Merge branch 'main' of github-agrawroh:envoyproxy/envoy into feat-dm-bts-11

Author: agrawroh

.github/config.yml

@@ -110,6 +110,7 @@ checks:
     - precheck-external
     - precheck-format
     - precheck-publish
+    - precheck-publish-config
     required: true
     # yamllint disable rule:line-length
     advice:
@@ -358,6 +359,9 @@ run:
   precheck-publish:
     paths:
     - "**/*"
+  precheck-publish-config:
+    paths:
+    - "**/*"
   release:
     paths:
     - .bazelrc

.github/workflows/_check_coverage.yml

@@ -24,8 +24,6 @@ concurrency:
 
 jobs:
   coverage:
-    secrets:
-      gcp-key: ${{ secrets.gcp-key }}
     permissions:
       actions: read
       contents: read
@@ -45,26 +43,68 @@ jobs:
       rbe: true
       request: ${{ inputs.request }}
       runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }}
-      steps-post: |
-        - uses: envoyproxy/toolshed/actions/gcs/artefact/sync@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1
-          with:
-            bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }}
-            path: generated/${{ matrix.target }}/html
-            path-upload: ${{ matrix.target }}
-            sha: ${{ fromJSON(inputs.request).request.sha }}
-            redirect: >-
-              ${{ vars.GCS_ARTIFACT_PREFIX
-                  && format('{0}-', vars.GCS_ARTIFACT_PREFIX)
-              }}${{ fromJSON(inputs.request).request.pr
-                    || fromJSON(inputs.request).request.target-branch }}
+      steps-post: ${{ matrix.steps-post }}
       target: ${{ matrix.target }}
       timeout-minutes: 180
+      upload-name: ${{ matrix.target }}
+      upload-path: generated/${{ matrix.target }}/html
       trusted: ${{ inputs.trusted }}
     strategy:
       fail-fast: false
       matrix:
         include:
         - target: coverage
           name: Coverage
+          upload-name: coverage
+          upload-path: generated/coverage/html
+          steps-post: |
+            - uses: envoyproxy/toolshed/actions/jq@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1
+              with:
+                output-path: generated/coverage/html/gcs-metadata.json
+                input-format: yaml
+                input: |
+                  bucket: ${{
+                    inputs.trusted
+                    && vars.GCS_ARTIFACT_BUCKET_POST
+                    || vars.GCS_ARTIFACT_BUCKET_PRE }}
+                  sha: ${{ fromJSON(inputs.request).request.sha }}
+                  path_upload: coverage
+                  redirect: ${{
+                    vars.GCS_ARTIFACT_PREFIX && format('{0}-', vars.GCS_ARTIFACT_PREFIX)
+                    }}${{ fromJSON(inputs.request).request.pr
+                          || fromJSON(inputs.request).request.target-branch }}
+            - shell: bash
+              run: |
+                ln -sf %{{ github.workspace }}/generated %{{ runner.temp }}/generated
         - target: fuzz_coverage
           name: Fuzz coverage
+          steps-post: |
+            - uses: envoyproxy/toolshed/actions/jq@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1
+              with:
+                output-path: generated/fuzz_coverage/html/gcs-metadata.json
+                input-format: yaml
+                input: |
+                  bucket: ${{
+                    inputs.trusted
+                    && vars.GCS_ARTIFACT_BUCKET_POST
+                    || vars.GCS_ARTIFACT_BUCKET_PRE }}
+                  sha: ${{ fromJSON(inputs.request).request.sha }}
+                  path_upload: fuzz_coverage
+                  redirect: ${{
+                    vars.GCS_ARTIFACT_PREFIX && format('{0}-', vars.GCS_ARTIFACT_PREFIX)
+                    }}${{ fromJSON(inputs.request).request.pr
+                          || fromJSON(inputs.request).request.target-branch }}
+            - shell: bash
+              run: |
+                ln -sf %{{ github.workspace }}/generated %{{ runner.temp }}/generated
+
+  upload:
+    secrets:
+      gcp-key: ${{ secrets.gcp-key }}
+    if: >-
+      !cancelled()
+    needs: coverage
+    uses: ./.github/workflows/_upload_gcs.yml
+    with:
+      artifacts: |
+        ["coverage", "fuzz_coverage"]

