputs.upload-name }} - upload-path: ${{ inputs.upload-path }} - warning-match: ${{ inputs.warning-match }} diff --git a/.github/workflows/_precheck_deps.yml b/.github/workflows/_precheck_deps.yml deleted file mode 100644 index a816809832bd6..0000000000000 --- a/.github/workflows/_precheck_deps.yml +++ /dev/null 
@@ -1,69 +0,0 @@ -name: Precheck/deps - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cache-key: - required: true - inputs: - dependency-review: - type: boolean - default: false - gcs-cache-bucket: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-deps - cancel-in-progress: true - - -jobs: - deps: - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - permissions: - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.target }} - with: - bazel-extra: '--config=remote-envoy-engflow' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - diskspace-hack: true - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - request: ${{ inputs.request }} - error-match: | - ERROR - error: - Error: - rbe: ${{ matrix.rbe }} - target: ${{ matrix.target }} - trusted: ${{ inputs.trusted }} - strategy: - matrix: - include: - - target: deps - rbe: false - - dependency-review: - runs-on: ubuntu-24.04 - if: ${{ inputs.dependency-review }} - steps: - - name: Checkout Repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ fromJSON(inputs.request).request.sha }} - persist-credentials: false - - name: Dependency Review - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 diff --git a/.github/workflows/_precheck_format.yml b/.github/workflows/_precheck_format.yml deleted file mode 100644 index a12e254320280..0000000000000 --- a/.github/workflows/_precheck_format.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -name: Precheck/format - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cache-key: - required: true - inputs: - gcs-cache-bucket: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-format - cancel-in-progress: true - - -jobs: - format: - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - permissions: - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.name || matrix.target }} - with: - bazel-extra: '--config=remote-envoy-engflow' - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - concurrency-suffix: -${{ matrix.target }} - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - request: ${{ inputs.request }} - error-match: | - ERROR - error: - Error: - rbe: true - target: ${{ matrix.target }} - trusted: ${{ inputs.trusted }} - upload-name: ${{ matrix.upload-name }} - upload-path: ${{ matrix.upload-path }} - strategy: - fail-fast: false - matrix: - include: - - target: format - upload-name: fix_format.diff - upload-path: /home/runner/work/_temp/fix_format.diff - - target: format-api - upload-name: fix_proto_format.diff - upload-path: /home/runner/work/_temp/fix_proto_format.diff diff --git a/.github/workflows/_precheck_publish.yml b/.github/workflows/_precheck_publish.yml deleted file mode 100644 index a4de52c443d23..0000000000000 --- a/.github/workflows/_precheck_publish.yml +++ /dev/null 
@@ -1,91 +0,0 @@ -name: Precheck/publish - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcp-key: - required: true - gcs-cache-key: - required: true - inputs: - gcs-cache-bucket: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}-publish - cancel-in-progress: true - - -jobs: - publish: - secrets: - gcp-key: ${{ secrets.gcp-key }} - gcs-cache-key: ${{ secrets.gcs-cache-key }} - permissions: - contents: read - packages: read - uses: ./.github/workflows/_run.yml - name: ${{ matrix.name || matrix.target }} - with: - arch: ${{ matrix.arch }} - bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && '-arm64' || '' }} - concurrency-suffix: -${{ matrix.target }}${{ matrix.arch && format('-{0}', matrix.arch) || '' }} - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - rbe: ${{ matrix.rbe }} - request: ${{ inputs.request }} - runs-on: ${{ matrix.runs-on || fromJSON(inputs.request).config.ci.agent-ubuntu }} - timeout-minutes: ${{ matrix.timeout-minutes || 120 }} - error-match: | - ERROR - error: - Error: - steps-post: ${{ matrix.steps-post }} - target: ${{ matrix.target }} - target-suffix: ${{ matrix.target-suffix }} - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - target: release.test_only - name: Release (x64) - target-suffix: x64 - arch: x64 - rbe: true - - target: release.test_only - name: Release (arm64) - target-suffix: arm64 - arch: arm64 - rbe: true - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} - timeout-minutes: 180 - - target: docs - name: Docs - bazel-extra: >- - --config=remote-envoy-engflow - --config=docs-ci - rbe: true - steps-post: | - - uses: 
envoyproxy/toolshed/gh-actions/gcs/artefact/sync@actions-v0.3.23 - with: - bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }} - path: generated/docs - path-upload: docs - sha: ${{ fromJSON(inputs.request).request.sha }} - redirect: >- - ${{ vars.GCS_ARTIFACT_PREFIX - && format('{0}-', vars.GCS_ARTIFACT_PREFIX) - }}${{ fromJSON(inputs.request).request.pr - || fromJSON(inputs.request).request.target-branch }} diff --git a/.github/workflows/_publish_build.yml b/.github/workflows/_publish_build.yml deleted file mode 100644 index 562025c33a249..0000000000000 --- a/.github/workflows/_publish_build.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -name: Build - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cache-key: - required: true - gpg-key: - required: true - gpg-key-password: - required: true - inputs: - arch: - type: string - required: true - gcs-cache-bucket: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - - -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.event.inputs.head_ref - || github.run_id - }}-${{ inputs.arch }}-${{ github.event.workflow.id }}-publish - cancel-in-progress: true - - -jobs: - binary: - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - permissions: - contents: read - packages: read - name: Binary - uses: ./.github/workflows/_run.yml - with: - arch: ${{ inputs.arch }} - bazel-extra: >- - --config=remote-envoy-engflow - target: release.server_only - target-suffix: ${{ inputs.arch }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }} - concurrency-suffix: -${{ inputs.arch }} - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - rbe: true - request: ${{ inputs.request }} - runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }} - timeout-minutes: 120 - trusted: ${{ inputs.trusted }} - upload-name: release.${{ inputs.arch }} - upload-path: envoy/${{ inputs.arch }}/bin/ - - docker: - permissions: - contents: read - packages: read - name: Docker OCI - needs: - - binary - uses: ./.github/workflows/_run.yml - with: - arch: ${{ inputs.arch }} - target: docker - target-suffix: ${{ inputs.arch }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }} - concurrency-suffix: -${{ inputs.arch }} - downloads: | - release.${{ inputs.arch }}: envoy/${{ inputs.arch }}/bin/ - request: ${{ 
inputs.request }} - source: | - export NO_BUILD_SETUP=1 - export ENVOY_DOCKER_IN_DOCKER=1 - export ENVOY_DOCKER_SAVE_IMAGE=true - export ENVOY_OCI_DIR=build_images - - # export DOCKER_BUILD_PLATFORM=${{ inputs.arch == 'x64' && 'linux/amd64' || 'linux/arm64' }} - # export DOCKER_LOAD_IMAGES=true - # export DOCKER_FORCE_OCI_OUTPUT=true - trusted: ${{ inputs.trusted }} - upload-name: oci.${{ inputs.arch }} - upload-path: envoy/${{ inputs.arch }}/build_images - runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }} - - distribution: - permissions: - contents: read - packages: read - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - gpg-key: ${{ secrets.gpg-key }} - gpg-key-password: ${{ secrets.gpg-key-password }} - name: Packages - needs: - - binary - uses: ./.github/workflows/_run.yml - with: - arch: ${{ inputs.arch }} - bazel-extra: >- - --config=remote-cache-envoy-engflow - downloads: | - release.${{ inputs.arch }}: release/${{ inputs.arch }}/bin/ - target: distribution - target-suffix: ${{ inputs.arch }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }} - concurrency-suffix: -${{ inputs.arch }} - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - import-gpg: true - rbe: false - request: ${{ inputs.request }} - runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }} - trusted: ${{ inputs.trusted }} - upload-name: packages.${{ inputs.arch }} - upload-path: envoy/${{ inputs.arch }} diff --git a/.github/workflows/_publish_release.yml b/.github/workflows/_publish_release.yml deleted file mode 100644 index cec064eedf541..0000000000000 --- a/.github/workflows/_publish_release.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -name: Publish - -permissions: - contents: read - -on: - workflow_call: - secrets: - dockerhub-password: - dockerhub-username: - ENVOY_CI_SYNC_APP_ID: - ENVOY_CI_SYNC_APP_KEY: - ENVOY_CI_PUBLISH_APP_ID: - ENVOY_CI_PUBLISH_APP_KEY: - gcs-cache-key: - required: true - gpg-key: - required: true - gpg-key-password: - required: true - inputs: - gcs-cache-bucket: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.event.inputs.head_ref - || github.run_id - }}-${{ github.event.workflow.id }}-publish - cancel-in-progress: true - - -jobs: - sign: - permissions: - contents: read - packages: read - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - gpg-key: ${{ secrets.gpg-key }} - gpg-key-password: ${{ secrets.gpg-key-password }} - if: ${{ github.repository == 'envoyproxy/envoy-ci-staging' }} - name: Sign packages - uses: ./.github/workflows/_run.yml - with: - target: release.signed - bazel-extra: >- - --//distribution:x64-packages=//distribution:custom/x64/packages.x64.tar.gz - --//distribution:arm64-packages=//distribution:custom/arm64/packages.arm64.tar.gz - --//distribution:x64-release=//distribution:custom/x64/bin/release.tar.zst - --//distribution:arm64-release=//distribution:custom/arm64/bin/release.tar.zst - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - diskspace-hack: true - downloads: | - packages.arm64: envoy/arm64/ - packages.x64: envoy/x64/ - release.arm64: envoy/arm64/bin/ - release.x64: envoy/x64/bin/ - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - import-gpg: true - request: ${{ inputs.request }} - source: | - export NO_BUILD_SETUP=1 - trusted: ${{ inputs.trusted }} - upload-name: release.signed - upload-path: envoy/release.signed.tar.zst - steps-pre: | - - run: | - mkdir distribution/custom - cp -a %{{ runner.temp }}/envoy/x64 %{{ 
runner.temp }}/envoy/arm64 distribution/custom - shell: bash - - container: - secrets: - dockerhub-username: ${{ secrets.dockerhub-username }} - dockerhub-password: ${{ secrets.dockerhub-password }} - permissions: - contents: read - packages: read - name: Publish container images - uses: ./.github/workflows/_publish_release_container.yml - with: - dockerhub-repo: ${{ vars.DOCKERHUB_REPO || 'envoy' }} - dev: ${{ fromJSON(inputs.request).request.version.dev }} - sha: ${{ fromJSON(inputs.request).request.sha }} - target-branch: ${{ fromJSON(inputs.request).request.target-branch }} - trusted: ${{ inputs.trusted }} - version-major: ${{ fromJSON(inputs.request).request.version.major }} - version-minor: ${{ fromJSON(inputs.request).request.version.minor }} - version-patch: ${{ fromJSON(inputs.request).request.version.patch }} - - release: - secrets: - app-id: ${{ inputs.trusted && secrets.ENVOY_CI_PUBLISH_APP_ID || '' }} - app-key: ${{ inputs.trusted && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }} - gcs-cache-key: ${{ secrets.gcs-cache-key }} - permissions: - contents: read - packages: read - needs: - - container - - sign - name: ${{ matrix.name || matrix.target }} - uses: ./.github/workflows/_run.yml - with: - target: ${{ matrix.target }} - rbe: false - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - downloads: | - release.signed: release.signed - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - source: ${{ matrix.source }} - request: ${{ inputs.request }} - steps-pre: ${{ matrix.steps-pre }} - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - target: publish - name: github - source: | - export ENVOY_COMMIT=${{ fromJSON(inputs.request).request.sha }} - export ENVOY_REPO=${{ github.repository }} - export ENVOY_PUBLISH_DRY_RUN=${{ (fromJSON(inputs.request).request.version.dev || ! 
inputs.trusted) && 1 || '' }} - - docs: - # For normal commits to Envoy main this will trigger an update in the website repo, - # which will update its envoy dep shas, and rebuild the website for the latest docs - # - # For commits that create a release, it instead triggers an update in the archive repo, - # which builds a static version of the docs for the release and commits it to the archive. - # In turn the archive repo triggers an update in the website so the new release docs are - # included in the published site - if: ${{ inputs.trusted && github.repository == 'envoyproxy/envoy' }} - runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }} - needs: - - release - steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - id: appauth - with: - app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} - key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.23 - with: - ref: main - repository: ${{ fromJSON(inputs.request).request.version.dev && 'envoyproxy/envoy-website' || 'envoyproxy/archive' }} - token: ${{ steps.appauth.outputs.token }} - workflow: envoy-sync.yaml - inputs: | - commit_sha: ${{ fromJSON(inputs.request).request.version.dev && github.sha || '' }} diff --git a/.github/workflows/_publish_release_container.yml b/.github/workflows/_publish_release_container.yml deleted file mode 100644 index e5452e5f8426b..0000000000000 --- a/.github/workflows/_publish_release_container.yml +++ /dev/null 
@@ -1,189 +0,0 @@ -name: Publish (containers) - -permissions: - contents: read - -on: - workflow_call: - secrets: - dockerhub-password: - dockerhub-username: - inputs: - dev: - required: true - type: boolean - default: true - dockerhub-repo: - required: true - default: envoy - type: string - sha: - required: true - type: string - target-branch: - required: true - type: string - trusted: - required: true - type: boolean - version-major: - required: false - type: number - version-minor: - required: false - type: number - version-patch: - required: false - type: number - -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.event.inputs.head_ref - || github.run_id - }}-${{ github.event.workflow.id }}-publish-release-container - cancel-in-progress: true - - -jobs: - push-manifests: - name: Create manifests (${{ inputs.trustred && 'dry run' || 'push' }}) - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: read - steps: - - name: Generate manifest configuration (dev) - id: dev-config - if: ${{ inputs.dev && inputs.target-branch == 'main' }} - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 - with: - input-format: yaml - filter: >- - {manifests: .} - input: | - - name: ${{ inputs.dockerhub-repo }} - tag: dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy.{arch}.tar - additional-tags: - - dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: contrib-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib.{arch}.tar - additional-tags: - - contrib-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: contrib-debug-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib-debug.{arch}.tar - additional-tags: - - contrib-debug-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: distroless-dev - registry: docker.io/envoyproxy - 
architectures: - - amd64 - - arm64 - artifact-pattern: envoy-distroless.{arch}.tar - additional-tags: - - distroless-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: google-vrp-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - artifact-pattern: envoy-google-vrp.{arch}.tar - additional-tags: - - google-vrp-dev-${{ github.sha }} - - name: ${{ inputs.dockerhub-repo }} - tag: tools-dev - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-tools.{arch}.tar - additional-tags: - - tools-dev-${{ github.sha }} - - - name: Generate manifest configuration (release) - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.24 - id: release-config - if: ${{ ! inputs.dev || ! inputs.target-branch != 'main' }} - with: - input-format: yaml - filter: >- - {manifests: .} - input: | - - name: ${{ inputs.dockerhub-repo }} - tag: v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy.{arch}.tar - additional-tags: - - v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: contrib-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib.{arch}.tar - additional-tags: - - contrib-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: contrib-debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-contrib-debug.{arch}.tar - additional-tags: - - contrib-debug-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: distroless-v${{ inputs.version-major }}.${{ 
inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-distroless.{arch}.tar - additional-tags: - - distroless-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: google-vrp-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - artifact-pattern: envoy-google-vrp.{arch}.tar - additional-tags: - - google-vrp-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - name: ${{ inputs.dockerhub-repo }} - tag: tools-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }} - registry: docker.io/envoyproxy - architectures: - - amd64 - - arm64 - artifact-pattern: envoy-tools.{arch}.tar - additional-tags: - - tools-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest - - - name: Collect and push OCI artifacts - uses: envoyproxy/toolshed/gh-actions/oci/collector@555132e7108208a8a610af6e03c38c97c204119d - with: - artifacts-pattern: oci.* - manifest-config: ${{ steps.dev-config.outputs.value || steps.release-config.outputs.value }} - dry-run: ${{ ! inputs.trusted || (inputs.target-branch != 'main' && inputs.dev) }} - dockerhub-username: ${{ inputs.trusted && secrets.dockerhub-username || '' }} - dockerhub-password: ${{ inputs.trusted && secrets.dockerhub-password || '' }} diff --git a/.github/workflows/_publish_verify.yml b/.github/workflows/_publish_verify.yml deleted file mode 100644 index 1f236fcf8020f..0000000000000 --- a/.github/workflows/_publish_verify.yml +++ /dev/null 
@@ -1,193 +0,0 @@ -name: Verify - -permissions: - contents: read - -on: - workflow_call: - secrets: - gcs-cache-key: - required: true - inputs: - gcs-cache-bucket: - type: string - required: true - request: - type: string - required: true - trusted: - type: boolean - required: true - -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.event.inputs.head_ref - || github.run_id - }}-${{ github.event.workflow.id }}-verify - cancel-in-progress: true - - -jobs: - examples: - permissions: - contents: read - packages: read - name: ${{ matrix.name || matrix.target }} - uses: ./.github/workflows/_run.yml - with: - bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }} - cache-build-image: ${{ matrix.cache-build-image }} - cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }} - container-command: ${{ matrix.container-command }} - concurrency-suffix: -${{ matrix.arch || 'x64' }} - downloads: ${{ matrix.downloads }} - rbe: ${{ matrix.rbe }} - request: ${{ inputs.request }} - steps-pre: ${{ matrix.steps-pre }} - source: ${{ matrix.source }} - target: ${{ matrix.target }} - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - name: examples - target: verify_examples - downloads: | - oci.arm64: build_images - oci.x64: build_images - rbe: false - source: | - export NO_BUILD_SETUP=1 - steps-pre: | - - run: | - # Install expected host packages - export DEBIAN_FRONTEND=noninteractive - sudo apt-get -qq update -y - sudo apt-get -qq install -y --no-install-recommends expect gettext yq whois - shell: bash - - run: | - IMAGES=( - envoy:dev - envoy-contrib:contrib-dev - envoy-google-vrp:google-vrp-dev) - for image in "${IMAGES[@]}"; do - src_name="$(echo ${image} | cut -d: -f1)" - dest_name="$(echo ${image} | cut -d: -f2)" - src="oci-archive:%{{ runner.temp }}/build_images/${src_name}.amd64.tar" - dest="docker-daemon:envoyproxy/envoy:${dest_name}" - echo 
"Copy image: ${src} ${dest}" - skopeo copy -q "${src}" "${dest}" - done - shell: bash - - run: docker images | grep envoy - shell: bash - - distroless: - permissions: - contents: read - packages: read - name: ${{ matrix.name || matrix.target }} - uses: ./.github/workflows/_run.yml - with: - bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }} - cache-build-image: ${{ matrix.cache-build-image }} - cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }} - container-command: ${{ matrix.container-command }} - concurrency-suffix: -${{ matrix.arch || 'x64' }} - downloads: ${{ matrix.downloads }} - rbe: ${{ matrix.rbe }} - request: ${{ inputs.request }} - steps-pre: ${{ matrix.steps-pre }} - source: ${{ matrix.source }} - target: ${{ matrix.target }} - trusted: ${{ inputs.trusted }} - strategy: - fail-fast: false - matrix: - include: - - name: distroless - target: verify-distroless - downloads: | - oci.x64: build_images - rbe: false - source: | - export NO_BUILD_SETUP=1 - steps-pre: | - - run: | - IMAGES=( - envoy-distroless:distroless-dev) - for image in "${IMAGES[@]}"; do - src_name="$(echo ${image} | cut -d: -f1)" - dest_name="$(echo ${image} | cut -d: -f2)" - src="oci-archive:%{{ runner.temp }}/build_images/${src_name}.amd64.tar" - dest="docker-daemon:envoyproxy/envoy:${dest_name}" - echo "Copy image: ${src} ${dest}" - skopeo copy -q "${src}" "${dest}" - done - shell: bash - - run: docker images | grep envoy - shell: bash - - distro: - secrets: - gcs-cache-key: ${{ secrets.gcs-cache-key }} - permissions: - contents: read - packages: read - name: ${{ matrix.name || matrix.target }} - uses: ./.github/workflows/_run.yml - with: - arch: ${{ matrix.arch }} - bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }} - cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} - cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }} - 
container-command: ./ci/run_envoy_docker.sh - concurrency-suffix: -${{ matrix.arch || 'x64' }} - diskspace-hack: true - downloads: | - release.signed: release.signed - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - rbe: ${{ matrix.rbe && matrix.rbe || false }} - request: ${{ inputs.request }} - runs-on: ${{ matrix.runs-on }} - source: | - export NO_BUILD_SETUP=1 - export ENVOY_DOCKER_IN_DOCKER=1 - target: ${{ matrix.target }} - target-suffix: ${{ matrix.arch }} - trusted: ${{ inputs.trusted }} - steps-pre: | - - run: | - echo ARCH=${{ matrix.arch }} >> $GITHUB_ENV - echo DEB_ARCH=${{ matrix.arch == 'arm64' && 'arm64' || 'amd64' }} >> $GITHUB_ENV - shell: bash - - run: | - TEMP_DIR=$(mktemp -d) - zstd --stdout -d %{{ runner.temp }}/release.signed/release.signed.tar.zst | tar --warning=no-timestamp -xf - -C "${TEMP_DIR}" - mkdir ${TEMP_DIR}/debs - tar xf ${TEMP_DIR}/bin/debs.tar.gz -C ${TEMP_DIR}/debs - mkdir -p ${TEMP_DIR}/distribution/deb - cp -a ${TEMP_DIR}/debs/*_${DEB_ARCH}* ${TEMP_DIR}/distribution/deb - cp -a ${TEMP_DIR}/signing.key ${TEMP_DIR}/distribution - mkdir -p %{{ runner.temp }}/distribution/${ARCH} - tar czf %{{ runner.temp }}/distribution/${ARCH}/packages.${ARCH}.tar.gz -C ${TEMP_DIR}/distribution . - shell: bash - - strategy: - fail-fast: false - matrix: - include: - - - name: verify_distro_x64 - target: verify_distro - arch: x64 - rbe: true - - - name: verify_distro_arm64 - target: verify_distro - arch: arm64 - bazel-extra: >- - --config=remote-cache-envoy-engflow - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} diff --git a/.github/workflows/_request.yml b/.github/workflows/_request.yml deleted file mode 100644 index 523bf4eb02278..0000000000000 --- a/.github/workflows/_request.yml +++ /dev/null 
@@ -1,222 +0,0 @@ -name: Request/incoming - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - lock-app-id: - required: true - lock-app-key: - required: true - gcs-cache-key: - required: true - - # Defaults are set .github/config.yml on the `main` branch. - inputs: - gcs-cache-bucket: - type: string - required: true - - cache-bazel-hash-paths: - type: string - default: | - WORKSPACE - **/*.bzl - config-file: - type: string - default: ./.github/config.yml - -concurrency: - group: | - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.head_ref - || github.run_id - }}-${{ github.workflow }}-env-prime - cancel-in-progress: true - -env: - CI_DEBUG: ${{ (vars.CI_DEBUG || vars.RUNNER_DEBUG) && true || false }} - - -jobs: - incoming: - if: ${{ github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI }} - runs-on: ubuntu-24.04 - permissions: - contents: read - pull-requests: read - outputs: - env: ${{ steps.data.outputs.value }} - caches: ${{ steps.caches.outputs.value }} - config: ${{ steps.config.outputs.config }} - steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - id: started - name: Create timestamp - with: - options: -r - filter: | - now - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - id: checkout - name: Checkout Envoy repository (requested) - with: - pr: ${{ github.event.number }} - branch: ${{ github.ref_name }} - config: | - fetch-depth: ${{ startsWith(github.event_name, 'pull_request') && 1 || 2 }} - path: requested - # This step *LOOKS AT* the repo at the point requested - # Its essential that this _job_ *MUST NOT EXECUTE ANY CODE FROM THE CHECKED OUT REPO* - # *ALL* variables collected should be treated as untrusted and should be sanitized before - # use - - name: Generate environment variables from commit - uses: envoyproxy/toolshed/gh-actions/envoy/ci/request@actions-v0.3.23 - id: env - with: - branch-name: ${{ 
steps.checkout.outputs.branch-name }} - config-file: ${{ inputs.config-file }} - merge-commit: ${{ steps.checkout.outputs.merge-commit }} - started: ${{ steps.started.outputs.value }} - token: ${{ secrets.GITHUB_TOKEN }} - vars: ${{ toJSON(vars) }} - working-directory: requested - - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - id: checkout-target - name: Checkout Envoy repository (target branch) - with: - branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - config: | - fetch-depth: 1 - path: target - - uses: envoyproxy/toolshed/gh-actions/hashfiles@actions-v0.3.23 - id: bazel-cache-hash - name: Bazel cache hash - with: - files: ${{ inputs.cache-bazel-hash-paths }} - working-directory: target - - - name: Request summary - id: summary - uses: envoyproxy/toolshed/gh-actions/github/env/summary@actions-v0.3.23 - with: - actor: ${{ toJSON(fromJSON(steps.env.outputs.data).request.actor) }} - base-sha: ${{ fromJSON(steps.env.outputs.data).request.base-sha }} - link: ${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }} - output-path: GITHUB_STEP_SUMMARY - pr: ${{ github.event.number }} - data: ${{ steps.env.outputs.data }} - tables: ${{ toJSON(fromJSON(steps.env.outputs.data).config.tables) }} - icon: ${{ fromJSON(steps.env.outputs.data).config.envoy.icon }} - message: ${{ fromJSON(steps.env.outputs.data).request.message }} - ref: ${{ fromJSON(steps.env.outputs.data).request.ref }} - sha: ${{ fromJSON(steps.env.outputs.data).request.sha }} - target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }} - - - name: Environment data - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - id: data - with: - input: | - cache: - bazel: ${{ steps.bazel-cache-hash.outputs.value }} - env: ${{ steps.env.outputs.data }} - title: ${{ steps.summary.outputs.title }} - link: ${{ format('https://github.com/{0}/actions/runs/{1}', github.repository, github.run_id) }} - summary: ${{ 
steps.summary.outputs.summary }} - input-format: yaml - filter: | - .title as $title - | .cache as $cache - | .env.config.envoy.icon as $icon - | .link as $link - | "\($icon) Request ([\($title)](\($link)))" as $linkedTitle - | .summary as $summary - | .env - | .config.ci.cache = $cache - | .summary = { - $summary, - $title, - $link, - "linked-title": $linkedTitle} - | del(.config.tables) - - # TODO(phlax): shift this to ci/request action above - - name: Check Docker cache (x64) - id: cache-exists-docker-x64 - uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 - with: - lookup-only: true - path: /tmp/cache - key: ${{ fromJSON(steps.data.outputs.value).request.build-image.default }} - - name: Check Docker cache (arm64) - id: cache-exists-docker-arm64 - uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 - with: - lookup-only: true - path: /tmp/cache - key: ${{ fromJSON(steps.data.outputs.value).request.build-image.default }}-arm64 - - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 - name: Setup GCP - with: - key: ${{ secrets.gcs-cache-key }} - - - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.23 - name: Check GCS bucket cache (x64) - id: cache-exists-bazel-x64 - with: - bucket: ${{ inputs.gcs-cache-bucket }} - key: ${{ fromJSON(steps.data.outputs.value).config.ci.cache.bazel }}-x64 - - uses: envoyproxy/toolshed/gh-actions/gcs/cache/exists@actions-v0.3.23 - name: Check GCS bucket cache (arm64) - id: cache-exists-bazel-arm64 - with: - bucket: ${{ inputs.gcs-cache-bucket }} - key: ${{ fromJSON(steps.data.outputs.value).config.ci.cache.bazel }}-arm64 - - - name: Caches - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - id: caches - with: - input-format: yaml - input: | - bazel: - x64: ${{ steps.cache-exists-bazel-x64.outputs.exists || 'false' }} - arm64: ${{ steps.cache-exists-bazel-arm64.outputs.exists || 'false' }} - docker: - x64: ${{ 
steps.cache-exists-docker-x64.outputs.cache-hit || 'false' }} - arm64: ${{ steps.cache-exists-docker-arm64.outputs.cache-hit || 'false' }} - - cache: - permissions: - contents: read - packages: read - if: ${{ github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI }} - needs: incoming - uses: ./.github/workflows/_request_cache.yml - secrets: - app-id: ${{ secrets.lock-app-id }} - app-key: ${{ secrets.lock-app-key }} - gcs-cache-key: ${{ secrets.gcs-cache-key }} - with: - caches: ${{ needs.incoming.outputs.caches }} - env: ${{ needs.incoming.outputs.env }} - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - - checks: - if: ${{ github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI }} - needs: incoming - uses: ./.github/workflows/_request_checks.yml - secrets: - app-id: ${{ secrets.app-id }} - app-key: ${{ secrets.app-key }} - with: - env: ${{ needs.incoming.outputs.env }} diff --git a/.github/workflows/_request_cache.yml b/.github/workflows/_request_cache.yml deleted file mode 100644 index 919aa6c5b9eec..0000000000000 --- a/.github/workflows/_request_cache.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -name: Request/cache - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - gcs-cache-key: - required: true - - inputs: - env: - type: string - required: true - caches: - type: string - required: true - gcs-cache-bucket: - type: string - required: true - - -jobs: - docker: - secrets: - app-id: ${{ secrets.app-id }} - app-key: ${{ secrets.app-key }} - name: Docker/${{ matrix.arch }} - uses: ./.github/workflows/_request_cache_docker.yml - with: - arch: ${{ matrix.arch }} - cache-suffix: ${{ matrix.cache-suffix }} - caches: ${{ inputs.caches }} - image-tag: ${{ fromJSON(inputs.env).request.build-image.default }} - runs-on: ${{ matrix.runs-on }} - strategy: - fail-fast: false - matrix: - include: - - target: docker-x64 - arch: x64 - - target: docker-arm64 - arch: arm64 - cache-suffix: -arm64 - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} - - bazel: - permissions: - contents: read - packages: read - secrets: - app-id: ${{ secrets.app-id }} - app-key: ${{ secrets.app-key }} - gcs-cache-key: ${{ secrets.gcs-cache-key }} - name: ${{ matrix.name || matrix.target }} - uses: ./.github/workflows/_request_cache_bazel.yml - with: - arch: ${{ matrix.arch || 'x64' }} - bazel-extra: ${{ matrix.bazel-extra }} - caches: ${{ inputs.caches }} - gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }} - request: ${{ inputs.env }} - runs-on: ${{ matrix.runs-on }} - targets: ${{ matrix.targets || '...' }} - strategy: - fail-fast: false - matrix: - include: - - name: Bazel (x64/cache) - bazel-extra: >- - --config=remote-envoy-engflow - - name: Bazel (arm64/cache) - arch: arm64 - runs-on: ${{ vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm' }} - bazel-extra: >- - --config=common-envoy-engflow - --config=cache-envoy-engflow - targets: >- - //test/... - //contrib/... - //source/... 
diff --git a/.github/workflows/_request_cache_bazel.yml b/.github/workflows/_request_cache_bazel.yml deleted file mode 100644 index 3c0f9b3facc73..0000000000000 --- a/.github/workflows/_request_cache_bazel.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -name: Request/Cache prime (bazel) - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - gcs-cache-key: - required: true - - inputs: - gcs-cache-bucket: - type: string - required: true - - arch: - type: string - default: x64 - bazel-extra: - type: string - default: >- - --config=remote-envoy-engflow - caches: - type: string - required: true - request: - type: string - required: true - runs-on: - type: string - default: - lock-repository: - type: string - default: envoyproxy/ci-mutex - targets: - type: string - default: ... - - -jobs: - bazel: - permissions: - contents: read - packages: read - runs-on: ${{ inputs.runs-on || fromJSON(inputs.request).config.ci.agent-ubuntu }} - name: "[${{ inputs.arch }}] Prime Bazel cache" - if: ${{ ! fromJSON(inputs.caches).bazel[inputs.arch] }} - steps: - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - id: checkout-target - name: Checkout Envoy repository (target branch) - with: - branch: ${{ fromJSON(inputs.request).request.target-branch }} - config: | - fetch-depth: 1 - - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - id: appauth - name: Appauth (mutex lock) - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 - name: Setup GCP - with: - key: ${{ secrets.gcs-cache-key }} - force-install: ${{ contains(fromJSON('["envoy-arm64-medium", "github-arm64-2c-8gb"]'), inputs.runs-on) }} - - run: | - # Simulate container build directory - sudo mkdir /build - sudo chown runner:docker /build - echo "GITHUB_TOKEN=${{ github.token }}" >> $GITHUB_ENV - - uses: envoyproxy/toolshed/gh-actions/cache/prime@actions-v0.3.23 - id: bazel-cache - name: Prime Bazel cache - with: - change-directory: false - # TODO(phlax): add loop for multiple targets - command: | - # Simulate container source directory - sudo mkdir /source - sudo chown 
runner:docker /source - cd /source - git clone "$GITHUB_WORKSPACE" . - - export BAZEL_BUILD_EXTRA_OPTIONS="--config=ci ${{ inputs.bazel-extra }}" - export ENVOY_CACHE_ROOT=/build/bazel_root - export ENVOY_CACHE_TARGETS=$(echo "${{ inputs.targets }}" | sed 's/ / + /g') - # ironically the repository_cache is just about the only thing you dont want to cache - export ENVOY_REPOSITORY_CACHE=/tmp/cache - ./ci/do_ci.sh cache-create - gcs-bucket: ${{ inputs.gcs-cache-bucket }} - key: ${{ fromJSON(inputs.request).config.ci.cache.bazel }}-${{ inputs.arch }} - lock-token: ${{ steps.appauth.outputs.token }} - lock-repository: ${{ inputs.lock-repository }} - mount-tmpfs: false - path: /build/bazel_root - run-as-sudo: false diff --git a/.github/workflows/_request_cache_docker.yml b/.github/workflows/_request_cache_docker.yml deleted file mode 100644 index ae8314e331c45..0000000000000 --- a/.github/workflows/_request_cache_docker.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -name: Request/cache (prime Docker) - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - inputs: - caches: - type: string - required: true - image-tag: - type: string - required: true - - arch: - type: string - default: x64 - cache-suffix: - type: string - default: - runs-on: - type: string - default: - lock-repository: - type: string - default: envoyproxy/ci-mutex - -## Docker cache -# -# This workflow will only prime the cache, and should be done separately first, prior -# to any jobs that require it. -# -# For a job that does, you can restore with something like: -# -# steps: -# - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.23 -# with: -# key: "${{ needs.env.outputs.build-image }}" -# - - -jobs: - docker: - runs-on: ${{ inputs.runs-on || 'ubuntu-24.04' }} - name: "[${{ inputs.arch }}] Prime Docker cache" - if: ${{ ! fromJSON(inputs.caches).docker[inputs.arch] }} - steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - id: appauth - name: Appauth (mutex lock) - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/docker/cache/prime@actions-v0.3.23 - id: docker - name: Prime Docker cache (${{ inputs.image-tag }}${{ inputs.cache-suffix }}) - with: - image-tag: ${{ inputs.image-tag }} - key-suffix: ${{ inputs.cache-suffix }} - lock-token: ${{ steps.appauth.outputs.token }} - lock-repository: ${{ inputs.lock-repository }} - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - id: data - name: Cache data - with: - input-format: yaml - input: | - cached: ${{ steps.docker.outputs.cached }} - key: ${{ inputs.image-tag }}${{ inputs.cache-suffix }} - - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.23 - name: Summary - with: - json: ${{ steps.data.outputs.value }} - output-path: GITHUB_STEP_SUMMARY - title: >- - Cache (Docker ${{ inputs.arch }}) 
diff --git a/.github/workflows/_request_checks.yml b/.github/workflows/_request_checks.yml deleted file mode 100644 index ab9748555ffe7..0000000000000 --- a/.github/workflows/_request_checks.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -name: Workflow start -# This workflow is only required for externally triggered jobs that need to manually -# set the check status for a commit/PR - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - required: true - app-key: - required: true - inputs: - details-url: - type: string - default: >- - https://github.com/envoyproxy/envoy/tree/main/.github/workflows - env: - type: string - required: true - run-summary: - type: string - default: >- - The check will start once any required jobs have completed and a VM becomes available - run-title: - type: string - default: >- - Waiting for check ... - skipped-summary: - type: string - default: >- - This check was not triggered in this CI run - skipped-title: - type: string - default: >- - Check was skipped - template-run-text: - type: string - default: | - ## \($icon) Check run pending - - ## Details of the check run will be provided here once it has started. - - ### Check started by - - -env: - CI_DEBUG: ${{ (vars.CI_DEBUG || vars.RUNNER_DEBUG) && true || false }} - - -jobs: - start: - runs-on: ${{ fromJSON(inputs.env).config.ci.agent-ubuntu }} - name: Start checks - steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - id: check-config - name: Prepare check data - with: - print-result: ${{ fromJSON(env.CI_DEBUG || 'false') && true || false }} - input: ${{ inputs.env }} - filter: | - . 
as $env - | .config.envoy.icon as $icon - | {} - | .["head_sha"] = $env.request.sha - | .details_url = "${{ inputs.details-url }}" - | {run: ., skipped: ., request: $env.summary.summary} - | .run.output.title = "${{ inputs.run-title }}" - | .run.output.summary = "${{ inputs.run-summary }}" - | .run.output.text = "${{ inputs.template-run-text }}" - | .run.status = "queued" - | .skipped.status = "completed" - | .skipped.conclusion = "skipped" - | .skipped.output.title = "${{ inputs.skipped-title }}" - | .skipped.output.summary = "${{ inputs.skipped-summary }}" - | .skipped.output.text = "" - - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - name: Appauth - id: appauth - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - - uses: envoyproxy/toolshed/gh-actions/github/checks@actions-v0.3.23 - name: Start checks - id: checks - with: - checks: ${{ toJSON(fromJSON(inputs.env).checks) }} - config: ${{ steps.check-config.outputs.value }} - text-extra: | - ## ${{ fromJSON(inputs.env).summary.linked-title }} - - ${{ fromJSON(inputs.env).summary.summary }} - token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/json/table@actions-v0.3.23 - name: Summary - with: - collapse-open: true - json: | - {"checks": ${{ steps.checks.outputs.checks }}, - "config": ${{ toJSON(fromJSON(inputs.env).checks) }}} - filter: | - .checks - heading: >- - ${{ fromJSON(inputs.env).config.envoy.icon }} Checks - mutate-cells: | - .cell as $cell - | .row as $row - | .table as $table - | $cell - | if ($row | index($cell) == 0) then - $table.data.config[$cell].name - elif ($table.data.config[$row[0]].action != "SKIP") then - "[started](http://github.com/${{ github.repository }}/runs/\($cell))" - else "skipped" end - output-path: GITHUB_STEP_SUMMARY - title: Checks started/skipped - - - uses: envoyproxy/toolshed/gh-actions/github/env/save@actions-v0.3.23 - name: Save env - id: data - with: - env: ${{ inputs.env }} - env-filter: | - ${{ 
steps.checks.outputs.checks }} as $checksStarted - | .checks - |= with_entries( - if $checksStarted[.key] != "skipped" then - .value["check-id"] = $checksStarted[.key] - else . end) diff --git a/.github/workflows/_run.yml b/.github/workflows/_run.yml deleted file mode 100644 index 8440c03855865..0000000000000 --- a/.github/workflows/_run.yml +++ /dev/null 
@@ -1,414 +0,0 @@ -name: Envoy CI - -permissions: - contents: read - -on: - workflow_call: - secrets: - app-id: - app-key: - dockerhub-password: - gcp-key: - gcs-cache-key: - gpg-key: - gpg-key-password: - rbe-key: - ssh-key: - ssh-key-extra: - inputs: - args: - type: string - arch: - type: string - bazel-extra: - type: string - bazel-rbe-jobs: - type: number - default: 200 - cache-build-image: - type: string - cache-build-image-key-suffix: - type: string - catch-errors: - type: boolean - default: false - checkout-extra: - type: string - concurrency-suffix: - type: string - default: - container-command: - type: string - default: ./ci/run_envoy_docker.sh - container-output: - type: string - default: - command: - type: string - default: ./ci/do_ci.sh - diskspace-hack: - type: boolean - default: false - diskspace-hack-paths: - type: string - default: - docker-ipv6: - default: true - type: boolean - dockerhub-username: - default: envoyproxy - type: string - downloads: - type: string - entrypoint: - type: string - default: - error-match: - type: string - default: | - ERROR - error: - Error: - fail-match: - type: string - gcs-cache-bucket: - type: string - import-gpg: - type: boolean - default: false - notice-match: - type: string - default: | - NOTICE - Streaming build results - output-path: - type: string - default: - rbe: - type: boolean - default: true - rbe-google: - type: boolean - default: false - repo-fetch-depth: - type: number - default: 1 - report-pre: - type: string - default: | - - run: | - # Pre build report - df -h > "${TMP_REPORT}/df-pre" - if [[ ! -e "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha256/" ]]; then - exit 0 - fi - find "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha256/" -maxdepth 1 -type d \ - | rev \ - | cut -d/ -f1 \ - | rev \ - > "${TMP_REPORT}/shas-pre" - if [[ ! 
-e "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha384/" ]]; then - exit 0 - fi - find "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha384/" -maxdepth 1 -type d \ - | rev \ - | cut -d/ -f1 \ - | rev \ - >> "${TMP_REPORT}/shas-pre" - shell: bash - report-post: - type: string - default: | - - run: | - # Post build report - df -h > "${TMP_REPORT}/df-post" - (du -ch "%{{ inputs.temp-dir || runner.temp }}" | grep -E "[0-9]{2,}M|[0-9]G" || :) > "${TMP_REPORT}/du-post" - if [[ ! -e "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha256/" ]]; then - exit 0 - fi - find "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha256/" -maxdepth 1 -type d \ - | rev \ - | cut -d/ -f1 \ - | rev \ - > "${TMP_REPORT}/shas-post" - if [[ ! -e "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha384/" ]]; then - exit 0 - fi - find "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha384/" -maxdepth 1 -type d \ - | rev \ - | cut -d/ -f1 \ - | rev \ - >> "${TMP_REPORT}/shas-post" - shell: bash - request: - type: string - required: true - runs-on: - type: string - default: - skip: - type: boolean - default: false - source: - type: string - summary-post: - type: string - default: | - - uses: envoyproxy/toolshed/gh-actions/envoy/run/summary@actions-v0.3.23 - with: - context: %{{ inputs.context }} - steps-pre: - type: string - steps-pre-name: - type: string - steps-post: - type: string - steps-post-name: - type: string - target: - type: string - required: true - target-name: - type: string - target-suffix: - type: string - temp-dir: - type: string - timeout-minutes: - type: number - default: 60 - trusted: - type: boolean - required: true - upload-name: - type: string - upload-path: - type: string - warning-match: - type: string - default: | - WARNING - warning: - Warning: - working-directory: - type: string - default: . 
- -concurrency: - group: >- - ${{ github.actor != 'trigger-release-envoy[bot]' - && github.head_ref - || github.run_id - }}-${{ github.workflow }}-${{ inputs.target }}${{ inputs.concurrency-suffix }} - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - ci: - permissions: - contents: read - packages: read - if: ${{ ! inputs.skip }} - runs-on: ${{ inputs.runs-on || fromJSON(inputs.request).config.ci.agent-ubuntu }} - name: ${{ inputs.target-suffix && format('[{0}] ', inputs.target-suffix) || '' }}${{ inputs.command }} ${{ inputs.target }} - timeout-minutes: ${{ inputs.timeout-minutes }} - steps: - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - id: started - name: Create timestamp - with: - options: -r - filter: | - now - # This controls which input vars are exposed to the run action (and related steps) - - uses: envoyproxy/toolshed/gh-actions/jq@actions-v0.3.23 - name: Context - id: context - with: - print-result: ${{ fromJSON(env.CI_DEBUG || 'false') && true || false }} - input: ${{ inputs.request }} - filter: | - . - | (.check // {name: "${{ github.workflow }}"}) as $check - | .config as $config - | if "${{ inputs.runs-on }}" != "" then - "${{ inputs.runs-on }}" - else .config.ci["agent-ubuntu"] end - | . as $runsOn - | {"target": "${{ inputs.target }}", - "catch-errors": ${{ inputs.catch-errors }}, - "runs-on": $runsOn, - "job-started": ${{ steps.started.outputs.value }}} - | . 
* {$config, $check} - - - - run: | - sudo mkdir -p /etc/docker - echo '{ - "ipv6": true, - "fixed-cidr-v6": "2001:db8:1::/64" - }' | sudo tee /etc/docker/daemon.json - sudo service docker restart - name: Configure Docker ipv6 - if: ${{ inputs.docker-ipv6 }} - - # Caches - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 - name: Setup GCP (cache) - if: ${{ inputs.gcs-cache-bucket }} - with: - key: ${{ secrets.gcs-cache-key }} - force-install: ${{ contains(fromJSON('["envoy-arm64-medium", "github-arm64-2c-8gb"]'), inputs.runs-on) }} - - uses: envoyproxy/toolshed/gh-actions/cache/restore@actions-v0.3.23 - if: ${{ inputs.gcs-cache-bucket }} - name: >- - Restore Bazel cache - (${{ fromJSON(inputs.request).config.ci.cache.bazel }}) - with: - gcs-bucket: ${{ inputs.gcs-cache-bucket }} - key: ${{ fromJSON(inputs.request).config.ci.cache.bazel }}-${{ inputs.arch || 'x64' }} - path: ${{ runner.temp }}/bazel_root - - # HACK/WORKAROUND for cache scope issue (https://github.com/envoyproxy/envoy/issues/37603) - - if: ${{ inputs.cache-build-image }} - id: cache-lookup - uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 - with: - lookup-only: true - path: /tmp/cache - key: ${{ inputs.cache-build-image }}${{ inputs.cache-build-image-key-suffix }} - - if: ${{ inputs.cache-build-image && steps.cache-lookup.outputs.cache-hit == 'true' }} - name: Restore Docker cache ${{ inputs.cache-build-image && format('({0})', inputs.cache-build-image) || '' }} - uses: envoyproxy/toolshed/gh-actions/docker/cache/restore@actions-v0.3.23 - with: - image-tag: ${{ inputs.cache-build-image }} - key-suffix: ${{ inputs.cache-build-image-key-suffix }} - - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - id: appauth - name: Appauth - if: ${{ inputs.trusted }} - with: - app_id: ${{ secrets.app-id }} - key: ${{ secrets.app-key }} - # You cant use a secret as a condition so this always runs even if the app id/key are empty - # - the workaround is to 
allow the token to be passed through. - token: ${{ github.token }} - token-ok: true - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - id: checkout - name: Checkout Envoy repository - with: - branch: ${{ fromJSON(inputs.request).request.target-branch }} - config: | - fetch-depth: ${{ inputs.repo-fetch-depth }} - # WARNING: This allows untrusted code to run!!! - # If this is set to run untrusted code, then anything before or after in the job should be regarded as - # compromisable. - ref: ${{ inputs.trusted && fromJSON(inputs.request).request.sha || fromJSON(inputs.request).request.ref }} - fetch-merge-commit: false - pr: ${{ fromJSON(inputs.request).request.pr }} - ssh-key: ${{ inputs.trusted && inputs.ssh-key || '' }} - token: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }} - - # This is currently only use by mobile-docs and can be removed once they are updated to the newer website - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - id: checkout-extra - name: Checkout extra repository (for publishing) - if: ${{ inputs.checkout-extra }} - with: - config: ${{ inputs.checkout-extra }} - ssh-key: ${{ inputs.trusted && inputs.ssh-key-extra || '' }} - - - name: Import GPG key - uses: envoyproxy/toolshed/gh-actions/gpg/import@actions-v0.3.23 - if: ${{ inputs.import-gpg }} - with: - key: ${{ secrets.gpg-key }} - passphrase: ${{ secrets.gpg-key-password }} - passphrase-path: "${{ runner.temp }}/gpg-passphrase" - configured-passphrase-path: /build/gpg-passphrase - - - run: | - echo "e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9" > .BAZEL_FAKE_SCM_REVISION - name: Configure PR Bazel settings - if: >- - ${{ fromJSON(inputs.request).request.pr != '' }} - - uses: envoyproxy/toolshed/gh-actions/gcp/setup@actions-v0.3.23 - name: Setup GCP (artefacts/rbe) - id: gcp - with: - key: ${{ secrets.gcp-key }} - key-copy: ${{ inputs.rbe-google && runner.temp || '' }} - - run: | - GCP_SERVICE_ACCOUNT_KEY_FILE="$(basename "${{ 
steps.gcp.outputs.key-copy-path }}")" - echo "GCP_SERVICE_ACCOUNT_KEY_PATH=/build/${GCP_SERVICE_ACCOUNT_KEY_FILE}" >> "$GITHUB_ENV" - BAZEL_BUILD_EXTRA_OPTIONS="--google_credentials=/build/${GCP_SERVICE_ACCOUNT_KEY_FILE} --config=rbe-google" - echo "BAZEL_BUILD_EXTRA_OPTIONS=${BAZEL_BUILD_EXTRA_OPTIONS}" >> "$GITHUB_ENV" - if: ${{ steps.gcp.outputs.key-copy-path }} - name: Setup Google RBE - - run: | - echo "${{ vars.ENVOY_CI_BAZELRC }}" > repo.bazelrc - if: ${{ vars.ENVOY_CI_BAZELRC }} - name: Configure repo Bazel settings - - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.23 - name: Run CI ${{ inputs.command }} ${{ inputs.target }} - with: - args: ${{ inputs.args != '--' && inputs.args || inputs.target }} - catch-errors: ${{ inputs.catch-errors }} - command: ${{ inputs.command }} - container-command: ${{ env.CONTAINER_COMMAND || inputs.container-command }} - container-output: ${{ inputs.container-output }} - context: ${{ steps.context.outputs.value }} - diskspace-hack: ${{ inputs.diskspace-hack }} - diskspace-hack-paths: ${{ inputs.diskspace-hack-paths }} - downloads: ${{ inputs.downloads }} - entrypoint: ${{ inputs.entrypoint }} - error-match: ${{ inputs.error-match }} - fail-match: ${{ inputs.fail-match }} - notice-match: ${{ inputs.notice-match }} - output-path: ${{ inputs.output-path }} - report-name: >- - ci-report-${{ - inputs.target-suffix - && format('{0}-', inputs.target-suffix) - || '' }}${{ inputs.target-name || inputs.target }}.json - report-pre: ${{ inputs.report-pre }} - report-post: ${{ inputs.report-post }} - source: ${{ inputs.source }} - steps-pre: ${{ inputs.steps-pre }} - steps-pre-name: ${{ inputs.steps-pre-name }} - steps-post: ${{ inputs.steps-post }} - steps-post-name: ${{ inputs.steps-post-name }} - summary-post: ${{ inputs.summary-post }} - upload-name: ${{ inputs.upload-name }} - upload-path: ${{ inputs.upload-path }} - warning-match: ${{ inputs.warning-match }} - working-directory: ${{ inputs.working-directory }} - env: 
- GITHUB_TOKEN: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }} - DOCKERHUB_USERNAME: ${{ inputs.dockerhub-username }} - DOCKERHUB_PASSWORD: ${{ secrets.dockerhub-password }} - ENVOY_DOCKER_BUILD_DIR: ${{ runner.temp }} - ENVOY_RBE: ${{ inputs.rbe == true && 1 || '' }} - RBE_KEY: ${{ secrets.rbe-key }} - BAZEL_BUILD_EXTRA_OPTIONS: >- - ${{ env.BAZEL_BUILD_EXTRA_OPTIONS }} - --config=remote-ci - ${{ inputs.bazel-extra }} - ${{ inputs.rbe == true && format('--jobs={0}', inputs.bazel-rbe-jobs) || '' }} - ${{ github.event_name == 'schedule' && '--nocache_test_results' || '' }} - ${{ inputs.rbe == true && inputs.trusted && '--remote_execution_priority=1' || '' }} - CI_BRANCH: >- - ${{ inputs.trusted - && format('refs/heads/{0}', fromJSON(inputs.request).request.target-branch) - || '' }} - CI_SHA1: ${{ github.sha }} - CI_TARGET_BRANCH: ${{ fromJSON(inputs.request).request.target-branch }} - MOUNT_GPG_HOME: ${{ inputs.import-gpg && 1 || '' }} - ENVOY_DOCKER_OPTIONS: --network=host --security-opt seccomp=unconfined -v /dev/shm:/tmp/sandbox_base diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml deleted file mode 100644 index fb09e96cffbca..0000000000000 --- a/.github/workflows/codeql-daily.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -name: CodeQL/daily - -permissions: - contents: read - -on: - schedule: - - cron: '0 12 * * 4' - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - - -jobs: - CodeQL-Build: - - permissions: - security-events: write # for github/codeql-action/analyze to upload SARIF results - pull-requests: read - strategy: - fail-fast: false - - # CodeQL runs on ubuntu-24.04 - runs-on: ubuntu-22.04 - if: github.repository == 'envoyproxy/envoy' - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Free disk space - uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.23 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # codeql-bundle-v3.29.2 - # Override language selection by uncommenting this and choosing your languages - with: - languages: cpp - trap-caching: false - - - name: Install deps - shell: bash - run: | - sudo apt-get update --error-on=any - sudo apt-get install --yes \ - libtool libtinfo5 cmake automake autoconf make ninja-build curl unzip \ - virtualenv openjdk-11-jdk build-essential libc++1 - # Note: the llvm/clang version should match the version specifed in: - # - bazel/repository_locations.bzl - # - .github/workflows/codeql-push.yml - # - https://github.com/envoyproxy/envoy-build-tools/blob/main/build_container/build_container_ubuntu.sh#L84 - mkdir -p bin/clang18.1.8 - cd bin/clang18.1.8 - wget https://github.com/llvm/llvm-project/releases/download/llvmorg-18.1.8/clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz - tar -xf clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz --strip-components 1 - - - name: Build - run: | - bazel/setup_clang.sh bin/clang18.1.8 - bazelisk shutdown - bazel build \ - -c fastbuild \ - --spawn_strategy=local \ - --discard_analysis_cache \ - --nouse_action_cache \ - 
--features="-layering_check" \ - --config=clang \ - --config=ci \ - //source/common/http/... - - - name: Clean Artifacts - run: | - git clean -xdf - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # codeql-bundle-v3.29.2 - with: - trap-caching: false diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml deleted file mode 100644 index 60104adf03224..0000000000000 --- a/.github/workflows/codeql-push.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -name: CodeQL/push - -permissions: - contents: read - -on: - push: - paths: - - include/** - - source/common/** - branches: - - main - pull_request: - branches: - - main - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - -env: - SEARCH_FOLDER: //source/common/... - - -jobs: - CodeQL-Build: - permissions: - actions: read - contents: read - # for github/codeql-action/analyze to upload SARIF results - security-events: write - pull-requests: read - runs-on: ubuntu-22.04 - if: github.repository == 'envoyproxy/envoy' - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: 2 - - - name: Get build targets - run: | - # TODO(phlax): Shift this to an action - compare_head () { - while IFS= read -r line; do - if [[ -n "$line" ]]; then - bazel query "rdeps($SEARCH_FOLDER, $line, 1)" 2> /dev/null - fi - done < <(git diff --name-only HEAD "${1}" -- source/* include/*) - } - if [[ "$GIT_EVENT" == "pull_request" ]]; then - git fetch "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" main 2> /dev/null - TO_OTHER=FETCH_HEAD - else - TO_OTHER=HEAD^1 - fi - BUILD_TARGETS="$(compare_head "$TO_OTHER" | grep -v '\.cc\|\.h' | sort -u | head -n 3)" - echo 'BUILD_TARGETS<> $GITHUB_ENV - echo "$BUILD_TARGETS" >> $GITHUB_ENV - echo 'EOF' >> $GITHUB_ENV - env: - GIT_EVENT: ${{ github.event_name }} - - - name: Free disk space - if: ${{ env.BUILD_TARGETS != '' }} - uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.23 - - - name: Initialize CodeQL - if: ${{ env.BUILD_TARGETS != '' }} - uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # codeql-bundle-v3.29.2 - with: - languages: cpp - trap-caching: false - - - name: Install deps - if: ${{ env.BUILD_TARGETS != '' }} - shell: bash - run: | - sudo apt-get update --error-on=any - sudo apt-get install --yes \ - libtool libtinfo5 cmake automake autoconf make 
ninja-build curl \ - unzip virtualenv openjdk-11-jdk build-essential libc++1 - # Note: the llvm/clang version should match the version specifed in: - # - bazel/repository_locations.bzl - # - .github/workflows/codeql-daily.yml - # - https://github.com/envoyproxy/envoy-build-tools/blob/main/build_container/build_container_ubuntu.sh#L84 - mkdir -p bin/clang18.1.8 - cd bin/clang18.1.8 - wget https://github.com/llvm/llvm-project/releases/download/llvmorg-18.1.8/clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz - tar -xf clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz --strip-components 1 - - - name: Build - if: ${{ env.BUILD_TARGETS != '' }} - run: | - bazel/setup_clang.sh bin/clang18.1.8 - bazel shutdown - bazel build \ - -c fastbuild \ - --spawn_strategy=local \ - --discard_analysis_cache \ - --nouse_action_cache \ - --features="-layering_check" \ - --config=clang \ - --config=ci \ - $BUILD_TARGETS - echo -e "Built targets...\n$BUILD_TARGETS" - - - name: Clean Artifacts - if: ${{ env.BUILD_TARGETS != '' }} - run: | - git clean -xdf - - - name: Perform CodeQL Analysis - if: ${{ env.BUILD_TARGETS != '' }} - uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # codeql-bundle-v3.29.2 - with: - trap-caching: false diff --git a/.github/workflows/command.yml b/.github/workflows/command.yml deleted file mode 100644 index 3e24c99bfc139..0000000000000 --- a/.github/workflows/command.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -name: Command - -# NB: **ALL** commands should be permissionless and only use an app token or relevant secrets -# specific to their requirements! -permissions: - contents: read - -on: - issue_comment: - types: - - created - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - # For speed and _security_ only a single command (first matching) will be parsed/run from a comment - command: - name: Parse and run command - runs-on: ubuntu-24.04 - if: >- - ${{ - github.event.issue.pull_request - && (vars.ENVOY_CI - || github.repository == 'envoyproxy/envoy') - && github.actor != 'repokitteh-read-only[bot]' - && github.actor != 'dependabot[bot]' - }} - steps: - - uses: envoyproxy/toolshed/gh-actions/github/command@actions-v0.3.23 - name: Parse command from comment - id: command - with: - text: ${{ github.event.comment.body }} - matching: >- - ^/(retest) - - # /retest - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - if: ${{ steps.command.outputs.command == 'retest' }} - id: appauth-retest - name: Appauth (retest) - with: - key: ${{ secrets.ENVOY_CI_APP_KEY }} - app_id: ${{ secrets.ENVOY_CI_APP_ID }} - - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.3.23 - if: ${{ steps.command.outputs.command == 'retest' }} - name: Retest - with: - token: ${{ steps.appauth-retest.outputs.token }} - azp_org: cncf - azp_token: ${{ secrets.AZP_TOKEN }} - comment-id: ${{ github.event.comment.id }} - pr-url: ${{ github.event.issue.pull_request.url }} - args: ${{ steps.command.outputs.args }} - app-owner: ci-envoy diff --git a/.github/workflows/envoy-checks.yml b/.github/workflows/envoy-checks.yml deleted file mode 100644 index 93fa1c3ba0530..0000000000000 --- a/.github/workflows/envoy-checks.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -name: Envoy/Checks - -permissions: - contents: read - -on: - workflow_run: - workflows: - # Workaround issue with PRs not triggering tertiary workflows - - Request - # - Envoy/Prechecks - types: - - completed - -concurrency: - group: >- - ${{ ((github.event.workflow_run.head_branch == 'main' - || startsWith(github.event.workflow_run.head_branch, 'release/v')) - && github.event.repository.full_name == github.repository) - && github.run_id - || github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }} - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - load: - secrets: - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - if: | - github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI) - uses: ./.github/workflows/_load.yml - with: - check-name: checks - # head-sha: ${{ github.sha }} - - build: - secrets: - gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Check (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_check_build.yml - if: ${{ fromJSON(needs.load.outputs.request).run.check-build }} - needs: - - load - with: - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - coverage: - secrets: - gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} - gcp-key: ${{ fromJSON(needs.load.outputs.trusted) && 
secrets.GCP_SERVICE_ACCOUNT_KEY_TRUSTED || secrets.GCP_SERVICE_ACCOUNT_KEY }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Check (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_check_coverage.yml - if: ${{ fromJSON(needs.load.outputs.request).run.check-coverage }} - needs: - - load - with: - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - san: - secrets: - gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Check (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_check_san.yml - if: ${{ fromJSON(needs.load.outputs.request).run.check-san }} - needs: - - load - with: - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - request: - secrets: - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - permissions: - actions: read - contents: read - pull-requests: read - if: | - always() - && github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (fromJSON(needs.load.outputs.request).run.check-build - || fromJSON(needs.load.outputs.request).run.check-coverage - || fromJSON(needs.load.outputs.request).run.check-san) - needs: - - load - - build - - coverage - - san - uses: ./.github/workflows/_finish.yml - with: - needs: ${{ toJSON(needs) }} 
diff --git a/.github/workflows/envoy-cve.yml b/.github/workflows/envoy-cve.yml deleted file mode 100644 index 193cce9aca4d5..0000000000000 --- a/.github/workflows/envoy-cve.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: Envoy/CVE - -permissions: - contents: read - -on: - schedule: - - cron: '0 8 * * *' - workflow_dispatch: - inputs: - task: - description: Select a task - required: true - default: bazel - type: choice - options: - - scan - - fetch - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - - -jobs: - fetch: - secrets: - gcs-cve-key: ${{ secrets.GCS_CVE_WRITE_KEY }} - if: >- - ((github.event_name == 'workflow_dispatch' - && inputs.task == 'fetch') - || (github.repository == 'envoyproxy/envoy' - && github.event_name == 'schedule')) - uses: ./.github/workflows/_cve_fetch.yml - with: - scheduled: ${{ github.event_name == 'schedule' }} - scan: - secrets: - gcs-cve-key: ${{ secrets.GCS_CVE_KEY }} - if: >- - github.event_name == 'workflow_dispatch' - && inputs.task == 'scan' - uses: ./.github/workflows/_cve_scan.yml diff --git a/.github/workflows/envoy-dependency.yml b/.github/workflows/envoy-dependency.yml deleted file mode 100644 index a511a6e45fcde..0000000000000 --- a/.github/workflows/envoy-dependency.yml +++ /dev/null 
@@ -1,249 +0,0 @@ -name: Envoy/dependency - -permissions: - contents: read - -on: - schedule: - - cron: '0 8 * * *' - workflow_dispatch: - inputs: - task: - description: Select a task - required: true - default: bazel - type: choice - options: - - bazel - - bazel-api - - build-image - - check - dependency: - description: Dependency to update (if applicable) - version: - description: Version to set (optional) - pr: - type: boolean - default: true - pr-message: - description: Additional message for PR, eg to fix an issue (optional) - -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - -env: - COMMITTER_NAME: dependency-envoy[bot] - COMMITTER_EMAIL: 148525496+dependency-envoy[bot]@users.noreply.github.com - -jobs: - update-bazel: - if: >- - ${{ - github.event_name == 'workflow_dispatch' - && startsWith(inputs.task, 'bazel') - }} - name: > - Update dep - (${{ inputs.pr && 'PR/' || '' }} - ${{ inputs.task == 'bazel' && 'bazel' || 'bazel/api' }} - /${{ inputs.dependency }} - /${{ inputs.version }}) - runs-on: ubuntu-24.04 - steps: - - id: appauth - name: Appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - with: - app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} - key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - with: - token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/bson@actions-v0.3.23 - id: update - name: Update dependency (${{ inputs.dependency }}) - with: - input: | - dependency: ${{ inputs.dependency }} - task: ${{ inputs.task }} - version: "${{ inputs.version }}" - input-format: yaml - filter: | - .version as $version - | .dependency as $dependency - | .task as $task - | (try ($version | validate::sha(40) | .[:7]) - catch $version) as $version_short - | {} - | if $task == "bazel" then - . 
- | .task = "bazel" - | .target = "update" - else - . - | .task = "api/bazel" - | .target = "api-update" - end - | .task as $task - | .target as $target - | (" - echo \"Updating(\($task)): \($dependency) -> \($version_short)\" - bazel run --config=ci //bazel:\($target) \($dependency) \($version) - OUTPUT=\($version_short) - " | bash::output) - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - uses: envoyproxy/toolshed/gh-actions/upload/diff@actions-v0.3.23 - name: Upload diff - with: - name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }} - - name: Create a PR - if: ${{ inputs.pr }} - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 - with: - base: main - body: | - Created by Envoy dependency bot for @${{ github.actor }} - - ${{ inputs.pr-message }} - branch: >- - dependency/${{ inputs.task }}/${{ inputs.dependency }}/${{ steps.update.outputs.output }} - commit-message: | - ${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` -> ${{ steps.update.outputs.output }} - - 
Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}> - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - title: >- - ${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` - -> ${{ steps.update.outputs.output }} - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - - update-build-image: - if: >- - ${{ - github.event_name == 'workflow_dispatch' - && github.event.inputs.task == 'build-image' - }} - name: Update build image (PR) - runs-on: ubuntu-24.04 - steps: - - id: appauth - name: Appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - with: - app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} - key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - id: checkout - name: Checkout Envoy repository - with: - config: | - path: envoy - fetch-depth: 0 - token: ${{ steps.appauth.outputs.token }} - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Checkout Envoy build tools repository - with: - repository: envoyproxy/envoy-build-tools - path: build-tools - fetch-depth: 0 - - run: | - shas=( - tag - sha - mobile-sha - gcr-sha) - for sha in "${shas[@]}"; do - current_sha=$(bazel run --config=ci //tools/dependency:build-image-sha "$sha") - echo "${sha}=${current_sha}" >> "$GITHUB_OUTPUT" - done - id: current - name: Current SHAs - working-directory: envoy - - run: | - if [[ -z "$CONTAINER_TAG" ]]; then - # get current build image version - CONTAINER_TAG=$(git log -1 --pretty=format:"%H" "./docker") - fi - echo "tag=${CONTAINER_TAG}" >> "$GITHUB_OUTPUT" - echo "tag_short=${CONTAINER_TAG::7}" >> "$GITHUB_OUTPUT" - env: - CONTAINER_TAG: ${{ inputs.version }} - id: build-tools - name: Build image SHA - working-directory: build-tools - - - name: Check Docker SHAs - id: build-images - uses: envoyproxy/toolshed/gh-actions/docker/shas@actions-v0.3.23 - with: - images: | - sha: 
envoyproxy/envoy-build-ubuntu:${{ steps.build-tools.outputs.tag }} - mobile-sha: envoyproxy/envoy-build-ubuntu:mobile-${{ steps.build-tools.outputs.tag }} - gcr-sha: gcr.io/envoy-ci/envoy-build:${{ steps.build-tools.outputs.tag }} - - - run: | - SHA_REPLACE=( - "$CURRENT_ENVOY_TAG:$ENVOY_TAG" - "$CURRENT_ENVOY_SHA:${{ fromJSON(steps.build-images.outputs.shas).sha }}" - "$CURRENT_ENVOY_MOBILE_SHA:${{ fromJSON(steps.build-images.outputs.shas).mobile-sha }}" - "$CURRENT_ENVOY_GCR_SHA:${{ fromJSON(steps.build-images.outputs.shas).gcr-sha }}") - echo "replace=${SHA_REPLACE[*]}" >> "$GITHUB_OUTPUT" - name: Find SHAs to replace - id: shas - env: - ENVOY_TAG: ${{ steps.build-tools.outputs.tag }} - CURRENT_ENVOY_TAG: ${{ steps.current.outputs.tag }} - CURRENT_ENVOY_SHA: ${{ steps.current.outputs.sha }} - CURRENT_ENVOY_MOBILE_SHA: ${{ steps.current.outputs.mobile-sha }} - CURRENT_ENVOY_GCR_SHA: ${{ steps.current.outputs.gcr-sha }} - - run: | - echo "${SHA_REPLACE}" | xargs bazel run --config=ci @envoy_toolshed//sha:replace "${PWD}" - env: - SHA_REPLACE: ${{ steps.shas.outputs.replace }} - name: Update SHAs - working-directory: envoy - - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 - with: - base: main - body: Created by Envoy dependency bot - branch: dependency-envoy/build-image/${{ inputs.version || 'latest' }} - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - commit-message: | - deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}` - - 
Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}> - title: 'deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`' - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - working-directory: envoy - - scheduled: - runs-on: ubuntu-24.04 - if: >- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.event.schedule - || (!contains(github.actor, '[bot]') - && inputs.task == 'check')) - }} - permissions: - contents: read - issues: write - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Run dependency checker - run: | - TODAY_DATE=$(date -u -I"date") - export TODAY_DATE - bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c release_issues --fix - bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c cves -w error - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/envoy-macos.yml b/.github/workflows/envoy-macos.yml deleted file mode 100644 index c09561e171778..0000000000000 --- a/.github/workflows/envoy-macos.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -name: Envoy/macOS - -permissions: - contents: read - -on: - workflow_run: - workflows: - - Request - types: - - completed - -concurrency: - group: >- - ${{ ((github.event.workflow_run.head_branch == 'main' - || startsWith(github.event.workflow_run.head_branch, 'release/v')) - && github.event.repository.full_name == github.repository) - && github.run_id - || github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }} - cancel-in-progress: true - - -jobs: - load: - secrets: - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - if: | - github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - uses: ./.github/workflows/_load.yml - with: - check-name: macos - - macos: - permissions: - contents: read - packages: read - if: ${{ fromJSON(needs.load.outputs.request).run.build-macos }} - needs: - - load - uses: ./.github/workflows/_run.yml - name: CI ${{ matrix.name || matrix.target }} - with: - command: - container-command: - docker-ipv6: false - request: ${{ needs.load.outputs.request }} - # TODO: Remove these hardcoded branches when no longer supported - runs-on: >- - ${{ (contains(fromJSON(needs.load.outputs.request).request.target-branch, 'v1.31') - || contains(fromJSON(needs.load.outputs.request).request.target-branch, 'v1.32') - || contains(fromJSON(needs.load.outputs.request).request.target-branch, 'v1.33') - || contains(fromJSON(needs.load.outputs.request).request.target-branch, 'v1.34')) - && 'macos-14-xlarge' - || 'macos-15-xlarge' }} - source: ${{ matrix.source }} - steps-post: - steps-pre: ${{ matrix.steps-pre }} - target: ${{ matrix.target }} - target-name: ${{ matrix.target-name }} - timeout-minutes: 180 - 
trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - strategy: - fail-fast: false - matrix: - include: - - target: ci/mac_ci_steps.sh - name: macOS - target-name: mac_ci_steps - source: | - source ./ci/mac_ci_setup.sh - _BAZEL_BUILD_EXTRA_OPTIONS=( - --remote_download_toplevel - --flaky_test_attempts=2 - --config=remote-cache-envoy-engflow - --config=ci) - export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]} - - request: - permissions: - actions: read - contents: read - pull-requests: read - secrets: - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - if: | - always() - && github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && fromJSON(needs.load.outputs.request).run.build-macos - needs: - - load - - macos - uses: ./.github/workflows/_finish.yml - with: - needs: ${{ toJSON(needs) }} diff --git a/.github/workflows/envoy-prechecks.yml b/.github/workflows/envoy-prechecks.yml deleted file mode 100644 index a34d48f863594..0000000000000 --- a/.github/workflows/envoy-prechecks.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -name: Envoy/Prechecks - -permissions: - contents: read - -on: - workflow_run: - workflows: - - Request - types: - - completed - -concurrency: - group: >- - ${{ ((github.event.workflow_run.head_branch == 'main' - || startsWith(github.event.workflow_run.head_branch, 'release/v')) - && github.event.repository.full_name == github.repository) - && github.run_id - || github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }} - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - load: - secrets: - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - if: | - github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - uses: ./.github/workflows/_load.yml - with: - check-name: prechecks - - format: - secrets: - gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Precheck (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_precheck_format.yml - if: ${{ fromJSON(needs.load.outputs.request).run.precheck-format }} - needs: - - load - with: - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - deps: - secrets: - gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Precheck (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_precheck_deps.yml - 
if: ${{ fromJSON(needs.load.outputs.request).run.precheck-deps }} - needs: - - load - with: - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - dependency-review: ${{ github.event_name == 'pull_request_target' && github.repository == 'envoyproxy/envoy' }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - publish: - secrets: - gcp-key: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.GCP_SERVICE_ACCOUNT_KEY_TRUSTED - || secrets.GCP_SERVICE_ACCOUNT_KEY }} - gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - name: Precheck (${{ needs.load.outputs.request && fromJSON(needs.load.outputs.request).summary.title || 'SKIPPED' }}) - uses: ./.github/workflows/_precheck_publish.yml - if: ${{ fromJSON(needs.load.outputs.request).run.precheck-publish }} - needs: - - load - with: - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - request: - secrets: - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - permissions: - actions: read - contents: read - pull-requests: read - if: | - always() - && github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (fromJSON(needs.load.outputs.request).run.precheck-format - || fromJSON(needs.load.outputs.request).run.precheck-deps - || fromJSON(needs.load.outputs.request).run.precheck-publish) - needs: - - load - - format - - deps - - publish - uses: ./.github/workflows/_finish.yml - with: - needs: ${{ toJSON(needs) }} 
diff --git a/.github/workflows/envoy-publish.yml b/.github/workflows/envoy-publish.yml deleted file mode 100644 index 780b1bb5512c2..0000000000000 --- a/.github/workflows/envoy-publish.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -# This workflow is triggered by azp currently -# Once arm/x64 build jobs are shifted to github, this can be triggered -# by on: workflow_run -name: Envoy/Publish & verify - -permissions: - contents: read - -on: - workflow_run: - workflows: - # Workaround issue with PRs not triggering tertiary workflows - - Request - # - Envoy/Prechecks - types: - - completed - -concurrency: - group: >- - ${{ ((github.event.workflow_run.head_branch == 'main' - || startsWith(github.event.workflow_run.head_branch, 'release/v')) - && github.event.repository.full_name == github.repository) - && github.run_id - || github.event.workflow_run.head_branch }}-${{ github.event.repository.full_name }}-${{ github.workflow }} - cancel-in-progress: true - -env: - CI_DEBUG: ${{ vars.CI_DEBUG }} - - -jobs: - load: - secrets: - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - permissions: - actions: read - contents: read - packages: read - pull-requests: read - if: | - github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI) - uses: ./.github/workflows/_load.yml - with: - check-name: publish - # head-sha: ${{ github.sha }} - - build: - permissions: - contents: read - packages: read - secrets: - gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} - gpg-key: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_GPG_MAINTAINER_KEY - || secrets.ENVOY_GPG_SNAKEOIL_KEY }} - gpg-key-password: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_GPG_MAINTAINER_KEY_PASSWORD - || secrets.ENVOY_GPG_SNAKEOIL_KEY_PASSWORD }} - if: ${{ fromJSON(needs.load.outputs.request).run.release || fromJSON(needs.load.outputs.request).run.verify }} - needs: - - load 
- uses: ./.github/workflows/_publish_build.yml - name: Build - strategy: - fail-fast: false - matrix: - arch: - - x64 - - arm64 - with: - arch: ${{ matrix.arch }} - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - release: - secrets: - dockerhub-password: ${{ secrets.DOCKERHUB_PASSWORD }} - dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} - ENVOY_CI_SYNC_APP_ID: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_CI_SYNC_APP_ID - || '' }} - ENVOY_CI_SYNC_APP_KEY: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_CI_SYNC_APP_KEY - || '' }} - ENVOY_CI_PUBLISH_APP_ID: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_CI_PUBLISH_APP_ID - || '' }} - ENVOY_CI_PUBLISH_APP_KEY: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_CI_PUBLISH_APP_KEY - || '' }} - gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} - gpg-key: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_GPG_MAINTAINER_KEY - || secrets.ENVOY_GPG_SNAKEOIL_KEY }} - gpg-key-password: >- - ${{ needs.load.outputs.trusted - && fromJSON(needs.load.outputs.trusted) - && secrets.ENVOY_GPG_MAINTAINER_KEY_PASSWORD - || secrets.ENVOY_GPG_SNAKEOIL_KEY_PASSWORD }} - permissions: - contents: read - packages: read - if: ${{ fromJSON(needs.load.outputs.request).run.release }} - needs: - - load - - build - uses: ./.github/workflows/_publish_release.yml - name: Release - with: - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - verify: - secrets: - gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }} - permissions: - contents: 
read - packages: read - if: ${{ fromJSON(needs.load.outputs.request).run.verify }} - needs: - - load - - build - - release - uses: ./.github/workflows/_publish_verify.yml - name: Verify - with: - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - request: ${{ needs.load.outputs.request }} - trusted: ${{ needs.load.outputs.trusted && fromJSON(needs.load.outputs.trusted) || false }} - - request: - secrets: - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - permissions: - actions: read - contents: read - pull-requests: read - if: | - always() - && github.event.workflow_run.conclusion == 'success' - && github.event.workflow_run.repository.full_name == github.repository - && contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - && (fromJSON(needs.load.outputs.request).run.release - || fromJSON(needs.load.outputs.request).run.verify) - needs: - - load - - build - - release - - verify - uses: ./.github/workflows/_finish.yml - with: - needs: ${{ toJSON(needs) }} diff --git a/.github/workflows/envoy-release.yml b/.github/workflows/envoy-release.yml deleted file mode 100644 index abc8431bd22bf..0000000000000 --- a/.github/workflows/envoy-release.yml +++ /dev/null 
@@ -1,304 +0,0 @@ -name: Envoy/release - -permissions: - contents: read - -on: - release: - types: - - published - branches: - - main - - release/v* - workflow_dispatch: - inputs: - task: - description: Select a task - required: true - default: create-release - type: choice - options: - - create-release - - reopen-branch - - sync-version-histories - - deprecate-guards - dry-run: - type: boolean - default: false - pr: - type: boolean - default: true - description: Create a PR - pr-message: - description: Additional message for PR, eg to fix an issue or additional signoff (optional) - wip: - type: boolean - default: false - description: WIP - author: - description: >- - Author: User/email, eg 'Myname ' - (used by create-release, default: `changelogs/summary.md` last committer) - summary: - type: boolean - default: true - description: Use changelog summary (required to publish release) - -env: - COMMITTER_NAME: publish-envoy[bot] - COMMITTER_EMAIL: 140627008+publish-envoy[bot]@users.noreply.github.com - - -jobs: - ## Triggerable actions - - # Create a release commit, when landed this will publish. - create_release: - runs-on: ubuntu-24.04 - if: github.event_name == 'workflow_dispatch' && inputs.task == 'create-release' - name: Create release - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - with: - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - strip-prefix: release/ - token: ${{ steps.appauth.outputs.token }} - - run: | - if [[ ! -s "changelogs/summary.md" ]]; then - if [[ "${{ inputs.summary }}" == "false" ]]; then - echo "::warning::Changelog summary (changelogs/summary.md) is empty!" 
- exit 0 - fi - echo "::error::Changelog summary (changelogs/summary.md) is empty!" - exit 1 - fi - COMMITTER=$(git log -n 1 --format='%an <%ae>' -- changelogs/summary.md) - echo "committer=${COMMITTER}" >> $GITHUB_OUTPUT - id: changelog - name: Check changelog summary - - if: ${{ inputs.author }} - name: Validate signoff email - uses: envoyproxy/toolshed/gh-actions/email/validate@actions-v0.3.23 - with: - email: ${{ inputs.author }} - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.23 - name: Create release - with: - source: | - BAZEL_ARGS=(--) - BAZEL_RUN_ARGS=(--config=ci) - if [[ -n "${{ inputs.author }}" ]]; then - BAZEL_ARGS+=( - "--release-author=${{ inputs.author }}" - "--signoff=${{ steps.changelog.outputs.committer }}") - else - BAZEL_ARGS+=("--release-author=${{ steps.changelog.outputs.committer }}") - fi - command: >- - bazel - run - "${BAZEL_RUN_ARGS[@]}" - @envoy_repo//:release - "${BAZEL_ARGS[@]}" - - run: | - VERSION=$(cat VERSION.txt) - echo "version=v${VERSION}" >> $GITHUB_OUTPUT - name: Release version - id: release - - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 - with: - base: ${{ github.ref_name }} - commit: false - append-commit-message: true - body: | - Created by Envoy publish bot for @${{ github.actor }} - ${{ ! inputs.summary && ':warning: Created without changelog summary, this will need to be updated before publishing' || '' }} - branch: release/create/${{ steps.checkout.outputs.branch-name }} - diff-upload: release-${{ steps.checkout.outputs.branch-name }} - diff-show: true - dry-run: ${{ ! inputs.pr }} - wip: ${{ ! inputs.summary || inputs.wip }} - title: >- - [${{ (! inputs.summary || inputs.wip) && 'WIP/' || '' }}release/${{ steps.checkout.outputs.branch-name }}] - repo: Release ${{ steps.release.outputs.version }} - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - - # Re-open a branch. 
- reopen-branch: - runs-on: ubuntu-24.04 - if: github.event_name == 'workflow_dispatch' && inputs.task == 'reopen-branch' - name: Re-open branch - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.25 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.25 - with: - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - strip-prefix: release/ - token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.25 - name: Re-open branch - with: - command: >- - bazel - run - --config=ci - @envoy_repo//:dev - -- ${{ steps.checkout.outputs.branch-name != 'main' && '--patch' || '' }} - - run: | - VERSION=$(cat VERSION.txt | cut -d- -f1) - echo "version=v${VERSION}" >> $GITHUB_OUTPUT - name: Dev version - id: dev - - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.25 - with: - base: ${{ github.ref_name }} - commit: false - append-commit-message: true - body: | - Created by Envoy publish bot for @${{ github.actor }} - branch: release/dev/${{ steps.checkout.outputs.branch-name }} - diff-upload: release-dev-${{ steps.checkout.outputs.branch-name }} - diff-show: true - dry-run: ${{ ! inputs.pr }} - wip: ${{ ! 
inputs.summary || inputs.wip }} - title: >- - [dev/${{ steps.checkout.outputs.branch-name }}] - repo: Dev ${{ steps.dev.outputs.version }} - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - - sync_version_histories: - runs-on: ubuntu-24.04 - if: github.event_name == 'workflow_dispatch' && inputs.task == 'sync-version-histories' - name: Sync version histories - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - with: - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - strip-prefix: release/ - token: ${{ steps.appauth.outputs.token }} - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.3.23 - name: Sync version histories - with: - command: >- - bazel - run - --config=ci @envoy_repo//:sync - -- - --signoff="${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>" - - name: Create a PR - uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.23 - with: - append-commit-message: true - base: ${{ github.ref_name }} - commit: false - body: | - Created by Envoy publish bot for @${{ github.actor }} - branch: release/sync/${{ steps.checkout.outputs.branch-name }} - diff-upload: version-histories-${{ steps.checkout.outputs.branch-name }} - diff-show: true - dry-run: ${{ ! 
inputs.pr }} - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - title: >- - ${{ steps.checkout.outputs.branch-name != 'main' && format('[{0}]', steps.checkout.outputs.branch-name) || '' }} - repo: Sync version histories - - deprecate_guards: - runs-on: ubuntu-24.04 - if: >- - ${{ (github.event_name == 'workflow_dispatch' - && inputs.task == 'deprecate-guards') - || (github.event_name == 'release' - && endsWith(github.ref, '.0')) }} - name: Deprecate guards - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - id: checkout - name: Checkout Envoy repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - with: - config: | - fetch-depth: 0 - - name: Run deprecation tool - run: | - bazel run --config=ci \ - //tools/deprecate_guards \ - -- \ - ${{ ! inputs.dry-run && ' --create-issues' || '' }} \ - ${{ github.repository != 'envoyproxy/envoy' - && format('--staging-repo {0}', github.repository) - || '' }} - env: - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} - - ## Triggered actions - - # On release to `main`: - # - fork the branch to a release branch - # - add an initial dev commit - # - remove anything unwanted - # - push branch - create_release_branch: - runs-on: ubuntu-24.04 - if: github.event_name == 'release' && endsWith(github.ref, '.0') - name: Create release branch - steps: - - id: appauth - name: App auth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - - - name: Checkout repository - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.23 - with: - committer-name: ${{ env.COMMITTER_NAME }} - committer-email: ${{ env.COMMITTER_EMAIL }} - token: ${{ steps.appauth.outputs.token }} - - name: Create release branch - run: | - version="$(cut -d- -f1 
< VERSION.txt | cut -d. -f-2)" - release_branch="release/v${version}" - commit_sha="$(git rev-parse HEAD)" - echo "Creating ${release_branch} from ${commit_sha}" - git checkout -b "$release_branch" - bazel run @envoy_repo//:dev -- --patch - git rm -rf .github/workflows/mobile*yml - git commit . -m "repo: Remove mobile ci for release branch" - git log - git push origin "$release_branch" diff --git a/.github/workflows/envoy-security-check.yml b/.github/workflows/envoy-security-check.yml deleted file mode 100644 index 459c23d3bc15b..0000000000000 --- a/.github/workflows/envoy-security-check.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -name: Security check - -# This workflow validates that workflow_run events are only triggered by authorized sources -# It will only run (and fail) if triggered by unauthorized events - -on: - workflow_run: - workflows: - - Request - types: - - completed - -permissions: - contents: read - - -jobs: - security: - permissions: - contents: read - pull-requests: write # For commenting on PRs - # Only run if this is a potential security violation - if: | - github.event.workflow_run.conclusion == 'success' - && (github.repository == 'envoyproxy/envoy' || vars.ENVOY_CI) - && ( - github.event.workflow_run.repository.full_name != github.repository - || !contains(fromJSON('["pull_request_target", "push", "schedule"]'), github.event.workflow_run.event) - ) - runs-on: ubuntu-24.04 - name: Security violation - ${{ matrix.action }} - strategy: - fail-fast: false - matrix: - include: - - action: log - - action: comment - - action: slack - steps: - # CI - - name: Log violation details - if: matrix.action == 'log' - run: | - echo "::error::SECURITY VIOLATION DETECTED" - echo "::error::Unauthorized workflow_run trigger attempt" - echo "" - echo "Details:" - echo "- Workflow triggered by: ${{ github.event.workflow_run.event }}" - echo "- Repository: ${{ github.event.workflow_run.repository.full_name }}" - echo "- Expected repository: ${{ github.repository }}" - echo "- Workflow run ID: ${{ github.event.workflow_run.id }}" - echo "- Actor: ${{ github.event.workflow_run.actor.login }}" - echo "- PR: ${{ github.event.workflow_run.pull_requests[0].number || 'N/A' }}" - echo "" - - # Check specific violation - if [[ "${{ github.event.workflow_run.repository.full_name }}" != "${{ github.repository }}" ]]; then - echo "::error::Violation: Workflow triggered from unauthorized repository" - fi - - ALLOWED_EVENTS='["pull_request_target", "push", "schedule"]' - EVENT="${{ github.event.workflow_run.event }}" - - if ! 
echo "$ALLOWED_EVENTS" | jq -e --arg event "$EVENT" 'contains([$event])' > /dev/null; then - echo "::error::Violation: Workflow triggered by unauthorized event type: $EVENT" - fi - - # PR - - name: Comment on PR - if: matrix.action == 'comment' && github.event.workflow_run.pull_requests[0] - uses: actions/github-script@v7 - with: - script: | - try { - const pr_number = context.payload.workflow_run.pull_requests[0].number; - const comment = ` - ## 🚨 **SECURITY VIOLATION DETECTED** 🚨 - - **UNAUTHORIZED WORKFLOW TRIGGER ATTEMPT** - - This pull request attempted to trigger protected workflows through unauthorized means. - - **VIOLATION DETAILS:** - - Event type: \`${{ github.event.workflow_run.event }}\` - - Repository: \`${{ github.event.workflow_run.repository.full_name }}\` - - Expected: \`${{ github.repository }}\` - - **THIS INCIDENT HAS BEEN LOGGED AND REPORTED.** - `; - - await github.rest.issues.createComment({ - owner: '${{ github.repository_owner }}', - repo: '${{ github.event.repository.name }}', - issue_number: pr_number, - body: comment - }); - } catch (error) { - console.error('Failed to comment on PR:', error); - } - - # SLACK - - name: Checkout repository (secure branch) - if: matrix.action == 'slack' - uses: actions/checkout@v4 - with: - # Explicitly checkout main to avoid malicious code - ref: main - - name: Notify Slack - if: matrix.action == 'slack' - run: | - cat > /tmp/security_violation.json <- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.ref_name == 'main') - && (github.event.push - || !contains(github.actor, '[bot]')) - }} - strategy: - fail-fast: false - matrix: - downstream: - - go-control-plane - - envoy-filter-example - - data-plane-api - - mobile-website - steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - id: appauth - with: - app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} - key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.23 - with: - repository: 
"envoyproxy/${{ matrix.downstream }}" - ref: main - token: ${{ steps.appauth.outputs.token }} - workflow: envoy-sync.yaml - - sync-release: - runs-on: ubuntu-24.04 - if: >- - ${{ - github.repository == 'envoyproxy/envoy' - && contains(fromJSON('["main", "release/v1.28", "release/v1.31"]'), github.ref_name) - && (github.event.push - || !contains(github.actor, '[bot]')) - }} - strategy: - fail-fast: false - matrix: - downstream: - - envoy-openssl - steps: - - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23 - id: appauth - with: - app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }} - key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }} - - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.3.23 - with: - repository: "envoyproxy/${{ matrix.downstream }}" - ref: release/v1.28 - token: ${{ steps.appauth.outputs.token }} - workflow: envoy-sync-receive.yaml - inputs: | - branch: ${{ github.ref_name }} diff --git a/.github/workflows/pr_notifier.yml b/.github/workflows/pr_notifier.yml deleted file mode 100644 index 438e8d007de27..0000000000000 --- a/.github/workflows/pr_notifier.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -on: - pull_request: - branches: - - main - workflow_dispatch: - schedule: - - cron: '0 5 * * 1,2,3,4,5' - -permissions: - contents: read # to fetch code (actions/checkout) - -jobs: - pr_notifier: - permissions: - contents: read # to fetch code (actions/checkout) - statuses: read # for pr_notifier.py - pull-requests: read # for pr_notifier.py - name: PR Notifier - runs-on: ubuntu-24.04 - if: >- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.event.schedule - || !contains(github.actor, '[bot]')) - }} - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Notify about PRs - run: | - ARGS=() - if [[ "${{ github.event_name }}" == 'pull_request' ]]; then - ARGS+=(--dry_run) - fi - bazel run --config=ci //tools/repo:notify -- "${ARGS[@]}" - env: - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/request.yml b/.github/workflows/request.yml deleted file mode 100644 index 5e3b0f10ad361..0000000000000 --- a/.github/workflows/request.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -# This file must live on every branch and pass necessary secrets and permissions -# to initiate the request -name: Request - -permissions: - contents: read - -on: - pull_request_target: - push: - branches: - - main - - release/v* - schedule: - - cron: '30 6 * * *' - -concurrency: - group: | - ${{ github.head_ref - || github.run_id - }}-${{ github.workflow }}-request - cancel-in-progress: true - - -jobs: - request: - permissions: - actions: read - contents: read - packages: read - # required to fetch merge commit - pull-requests: read - secrets: - # these are required to start checks - app-key: ${{ secrets.ENVOY_CI_APP_KEY }} - app-id: ${{ secrets.ENVOY_CI_APP_ID }} - lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }} - lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }} - gcs-cache-key: ${{ secrets.GCS_CACHE_WRITE_KEY }} - with: - gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} - # For branches this can be pinned to a specific version if required - # NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read - uses: envoyproxy/envoy/.github/workflows/_request.yml@main - if: >- - ${{ github.repository == 'envoyproxy/envoy' - || (vars.ENVOY_CI && github.event_name != 'schedule') - || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml deleted file mode 100644 index 40676cd78d81a..0000000000000 --- a/.github/workflows/scorecard.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: Scorecard supply-chain security -on: - branch_protection_rule: - schedule: - - cron: '33 13 * * 5' - push: - branches: - - "main" - -permissions: - contents: read - - -jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-24.04 - permissions: - security-events: write - id-token: write - - steps: - - name: "Checkout code" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 - with: - results_file: results.sarif - results_format: sarif - publish_results: true - - - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 - with: - sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index 28cd64da6269f..0000000000000 --- a/.github/workflows/stale.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -name: Prune stale - -permissions: - contents: read - -on: - workflow_dispatch: - schedule: - - cron: '0 */4 * * *' - -jobs: - prune_stale: - if: >- - ${{ - github.repository == 'envoyproxy/envoy' - && (github.event.schedule - || !contains(github.actor, '[bot]')) - }} - permissions: - issues: write # for actions/stale to close stale issues - pull-requests: write # for actions/stale to close stale PRs - name: Prune stale - runs-on: ubuntu-24.04 - - steps: - - name: Prune Stale - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - # Different amounts of days for issues/PRs are not currently supported but there is a PR - # open for it: https://github.com/actions/stale/issues/214 - days-before-stale: 30 - days-before-close: 7 - stale-issue-message: > - This issue has been automatically marked as stale because it has not had activity in the - last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity - occurs. Thank you for your contributions. - close-issue-message: > - This issue has been automatically closed because it has not had activity in the - last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". - Thank you for your contributions. - stale-pr-message: > - This pull request has been automatically marked as stale because it has not had - activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please - feel free to give a status update now, ping for review, or re-open when it's ready. - Thank you for your contributions! - close-pr-message: > - This pull request has been automatically closed because it has not had - activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. - Thank you for your contributions! 
- stale-issue-label: 'stale' - exempt-issue-labels: 'no stalebot,help wanted' - stale-pr-label: 'stale' - exempt-pr-labels: 'no stalebot' - operations-per-run: 500 - ascending: true diff --git a/.github/workflows/toolchain-test.yml b/.github/workflows/toolchain-test.yml deleted file mode 100644 index 04c2c9ae3a64a..0000000000000 --- a/.github/workflows/toolchain-test.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: Toolchain default behavior test - -permissions: - contents: read -on: - pull_request: - paths: - - .bazelrc - - .github/workflows/toolchain-test.yml - - ci/matrix/** - - tools/toolchain -concurrency: - group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} - cancel-in-progress: true - -jobs: - toolchain-test: - runs-on: ubuntu-22.04 - if: github.repository == 'envoyproxy/envoy' - strategy: - fail-fast: false - matrix: - include: - - name: "GCC only" - service: "gcc" - - name: "LLVM only" - service: "llvm" - - name: "Both GCC & LLVM" - service: "all" - - name: "No compilers" - service: "none" - name: "Test: ${{ matrix.name }}" - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Run matrix test - run: | - cd ci/matrix - export UID - docker compose run --rm --build ${{ matrix.service }} diff --git a/buildrpm/istio-envoy.spec b/buildrpm/istio-envoy.spec new file mode 100644 index 0000000000000..1da43ee4469fc --- /dev/null +++ b/buildrpm/istio-envoy.spec 
@@ -0,0 +1,36 @@ +# Generate devel rpm +%global with_devel 0 +# Build with debug info rpm +%global with_debug 0 + + +%if 0%{?with_debug} +%global _dwz_low_mem_die_limit 0 +%else +%global debug_package %{nil} +%endif + +%global _buildhost build-ol%{?oraclelinux}-%{?_arch}.oracle.com + +Name: istio-envoy +Version: 1.27.2 +Release: 1%{?dist} +Summary: Envoy is an L7 proxy and communication bus designed for large modern service oriented architectures. +License: Apache License 2.0 +Vendor: Oracle America +URL: https://github.com/istio/envoy +Source0: %{name}-%{version}.tar.bz2 + +%description +Envoy is a high performance C++ distributed proxy designed for single services and applications, +as well as a communication bus and “universal data plane” designed for large microservice “service mesh” architectures + +%prep +%setup -q -n %{name}-%{version} + +%files +%license LICENSE + +%changelog +* Mon Oct 13 2025 Oracle Cloud Native Environment Authors - 1.27.2-1 +- Added Oracle specific files diff --git a/contrib/golang/filters/http/test/test_data/go.sum b/contrib/golang/filters/http/test/test_data/go.sum new file mode 100644 index 0000000000000..4888965fe553c --- /dev/null +++ b/contrib/golang/filters/http/test/test_data/go.sum 
@@ -0,0 +1,19 @@ +cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= +github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= +github.com/lyft/protoc-gen-star/v2 v2.0.3/go.mod h1:amey7yeodaJhXSbf/TlLvWiqQfLOSpEk//mLlc+axEk= +github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8= +google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= diff --git a/olm/jenkins/ci/Jenkinsfile b/olm/jenkins/ci/Jenkinsfile new file mode 100644 index 0000000000000..298a5ff313e0d --- /dev/null 
+++ b/olm/jenkins/ci/Jenkinsfile @@ -0,0 +1,25 @@ + +@Library('olcne-pipeline') _ +import com.oracle.olcne.pipeline.BranchPattern + +def postBuildOL8 = { + build(job: 'apps/olcne/istio/proxy/' + URLEncoder.encode(env.BRANCH_NAME), + parameters: [ + string(name: "BRANCH_NAME", value: env.BRANCH_NAME), + string(name: "PLATFORM_FILTER", value: 'ol8'), + booleanParam(name: "IS_MUXER_BUILD", value: true) + ], + ) +} + +olcnePipeline( + branchPattern: new BranchPattern(master: 'oracle/release/1.27.2', feature: '(?!^release/.*$)(^.*$)'), + platforms: ['ol8'], + architectures: ['x86_64', 'aarch64'], + yumOL8Repos: ['ol8_appstream', 'ol8_codeready_builder'], + customPlatformStages: [ + customPlatformSteps: [ + ol8: [container: [enabled: false], postBuild: [enabled: false, method: postBuildOL8]], + ], + ], +)
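Review bot: In the deleted publish workflow (the reopen-branch, sync_version_histories, deprecate_guards and create_release_branch jobs), the toolshed actions are pinned at `actions-v0.3.25` in reopen-branch but `actions-v0.3.23` everywhere else, and all of them are pinned by mutable tag, unlike the SHA-plus-comment pins used elsewhere in this patch (`actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`). These jobs run with an app token minted from `ENVOY_CI_PUBLISH_APP_KEY` and push branches and open PRs, so if any copy of this file survives on other branches, align the versions and pin by commit SHA. Also note that on the `release` trigger `inputs.dry-run` is unset, so `${{ ! inputs.dry-run && ' --create-issues' || '' }}` always passes `--create-issues`; a comment saying that is intended would help the next reader.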
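Review bot: Deleting `.github/workflows/envoy-security-check.yml` removes the only job that checks that `workflow_run` completions of "Request" came from the expected repository and event set, and nothing added in this patch (the RPM spec and Jenkinsfile) replaces that enforcement; please state in the change description whether the fork intentionally drops it. If the file is kept on other branches, two points on its body: the job grants `pull-requests: write` to all three matrix entries although only the `comment` action needs it (split it into its own job), and the log and comment steps splice `${{ github.event.workflow_run.event }}`, `${{ github.event.workflow_run.repository.full_name }}` and `${{ github.event.workflow_run.actor.login }}` straight into `run:` shell and into a `github-script` template literal; pass those through `env:` and read them as `$EVENT` / `process.env.EVENT` instead, which is the injection-safe pattern the repo's own CI notes ask for.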
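Review bot: In the deleted `envoy-sync.yml`, both the main sync and `sync-release` jobs gate on `(github.event.push || !contains(github.actor, '[bot]'))`, but `push` is not a key of the push event payload (the parallel `github.event.schedule` used in pr_notifier and stale does exist, as the cron string), so the left operand is always empty and the condition collapses to "actor is not a bot", which silently skips downstream syncs for pushes performed by a bot account. Use `github.event_name == 'push'` for the intended meaning. The `sync-release` job also hardcodes `["main", "release/v1.28", "release/v1.31"]` while always dispatching to `ref: release/v1.28` of envoy-openssl; a comment explaining that the receiving workflow lives only on that branch would save the next maintainer a question.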
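Review bot: In the deleted `pr_notifier.yml`, `SLACK_BOT_TOKEN` is placed in the step environment for every trigger, including `pull_request`, even though that path adds `--dry_run` and the step executes `bazel run --config=ci //tools/repo:notify` from the checked-out PR head. Fork PRs do not receive secrets, but same-repo branch PRs do, so scope the secret to the non-PR case, for example `SLACK_BOT_TOKEN: ${{ github.event_name != 'pull_request' && secrets.SLACK_BOT_TOKEN || '' }}`, so that code under review never runs with a live Slack token.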
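Review bot: In the deleted `request.yml`, the concurrency group `${{ github.head_ref || github.run_id }}-${{ github.workflow }}-request` with `cancel-in-progress: true` keys `pull_request_target` runs on the bare head branch name, which is not unique across forks: two PRs whose head branches are both called, say, `patch-1` share a group and cancel each other's request runs, and anyone can open a PR with a chosen branch name. Key the group on something PR-specific such as `github.event.pull_request.number` (or the head repository full name plus ref) so runs cannot be cancelled from another fork.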
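Review bot: `buildrpm/istio-envoy.spec` has no `%build` or `%install` section and its `%files` list contains only `%license LICENSE`, so the istio-envoy 1.27.2 package produced from this spec ships no proxy binary; if this is deliberate scaffolding for a later change, say so in a comment near `%files`. Two smaller points: `License: Apache License 2.0` should use the SPDX identifier `Apache-2.0`, and `%global _buildhost build-ol%{?oraclelinux}-%{?_arch}.oracle.com` bakes a synthetic build host into the header, which is fine for reproducibility but worth a comment since it no longer identifies the real builder.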
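Review bot: The new `contrib/golang/filters/http/test/test_data/go.sum` contains only `/go.mod` hash lines and no `h1:` content hashes for any module, and the matching `go.mod` is not part of this patch. That is normal for modules that only participate in graph pruning, but any module actually imported by the test code will fail with "missing go.sum entry" under the default `-mod=readonly`; please confirm the test build passes as committed, or run `go mod tidy` in `test_data` and commit the full file so the dependency contents are pinned, not just their go.mod files.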
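Review bot: In `olm/jenkins/ci/Jenkinsfile`, `@Library('olcne-pipeline') _` loads the shared pipeline library without a version, so the build logic executed with the job's credentials is whatever the library's default branch holds at run time; pin it to a tag or commit (`@Library('olcne-pipeline@<tag>') _`) in the same way the Envoy workflows pin actions by SHA. Two more points: `postBuildOL8` is defined but the only place it is referenced has `postBuild: [enabled: false, ...]`, so it is dead code and should be either enabled or dropped; and `URLEncoder.encode(env.BRANCH_NAME)` is the deprecated single-argument form that uses the platform default charset, so use `URLEncoder.encode(env.BRANCH_NAME, 'UTF-8')`.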