envoy: Update envoy 1.27.x to 1.28.3 #54891
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Image CI Build | |
# Any change in triggers needs to be reflected in the concurrency group. | |
on: | |
pull_request_target: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
push: | |
branches: | |
- v1.13 | |
- ft/v1.13/** | |
permissions: | |
# To be able to access the repository with `actions/checkout` | |
contents: read | |
# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication | |
id-token: write | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} | |
cancel-in-progress: true | |
jobs: | |
build-and-push-prs: | |
name: Build and Push Images | |
runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} | |
strategy: | |
matrix: | |
include: | |
- name: cilium | |
dockerfile: ./images/cilium/Dockerfile | |
- name: operator-aws | |
dockerfile: ./images/operator/Dockerfile | |
- name: operator-azure | |
dockerfile: ./images/operator/Dockerfile | |
- name: operator-alibabacloud | |
dockerfile: ./images/operator/Dockerfile | |
- name: operator-generic | |
dockerfile: ./images/operator/Dockerfile | |
- name: hubble-relay | |
dockerfile: ./images/hubble-relay/Dockerfile | |
- name: clustermesh-apiserver | |
dockerfile: ./images/clustermesh-apiserver/Dockerfile | |
- name: docker-plugin | |
dockerfile: ./images/cilium-docker-plugin/Dockerfile | |
steps: | |
- name: Checkout default branch (trusted) | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
with: | |
ref: ${{ github.event.repository.default_branch }} | |
persist-credentials: false | |
- name: Set Environment Variables | |
uses: ./.github/actions/set-env-variables | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
- name: Login to quay.io for CI | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME_CI }} | |
password: ${{ secrets.QUAY_PASSWORD_CI }} | |
- name: Getting image tag | |
id: tag | |
run: | | |
if [ ${{ github.event.pull_request.head.sha }} != "" ]; then | |
echo ::set-output name=tag::${{ github.event.pull_request.head.sha }} | |
else | |
echo ::set-output name=tag::${{ github.sha }} | |
fi | |
# Warning: since this is a privileged workflow, subsequent workflow job | |
# steps must take care not to execute untrusted code. | |
- name: Checkout pull request branch (NOT TRUSTED) | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
with: | |
persist-credentials: false | |
ref: ${{ steps.tag.outputs.tag }} | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 | |
# v1.13 branch pushes | |
- name: Install Bom | |
shell: bash | |
run: | | |
curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom | |
sudo mv ./bom /usr/local/bin/bom | |
sudo chmod +x /usr/local/bin/bom | |
- name: CI Build ${{ matrix.name }} | |
if: ${{ github.event_name != 'pull_request_target' }} | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
id: docker_build_ci_v1_13 | |
with: | |
provenance: false | |
context: . | |
file: ${{ matrix.dockerfile }} | |
# Only push when the event name was a GitHub push, this is to avoid | |
# re-pushing the image tags when we only want to re-create the Golang | |
# docker cache after the workflow "Image CI Cache Cleaner" was terminated. | |
push: ${{ github.event_name == 'push' }} | |
platforms: linux/amd64,linux/arm64 | |
tags: | | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.13 | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
target: release | |
build-args: | | |
OPERATOR_VARIANT=${{ matrix.name }} | |
- name: CI race detection Build ${{ matrix.name }} | |
if: ${{ github.event_name != 'pull_request_target' }} | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
id: docker_build_ci_v1_13_detect_race_condition | |
with: | |
provenance: false | |
context: . | |
file: ${{ matrix.dockerfile }} | |
# Only push when the event name was a GitHub push, this is to avoid | |
# re-pushing the image tags when we only want to re-create the Golang | |
# docker cache after the workflow "Image CI Cache Cleaner" was terminated. | |
push: ${{ github.event_name == 'push' }} | |
platforms: linux/amd64 | |
tags: | | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.13-race | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
target: release | |
build-args: | | |
BASE_IMAGE=quay.io/cilium/cilium-runtime:4fdb76b835db7543f6d4f680ca6e259685c8fc80@sha256:8ec55d0bb443466de1dea19122ff53b6914320a8172c024886ed737e3b24215d | |
LOCKDEBUG=1 | |
RACE=1 | |
OPERATOR_VARIANT=${{ matrix.name }} | |
- name: CI Unstripped Binaries Build ${{ matrix.name }} | |
if: ${{ github.event_name != 'pull_request_target' }} | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
id: docker_build_ci_v1_13_unstripped | |
with: | |
provenance: false | |
context: . | |
file: ${{ matrix.dockerfile }} | |
# Only push when the event name was a GitHub push, this is to avoid | |
# re-pushing the image tags when we only want to re-create the Golang | |
# docker cache after the workflow "Image CI Cache Cleaner" was terminated. | |
push: ${{ github.event_name == 'push' }} | |
platforms: linux/amd64 | |
tags: | | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.13-unstripped | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped | |
target: release | |
build-args: | | |
NOSTRIP=1 | |
OPERATOR_VARIANT=${{ matrix.name }} | |
- name: Sign Container Images | |
if: ${{ github.event_name != 'pull_request_target' }} | |
run: | | |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_13.outputs.digest }} | |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_13_detect_race_condition.outputs.digest }} | |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_13_unstripped.outputs.digest }} | |
- name: Generate SBOM | |
if: ${{ github.event_name != 'pull_request_target' }} | |
shell: bash | |
# To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed | |
# To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479 | |
run: | | |
bom generate -o sbom_ci_v1_13_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ | |
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
bom generate -o sbom_ci_v1_13_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ | |
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
bom generate -o sbom_ci_v1_13_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ | |
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped | |
- name: Attach SBOM to Container Images | |
if: ${{ github.event_name != 'pull_request_target' }} | |
run: | | |
cosign attach sbom --sbom sbom_ci_v1_13_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_13.outputs.digest }} | |
cosign attach sbom --sbom sbom_ci_v1_13_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_13_detect_race_condition.outputs.digest }} | |
cosign attach sbom --sbom sbom_ci_v1_13_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_v1_13_unstripped.outputs.digest }} | |
- name: Sign SBOM Images | |
