Update Envoy and dependencies (istio#4)

jwendell · Sep 27, 2024 · 9b04a14 · 9b04a14
1 parent 6b01f59
commit 9b04a14
Show file tree

Hide file tree

Showing 486 changed files with 1,733 additions and 29,572 deletions.
diff --git a/WORKSPACE b/WORKSPACE
@@ -21,7 +21,7 @@ load("//bazel:repositories.bzl", "define_envoy_implementation")
 # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz`
 # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed.
 #
-# Commit date: 09/06/24
+# Commit date: 09/26/24
 ENVOY_SHA = "210816523a0d71fda4cce7a3635e29ae7ea02615"
 
 ENVOY_SHA256 = "ac110c1de3ec048a99fe2bb14af94ddbd0c83e44882342d7d8b1cf3a3327772c"
@@ -30,8 +30,8 @@ ENVOY_ORG = "envoyproxy"
 
 ENVOY_REPO = "envoy"
 
-OPENSSL_ENVOY_SHA = "d4d677ddca38c5d3bff3dddcd0237d6f05f673a0"
-OPENSSL_ENVOY_SHA256 = "88b6be3623e500aff1065f039a22e531ae519f141743989ff0afd271299e0225"
+OPENSSL_ENVOY_SHA = "ad678813863651e2eaf169df518acdd148acf6ae"
+OPENSSL_ENVOY_SHA256 = "d245d1d7d6b65d44a662ce9d52fefd75a091d56aa37822638545229f19400a5d"
 OPENSSL_ENVOY_ORG = "envoyproxy"
 OPENSSL_ENVOY_REPO = "envoy-openssl"
 

diff --git a/ossm/vendor/base_pip3/aiohappyeyeballs/BUILD.bazel b/ossm/vendor/base_pip3/aiohappyeyeballs/BUILD.bazel
@@ -0,0 +1,28 @@
+load("@bazel_skylib//lib:selects.bzl", "selects")
+
+package(default_visibility = ["//visibility:public"])
+
+alias(
+    name = "aiohappyeyeballs",
+    actual = ":pkg",
+)
+
+alias(
+    name = "pkg",
+    actual = "@base_pip3_aiohappyeyeballs//:pkg",
+)
+
+alias(
+    name = "whl",
+    actual = "@base_pip3_aiohappyeyeballs//:whl",
+)
+
+alias(
+    name = "data",
+    actual = "@base_pip3_aiohappyeyeballs//:data",
+)
+
+alias(
+    name = "dist_info",
+    actual = "@base_pip3_aiohappyeyeballs//:dist_info",
+)
diff --git a/ossm/vendor/base_pip3/requirements.bzl b/ossm/vendor/base_pip3/requirements.bzl
diff --git a/ossm/vendor/envoy/.azure-pipelines/pipelines.yml b/ossm/vendor/envoy/.azure-pipelines/pipelines.yml
@@ -3,9 +3,6 @@ trigger:
     include:
     - "main"
     - "release/v*"
-  tags:
-    include:
-    - "v*"
 
 
 # PR build config is manually overridden in Azure pipelines UI with different secrets

diff --git a/ossm/vendor/envoy/.azure-pipelines/stage/prechecks.yml b/ossm/vendor/envoy/.azure-pipelines/stage/prechecks.yml
@@ -15,6 +15,15 @@ parameters:
 - name: authGCP
   type: string
   default: ""
+- name: authGithubWorkflow
+  type: string
+  default: ""
+- name: authGithubWorkflowAppId
+  type: string
+  default: ""
+- name: authGithubWorkflowInstallId
+  type: string
+  default: ""
 - name: authGPGPassphrase
   type: string
   default: ""
@@ -34,6 +43,11 @@ parameters:
   type: string
   default: true
 
+- name: publishGithubRelease
+  displayName: "Publish Github release"
+  type: string
+  default: false
+
 # Timeout/s
 - name: timeoutPrechecks
   type: number
@@ -219,10 +233,51 @@ jobs:
   #  https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
   condition: |
     and(
-      eq(variables['Build.Reason'], 'PullRequest'),
       in(dependencies.prechecks.result, 'Succeeded', 'SucceededWithIssues', 'Skipped'),
+      in(dependencies.precheck_release_x64.result, 'Succeeded', 'SucceededWithIssues', 'Skipped'),
       in(dependencies.precheck_release_arm64.result, 'Succeeded', 'SucceededWithIssues', 'Skipped'))
   steps:
-  - checkout: none
+  - task: DownloadSecureFile@1
+    name: WorkflowTriggerKey
+    displayName: 'Download workflow trigger key'
+    inputs:
+      secureFile: '${{ parameters.authGithubWorkflow }}'
   - bash: |
-      echo "Prechecked"
+      set -e
+      KEY="$(cat $(WorkflowTriggerKey.secureFilePath) | base64 -w0)"
+      echo "##vso[task.setvariable variable=value;isoutput=true]$KEY"
+    name: key
+  - template: ../ci.yml
+    parameters:
+      ciTarget: verify.trigger
+      cacheName: verify-trigger
+      authGithub: "$(key.value)"
+      cacheVersion: $(cacheKeyBazel)
+      publishEnvoy: false
+      publishTestResults: false
+      env:
+        ENVOY_REPO: $(Build.Repository.Name)
+        ${{ if eq(variables['Build.Reason'], 'PullRequest') }}:
+          ENVOY_HEAD_REF: "$(Build.SourceBranch)"
+          ENVOY_BRANCH: "$(System.PullRequest.TargetBranch)"
+          ENVOY_COMMIT: "$(System.PullRequest.SourceCommitId)"
+        ${{ if ne(variables['Build.Reason'], 'PullRequest') }}:
+          ENVOY_HEAD_REF: "$(Build.SourceBranchName)"
+          ENVOY_BRANCH: "$(Build.SourceBranch)"
+        # github auth
+        GITHUB_APP_ID: ${{ parameters.authGithubWorkflowAppId }}
+        GITHUB_INSTALL_ID: ${{ parameters.authGithubWorkflowInstallId }}
+        # rbe env
+        GCS_ARTIFACT_BUCKET: ${{ parameters.bucketGCP }}
+      stepsPre:
+      - bash: |
+          set -e
+          if [[ "$BUILD_REASON" == "PullRequest" ]]; then
+              DOWNLOAD_PATH="$(git rev-parse HEAD | head -c7)"
+          else
+              DOWNLOAD_PATH="${SYSTEM_PULLREQUEST_PULLREQUESTNUMBER:-${BUILD_SOURCEBRANCHNAME}}"
+          fi
+          curl -sLO "https://storage.googleapis.com/${{ parameters.bucketGCP }}/${DOWNLOAD_PATH}/release/release.signed.tar.zst"
+          mkdir -p $(Build.StagingDirectory)/release.signed
+          mv release.signed.tar.zst $(Build.StagingDirectory)/release.signed
+        displayName: Fetch signed release