chore(deps): update dependency js-yaml to v4.2.0 [security] #3747
| name: Docker CI | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| permissions: | ||
| contents: read | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | ||
| jobs: | ||
| request: | ||
| runs-on: ubuntu-24.04 | ||
| outputs: | ||
| run: ${{ steps.filter.outputs.run }} | ||
| steps: | ||
| - uses: envoyproxy/toolshed/actions/github/should-run@5171ddd579f53dcef432bc54e16e2d2c90864968 # actions-v0.4.13 | ||
| id: filter | ||
| with: | ||
| config: | | ||
| paths: | ||
| - 'docker/build/**' | ||
| - 'docker/echo/**' | ||
| - '.github/workflows/docker.yml' | ||
| - '.github/docker-manifests.yml' | ||
| - 'docker/build/VERSION.txt' | ||
| - 'docker-assets.yaml' | ||
| - 'BINS_VERSION.txt' | ||
| build: | ||
| runs-on: ${{ matrix.arch == 'amd64' && 'ubuntu-24.04' || 'ubuntu-24.04-arm' }} | ||
| needs: request | ||
| if: >- | ||
| github.repository_owner == 'envoyproxy' | ||
| && fromJSON(needs.request.outputs.run || 'false') | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| arch: | ||
| - amd64 | ||
| - arm64 | ||
| name: build (${{ matrix.arch }}) | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | ||
| - name: Get docker version | ||
| id: docker-version | ||
| shell: bash | ||
| run: | | ||
| TAG_VERSION=$(cat ./docker/build/VERSION.txt) | ||
| echo "version=${TAG_VERSION}" >> $GITHUB_OUTPUT | ||
| - name: Get bins version | ||
| id: bins-version | ||
| uses: envoyproxy/toolshed/actions/jq@5171ddd579f53dcef432bc54e16e2d2c90864968 # actions-v0.4.13 | ||
| with: | ||
| input: BINS_VERSION.txt | ||
| input-format: yaml-path | ||
| filter: | | ||
| . as $bins_version | ||
| | { | ||
| bins_version: $bins_version, | ||
| is_dev: (if ($bins_version | endswith("-dev")) then "true" else "false" end), | ||
| candidate_tag: "bins-v\($bins_version)" | ||
| } | ||
| - name: Get latest bins release | ||
| uses: envoyproxy/toolshed/actions/github/release/latest@5171ddd579f53dcef432bc54e16e2d2c90864968 # actions-v0.4.13 | ||
| id: latest-bins-release | ||
| if: ${{ fromJSON(steps.bins-version.outputs.value).is_dev == 'true' }} | ||
| with: | ||
| pattern: ^bins- | ||
| - name: Select echo release tag | ||
| id: release-tag | ||
| shell: bash | ||
| env: | ||
| BINS_VER: ${{ fromJSON(steps.bins-version.outputs.value).bins_version }} | ||
| IS_DEV: ${{ fromJSON(steps.bins-version.outputs.value).is_dev }} | ||
| CANDIDATE_TAG: ${{ fromJSON(steps.bins-version.outputs.value).candidate_tag }} | ||
| LATEST_BINS_TAG: ${{ steps.latest-bins-release.outputs.tag }} | ||
| run: | | ||
| if [[ "${IS_DEV}" == "true" ]]; then | ||
| RELEASE_TAG="${LATEST_BINS_TAG}" | ||
| echo "NOTE: bins-version is dev (${BINS_VER}); using fallback release '${RELEASE_TAG}'" | ||
| else | ||
| RELEASE_TAG="${CANDIDATE_TAG}" | ||
| fi | ||
| echo "tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT | ||
| - name: Get cargo metadata for echo | ||
| id: cargo-meta | ||
| shell: bash | ||
| working-directory: rust/echo | ||
| run: | | ||
| cargo metadata --no-deps --format-version=1 > "${RUNNER_TEMP}/echo-cargo-metadata.json" | ||
| echo "path=${RUNNER_TEMP}/echo-cargo-metadata.json" >> $GITHUB_OUTPUT | ||
| - name: Get echo version | ||
| id: echo-version | ||
| uses: envoyproxy/toolshed/actions/jq@5171ddd579f53dcef432bc54e16e2d2c90864968 # actions-v0.4.13 | ||
| with: | ||
| input: ${{ steps.cargo-meta.outputs.path }} | ||
| input-format: json-path | ||
| options: -r | ||
| filter: .packages[0].version | ||
| - name: Get echo asset information (${{ matrix.arch }}) | ||
| id: echo-asset | ||
| uses: envoyproxy/toolshed/actions/jq@5171ddd579f53dcef432bc54e16e2d2c90864968 # actions-v0.4.13 | ||
| with: | ||
| input: docker-assets.yaml | ||
| input-format: yaml-path | ||
| filter: | | ||
| .assets["toolshed-echo"] | ||
| | .repository as $repo | ||
| | .files[] | ||
| | select(.architectures | index("${{ matrix.arch }}")) | ||
| | (.asset | ||
| | gsub("\\{echo-version\\}"; "${{ steps.echo-version.outputs.value }}") | ||
| | gsub("\\{arch\\}"; "${{ matrix.arch }}")) as $asset_name | ||
| | { | ||
| url: "https://github.com/\($repo)/releases/download/${{ steps.release-tag.outputs.tag }}/\($asset_name)", | ||
| checksum_url: "https://github.com/\($repo)/releases/download/${{ steps.release-tag.outputs.tag }}/\(.["checksum-asset"])", | ||
| dest: .dest, | ||
| mode: .mode, | ||
| asset: $asset_name | ||
| } | ||
| - name: Download and verify echo binary (${{ matrix.arch }}) | ||
| shell: bash | ||
| env: | ||
| ASSET_URL: ${{ fromJSON(steps.echo-asset.outputs.value).url }} | ||
| CHECKSUM_URL: ${{ fromJSON(steps.echo-asset.outputs.value).checksum_url }} | ||
| DEST: ${{ fromJSON(steps.echo-asset.outputs.value).dest }} | ||
| MODE: ${{ fromJSON(steps.echo-asset.outputs.value).mode }} | ||
| ASSET_NAME: ${{ fromJSON(steps.echo-asset.outputs.value).asset }} | ||
| run: | | ||
| set -euo pipefail | ||
| case "${ASSET_NAME}" in | ||
| (""|*[!A-Za-z0-9._-]*) | ||
| echo "Invalid asset name: ${ASSET_NAME}" | ||
| exit 1 | ||
| ;; | ||
| esac | ||
| case "${DEST}" in | ||
| (docker/echo/*) | ||
| case "${DEST}" in | ||
| (*..*|*//*) | ||
| echo "Invalid destination: ${DEST}" | ||
| exit 1 | ||
| ;; | ||
| esac | ||
| ;; | ||
| (*) | ||
| echo "Invalid destination: ${DEST}" | ||
| exit 1 | ||
| ;; | ||
| esac | ||
| mkdir -p "$(dirname "${DEST}")" | ||
| curl -fsSL "${ASSET_URL}" -o "${DEST}" | ||
| curl -fsSL "${CHECKSUM_URL}" -o "${RUNNER_TEMP}/checksums.txt.asc" | ||
| sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----/,/^-----BEGIN PGP SIGNATURE-----/p' \ | ||
| "${RUNNER_TEMP}/checksums.txt.asc" \ | ||
| | sed '1,/^$/d' \ | ||
| | sed '/^-----BEGIN PGP SIGNATURE-----/,$d' \ | ||
| > "${RUNNER_TEMP}/checksums.txt" | ||
| ( | ||
| cd "$(dirname "${DEST}")" && \ | ||
| grep " ${ASSET_NAME}"'$' "${RUNNER_TEMP}/checksums.txt" \ | ||
| | sed "s| ${ASSET_NAME}"'$'"| $(basename "${DEST}")|" \ | ||
| | sha256sum -c - | ||
| ) | ||
| chmod "${MODE}" "${DEST}" | ||
| - name: Get echo asset info (${{ matrix.arch }}) | ||
| id: echo-asset | ||
| shell: bash | ||
| run: | | ||
| RELEASE_TAG=$(yq '.assets["toolshed-echo"]["release-tag"]' docker-assets.yaml) | ||
| VERSION=$(yq '.assets["toolshed-echo"].version' docker-assets.yaml) | ||
| ARCH=${{ matrix.arch }} | ||
| SHA256=$(yq ".assets[\"toolshed-echo\"].sha256.${ARCH}" docker-assets.yaml) | ||
| echo "release-tag=${RELEASE_TAG}" >> "$GITHUB_OUTPUT" | ||
| echo "version=${VERSION}" >> "$GITHUB_OUTPUT" | ||
| echo "sha256=${SHA256}" >> "$GITHUB_OUTPUT" | ||
| - name: Download and verify echo binary (${{ matrix.arch }}) | ||
| shell: bash | ||
| run: | | ||
| RELEASE_TAG="${{ steps.echo-asset.outputs.release-tag }}" | ||
| VERSION="${{ steps.echo-asset.outputs.version }}" | ||
| SHA256="${{ steps.echo-asset.outputs.sha256 }}" | ||
| ARCH=${{ matrix.arch }} | ||
| URL="https://github.com/envoyproxy/toolshed/releases/download/${RELEASE_TAG}/echo-${VERSION}-${ARCH}" | ||
| echo "Downloading ${URL}" | ||
| curl -fsSL "${URL}" -o docker/echo/toolshed-echo | ||
| echo "${SHA256} docker/echo/toolshed-echo" | sha256sum -c - | ||
| chmod +x docker/echo/toolshed-echo | ||
| - name: Build Docker image (debian-${{ matrix.arch }}) | ||
| run: | | ||
| cd docker/build | ||
| export OS_FAMILY=linux | ||
| export OS_DISTRO=debian | ||
| export CONTAINER_SHA=v${{ steps.docker-version.outputs.version }} | ||
| export CONTAINER_TAG=v${{ steps.docker-version.outputs.version }} | ||
| export BUILD_TOOLS_PLATFORMS=${{ matrix.arch == 'amd64' && 'linux/amd64' || 'linux/arm64' }} | ||
| export SAVE_OCI=true | ||
| export LOAD_IMAGE=true | ||
| ./push.sh | ||
| echo "::group::Docker images" | ||
| docker images | grep envoy-build || echo "No envoy-build images found" | ||
| echo "::endgroup::" | ||
| shell: bash | ||
| - name: Build echo Docker image (${{ matrix.arch }}) | ||
| run: | | ||
| ECHO_VER="${{ steps.echo-asset.outputs.version }}" | ||
| ARCH=${{ matrix.arch }} | ||
| OCI_OUTPUT=docker/build/oci-output | ||
| IMAGE_TAG=envoyproxy/toolshed-echo:v${ECHO_VER}-${ARCH} | ||
| # Save OCI tarball for publishing | ||
| docker buildx build docker/echo \ | ||
| --build-arg ECHO_BIN=toolshed-echo \ | ||
| --platform linux/${ARCH} \ | ||
| --output "type=oci,dest=${OCI_OUTPUT}/toolshed-echo-v${ECHO_VER}-${ARCH}.tar" | ||
| # Load into daemon for smoke-testing | ||
| docker buildx build docker/echo \ | ||
| --build-arg ECHO_BIN=toolshed-echo \ | ||
| --platform linux/${ARCH} \ | ||
| --tag "${IMAGE_TAG}" \ | ||
| --load | ||
| rm docker/echo/toolshed-echo | ||
| echo "::group::Echo image" | ||
| docker images | grep toolshed-echo || echo "No toolshed-echo image found" | ||
| echo "::endgroup::" | ||
| shell: bash | ||
| - name: Upload OCI artifacts | ||
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | ||
| with: | ||
| name: oci-debian-${{ matrix.arch }} | ||
| path: docker/build/oci-output/*.tar | ||
| retention-days: 1 | ||
| if-no-files-found: error | ||
| - name: Test Docker image | ||
| run: | | ||
| IMAGE_TAG="envoyproxy/envoy-build:ci-v${{ steps.docker-version.outputs.version }}-${{ matrix.arch }}" | ||
| echo "Testing main image: $IMAGE_TAG" | ||
| echo "Attempting to run container and read build-id..." | ||
| if BUILD_ID=$(docker run --rm --entrypoint /bin/cat "$IMAGE_TAG" /.build-id 2>&1); then | ||
| echo "Build ID: $BUILD_ID" | ||
| EXPECTED_ID="ci-v${{ steps.docker-version.outputs.version }}" | ||
| if [[ "$BUILD_ID" == "$EXPECTED_ID" ]]; then | ||
| echo "✓ Build ID is correct" | ||
| else | ||
| echo "✗ Build ID mismatch: expected '$EXPECTED_ID', got '$BUILD_ID'" | ||
| exit 1 | ||
| fi | ||
| else | ||
| echo "ERROR: Failed to run container or read build-id" | ||
| echo "Docker run output: $BUILD_ID" | ||
| echo "Checking if image exists:" | ||
| docker images | grep -E "(REPOSITORY|envoy-build.*ci-v)" | ||
| echo "Trying docker inspect:" | ||
| docker image inspect "$IMAGE_TAG" 2>&1 | head -20 || echo "Inspect failed" | ||
| exit 1 | ||
| fi | ||
| shell: bash | ||
| - name: Test echo Docker image (HTTP) | ||
| run: | | ||
| ARCH=${{ matrix.arch }} | ||
| ECHO_VER="${{ steps.echo-asset.outputs.version }}" | ||
| IMAGE_TAG="envoyproxy/toolshed-echo:v${ECHO_VER}-${ARCH}" | ||
| echo "Testing echo image: $IMAGE_TAG" | ||
| docker run -d --name toolshed-echo-test -p 18787:8787 "${IMAGE_TAG}" | ||
| # Wait for server to start | ||
| for i in $(seq 1 10); do | ||
| if curl -sf http://localhost:18787/ > /tmp/echo-http.json; then | ||
| break | ||
| fi | ||
| echo "Waiting for echo server... (attempt $i)" | ||
| sleep 1 | ||
| done | ||
| echo "HTTP response:" | ||
| cat /tmp/echo-http.json | ||
| if grep -q '"method"' /tmp/echo-http.json; then | ||
| echo "✓ HTTP smoke test passed" | ||
| else | ||
| echo "✗ HTTP smoke test failed — unexpected response" | ||
| docker logs toolshed-echo-test || true | ||
| exit 1 | ||
| fi | ||
| docker rm -f toolshed-echo-test | ||
| shell: bash | ||
| - name: Test echo Docker image (HTTPS) | ||
| run: | | ||
| ARCH=${{ matrix.arch }} | ||
| ECHO_VER="${{ steps.echo-asset.outputs.version }}" | ||
| IMAGE_TAG="envoyproxy/toolshed-echo:v${ECHO_VER}-${ARCH}" | ||
| CERT=$(pwd)/rust/echo/snakeoil/tls.cert | ||
| KEY=$(pwd)/rust/echo/snakeoil/tls.key | ||
| echo "Testing echo image TLS: $IMAGE_TAG" | ||
| docker run -d --name toolshed-echo-tls-test \ | ||
| -p 18443:8443 \ | ||
| -v "${CERT}:/etc/ssl/echo/tls.cert:ro" \ | ||
| -v "${KEY}:/etc/ssl/echo/tls.key:ro" \ | ||
| -e ECHO_TLS_CERT=/etc/ssl/echo/tls.cert \ | ||
| -e ECHO_TLS_KEY=/etc/ssl/echo/tls.key \ | ||
| -e ECHO_HTTPS_HOST=:: \ | ||
| -e ECHO_HTTPS_PORT=8443 \ | ||
| "${IMAGE_TAG}" | ||
| # Wait for server to start | ||
| for i in $(seq 1 10); do | ||
| if curl -skf https://localhost:18443/ > /tmp/echo-https.json; then | ||
| break | ||
| fi | ||
| echo "Waiting for echo TLS server... (attempt $i)" | ||
| sleep 1 | ||
| done | ||
| echo "HTTPS response:" | ||
| cat /tmp/echo-https.json | ||
| if grep -q '"method"' /tmp/echo-https.json; then | ||
| echo "✓ HTTPS smoke test passed" | ||
| else | ||
| echo "✗ HTTPS smoke test failed — unexpected response" | ||
| docker logs toolshed-echo-tls-test || true | ||
| exit 1 | ||
| fi | ||
| docker rm -f toolshed-echo-tls-test | ||
| shell: bash | ||
| status: | ||
| runs-on: ubuntu-24.04 | ||
| if: >- | ||
| always() | ||
| && github.event_name == 'pull_request' | ||
| name: Docker | ||
| needs: | ||
| - request | ||
| - build | ||
| steps: | ||
| - run: | | ||
| if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" || "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then | ||
| echo "One or more jobs failed or were cancelled" | ||
| exit 1 | ||
| fi | ||
| echo "All required jobs passed or were skipped" | ||
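Review bot: The `Download and verify echo binary` step at L129–173 fetches a PGP clear-signed checksum list (`checksums.txt.asc`) but only strips the armor with `sed` (L162–166) and never verifies the signature, so the `sha256sum -c` check binds the binary to an unauthenticated text fetched from the same release URL as the binary itself — anyone able to replace one release asset can replace both, and the step adds no trust beyond TLS to github.com. Before the `sed` extraction, import the release signing public key from a file checked into the repository into a temporary keyring and run `gpg --batch --no-default-keyring --keyring "${RUNNER_TEMP}/echo.gpg" --verify "${RUNNER_TEMP}/checksums.txt.asc"`; with `set -euo pipefail` already at L138 a failed verification aborts the step. If signing is not in scope, pinning the expected digest in `docker-assets.yaml` (as the yq-based step at L178–195 appears to do) is stronger than an unverified `.asc` download. The render drops the +/- markers and shows two steps with `id: echo-asset` (L109, L175); I am reading L108–173 as the new side and L174–196 as the removed one, in which case the later `steps.echo-asset.outputs.version` references at L214, L268 and L294 no longer resolve, since the new steps expose `steps.echo-version.outputs.value` instead — please confirm against the actual diff.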