.github/workflows/_precheck_publish.yml

@@ -23,8 +23,6 @@ concurrency:
 
 jobs:
   publish:
-    secrets:
-      gcp-key: ${{ secrets.gcp-key }}
     permissions:
       actions: read
       contents: read
@@ -47,10 +45,13 @@ jobs:
         ERROR
         error:
         Error:
+      skip: ${{ matrix.skip != false && true || false }}
       steps-post: ${{ matrix.steps-post }}
       target: ${{ matrix.target }}
       target-suffix: ${{ matrix.target-suffix }}
       trusted: ${{ inputs.trusted }}
+      upload-name: ${{ matrix.upload-name }}
+      upload-path: ${{ matrix.upload-path }}
     strategy:
       fail-fast: false
       matrix:
@@ -72,6 +73,7 @@ jobs:
           bazel-cache: true
           bazel-cache-output-base: docs
           rbe: true
+          skip: ${{ ! fromJSON(inputs.request).run.precheck-publish-config }}
         - target: docs
           name: Docs
           bazel-cache: true
@@ -80,15 +82,35 @@ jobs:
             --config=rbe
             --config=docs-ci
           rbe: true
+          upload-name: docs
+          upload-path: generated/docs
           steps-post: |
-            - uses: envoyproxy/toolshed/actions/gcs/artefact/sync@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1
+            - uses: envoyproxy/toolshed/actions/jq@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1
               with:
-                bucket: ${{ inputs.trusted && vars.GCS_ARTIFACT_BUCKET_POST || vars.GCS_ARTIFACT_BUCKET_PRE }}
-                path: generated/docs
-                path-upload: docs
-                sha: ${{ fromJSON(inputs.request).request.sha }}
-                redirect: >-
-                  ${{ vars.GCS_ARTIFACT_PREFIX
-                      && format('{0}-', vars.GCS_ARTIFACT_PREFIX)
-                  }}${{ fromJSON(inputs.request).request.pr
-                        || fromJSON(inputs.request).request.target-branch }}
+                output-path: generated/docs/gcs-metadata.json
+                input-format: yaml
+                input: |
+                  bucket: ${{
+                    inputs.trusted
+                    && vars.GCS_ARTIFACT_BUCKET_POST
+                    || vars.GCS_ARTIFACT_BUCKET_PRE }}
+                  sha: ${{ fromJSON(inputs.request).request.sha }}
+                  path_upload: docs
+                  redirect: ${{
+                    vars.GCS_ARTIFACT_PREFIX && format('{0}-', vars.GCS_ARTIFACT_PREFIX)
+                    }}${{ fromJSON(inputs.request).request.pr
+                          || fromJSON(inputs.request).request.target-branch }}
+            - shell: bash
+              run: |
+                ln -sf %{{ github.workspace }}/generated %{{ runner.temp }}/generated
+
+  upload:
+    secrets:
+      gcp-key: ${{ secrets.gcp-key }}
+    if: >-
+      !cancelled()
+    needs: publish
+    uses: ./.github/workflows/_upload_gcs.yml
+    with:
+      artifacts: |
+        ["docs"]

.github/workflows/_publish_release_container.yml

@@ -141,8 +141,17 @@ jobs:
       with:
         input-format: yaml
         filter: >-
-          {manifests: .}
+          .version as $v
+          | {manifests:
+              [.manifests[]
+               | select(
+                   (.tag | test("contrib-distroless") | not)
+                   or ($v.major > 1 or ($v.major == 1 and $v.minor >= 37)))]}
         input: |
+          version:
+            major: ${{ inputs.version-major }}
+            minor: ${{ inputs.version-minor }}
+          manifests:
           - name: ${{ inputs.dockerhub-repo }}
             tag: v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }}
             registry: docker.io/envoyproxy

.github/workflows/_request.yml

@@ -202,6 +202,18 @@ jobs:
           docker:
             x64: ${{ steps.cache-exists-docker-x64.outputs.cache-hit || 'false' }}
             arm64: ${{ steps.cache-exists-docker-arm64.outputs.cache-hit || 'false' }}
+          target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }}
+        filter: |
+          .["target-branch"] as $branch
+          | if ($branch | test("^release/v[0-9]+\\.[0-9]+$")) then
+              ($branch | sub("^release/v"; "") + ".0") as $version_str
+              | ($version_str | utils::version) as $version
+              | if ($version.major < 1 or ($version.major == 1 and $version.minor <= 37)) then
+                  .bazel["docs-x64"] = "skip"
+                  | .bazel["external-x64"] = "skip"
+                else . end
+            else . end
+          | del(.["target-branch"])
 
   cache:
     permissions:

.github/workflows/_request_cache.yml

@@ -52,7 +52,7 @@ jobs:
     secrets:
       app-id: ${{ secrets.app-id }}
       app-key: ${{ secrets.app-key }}
-    name: ${{ matrix.name || matrix.target }}
+    name: ${{ matrix.name }}
     uses: ./.github/workflows/_request_cache_bazel.yml
     with:
       arch: ${{ matrix.arch || 'x64' }}