if: ${{ github.event_name != 'pull_request_target' }} | |
run: | | |
docker_build_ci_v1_13_digest="${{ steps.docker_build_ci_v1_13.outputs.digest }}" | |
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_v1_13_digest/:/-}.sbom" | |
docker_build_ci_v1_13_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | |
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_v1_13_sbom_digest}" | |
docker_build_ci_v1_13_detect_race_condition_digest="${{ steps.docker_build_ci_v1_13_detect_race_condition.outputs.digest }}" | |
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_v1_13_detect_race_condition_digest/:/-}.sbom" | |
docker_build_ci_v1_13_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | |
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_v1_13_detect_race_condition_sbom_digest}" | |
docker_build_ci_v1_13_unstripped_digest="${{ steps.docker_build_ci_v1_13_unstripped.outputs.digest }}" | |
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_v1_13_unstripped_digest/:/-}.sbom" | |
docker_build_ci_v1_13_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | |
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_v1_13_unstripped_sbom_digest}" | |
- name: CI Image Releases digests | |
if: ${{ github.event_name != 'pull_request_target' }} | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.13@${{ steps.docker_build_ci_v1_13.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | |
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.13-race@${{ steps.docker_build_ci_v1_13_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:v1.13-unstripped@${{ steps.docker_build_ci_v1_13_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_v1_13.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_v1_13_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_v1_13_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
# PR updates | |
- name: CI Build ${{ matrix.name }} | |
if: ${{ github.event_name == 'pull_request_target' }} | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
id: docker_build_ci_pr | |
with: | |
provenance: false | |
context: . | |
file: ${{ matrix.dockerfile }} | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
tags: | | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
target: release | |
build-args: | | |
OPERATOR_VARIANT=${{ matrix.name }} | |
- name: CI Image Releases digests | |
if: ${{ github.event_name == 'pull_request_target' }} | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | |
- name: CI race detection Build ${{ matrix.name }} | |
if: ${{ github.event_name == 'pull_request_target' }} | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
id: docker_build_ci_pr_detect_race_condition | |
with: | |
provenance: false | |
context: . | |
file: ${{ matrix.dockerfile }} | |
push: true | |
platforms: linux/amd64 | |
tags: | | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
target: release | |
build-args: | | |
BASE_IMAGE=quay.io/cilium/cilium-runtime:4fdb76b835db7543f6d4f680ca6e259685c8fc80@sha256:8ec55d0bb443466de1dea19122ff53b6914320a8172c024886ed737e3b24215d | |
LOCKDEBUG=1 | |
RACE=1 | |
OPERATOR_VARIANT=${{ matrix.name }} | |
- name: CI Unstripped Binaries Build ${{ matrix.name }} | |
if: ${{ github.event_name == 'pull_request_target' }} | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
id: docker_build_ci_pr_unstripped | |
with: | |
provenance: false | |
context: . | |
file: ${{ matrix.dockerfile }} | |
push: true | |
platforms: linux/amd64 | |
tags: | | |
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped | |
target: release | |
build-args: | | |
NOSTRIP=1 | |
OPERATOR_VARIANT=${{ matrix.name }} | |
- name: Sign Container Images | |
if: ${{ github.event_name == 'pull_request_target' }} | |
run: | | |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} | |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }} | |
cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }} | |
- name: Generate SBOM | |
if: ${{ github.event_name == 'pull_request_target' }} | |
shell: bash | |
# To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed | |
# To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479 | |
run: | | |
bom generate -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ | |
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
bom generate -o sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ | |
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
bom generate -o sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ | |
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped | |
- name: Attach SBOM to Container Images | |
if: ${{ github.event_name == 'pull_request_target' }} | |
run: | | |
cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} | |
cosign attach sbom --sbom sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }} | |
cosign attach sbom --sbom sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }} | |
- name: Sign SBOM Images | |
if: ${{ github.event_name == 'pull_request_target' }} | |
run: | | |
docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}" | |
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom" | |
docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | |
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}" | |
docker_build_ci_pr_detect_race_condition_digest="${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" | |
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_detect_race_condition_digest/:/-}.sbom" | |
docker_build_ci_pr_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | |
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_detect_race_condition_sbom_digest}" | |
docker_build_ci_pr_unstripped_digest="${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" | |
image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_unstripped_digest/:/-}.sbom" | |
docker_build_ci_pr_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" | |
cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_unstripped_sbom_digest}" | |
- name: CI Image Releases digests | |
if: ${{ github.event_name == 'pull_request_target' }} | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | |
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
# Upload artifact digests | |
- name: Upload artifact digests | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: image-digest ${{ matrix.name }} | |
path: image-digest | |
retention-days: 1 | |
image-digests: | |
if: ${{ always() }} | |
name: Display Digests | |
runs-on: ubuntu-22.04 | |
needs: build-and-push-prs | |
steps: | |
- name: Downloading Image Digests | |
shell: bash | |
run: | | |
mkdir -p image-digest/ | |
- name: Download digests of all images built | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
path: image-digest/ | |
- name: Image Digests Output | |
shell: bash | |
run: | | |
cd image-digest/ | |
find -type f | sort | xargs -d '\n' cat |