github/ci: Assorted cleanups

.github/actions/publish/release/setup/action.yml

@@ -16,7 +16,7 @@ runs:
     env:
       REF: ${{ inputs.ref }}
     shell: bash
-  - uses: envoyproxy/toolshed/gh-actions/fetch@actions-v0.0.10
+  - uses: envoyproxy/toolshed/gh-actions/fetch@actions-v0.1.1
     id: fetch
     with:
       url: "${{ steps.url.outputs.base }}/release.signed.tar.zst"

.github/actions/verify/examples/setup/action.yml

@@ -16,15 +16,15 @@ runs:
     env:
       REF: ${{ inputs.ref }}
     shell: bash
-  - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.0.10
+  - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.1.1
     with:
       url: "${{ steps.url.outputs.base }}/envoy.tar"
       variant: dev
-  - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.0.10
+  - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.1.1
     with:
       url: "${{ steps.url.outputs.base }}/envoy-contrib.tar"
       variant: contrib-dev
-  - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.0.10
+  - uses: envoyproxy/toolshed/gh-actions/docker/fetch@actions-v0.1.1
     with:
       url: "${{ steps.url.outputs.base }}/envoy-google-vrp.tar"
       variant: google-vrp-dev

.github/workflows/_ci.yml

@@ -15,7 +15,9 @@ on:
       managed:
         type: boolean
         default: true
-
+      runs-on:
+        default: ubuntu-22.04
+        type: string
       auth_bazel_rbe:
         type: string
         default: ''
@@ -105,7 +107,7 @@ concurrency:
 jobs:
   do_ci:
     if: ${{ ! inputs.skip }}
-    runs-on: ubuntu-22.04
+    runs-on: ${{ inputs.runs-on }}
     name: ${{ inputs.command_ci }} ${{ inputs.target }}
     steps:
     - if: ${{ inputs.cache_build_image }}
@@ -114,29 +116,18 @@ jobs:
       with:
         image_tag: ${{ inputs.cache_build_image }}
 
-    - name: Check workflow context
-      id: context
-      run: |
-        if [[ "${{ inputs.trusted }}" != "false" && -n "${{ secrets.app_id }}" && -n "${{ secrets.app_key }}" ]]; then
-            echo "use_appauth=true" >> $GITHUB_OUTPUT
-        fi
-    - if: ${{ steps.context.outputs.use_appauth == 'true' }}
-      name: Fetch token for app auth
-      id: appauth
-      uses: envoyproxy/toolshed/gh-actions/[email protected]
-      with:
-        app_id: ${{ secrets.app_id }}
-        key: ${{ secrets.app_key }}
-
-    - uses: actions/checkout@v4
+    - uses: envoyproxy/toolshed/gh-actions/github/[email protected]
+      id: checkout
       name: Checkout Envoy repository
       with:
-        fetch-depth: ${{ ! inputs.trusted && inputs.repo_fetch_depth || 0 }}
-        # WARNING: This allows untrusted code to run!!!
-        #  If this is set, then anything before or after in the job should be regarded as
-        #  compromised.
-        ref: ${{ ! inputs.trusted && inputs.repo_ref || '' }}
-        token: ${{ steps.context.outputs.use_appauth == 'true' && steps.appauth.outputs.token || secrets.GITHUB_TOKEN }}
+        app_id: ${{ inputs.trusted && secrets.app_id || '' }}
+        app_key: ${{ inputs.trusted && secrets.app_key || '' }}
+        config: |
+          fetch-depth: ${{ ! inputs.trusted && inputs.repo_fetch_depth || 0 }}
+          # WARNING: This allows untrusted code to run!!!
+          #  If this is set, then anything before or after in the job should be regarded as
+          #  compromised.
+          ref: ${{ ! inputs.trusted && inputs.repo_ref || github.ref }}
 
     # If we are in a trusted CI run then the provided commit _must_ be either the latest for
     # this branch, or an antecdent.
@@ -148,6 +139,7 @@ jobs:
         git checkout "${{ inputs.repo_ref }}"
       if: ${{ inputs.trusted }}
       name: Check provided ref
+      shell: bash
 
     - name: Add safe directory
       run: git config --global --add safe.directory /__w/envoy/envoy
@@ -158,6 +150,7 @@ jobs:
         echo "disk space at beginning of build:"
         df -h
       name: "Check disk space at beginning"
+      shell: bash
 
     - if: ${{ inputs.run_pre }}
       name: Run pre action ${{ inputs.run_pre && format('({0})', inputs.run_pre) || '' }}
@@ -166,23 +159,28 @@ jobs:
         uses: ${{ inputs.run_pre }}
         with: ${{ inputs.run_pre_with }}
 
