diff --git a/.github/workflows/build-envoy-image-ci.yaml b/.github/workflows/build-envoy-image-ci.yaml index 9c9f49b63..8b44c34ca 100644 --- a/.github/workflows/build-envoy-image-ci.yaml +++ b/.github/workflows/build-envoy-image-ci.yaml @@ -1,7 +1,7 @@ name: CI Build & Push on: pull_request_target: - types: [opened, synchronize, reopened] + types: [ opened, synchronize, reopened ] permissions: # To be able to access the repository with `actions/checkout` 
@@ -15,126 +15,126 @@ jobs: name: Build and push multi-arch images runs-on: ubuntu-latest-64-cores-256gb steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - - - name: Cache Docker layers - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 - with: - path: /tmp/buildx-cache - key: docker-cache-${{ github.head_ref }} - restore-keys: docker-cache-main - - - name: Login to quay.io - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }} - password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }} - - - name: Checkout PR - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ github.event.pull_request.head.sha }} - persist-credentials: false - - - name: Prep for build - run: | - echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION - echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV - echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV - echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV - - - name: Checking if cilium-envoy-builder image exists - id: cilium-builder-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: PR Multi-arch build & push of Builder image (dev) - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' - id: docker_build_builder_ci - with: - provenance: false - context: . 
- file: ./Dockerfile.builder - platforms: linux/amd64,linux/arm64 - push: true - tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} - - - name: CI Builder Image Digest - if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' - shell: bash - run: | - echo "Digests:" - echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}" - - - name: PR Multi-arch build & push of cilium-envoy - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - id: docker_build_ci - with: - provenance: false - context: . - file: ./Dockerfile - platforms: linux/amd64,linux/arm64 - build-args: | - BUILDER_BASE=quay.io/cilium/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} - ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest - BAZEL_BUILD_OPTS=--remote_upload_local_results=false - cache-from: type=local,src=/tmp/buildx-cache - cache-to: type=local,dest=/tmp/buildx-cache,mode=max - push: true - tags: quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} - - - name: Install Cosign - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - - - name: Sign Container Image - run: | - cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }} - - - name: Install Bom - shell: bash - env: - # renovate: datasource=github-releases depName=kubernetes-sigs/bom - BOM_VERSION: v0.6.0 - run: | - curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom - sudo mv ./bom /usr/local/bin/bom - sudo chmod +x /usr/local/bin/bom - - - name: Generate SBOM - shell: bash - # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed - run: | - bom generate -o 
sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} - - - name: Attach SBOM to container images - run: | - cosign attach sbom --sbom sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }} - - - name: Sign SBOM Image - run: | - docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}" - image_name="quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${docker_build_ci_digest/:/-}.sbom" - docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${docker_build_ci_sbom_digest}" - - - name: Envoy binary version check - shell: bash - run: | - envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} cilium-envoy --version) - expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} | sed 's/^v//') - echo ${envoy_version} - [[ "${envoy_version}" == *"${{ github.event.pull_request.head.sha }}/$expected_version"* ]] - - - name: CI Image Digest - shell: bash - run: | - echo "Digests:" - echo "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}@${{ steps.docker_build_ci.outputs.digest }}" + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + + - name: Cache Docker layers + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + with: + path: /tmp/buildx-cache + key: docker-cache-${{ github.head_ref }} + restore-keys: docker-cache-main + + - name: Login to quay.io + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: quay.io + username: ${{ 
secrets.QUAY_ENVOY_USERNAME_DEV }} + password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }} + + - name: Checkout PR + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false + + - name: Prep for build + run: | + echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION + echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV + echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV + echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV + + - name: Checking if cilium-envoy-builder image exists + id: cilium-builder-tag-in-repositories + shell: bash + run: | + if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then + echo exists="true" >> $GITHUB_OUTPUT + else + echo exists="false" >> $GITHUB_OUTPUT + fi + + - name: PR Multi-arch build & push of Builder image (dev) + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' + id: docker_build_builder_ci + with: + provenance: false + context: . 
+ file: ./Dockerfile.builder + platforms: linux/amd64,linux/arm64 + push: true + tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} + + - name: CI Builder Image Digest + if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' + shell: bash + run: | + echo "Digests:" + echo "quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }}@${{ steps.docker_build_builder_ci.outputs.digest }}" + + - name: PR Multi-arch build & push of cilium-envoy + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + id: docker_build_ci + with: + provenance: false + context: . + file: ./Dockerfile + platforms: linux/amd64,linux/arm64 + build-args: | + BUILDER_BASE=quay.io/cilium/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} + ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ github.base_ref }}-archive-latest + BAZEL_BUILD_OPTS=--remote_upload_local_results=false + cache-from: type=local,src=/tmp/buildx-cache + cache-to: type=local,dest=/tmp/buildx-cache,mode=max + push: true + tags: quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} + + - name: Install Cosign + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + + - name: Sign Container Image + run: | + cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }} + + - name: Install Bom + shell: bash + env: + # renovate: datasource=github-releases depName=kubernetes-sigs/bom + BOM_VERSION: v0.6.0 + run: | + curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom + sudo mv ./bom /usr/local/bin/bom + sudo chmod +x /usr/local/bin/bom + + - name: Generate SBOM + shell: bash + # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed + run: | + bom 
generate -o sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} + + - name: Attach SBOM to container images + run: | + cosign attach sbom --sbom sbom_cilium-envoy_${{ github.event.pull_request.head.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${{ steps.docker_build_ci.outputs.digest }} + + - name: Sign SBOM Image + run: | + docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}" + image_name="quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${docker_build_ci_digest/:/-}.sbom" + docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" + cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy-dev@${docker_build_ci_sbom_digest}" + + - name: Envoy binary version check + shell: bash + run: | + envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }} cilium-envoy --version) + expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} | sed 's/^v//') + echo ${envoy_version} + [[ "${envoy_version}" == *"${{ github.event.pull_request.head.sha }}/$expected_version"* ]] + + - name: CI Image Digest + shell: bash + run: | + echo "Digests:" + echo "quay.io/${{ github.repository_owner }}/cilium-envoy-dev:${{ github.event.pull_request.head.sha }}@${{ steps.docker_build_ci.outputs.digest }}" diff --git a/.github/workflows/build-envoy-images-release.yaml b/.github/workflows/build-envoy-images-release.yaml index 8f8c41992..df5bfe513 100644 --- a/.github/workflows/build-envoy-images-release.yaml +++ b/.github/workflows/build-envoy-images-release.yaml @@ -2,7 +2,7 @@ name: Refresh test & build cache & build latest on: push: branches: - - main + - v1.30 permissions: # To be able to access the repository with `actions/checkout` 
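Review bot: `restore-keys: docker-cache-main` in the "Cache Docker layers" step no longer matches the key the release workflow in this same commit writes (`docker-cache-${{ github.ref_name }}`, i.e. `docker-cache-v1.30`), so PR builds against the branch restore nothing and start cold; the two files are evidently meant to pair the way `ARCHIVE_IMAGE` now does with `${{ github.base_ref }}-archive-latest`, so `restore-keys: docker-cache-${{ github.base_ref }}` keeps them aligned. The `${{ github.base_ref }}-archive-latest` archive is only published by the release workflow's push builds, so the first PR against a freshly cut branch presumably finds no archive until that workflow has run once; a comment on the build-args line such as `# ARCHIVE_IMAGE is published by build-envoy-images-release.yaml on push to the base branch` would make the dependency visible. The hardcoded `quay.io/cilium/` owner in `BUILDER_BASE` is pre-existing but differs from the `${{ github.repository_owner }}` used for the builder tag pushed a few lines above, which only coincide when the workflow runs in the upstream repository.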
@@ -16,236 +16,235 @@ jobs: name: Build test cache and push images runs-on: ubuntu-latest-64-cores-256gb steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - - - name: Login to quay.io - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_ENVOY_USERNAME }} - password: ${{ secrets.QUAY_ENVOY_PASSWORD }} - - - name: Checkout source - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Prep for build - run: | - echo "${{ github.sha }}" >SOURCE_VERSION - echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV - echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV - echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder.tests | awk '{ print $3 }')" >> $GITHUB_ENV - - - name: Checking if cilium-envoy-builder:test image exists - id: cilium-builder-test-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Multi-arch build & push of Builder image (test) - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - if: steps.cilium-builder-test-tag-in-repositories.outputs.exists == 'false' - id: docker_build_builder_test - with: - provenance: false - context: . 
- file: ./Dockerfile.builder.tests - platforms: linux/amd64,linux/arm64 - push: true - tags: | - quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BUILDER_DOCKER_HASH }} - quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-latest - - - name: Multi-arch update integration test archive - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - id: docker_tests_ci_build - with: - context: . - file: ./Dockerfile.tests - target: builder-archive - platforms: linux/amd64,linux/arm64 - build-args: | - BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BUILDER_DOCKER_HASH }} - ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest - COPY_CACHE_EXT=.new - BAZEL_BUILD_OPTS="--jobs=HOST_CPUS*.75" - BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3 - push: true - tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest - - - name: Cache Docker layers - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 - with: - path: /tmp/buildx-cache - key: docker-cache-tests - - - name: Clear cache - run: rm -rf /tmp/buildx-cache/* - - - name: Run integration tests on amd64 to update docker cache - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - id: docker_tests_ci_cache_update - with: - provenance: false - context: . 
- file: ./Dockerfile.tests - platforms: linux/amd64 - build-args: | - BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BUILDER_DOCKER_HASH }} - ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest - BAZEL_BUILD_OPTS=--remote_upload_local_results=false - BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3 - cache-to: type=local,dest=/tmp/buildx-cache,mode=max - push: true - tags: quay.io/${{ github.repository_owner }}/cilium-envoy:latest-testlogs + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + + - name: Login to quay.io + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_ENVOY_USERNAME }} + password: ${{ secrets.QUAY_ENVOY_PASSWORD }} + + - name: Checkout source + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Prep for build + run: | + echo "${{ github.sha }}" >SOURCE_VERSION + echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV + echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV + echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder.tests | awk '{ print $3 }')" >> $GITHUB_ENV + + - name: Checking if cilium-envoy-builder:test image exists + id: cilium-builder-test-tag-in-repositories + shell: bash + run: | + if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then + echo exists="true" >> $GITHUB_OUTPUT + else + echo exists="false" >> $GITHUB_OUTPUT + fi + + - name: Multi-arch build & push of Builder image (test) + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + 
if: steps.cilium-builder-test-tag-in-repositories.outputs.exists == 'false' + id: docker_build_builder_test + with: + provenance: false + context: . + file: ./Dockerfile.builder.tests + platforms: linux/amd64,linux/arm64 + push: true + tags: | + quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BUILDER_DOCKER_HASH }} + quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ github.base_ref }} + + - name: Multi-arch update integration test archive + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + id: docker_tests_ci_build + with: + context: . + file: ./Dockerfile.tests + target: builder-archive + platforms: linux/amd64,linux/arm64 + build-args: | + BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BUILDER_DOCKER_HASH }} + ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest + COPY_CACHE_EXT=.new + BAZEL_BUILD_OPTS="--jobs=HOST_CPUS*.75" + BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3 + push: true + tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ github.ref_name }}-archive-latest + + - name: Cache Docker layers + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + with: + path: /tmp/buildx-cache + key: docker-cache-tests-${{ github.ref_name }} + + - name: Clear cache + run: rm -rf /tmp/buildx-cache/* + + - name: Run integration tests on amd64 to update docker cache + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + id: docker_tests_ci_cache_update + with: + provenance: false + context: . 
+ file: ./Dockerfile.tests + platforms: linux/amd64 + build-args: | + BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ env.BUILDER_DOCKER_HASH }} + ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest + BAZEL_BUILD_OPTS=--remote_upload_local_results=false + BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3 + cache-to: type=local,dest=/tmp/buildx-cache,mode=max + push: true + tags: quay.io/${{ github.repository_owner }}/cilium-envoy:latest-testlogs build-cache-and-push-images: timeout-minutes: 360 name: Build cache and push images runs-on: ubuntu-latest-64-cores-256gb steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - - - name: Login to quay.io - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_ENVOY_USERNAME }} - password: ${{ secrets.QUAY_ENVOY_PASSWORD }} - - - name: Checkout source - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Prep for build - run: | - echo "${{ github.sha }}" >SOURCE_VERSION - echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> $GITHUB_ENV - echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV - echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV - echo "SOURCE_TIMESTAMP=$(git log -1 --pretty=format:"%ct" .)" >> $GITHUB_ENV - - - name: Checking if cilium-envoy-builder image exists - id: cilium-builder-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - 
fi - - - name: Multi-arch build & push of Builder image - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' - id: docker_build_builder - with: - provenance: false - context: . - file: ./Dockerfile.builder - platforms: linux/amd64,linux/arm64 - push: true - tags: | - quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BUILDER_DOCKER_HASH }} - quay.io/${{ github.repository_owner }}/cilium-envoy-builder:latest - - name: Multi-arch build & push of build artifact archive - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - with: - context: . - file: ./Dockerfile - target: builder-archive - platforms: linux/amd64,linux/arm64 - build-args: | - BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BUILDER_DOCKER_HASH }} - ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest - COPY_CACHE_EXT=.new - BAZEL_BUILD_OPTS="--jobs=HOST_CPUS*.75" - push: true - tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest - - - name: Cache Docker layers - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 - with: - path: /tmp/buildx-cache - key: docker-cache-main - - - name: Clear cache - run: | - rm -rf /tmp/buildx-cache/* - docker buildx prune -f - - - name: Multi-arch build & push main latest - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - id: docker_build_cd - with: - provenance: false - context: . 
- file: ./Dockerfile - platforms: linux/amd64,linux/arm64 - build-args: | - BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BUILDER_DOCKER_HASH }} - BAZEL_BUILD_OPTS=--remote_upload_local_results=false - ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest - cache-to: type=local,dest=/tmp/buildx-cache,mode=max - push: true - tags: | - quay.io/${{ github.repository_owner }}/cilium-envoy:latest - quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }} - quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_MINOR_RELEASE }}-${{ github.sha }} - quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ github.sha }} - quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ env.SOURCE_TIMESTAMP }}-${{ github.sha }} - - - name: Install Cosign - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - - - name: Sign Container Image - run: | - cosign sign -y quay.io/${{ github.repository_owner }}/cilium-envoy@${{ steps.docker_build_cd.outputs.digest }} - - - name: Install Bom - shell: bash - env: - # renovate: datasource=github-releases depName=kubernetes-sigs/bom - BOM_VERSION: v0.6.0 - run: | - curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom - sudo mv ./bom /usr/local/bin/bom - sudo chmod +x /usr/local/bin/bom - - - name: Generate SBOM - shell: bash - run: | - bom generate -o sbom_cilium-envoy_${{ github.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }} - - - name: Attach SBOM to container images - run: | - cosign attach sbom --sbom sbom_cilium-envoy_${{ github.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy@${{ steps.docker_build_cd.outputs.digest }} - - - name: Sign SBOM Image - run: | - docker_build_cd_digest="${{ steps.docker_build_cd.outputs.digest }}" 
- image_name="quay.io/${{ github.repository_owner }}/cilium-envoy:${docker_build_cd_digest/:/-}.sbom" - docker_build_cd_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy@${docker_build_cd_sbom_digest}" - - - name: Envoy binary version check - shell: bash - run: | - envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }} cilium-envoy --version) - expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} | sed 's/^v//') - echo ${envoy_version} - [[ "${envoy_version}" == *"${{ github.sha }}/$expected_version"* ]] - - - name: Release Image Digest - shell: bash - run: | - echo "Digests:" - echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}" - echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_MINOR_RELEASE }}-${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}" - echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}" - echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ env.SOURCE_TIMESTAMP }}-${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}" + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + + - name: Login to quay.io + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_ENVOY_USERNAME }} + password: ${{ secrets.QUAY_ENVOY_PASSWORD }} + + - name: Checkout source + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Prep for build + run: | + echo "${{ github.sha }}" >SOURCE_VERSION + echo "ENVOY_MINOR_RELEASE=$(cat ENVOY_VERSION | sed 's/envoy-\([0-9]\+\.[0-9]\+\)\..*/v\1/')" >> 
$GITHUB_ENV + echo "ENVOY_PATCH_RELEASE=$(cat ENVOY_VERSION | sed 's/^envoy-\([0-9]\+\.[0-9]\+\.[0-9]\+$\)/v\1/')" >> $GITHUB_ENV + echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV + echo "SOURCE_TIMESTAMP=$(git log -1 --pretty=format:"%ct" .)" >> $GITHUB_ENV + + - name: Checking if cilium-envoy-builder image exists + id: cilium-builder-tag-in-repositories + shell: bash + run: | + if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then + echo exists="true" >> $GITHUB_OUTPUT + else + echo exists="false" >> $GITHUB_OUTPUT + fi + + - name: Multi-arch build & push of Builder image + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + if: steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' + id: docker_build_builder + with: + provenance: false + context: . + file: ./Dockerfile.builder + platforms: linux/amd64,linux/arm64 + push: true + tags: | + quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BUILDER_DOCKER_HASH }} + quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ github.base_ref }} + - name: Multi-arch build & push of build artifact archive + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + with: + context: . 
+ file: ./Dockerfile + target: builder-archive + platforms: linux/amd64,linux/arm64 + build-args: | + BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BUILDER_DOCKER_HASH }} + ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest + COPY_CACHE_EXT=.new + BAZEL_BUILD_OPTS="--jobs=HOST_CPUS*.75" + push: true + tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ github.ref_name }}-archive-latest + + - name: Cache Docker layers + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + with: + path: /tmp/buildx-cache + key: docker-cache-${{ github.ref_name }} + + - name: Clear cache + run: | + rm -rf /tmp/buildx-cache/* + docker buildx prune -f + + - name: Multi-arch build & push ${{ github.ref_name }} latest + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + id: docker_build_cd + with: + provenance: false + context: . + file: ./Dockerfile + platforms: linux/amd64,linux/arm64 + build-args: | + BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ env.BUILDER_DOCKER_HASH }} + BAZEL_BUILD_OPTS=--remote_upload_local_results=false + ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:main-archive-latest + cache-to: type=local,dest=/tmp/buildx-cache,mode=max + push: true + tags: | + quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }} + quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_MINOR_RELEASE }}-${{ github.sha }} + quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ github.sha }} + quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ env.SOURCE_TIMESTAMP }}-${{ github.sha }} + + - name: Install Cosign + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + + - name: Sign Container Image + run: | + cosign sign -y quay.io/${{ github.repository_owner 
}}/cilium-envoy@${{ steps.docker_build_cd.outputs.digest }} + + - name: Install Bom + shell: bash + env: + # renovate: datasource=github-releases depName=kubernetes-sigs/bom + BOM_VERSION: v0.6.0 + run: | + curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom + sudo mv ./bom /usr/local/bin/bom + sudo chmod +x /usr/local/bin/bom + + - name: Generate SBOM + shell: bash + run: | + bom generate -o sbom_cilium-envoy_${{ github.sha }}.spdx --format=json --image=quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }} + + - name: Attach SBOM to container images + run: | + cosign attach sbom --sbom sbom_cilium-envoy_${{ github.sha }}.spdx quay.io/${{ github.repository_owner }}/cilium-envoy@${{ steps.docker_build_cd.outputs.digest }} + + - name: Sign SBOM Image + run: | + docker_build_cd_digest="${{ steps.docker_build_cd.outputs.digest }}" + image_name="quay.io/${{ github.repository_owner }}/cilium-envoy:${docker_build_cd_digest/:/-}.sbom" + docker_build_cd_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" + cosign sign -y "quay.io/${{ github.repository_owner }}/cilium-envoy@${docker_build_cd_sbom_digest}" + + - name: Envoy binary version check + shell: bash + run: | + envoy_version=$(docker run --rm quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }} cilium-envoy --version) + expected_version=$(echo ${{ env.ENVOY_PATCH_RELEASE }} | sed 's/^v//') + echo ${envoy_version} + [[ "${envoy_version}" == *"${{ github.sha }}/$expected_version"* ]] + + - name: Release Image Digest + shell: bash + run: | + echo "Digests:" + echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}" + echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_MINOR_RELEASE }}-${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}" + echo "quay.io/${{ github.repository_owner 
}}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}" + echo "quay.io/${{ github.repository_owner }}/cilium-envoy:${{ env.ENVOY_PATCH_RELEASE }}-${{ env.SOURCE_TIMESTAMP }}-${{ github.sha }}@${{ steps.docker_build_cd.outputs.digest }}" diff --git a/.github/workflows/ci-check-format.yaml b/.github/workflows/ci-check-format.yaml index bb296457d..cd590bc32 100644 --- a/.github/workflows/ci-check-format.yaml +++ b/.github/workflows/ci-check-format.yaml @@ -1,7 +1,7 @@ name: CI check format on: pull_request_target: - types: [opened, synchronize, reopened] + types: [ opened, synchronize, reopened ] # By specifying the access of one of the scopes, all of those that are not specified are set to 'none'. permissions: 
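Review bot: `${{ github.base_ref }}` in the two builder tags (`cilium-envoy-builder:test-${{ github.base_ref }}` in the test job and `cilium-envoy-builder:${{ github.base_ref }}` in the build job) is empty for the `push` event this workflow runs on, because `base_ref` is only populated for pull-request events; the first silently publishes a `test-` tag and the second produces a reference with an empty tag that the build-push step will most likely reject. Every other new tag in this hunk uses `${{ github.ref_name }}`, so these should read `quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-${{ github.ref_name }}` and `quay.io/${{ github.repository_owner }}/cilium-envoy-builder:${{ github.ref_name }}`. Separately, the `ARCHIVE_IMAGE` build-args in all four build steps still point at `test-main-archive-latest` / `main-archive-latest` while the archives this workflow now pushes are tagged `${{ github.ref_name }}-archive-latest`; if `ARCHIVE_IMAGE` is what the Dockerfiles consume as their cache seed (not visible here), the branch keeps reading main's archive and never its own. The hunk covers both jobs in full.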
@@ -14,45 +14,45 @@ jobs: name: Check source format runs-on: ubuntu-latest steps: - - name: Checkout PR Source Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ github.event.pull_request.head.sha }} - persist-credentials: false + - name: Checkout PR Source Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - - name: Prep for build - run: | - echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION - echo "ENVOY_VERSION=$(cat ENVOY_VERSION)" >> $GITHUB_ENV - echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV + - name: Prep for build + run: | + echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION + echo "ENVOY_VERSION=$(cat ENVOY_VERSION)" >> $GITHUB_ENV + echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder | awk '{ print $3 }')" >> $GITHUB_ENV - - name: Wait for cilium-envoy-builder to be available - timeout-minutes: 45 - shell: bash - run: until docker manifest inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &> /dev/null; do sleep 15s; done + - name: Wait for cilium-envoy-builder to be available + timeout-minutes: 45 + shell: bash + run: until docker manifest inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} &> /dev/null; do sleep 15s; done - - name: Check format - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - id: docker_format_ciak - with: - target: format - provenance: false - context: . 
- file: ./Dockerfile - platforms: linux/amd64 - outputs: type=local,dest=check-format-results - build-args: | - BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} - cache-from: type=local,src=/tmp/buildx-cache - push: false + - name: Check format + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + id: docker_format_ciak + with: + target: format + provenance: false + context: . + file: ./Dockerfile + platforms: linux/amd64 + outputs: type=local,dest=check-format-results + build-args: | + BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:${{ env.BUILDER_DOCKER_HASH }} + cache-from: type=local,src=/tmp/buildx-cache + push: false - - name: Check for failure - run: '! grep "^Format check failed" check-format-results/format-output.txt' + - name: Check for failure + run: '! grep "^Format check failed" check-format-results/format-output.txt' - - name: Upload Format results - if: failure() - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 - with: - name: check-format-results - path: check-format-results/format-output.txt - retention-days: 5 + - name: Upload Format results + if: failure() + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: check-format-results + path: check-format-results/format-output.txt + retention-days: 5 diff --git a/.github/workflows/ci-tests.yaml b/.github/workflows/ci-tests.yaml index ca75c9c24..533c7431f 100644 --- a/.github/workflows/ci-tests.yaml +++ b/.github/workflows/ci-tests.yaml @@ -1,7 +1,7 @@ name: CI run integration tests on: pull_request_target: - types: [opened, synchronize, reopened] + types: [ opened, synchronize, reopened ] # By specifying the access of one of the scopes, all of those that are not specified are set to 'none'. permissions: 
@@ -37,69 +37,69 @@ jobs: name: Run integration tests on amd64 runs-on: ubuntu-latest-64-cores-256gb steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - - name: Login to quay.io - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }} - password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }} + - name: Login to quay.io + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_ENVOY_USERNAME_DEV }} + password: ${{ secrets.QUAY_ENVOY_PASSWORD_DEV }} - - name: Cache Docker layers - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 - with: - path: /tmp/buildx-cache - key: docker-cache-tests - restore-keys: docker-cache-main + - name: Cache Docker layers + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + with: + path: /tmp/buildx-cache + key: docker-cache-tests + restore-keys: docker-cache-main - - name: Checkout PR Source Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ github.event.pull_request.head.sha }} - persist-credentials: false + - name: Checkout PR Source Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - - name: Prep for build - run: | - echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION - echo "ENVOY_VERSION=$(cat ENVOY_VERSION)" >> $GITHUB_ENV - echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder.tests | awk '{ print $3 }')" >> $GITHUB_ENV + - name: Prep for build + run: | + echo "${{ github.event.pull_request.head.sha }}" >SOURCE_VERSION + echo 
"ENVOY_VERSION=$(cat ENVOY_VERSION)" >> $GITHUB_ENV + echo "BUILDER_DOCKER_HASH=$(git ls-tree --full-tree HEAD -- ./Dockerfile.builder.tests | awk '{ print $3 }')" >> $GITHUB_ENV - - name: Checking if cilium-envoy-builder image exists - id: cilium-builder-tests-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:test-${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi + - name: Checking if cilium-envoy-builder image exists + id: cilium-builder-tests-tag-in-repositories + shell: bash + run: | + if docker buildx imagetools inspect quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:test-${{ env.BUILDER_DOCKER_HASH }} &>/dev/null; then + echo exists="true" >> $GITHUB_OUTPUT + else + echo exists="false" >> $GITHUB_OUTPUT + fi - - name: PR Multi-arch build & push of Builder image (dev) - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - if: steps.cilium-builder-tests-tag-in-repositories.outputs.exists == 'false' - id: docker_build_builder_tests_ci - with: - provenance: false - context: . - file: ./Dockerfile.builder.tests - platforms: linux/amd64,linux/arm64 - push: true - tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:test-${{ env.BUILDER_DOCKER_HASH }} + - name: PR Multi-arch build & push of Builder image (dev) + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + if: steps.cilium-builder-tests-tag-in-repositories.outputs.exists == 'false' + id: docker_build_builder_tests_ci + with: + provenance: false + context: . 
+ file: ./Dockerfile.builder.tests + platforms: linux/amd64,linux/arm64 + push: true + tags: quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:test-${{ env.BUILDER_DOCKER_HASH }} - - name: Run integration tests on amd64 - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 - id: docker_tests_ci - with: - provenance: false - context: . - file: ./Dockerfile.tests - platforms: linux/amd64 - build-args: | - BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:test-${{ env.BUILDER_DOCKER_HASH }} - ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest - BAZEL_BUILD_OPTS=--remote_upload_local_results=false - BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3 - cache-from: type=local,src=/tmp/buildx-cache - push: false + - name: Run integration tests on amd64 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + id: docker_tests_ci + with: + provenance: false + context: . + file: ./Dockerfile.tests + platforms: linux/amd64 + build-args: | + BUILDER_BASE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder-dev:test-${{ env.BUILDER_DOCKER_HASH }} + ARCHIVE_IMAGE=quay.io/${{ github.repository_owner }}/cilium-envoy-builder:test-main-archive-latest + BAZEL_BUILD_OPTS=--remote_upload_local_results=false + BAZEL_TEST_OPTS=--test_timeout=300 --local_test_jobs=1 --flaky_test_attempts=3 + cache-from: type=local,src=/tmp/buildx-cache + push: false diff --git a/.github/workflows/cilium-integration-tests.yaml b/.github/workflows/cilium-integration-tests.yaml index 0f524f7c6..e4c3e582b 100644 --- a/.github/workflows/cilium-integration-tests.yaml +++ b/.github/workflows/cilium-integration-tests.yaml 
@@ -2,14 +2,14 @@ name: Cilium Integration Tests
 on:
 push:
 branches:
- - main
+ - v1.30
 pull_request_target:
 types:
- - opened
- - reopened
- - synchronize
+ - opened
+ - reopened
+ - synchronize
 branches:
- - main
+ - v1.30
 # By specifying the access of one of the scopes, all of those that are not specified are set to 'none'.
 permissions:
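Review bot: The `push` and `pull_request_target` branch filters are retargeted from `main` to `v1.30`, but the job this workflow runs checks out Cilium by `${{ env.CILIUM_REPO_REF }}` (and the CLI by `${{ env.CILIUM_CLI_REF }}`), and both are defined outside this hunk, so it is not visible whether they were moved to the Cilium branch that consumes the 1.30 proxy; if they were not, the L7 connectivity run pairs a 1.30 proxy image with a mismatched Cilium tree. A comment next to the filters would keep future branch cuts honest, e.g. `# branch filters must be kept in sync with CILIUM_REPO_REF in env below`. The `permissions:` block that the comment line introduces continues outside the hunk.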
@@ -31,142 +31,142 @@ jobs: if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' runs-on: ubuntu-latest steps: - - name: Prepare variables for pushes to main - if: github.event_name == 'push' - run: | - echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy" >> $GITHUB_ENV - echo "PROXY_TAG=${{ github.sha }}" >> $GITHUB_ENV - echo "PROXY_GITHUB_REPO=github.com/cilium/proxy" >> $GITHUB_ENV - - - name: Prepare variables for PR - if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' - run: | - echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy-dev" >> $GITHUB_ENV - echo "PROXY_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV - echo "PROXY_GITHUB_REPO=github.com/${{github.event.pull_request.head.repo.full_name}}" >> $GITHUB_ENV - - - name: Checkout Cilium ${{ env.CILIUM_REPO_REF }} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - repository: ${{ env.CILIUM_REPO_OWNER }}/cilium # Be aware that this is the Cilium repository and not the one of the proxy itself! 
- ref: ${{ env.CILIUM_REPO_REF }} - persist-credentials: false - - - name: Extracting Cilium version - run: | - echo "CILIUM_IMAGE_TAG=v$(cat ./VERSION)" >> $GITHUB_ENV - - - name: Install Cilium CLI ${{ env.CILIUM_CLI_REF }} - run: | - versionPattern="^v[0-9]+\.[0-9]+\.[0-9]+$" - if [[ ${{ env.CILIUM_CLI_REF }} =~ $versionPattern ]]; then - curl -sSL --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${{ env.CILIUM_CLI_REF }}/cilium-linux-amd64.tar.gz{,.sha256sum} - sha256sum --check cilium-linux-amd64.tar.gz.sha256sum - sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin - rm cilium-linux-amd64.tar.gz{,.sha256sum} - else - cid=$(docker create quay.io/cilium/cilium-cli-ci:${{ env.CILIUM_CLI_REF }} ls) - sudo docker cp $cid:/usr/local/bin/cilium /usr/local/bin - docker rm $cid - fi - cilium version - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - config: '.github/kind-config.yaml' - cluster_name: 'kind' - - - name: Patch Cilium Agent Dockerfile - shell: bash - run: | - sed -i -E 's|(ARG CILIUM_ENVOY_IMAGE=)(quay\.io\/cilium\/cilium-envoy:)(.*)(@sha256:[0-9a-z]*)|\1${{ env.PROXY_IMAGE }}:${{ env.PROXY_TAG }}|' ./images/cilium/Dockerfile - cat ./images/cilium/Dockerfile - if git diff --exit-code ./images/cilium/Dockerfile; then - echo "Dockerfile not modified" - exit 1 - fi - - - name: Install Go - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.3 - - - name: Redirect proxy module - shell: bash - if: env.PROXY_GITHUB_REPO != 'github.com/cilium/proxy' - run: echo "replace github.com/cilium/proxy => ${{ env.PROXY_GITHUB_REPO }} ${{ env.PROXY_TAG }}" >> go.mod - - - name: Update proxy module - shell: bash - if: env.PROXY_GITHUB_REPO == 'github.com/cilium/proxy' - run: go get ${{ env.PROXY_GITHUB_REPO }}@${{ env.PROXY_TAG }} - - - name: 
Vendor proxy module - shell: bash - run: | - go mod tidy && \ - go mod verify && \ - go mod vendor - - - name: Wait for Cilium Proxy image to be available - timeout-minutes: 45 - shell: bash - run: until docker manifest inspect ${{ env.PROXY_IMAGE }}:${{ env.PROXY_TAG }} &> /dev/null; do sleep 15s; done - - - name: Build Cilium Agent & Operator with patched Cilium Proxy Image - shell: bash - run: DOCKER_IMAGE_TAG=${{ env.CILIUM_IMAGE_TAG }} make docker-cilium-image docker-operator-generic-image - - - name: Load Cilium Images into kind - shell: bash - run: | - kind load docker-image \ - --name kind \ - quay.io/cilium/operator-generic:${{ env.CILIUM_IMAGE_TAG }} \ - quay.io/cilium/cilium:${{ env.CILIUM_IMAGE_TAG }} - - - name: Install Cilium - timeout-minutes: 10 - shell: bash - run: | - cilium install \ - --chart-directory install/kubernetes/cilium \ - --helm-set bpf.monitorAggregation=none \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --helm-set image.repository=quay.io/cilium/cilium \ - --helm-set image.tag=${{ env.CILIUM_IMAGE_TAG }} \ - --helm-set image.useDigest=false \ - --helm-set image.pullPolicy=Never \ - --helm-set operator.image.repository=quay.io/cilium/operator \ - --helm-set operator.image.suffix= \ - --helm-set operator.image.tag=${{ env.CILIUM_IMAGE_TAG }} \ - --helm-set operator.image.useDigest=false \ - --helm-set operator.image.pullPolicy=Never \ - --helm-set debug.enabled=true \ - --helm-set debug.verbose=envoy - - cilium hubble enable - cilium status --wait - cilium hubble port-forward& - - - name: Execute Cilium L7 Connectivity Tests - shell: bash - run: cilium connectivity test --test=l7 - - - name: Gather Cilium system dump - if: failure() - shell: bash - run: cilium sysdump --output-filename cilium-integration-test-sysdump - - - - name: Upload Cilium system dump - if: failure() - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 - with: - name: 
cilium-integration-test-sysdump - path: cilium-integration-test-sysdump.zip - retention-days: 5 + - name: Prepare variables for pushes to ${{ github.base_ref }} + if: github.event_name == 'push' + run: | + echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy" >> $GITHUB_ENV + echo "PROXY_TAG=${{ github.sha }}" >> $GITHUB_ENV + echo "PROXY_GITHUB_REPO=github.com/cilium/proxy" >> $GITHUB_ENV + + - name: Prepare variables for PR + if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' + run: | + echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy-dev" >> $GITHUB_ENV + echo "PROXY_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV + echo "PROXY_GITHUB_REPO=github.com/${{github.event.pull_request.head.repo.full_name}}" >> $GITHUB_ENV + + - name: Checkout Cilium ${{ env.CILIUM_REPO_REF }} + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + repository: ${{ env.CILIUM_REPO_OWNER }}/cilium # Be aware that this is the Cilium repository and not the one of the proxy itself! 
+ ref: ${{ env.CILIUM_REPO_REF }} + persist-credentials: false + + - name: Extracting Cilium version + run: | + echo "CILIUM_IMAGE_TAG=v$(cat ./VERSION)" >> $GITHUB_ENV + + - name: Install Cilium CLI ${{ env.CILIUM_CLI_REF }} + run: | + versionPattern="^v[0-9]+\.[0-9]+\.[0-9]+$" + if [[ ${{ env.CILIUM_CLI_REF }} =~ $versionPattern ]]; then + curl -sSL --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${{ env.CILIUM_CLI_REF }}/cilium-linux-amd64.tar.gz{,.sha256sum} + sha256sum --check cilium-linux-amd64.tar.gz.sha256sum + sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin + rm cilium-linux-amd64.tar.gz{,.sha256sum} + else + cid=$(docker create quay.io/cilium/cilium-cli-ci:${{ env.CILIUM_CLI_REF }} ls) + sudo docker cp $cid:/usr/local/bin/cilium /usr/local/bin + docker rm $cid + fi + cilium version + + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + version: ${{ env.KIND_VERSION }} + config: '.github/kind-config.yaml' + cluster_name: 'kind' + + - name: Patch Cilium Agent Dockerfile + shell: bash + run: | + sed -i -E 's|(ARG CILIUM_ENVOY_IMAGE=)(quay\.io\/cilium\/cilium-envoy:)(.*)(@sha256:[0-9a-z]*)|\1${{ env.PROXY_IMAGE }}:${{ env.PROXY_TAG }}|' ./images/cilium/Dockerfile + cat ./images/cilium/Dockerfile + if git diff --exit-code ./images/cilium/Dockerfile; then + echo "Dockerfile not modified" + exit 1 + fi + + - name: Install Go + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + with: + # renovate: datasource=golang-version depName=go + go-version: 1.23.3 + + - name: Redirect proxy module + shell: bash + if: env.PROXY_GITHUB_REPO != 'github.com/cilium/proxy' + run: echo "replace github.com/cilium/proxy => ${{ env.PROXY_GITHUB_REPO }} ${{ env.PROXY_TAG }}" >> go.mod + + - name: Update proxy module + shell: bash + if: env.PROXY_GITHUB_REPO == 'github.com/cilium/proxy' + run: go get ${{ env.PROXY_GITHUB_REPO }}@${{ env.PROXY_TAG }} + + - name: 
Vendor proxy module + shell: bash + run: | + go mod tidy && \ + go mod verify && \ + go mod vendor + + - name: Wait for Cilium Proxy image to be available + timeout-minutes: 45 + shell: bash + run: until docker manifest inspect ${{ env.PROXY_IMAGE }}:${{ env.PROXY_TAG }} &> /dev/null; do sleep 15s; done + + - name: Build Cilium Agent & Operator with patched Cilium Proxy Image + shell: bash + run: DOCKER_IMAGE_TAG=${{ env.CILIUM_IMAGE_TAG }} make docker-cilium-image docker-operator-generic-image + + - name: Load Cilium Images into kind + shell: bash + run: | + kind load docker-image \ + --name kind \ + quay.io/cilium/operator-generic:${{ env.CILIUM_IMAGE_TAG }} \ + quay.io/cilium/cilium:${{ env.CILIUM_IMAGE_TAG }} + + - name: Install Cilium + timeout-minutes: 10 + shell: bash + run: | + cilium install \ + --chart-directory install/kubernetes/cilium \ + --helm-set bpf.monitorAggregation=none \ + --helm-set loadBalancer.l7.backend=envoy \ + --helm-set tls.secretsBackend=k8s \ + --helm-set image.repository=quay.io/cilium/cilium \ + --helm-set image.tag=${{ env.CILIUM_IMAGE_TAG }} \ + --helm-set image.useDigest=false \ + --helm-set image.pullPolicy=Never \ + --helm-set operator.image.repository=quay.io/cilium/operator \ + --helm-set operator.image.suffix= \ + --helm-set operator.image.tag=${{ env.CILIUM_IMAGE_TAG }} \ + --helm-set operator.image.useDigest=false \ + --helm-set operator.image.pullPolicy=Never \ + --helm-set debug.enabled=true \ + --helm-set debug.verbose=envoy + + cilium hubble enable + cilium status --wait + cilium hubble port-forward& + + - name: Execute Cilium L7 Connectivity Tests + shell: bash + run: cilium connectivity test --test=l7 + + - name: Gather Cilium system dump + if: failure() + shell: bash + run: cilium sysdump --output-filename cilium-integration-test-sysdump + + + - name: Upload Cilium system dump + if: failure() + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: 
cilium-integration-test-sysdump
+ path: cilium-integration-test-sysdump.zip
+ retention-days: 5
diff --git a/.github/workflows/renovate-config-validator.yaml b/.github/workflows/renovate-config-validator.yaml
deleted file mode 100644
index 1dc0362e9..000000000
--- a/.github/workflows/renovate-config-validator.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: Validate Renovate configuration
-
-on:
- pull_request:
- paths:
- - '.github/renovate.json5'
-
-jobs:
- validate:
- name: Validate Renovate configuration
- runs-on: ubuntu-latest
- steps:
- - name: Checkout configuration
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
- # this step uses latest renovate slim release
- - name: Validate configuration
- run: >
- docker run --rm --entrypoint "renovate-config-validator"
- -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5"
- renovate/renovate:slim "/renovate.json5"
-
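Review bot: The renamed step `- name: Prepare variables for pushes to ${{ github.base_ref }}` will render with an empty suffix, because `github.base_ref` is only populated for `pull_request`/`pull_request_target` events while this step is guarded by `if: github.event_name == 'push'`; the branch of a push is `github.ref_name`, so the line should read `- name: Prepare variables for pushes to ${{ github.ref_name }}`. The step also looks unreachable: the context line at the top of the hunk, `if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'`, appears to be the job-level condition (the job header itself starts above the hunk), so a push to `v1.30` starts a run in which this job is skipped — either admit `push` there or drop the push branch instead of renaming it. Not introduced by this commit but carried on the new side: under `pull_request_target` the fork name from `github.event.pull_request.head.repo.full_name` is written into a go.mod `replace` directive and then vendored, so the job's restricted token and `persist-credentials: false` are what bound a fork's influence; a one-line comment above `Redirect proxy module` stating that assumption, e.g. `# PROXY_GITHUB_REPO is attacker-controlled under pull_request_target; this job must keep its read-only token and persist-credentials: false`, would stop a later edit from silently widening it.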