.github/workflows/_request_cache_bazel.yml

@@ -55,7 +55,8 @@ jobs:
       ${{
         (inputs.output-base == 'base'
          && ! fromJSON(inputs.caches).bazel[inputs.arch])
-        || ! fromJSON(inputs.caches).bazel[format('{0}-{1}', inputs.output-base, inputs.arch)]
+        || (inputs.output-base != 'base'
+            && ! fromJSON(inputs.caches).bazel[format('{0}-{1}', inputs.output-base, inputs.arch)])
       }}
     steps:
     - uses: envoyproxy/toolshed/actions/bind-mounts@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1

.github/workflows/_run.yml

@@ -8,11 +8,8 @@ on:
     secrets:
       app-id:
       app-key:
-      dockerhub-password:
-      gcp-key:
       gpg-key:
       gpg-key-password:
-      rbe-key:
       ssh-key:
       ssh-key-extra:
     inputs:
@@ -376,12 +373,6 @@ jobs:
       name: Configure PR Bazel settings
       if: >-
         ${{ fromJSON(inputs.request).request.pr != '' }}
-    - uses: envoyproxy/toolshed/actions/gcp/setup@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1
-      name: Setup GCP (artefacts)
-      id: gcp
-      with:
-        key: ${{ secrets.gcp-key }}
-        key-copy: ${{ inputs.rbe-google && runner.temp || '' }}
     - run: |
         echo "${{ vars.ENVOY_CI_BAZELRC }}" > repo.bazelrc
       if: ${{ vars.ENVOY_CI_BAZELRC }}
@@ -423,11 +414,8 @@ jobs:
         working-directory: ${{ inputs.working-directory }}
       env:
         GITHUB_TOKEN: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }}
-        DOCKERHUB_USERNAME: ${{ inputs.dockerhub-username }}
-        DOCKERHUB_PASSWORD: ${{ secrets.dockerhub-password }}
         ENVOY_DOCKER_BUILD_DIR: ${{ runner.temp }}/container
         ENVOY_RBE: ${{ inputs.rbe == true && 1 || '' }}
-        RBE_KEY: ${{ secrets.rbe-key }}
         BAZEL_BUILD_EXTRA_OPTIONS: >-
           ${{ env.BAZEL_BUILD_EXTRA_OPTIONS }}
           --config=remote-ci

.github/workflows/_upload_gcs.yml

@@ -0,0 +1,48 @@
+name: Upload to GCS
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    secrets:
+      gcp-key:
+        required: true
+    inputs:
+      artifacts:
+        description: JSON array of artifacts to upload to GCS
+        type: string
+        required: true
+
+
+jobs:
+  upload:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        artifact: ${{ fromJSON(inputs.artifacts) }}
+    steps:
+    - uses: actions/download-artifact@v4.1.3
+      with:
+        name: ${{ matrix.artifact }}
+        path: ${{ matrix.artifact }}
+    - uses: envoyproxy/toolshed/actions/jq@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1
+      id: metadata
+      with:
+        input: ${{ matrix.artifact }}/gcs-metadata.json
+        input-format: json-path
+    - run: |
+        rm -rf ${{ matrix.artifact }}/gcs-metadata.json
+    - uses: envoyproxy/toolshed/actions/gcp/setup@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1
+      with:
+        key: ${{ secrets.gcp-key }}
+    - uses: envoyproxy/toolshed/actions/gcs/artefact/sync@35f9bcf37d0ceaedea0250da014348ce4bdf8d35  # v0.4.1
+      with:
+        bucket: ${{ fromJSON(steps.metadata.outputs.value).bucket }}
+        path: ${{ matrix.artifact }}
+        path-upload: ${{ matrix.artifact }}
+        sha: ${{ fromJSON(steps.metadata.outputs.value).sha }}
+        redirect: ${{ fromJSON(steps.metadata.outputs.value).redirect }}

.github/workflows/request.yml

@@ -28,7 +28,31 @@ concurrency:
 
 
 jobs:
+  # Envoy (and mirror repos) have an environment setup that requires maintainer approval
+  # to use it. This CI checks if the request is from a first-time contributor, and in that
+  # case it uses the environment and requires the permission to proceed.
+  authorize:
+    if: >-
+      ${{ github.repository == 'envoyproxy/envoy'
+          || (vars.ENVOY_CI && github.event_name != 'schedule')
+          || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }}
+    runs-on: ubuntu-24.04
+    environment: >-
+      ${{ github.event_name == 'pull_request_target'
+          && github.event.pull_request.author_association != 'MEMBER'
+          && github.event.pull_request.author_association != 'COLLABORATOR'
+          && github.event.pull_request.author_association != 'CONTRIBUTOR'
+          && github.event.pull_request.author_association != 'OWNER'
+          && 'external-contributors'
+          || '' }}
+    steps:
+    - run: |
+        echo "Authorized"
+        echo "  Event: ${{ github.event_name }}"
+        echo "  Author association: ${{ github.event.pull_request.author_association }}"
+
   request:
+    needs: authorize
     permissions:
       actions: write
       contents: read