-    - uses: ./.github/actions/do_ci
-      name: Do CI
+    - uses: envoyproxy/toolshed/gh-actions/github/run@5a3993152f00cc3f7c364d97b2a339fff606b0fc
+      name: 'Run CI target ${{ inputs.target }}'
       with:
-        target: ${{ inputs.target }}
-        rbe: ${{ inputs.rbe }}
-        managed: ${{ inputs.managed }}
-        auth_bazel_rbe: ${{ inputs.auth_bazel_rbe }}
-        bazel_extra: ${{ inputs.bazel_extra }}
-        bazel_rbe_jobs: ${{ inputs.bazel_rbe_jobs }}
-        command_prefix: ${{ inputs.command_prefix }}
-        command_ci: ${{ inputs.command_ci }}
         catch-errors: ${{ inputs.catch-errors }}
+        container-command: ${{ inputs.command_prefix }}
+        command-prefix: ${{ inputs.command_ci }}
+        command: ${{ inputs.target }}
+        source: ${{ inputs.env }}
         error-match: ${{ inputs.error-match }}
         notice-match: ${{ inputs.notice-match }}
         warning-match: ${{ inputs.warning-match }}
-        env: ${{ inputs.env }}
-        GITHUB_TOKEN: ${{ steps.context.outputs.use_appauth == 'true' && steps.appauth.outputs.token || secrets.GITHUB_TOKEN }}
+      env:
+        GITHUB_TOKEN: ${{ steps.checkout.outputs.token != '' && steps.checkout.outputs.token || secrets.GITHUB_TOKEN }}
+        ENVOY_DOCKER_BUILD_DIR: ${{ runner.temp }}
+        ENVOY_RBE: ${{ inputs.rbe != 'false' && 1 || '' }}
+        GCP_SERVICE_ACCOUNT_KEY: ${{ inputs.rbe && inputs.auth_bazel_rbe || '' }}
+        BAZEL_BUILD_EXTRA_OPTIONS: >-
+          --config=remote-ci
+          ${{ inputs.bazel_extra }}
+          ${{ inputs.rbe != 'false' && format('--jobs={0}', inputs.bazel_rbe_jobs) || '' }}
+        BAZEL_FAKE_SCM_REVISION: ${{ github.event_name == 'pull_request' && 'e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9' || '' }}
+        CI_TARGET_BRANCH: ${{ github.event_name == 'pull_request' && github.event.base.ref || github.ref }}
 
     - if: ${{ inputs.run_post }}
       name: Run post action ${{ inputs.run_pre && format('({0})', inputs.run_post) || '' }}
@@ -197,3 +195,4 @@ jobs:
         echo
         du -ch "${{ runner.temp }}" | grep -E "[0-9]{2,}M|[0-9]G"
       name: "Check disk space at end"
+      shell: bash

.github/workflows/envoy-dependency.yml

@@ -95,18 +95,15 @@ jobs:
     name: Update build image (PR)
     runs-on: ubuntu-22.04
     steps:
-    - name: Fetch token for app auth
-      id: appauth
-      uses: envoyproxy/toolshed/gh-actions/[email protected]
-      with:
-        app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }}
-        key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }}
-    - uses: actions/checkout@v4
+    - uses: envoyproxy/toolshed/gh-actions/github/[email protected]
+      id: checkout
       name: Checkout Envoy repository
       with:
-        path: envoy
-        fetch-depth: 0
-        token: ${{ steps.appauth.outputs.token }}
+        config: |
+          path: envoy
+          fetch-depth: 0
+        app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }}
+        app_key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }}
     - uses: actions/checkout@v4
       name: Checkout Envoy build tools repository
       with:
@@ -178,5 +175,5 @@ jobs:
 
           Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>
         title: 'deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`'
-        GITHUB_TOKEN: ${{ steps.appauth.outputs.token }}
+        GITHUB_TOKEN: ${{ steps.checkout.outputs.token }}
         working-directory: envoy

.github/workflows/envoy-prechecks.yml

@@ -16,7 +16,6 @@ on:
     - 'WORKSPACE'
     - '.github/workflows/envoy-prechecks.yml'
     - '.github/workflows/_*.yml'
-    - '.github/actions/do_ci/action.yml'
 
 concurrency:
   group: ${{ github.event.inputs.head_ref || github.run_id }}-${{ github.workflow }}

