diff --git a/.github/actions/do_ci/action.yml b/.github/actions/do_ci/action.yml deleted file mode 100644 index 55275ed22c04..000000000000 --- a/.github/actions/do_ci/action.yml +++ /dev/null @@ -1,75 +0,0 @@ -inputs: - target: - required: true - type: string - rbe: - type: boolean - default: true - managed: - type: boolean - default: true - - auth_bazel_rbe: - type: string - default: '' - - bazel_extra: - type: string - default: - bazel_rbe_jobs: - type: number - default: 75 - - command_prefix: - type: string - default: ./ci/run_envoy_docker.sh - command_ci: - type: string - default: ./ci/do_ci.sh - catch-errors: - type: boolean - default: false - error-match: - type: string - default: | - ERROR - warning-match: - type: string - default: | - WARNING - notice-match: - type: string - default: | - NOTICE - - env: - type: string - - GITHUB_TOKEN: - required: true - -runs: - using: composite - steps: - - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.1.0 - name: 'Run CI target ${{ inputs.target }}' - with: - catch-errors: ${{ inputs.catch-errors }} - container-command: ${{ inputs.command_prefix }} - command-prefix: ${{ inputs.command_ci }} - command: ${{ inputs.target }} - source: ${{ inputs.env }} - error-match: ${{ inputs.error-match }} - notice-match: ${{ inputs.notice-match }} - warning-match: ${{ inputs.warning-match }} - env: - GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }} - ENVOY_DOCKER_BUILD_DIR: ${{ runner.temp }} - ENVOY_RBE: ${{ inputs.rbe != 'false' && 1 || '' }} - GCP_SERVICE_ACCOUNT_KEY: ${{ inputs.rbe && inputs.auth_bazel_rbe || '' }} - BAZEL_BUILD_EXTRA_OPTIONS: >- - --config=remote-ci - ${{ inputs.bazel_extra }} - ${{ inputs.rbe != 'false' && format('--jobs={0}', inputs.bazel_rbe_jobs) || '' }} - BAZEL_FAKE_SCM_REVISION: ${{ github.event_name == 'pull_request' && 'e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9' || '' }} - CI_TARGET_BRANCH: ${{ github.event_name == 'pull_request' && github.event.base.ref || github.ref }} 
diff --git a/.github/actions/publish/release/setup/action.yml b/.github/actions/publish/release/setup/action.yml index 4e0935710d2d..9660078fceb2 100644 --- a/.github/actions/publish/release/setup/action.yml +++ b/.github/actions/publish/release/setup/action.yml @@ -16,7 +16,7 @@ runs: env: REF: ${{ inputs.ref }} shell: bash - - uses: envoyproxy/toolshed/gh-actions/fetch@actions-v0.0.10 + - uses: envoyproxy/toolshed/gh-actions/fetch@actions-v0.1.1 id: fetch with: url: "${{ steps.url.outputs.base }}/release.signed.tar.zst" diff --git a/.github/actions/verify/examples/setup/action.yml b/.github/actions/verify/examples/setup/action.yml index 18f3205721ce..7384eb281d0d 100644 --- a/.github/actions/verify/examples/setup/action.yml +++ b/.github/actions/verify/examples/setup/action.yml @@ -16,15 +16,15 @@ runs: env: REF: ${{ inputs.ref }} shell: bash - - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.0.10 + - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.1.1 with: url: "${{ steps.url.outputs.base }}/envoy.tar" variant: dev - - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.0.10 + - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.1.1 with: url: "${{ steps.url.outputs.base }}/envoy-contrib.tar" variant: contrib-dev - - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.0.10 + - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.1.1 with: url: "${{ steps.url.outputs.base }}/envoy-google-vrp.tar" variant: google-vrp-dev diff --git a/.github/workflows/_ci.yml b/.github/workflows/_ci.yml index 91072b9cd5d3..5c6de10324d0 100644 --- a/.github/workflows/_ci.yml +++ b/.github/workflows/_ci.yml @@ -15,7 +15,9 @@ on: managed: type: boolean default: true - + runs-on: + default: ubuntu-22.04 + type: string auth_bazel_rbe: type: string default: '' 
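Review bot: The new `runs-on` input in `_ci.yml` is declared without a `description`, and it lets each caller choose the runner for a job that is later handed the app key and the RBE service-account key. A line such as `description: Runner label for the do_ci job` would document it. If only GitHub-hosted images are intended, saying so there gives reviewers of calling workflows something to check against.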
@@ -105,7 +107,7 @@ concurrency: jobs: do_ci: if: ${{ ! inputs.skip }} - runs-on: ubuntu-22.04 + runs-on: ${{ inputs.runs-on }} name: ${{ inputs.command_ci }} ${{ inputs.target }} steps: - if: ${{ inputs.cache_build_image }} @@ -114,29 +116,18 @@ jobs: with: image_tag: ${{ inputs.cache_build_image }} - - name: Check workflow context - id: context - run: | - if [[ "${{ inputs.trusted }}" != "false" && -n "${{ secrets.app_id }}" && -n "${{ secrets.app_key }}" ]]; then - echo "use_appauth=true" >> $GITHUB_OUTPUT - fi - - if: ${{ steps.context.outputs.use_appauth == 'true' }} - name: Fetch token for app auth - id: appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.1.1 - with: - app_id: ${{ secrets.app_id }} - key: ${{ secrets.app_key }} - - - uses: actions/checkout@v4 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.1.1 + id: checkout name: Checkout Envoy repository with: - fetch-depth: ${{ ! inputs.trusted && inputs.repo_fetch_depth || 0 }} - # WARNING: This allows untrusted code to run!!! - # If this is set, then anything before or after in the job should be regarded as - # compromised. - ref: ${{ ! inputs.trusted && inputs.repo_ref || '' }} - token: ${{ steps.context.outputs.use_appauth == 'true' && steps.appauth.outputs.token || secrets.GITHUB_TOKEN }} + app_id: ${{ inputs.trusted && secrets.app_id || '' }} + app_key: ${{ inputs.trusted && secrets.app_key || '' }} + config: | + fetch-depth: ${{ ! inputs.trusted && inputs.repo_fetch_depth || 0 }} + # WARNING: This allows untrusted code to run!!! + # If this is set, then anything before or after in the job should be regarded as + # compromised. + ref: ${{ ! inputs.trusted && inputs.repo_ref || github.ref }} # If we are in a trusted CI run then the provided commit _must_ be either the latest for # this branch, or an antecdent. 
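Review bot: The checkout step that now receives `secrets.app_id` and `secrets.app_key` references its action by the tag `actions-v0.1.1`, which can be moved, while the `github/run` step later in this file is pinned to a full commit SHA. Pinning it the same way, `uses: envoyproxy/toolshed/gh-actions/github/checkout@<full-commit-sha>  # actions-v0.1.1` (placeholder SHA), fixes the code that handles the app key to reviewed content. The same tag reference is given the dependency and publish app keys in `envoy-dependency.yml` and `envoy-release.yml`. Separately, the `# WARNING` lines now sit inside the `config: |` block scalar, so they are passed to the action as text; presumably the action parses `config` as YAML and drops them, but that is worth confirming.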
@@ -148,6 +139,7 @@ jobs: git checkout "${{ inputs.repo_ref }}" if: ${{ inputs.trusted }} name: Check provided ref + shell: bash - name: Add safe directory run: git config --global --add safe.directory /__w/envoy/envoy @@ -158,6 +150,7 @@ jobs: echo "disk space at beginning of build:" df -h name: "Check disk space at beginning" + shell: bash - if: ${{ inputs.run_pre }} name: Run pre action ${{ inputs.run_pre && format('({0})', inputs.run_pre) || '' }} 
@@ -166,23 +159,28 @@ jobs: uses: ${{ inputs.run_pre }} with: ${{ inputs.run_pre_with }} - - uses: ./.github/actions/do_ci - name: Do CI + - uses: envoyproxy/toolshed/gh-actions/github/run@5a3993152f00cc3f7c364d97b2a339fff606b0fc + name: 'Run CI target ${{ inputs.target }}' with: - target: ${{ inputs.target }} - rbe: ${{ inputs.rbe }} - managed: ${{ inputs.managed }} - auth_bazel_rbe: ${{ inputs.auth_bazel_rbe }} - bazel_extra: ${{ inputs.bazel_extra }} - bazel_rbe_jobs: ${{ inputs.bazel_rbe_jobs }} - command_prefix: ${{ inputs.command_prefix }} - command_ci: ${{ inputs.command_ci }} catch-errors: ${{ inputs.catch-errors }} + container-command: ${{ inputs.command_prefix }} + command-prefix: ${{ inputs.command_ci }} + command: ${{ inputs.target }} + source: ${{ inputs.env }} error-match: ${{ inputs.error-match }} notice-match: ${{ inputs.notice-match }} warning-match: ${{ inputs.warning-match }} - env: ${{ inputs.env }} - GITHUB_TOKEN: ${{ steps.context.outputs.use_appauth == 'true' && steps.appauth.outputs.token || secrets.GITHUB_TOKEN }} + env: + GITHUB_TOKEN: ${{ steps.checkout.outputs.token != '' && steps.checkout.outputs.token || secrets.GITHUB_TOKEN }} + ENVOY_DOCKER_BUILD_DIR: ${{ runner.temp }} + ENVOY_RBE: ${{ inputs.rbe != 'false' && 1 || '' }} + GCP_SERVICE_ACCOUNT_KEY: ${{ inputs.rbe && inputs.auth_bazel_rbe || '' }} + BAZEL_BUILD_EXTRA_OPTIONS: >- + --config=remote-ci + ${{ inputs.bazel_extra }} + ${{ inputs.rbe != 'false' && format('--jobs={0}', inputs.bazel_rbe_jobs) || '' }} + BAZEL_FAKE_SCM_REVISION: ${{ github.event_name == 'pull_request' && 'e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9' || '' }} + CI_TARGET_BRANCH: ${{ github.event_name == 'pull_request' && github.event.base.ref || github.ref }} - if: ${{ inputs.run_post }} name: Run post action ${{ inputs.run_pre && format('({0})', inputs.run_post) || '' }} @@ -197,3 +195,4 @@ jobs: echo du -ch "${{ runner.temp }}" | grep -E "[0-9]{2,}M|[0-9]G" name: "Check disk space at end" + shell: bash 
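Review bot: `inputs.rbe != 'false'` in `ENVOY_RBE` and in the `--jobs` line of `BAZEL_BUILD_EXTRA_OPTIONS` was written for the composite action, where every input arrives as a string. In a reusable workflow a `type: boolean` input stays a boolean, and comparing it with the string `'false'` coerces both sides to numbers (`'false'` becomes NaN), so the test is true for either value. The declaration of `rbe` is not in this hunk, so confirm its type. If it is boolean, `ENVOY_RBE: ${{ inputs.rbe && 1 || '' }}` and `${{ inputs.rbe && format('--jobs={0}', inputs.bazel_rbe_jobs) || '' }}` match the truthiness test already used for `GCP_SERVICE_ACCOUNT_KEY`.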
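Review bot: With `shell: bash` set explicitly, the final `du -ch … | grep -E …` pipeline in the "Check disk space at end" step runs under `pipefail`, which GitHub's implicit default shell (`bash -e {0}`) does not enable. A non-zero exit from `du`, for example on files under `runner.temp` it cannot read, would now fail the job at its last step, where before only `grep`'s status counted. If that is not intended, `{ du -ch "${{ runner.temp }}" || true; } | grep -E "[0-9]{2,}M|[0-9]G"` keeps the previous behaviour. The step starts outside this hunk.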
diff --git a/.github/workflows/envoy-dependency.yml b/.github/workflows/envoy-dependency.yml index 5cb84a473b8c..facb70d4499c 100644 --- a/.github/workflows/envoy-dependency.yml +++ b/.github/workflows/envoy-dependency.yml @@ -95,18 +95,15 @@ jobs: name: Update build image (PR) runs-on: ubuntu-22.04 steps: - - name: Fetch token for app auth - id: appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.1.1 - with: - app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} - key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - - uses: actions/checkout@v4 + - uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.1.1 + id: checkout name: Checkout Envoy repository with: - path: envoy - fetch-depth: 0 - token: ${{ steps.appauth.outputs.token }} + config: | + path: envoy + fetch-depth: 0 + app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} + app_key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} - uses: actions/checkout@v4 name: Checkout Envoy build tools repository with: @@ -178,5 +175,5 @@ jobs: Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}> title: 'deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`' - GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} + GITHUB_TOKEN: ${{ steps.checkout.outputs.token }} working-directory: envoy diff --git a/.github/workflows/envoy-prechecks.yml b/.github/workflows/envoy-prechecks.yml index 142f55f93a9d..856a1187cdb3 100644 --- a/.github/workflows/envoy-prechecks.yml +++ b/.github/workflows/envoy-prechecks.yml @@ -16,7 +16,6 @@ on: - 'WORKSPACE' - '.github/workflows/envoy-prechecks.yml' - '.github/workflows/_*.yml' - - '.github/actions/do_ci/action.yml' concurrency: group: ${{ github.event.inputs.head_ref || github.run_id }}-${{ github.workflow }} diff --git a/.github/workflows/envoy-release.yml b/.github/workflows/envoy-release.yml index a266e23eeb5c..256bf633ac14 100644 --- a/.github/workflows/envoy-release.yml +++ b/.github/workflows/envoy-release.yml 
@@ -59,6 +59,8 @@ jobs: with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} app_key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} + committer-name: ${{ env.COMMITTER_NAME }} + committer-email: ${{ env.COMMITTER_EMAIL }} - run: | if [[ ! -s "changelogs/summary.md" ]]; then if [[ "${{ inputs.summary }}" == "false" ]]; then @@ -68,6 +70,9 @@ jobs: echo "::error::Changelog summary (changelogs/summary.md) is empty!" exit 1 fi + COMMITTER=$(git log -n 1 --format='%an <%ae>' -- changelogs/summary.md) + echo "committer=${COMMITTER}" >> $GITHUB_OUTPUT + id: changelog name: Check changelog summary - run: | BRANCHNAME="${GITHUB_REF_NAME#release/}" 
@@ -82,28 +87,30 @@ jobs: uses: envoyproxy/toolshed/gh-actions/email/validate@actions-v0.1.1 with: email: ${{ inputs.author }} + - uses: envoyproxy/toolshed/gh-actions/github/run@ffa33da04ea0b9528f666a49ff2f336fedf9fca4 + name: Create release + with: + source: | + BAZEL_ARGS=(--) + BAZEL_RUN_ARGS=(--config=ci) + if [[ -n "${{ inputs.author }}" ]]; then + BAZEL_ARGS+=( + "--release-author=${{ inputs.author }}" + "--signoff=${{ steps.changelog.outputs.committer }}") + else + BAZEL_ARGS+=("--release-author=${{ steps.changelog.outputs.committer }}") + fi + command: >- + bazel + run + "${BAZEL_RUN_ARGS[@]}" + @envoy_repo//:release + "${BAZEL_ARGS[@]}" - run: | - git config --global user.name ${{ env.COMMITTER_NAME }} - git config --global user.email ${{ env.COMMITTER_EMAIL }} - name: Configure committer - - run: | - BAZEL_ARGS=(-- -l debug -v debug) - BAZEL_RUN_ARGS=(--config=ci) - CHANGELOG_COMMITTER="$(git log -n 1 --format="%an <%ae>" -- changelogs/summary.md)" - if [[ -n "$AUTHOR" ]]; then - BAZEL_ARGS+=( - --release-author="${AUTHOR}" - --release-signoff="${CHANGELOG_COMMITTER}") - else - BAZEL_ARGS+=(--release-author="${CHANGELOG_COMMITTER}") - fi - bazel run "${BAZEL_RUN_ARGS[@]}" @envoy_repo//:release "${BAZEL_ARGS[@]}" VERSION=$(cat VERSION.txt) echo "version=v${VERSION}" >> $GITHUB_OUTPUT - name: Create release + name: Release version id: release - env: - AUTHOR: ${{ inputs.author }} - name: Create a PR uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.1.1 with: @@ -134,6 +141,8 @@ jobs: with: app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} app_key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} + committer-name: ${{ env.COMMITTER_NAME }} + committer-email: ${{ env.COMMITTER_EMAIL }} - run: | BRANCHNAME="${GITHUB_REF_NAME#release/}" echo "name=${BRANCHNAME}" >> $GITHUB_OUTPUT 
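Review bot: The new "Create release" step expands `${{ inputs.author }}` and `${{ steps.changelog.outputs.committer }}` directly into the bash text in `source`, whereas the removed step passed the author through `env: AUTHOR` and read the committer into a shell variable. The committer value comes from `git log --format='%an <%ae>'` in the `changelog` step, so it is whatever name the author of the last `changelogs/summary.md` commit chose. A quote or `$(…)` in that name would be parsed as script in a job that holds the publish app key. The email validation step constrains `inputs.author` at most, not the committer. Passing both through step-level `env:`, as the `github/run` step in `_ci.yml` already does for its variables, keeps them as data, assuming the action runs `source` with the step's environment.

```yaml
        with:
          source: |
            # … unchanged: BAZEL_ARGS / BAZEL_RUN_ARGS initialisation …
            if [[ -n "$AUTHOR" ]]; then
                BAZEL_ARGS+=(
                    "--release-author=${AUTHOR}"
                    "--signoff=${CHANGELOG_COMMITTER}")
            else
                BAZEL_ARGS+=("--release-author=${CHANGELOG_COMMITTER}")
            fi
          # … unchanged: command …
        env:
          AUTHOR: ${{ inputs.author }}
          CHANGELOG_COMMITTER: ${{ steps.changelog.outputs.committer }}
```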
@@ -142,16 +151,19 @@ jobs: id: branch env: GITHUB_REF_NAME: ${{ github.ref_name }} - - run: | - git config --global user.name ${{ env.COMMITTER_NAME }} - git config --global user.email ${{ env.COMMITTER_NAME }} - name: Configure committer - - run: | - bazel run --config=ci @envoy_repo//:sync + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.1.1 name: Sync version histories + with: + command: >- + bazel + run + --config=ci @envoy_repo//:sync + -- + --signoff="${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>" - name: Create a PR uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.1.1 with: + append-commit-message: true base: ${{ github.ref_name }} commit: false body: | @@ -178,23 +190,18 @@ jobs: if: github.event_name == 'release' && endsWith(github.ref, '.0') name: Create release branch steps: - - name: Fetch token for app auth - id: appauth - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.1.1 - with: - app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} - key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} - name: Checkout repository - uses: actions/checkout@v4 + uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.1.1 with: - token: ${{ steps.appauth.outputs.token }} + app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }} + app_key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }} + committer-name: ${{ env.COMMITTER_NAME }} + committer-email: ${{ env.COMMITTER_EMAIL }} - name: Create release branch run: | version="$(cut -d- -f1 < VERSION.txt | cut -d. -f-2)" release_branch="release/v${version}" commit_sha="$(git rev-parse HEAD)" - git config --global user.name "${{ env.COMMITTER_NAME }}" - git config --global user.email "${{ env.COMMITTER_EMAIL }}" echo "Creating ${release_branch} from ${commit_sha}" git checkout -b "$release_branch" bazel run @envoy_repo//:dev -- --patch diff --git a/tools/base/requirements.in b/tools/base/requirements.in index 160e6f0af407..c13d3a06eee0 100644 --- a/tools/base/requirements.in +++ b/tools/base/requirements.in 
@@ -10,7 +10,7 @@ colorama coloredlogs cryptography>=41.0.1 dependatool>=0.2.2 -envoy.base.utils>=0.4.27 +envoy.base.utils>=0.5.0 envoy.code.check>=0.5.8 envoy.dependency.check>=0.1.10 envoy.distribution.release>=0.0.9