.github/workflows/envoy-release.yml

@@ -59,6 +59,8 @@ jobs:
       with:
         app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }}
         app_key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }}
+        committer-name: ${{ env.COMMITTER_NAME }}
+        committer-email: ${{ env.COMMITTER_EMAIL }}
     - run: |
         if [[ ! -s "changelogs/summary.md" ]]; then
             if [[ "${{ inputs.summary }}" == "false" ]]; then
@@ -68,6 +70,9 @@ jobs:
             echo "::error::Changelog summary (changelogs/summary.md) is empty!"
             exit 1
         fi
+        COMMITTER=$(git log -n 1 --format='%an <%ae>' -- changelogs/summary.md)
+        echo "committer=${COMMITTER}" >> $GITHUB_OUTPUT
+      id: changelog
       name: Check changelog summary
     - run: |
         BRANCHNAME="${GITHUB_REF_NAME#release/}"
@@ -82,28 +87,30 @@ jobs:
       uses: envoyproxy/toolshed/gh-actions/email/[email protected]
       with:
         email: ${{ inputs.author }}
+    - uses: envoyproxy/toolshed/gh-actions/github/run@ffa33da04ea0b9528f666a49ff2f336fedf9fca4
+      name: Create release
+      with:
+        source: |
+          BAZEL_ARGS=(--)
+          BAZEL_RUN_ARGS=(--config=ci)
+          if [[ -n "${{ inputs.author }}" ]]; then
+              BAZEL_ARGS+=(
+                  "--release-author=${{ inputs.author }}"
+                  "--signoff=${{ steps.changelog.outputs.committer }}")
+          else
+              BAZEL_ARGS+=("--release-author=${{ steps.changelog.outputs.committer }}")
+          fi
+        command: >-
+          bazel
+          run
+          "${BAZEL_RUN_ARGS[@]}"
+          @envoy_repo//:release
+          "${BAZEL_ARGS[@]}"
     - run: |
-        git config --global user.name ${{ env.COMMITTER_NAME }}
-        git config --global user.email ${{ env.COMMITTER_EMAIL }}
-      name: Configure committer
-    - run: |
-        BAZEL_ARGS=(-- -l debug -v debug)
-        BAZEL_RUN_ARGS=(--config=ci)
-        CHANGELOG_COMMITTER="$(git log -n 1 --format="%an <%ae>" -- changelogs/summary.md)"
-        if [[ -n "$AUTHOR" ]]; then
-            BAZEL_ARGS+=(
-                --release-author="${AUTHOR}"
-                --release-signoff="${CHANGELOG_COMMITTER}")
-        else
-            BAZEL_ARGS+=(--release-author="${CHANGELOG_COMMITTER}")
-        fi
-        bazel run "${BAZEL_RUN_ARGS[@]}" @envoy_repo//:release "${BAZEL_ARGS[@]}"
         VERSION=$(cat VERSION.txt)
         echo "version=v${VERSION}" >> $GITHUB_OUTPUT
-      name: Create release
+      name: Release version
       id: release
-      env:
-        AUTHOR: ${{ inputs.author }}
     - name: Create a PR
       uses: envoyproxy/toolshed/gh-actions/github/[email protected]
       with:
@@ -134,6 +141,8 @@ jobs:
       with:
         app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }}
         app_key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }}
+        committer-name: ${{ env.COMMITTER_NAME }}
+        committer-email: ${{ env.COMMITTER_EMAIL }}
     - run: |
         BRANCHNAME="${GITHUB_REF_NAME#release/}"
         echo "name=${BRANCHNAME}" >> $GITHUB_OUTPUT
@@ -142,16 +151,19 @@ jobs:
       id: branch
       env:
         GITHUB_REF_NAME: ${{ github.ref_name }}
-    - run: |
-        git config --global user.name ${{ env.COMMITTER_NAME }}
-        git config --global user.email ${{ env.COMMITTER_NAME }}
-      name: Configure committer
-    - run: |
-        bazel run --config=ci @envoy_repo//:sync
+    - uses: envoyproxy/toolshed/gh-actions/github/[email protected]
       name: Sync version histories
+      with:
+        command: >-
+          bazel
+          run
+          --config=ci @envoy_repo//:sync
+          --
+          --signoff="${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>"
     - name: Create a PR
       uses: envoyproxy/toolshed/gh-actions/github/[email protected]
       with:
+        append-commit-message: true
         base: ${{ github.ref_name }}
         commit: false
         body: |
@@ -178,23 +190,18 @@ jobs:
     if: github.event_name == 'release' && endsWith(github.ref, '.0')
     name: Create release branch
     steps:
-    - name: Fetch token for app auth
-      id: appauth
-      uses: envoyproxy/toolshed/gh-actions/[email protected]
-      with:
-        app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }}
-        key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }}
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.1.1
       with:
-        token: ${{ steps.appauth.outputs.token }}
+        app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }}
+        app_key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }}
+        committer-name: ${{ env.COMMITTER_NAME }}
+        committer-email: ${{ env.COMMITTER_EMAIL }}
     - name: Create release branch
       run: |
         version="$(cut -d- -f1 < VERSION.txt | cut -d. -f-2)"
         release_branch="release/v${version}"
         commit_sha="$(git rev-parse HEAD)"
-        git config --global user.name "${{ env.COMMITTER_NAME }}"
-        git config --global user.email "${{ env.COMMITTER_EMAIL }}"
         echo "Creating ${release_branch} from ${commit_sha}"
         git checkout -b "$release_branch"
         bazel run @envoy_repo//:dev -- --patch