You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Migrate all reusable workflow logic (the _*.yml set rooted at request.yml/_request.yml) from envoyproxy/envoy into envoyproxy/toolshed as cross-repo reusable workflows.
This is a tracker / bot ticket — scope is large and invasive but unblocks several things at once.
Why
Resolves Scorecard Pinned-Dependencies alert (envoy code-scanning #2630). Once the workflows live in toolshed, references from envoy become genuine cross-repo uses: and can be SHA-pinned (slotting into the existing toolshed bump automation).
Cross-branch consistency by construction. Today request.yml exists on every release branch and pins _request.yml@main. Moving the logic out makes each branch's choice of dispatcher version explicit (a SHA) instead of implicit ("whatever's on envoy@main right now").
Smaller pull_request_target blast radius. Dispatch logic stops living in the same repo where untrusted PRs land — structurally impossible for an envoy PR to alter the dispatcher.
Reuse. Mirror repos / downstream consumers can import the same workflows cleanly.
Envoy keeps only its own workflows (envoy-*.yml, mobile-*.yml, codeql-*.yml, scorecard.yml, etc.). The shared CI primitives live with the rest of toolshed.
Scope — workflows to migrate
Entry point + all _*.yml reusable workflows it pulls in (directly or transitively):
Entry / dispatch
request.yml (the per-branch caller — stays in envoy but becomes a thin wrapper calling toolshed)
Inventory & dependency walk. Starting from request.yml, recursively resolve every uses: ./.github/workflows/_*.yml and every action invocation, producing the full transitive set + a graph.
Port to toolshed. Move the _*.yml files into envoyproxy/toolshed/.github/workflows/ (consider a naming scheme — e.g. envoy-ci-*.yml — to avoid collision with toolshed's existing workflows). Rewrite local uses: ./.github/workflows/_x.yml → uses: envoyproxy/toolshed/.github/workflows/envoy-ci-x.yml@<sha>.
Audit secrets/permissions. Each reusable workflow's secrets: and permissions: blocks must be preserved exactly; cross-repo reusable workflows require explicit secrets: passthrough at every layer. Verify nothing implicitly relied on same-repo ${{ secrets.* }} access.
Audit pull_request_target semantics. Confirm caller-context behavior (token, github.event, env) is unchanged when the called workflow lives in another repo.
Rewrite envoy callers. Update envoy's request.yml and any other top-level workflows to point at toolshed-hosted SHAs. Local ./ paths remain only for envoy-specific glue.
Document in toolshed. Add usage docs + a changelog entry; the workflows become a public contract.
Roll out across branches.main first, then each active release/v* branch (each gets its own pinned SHA — that's the whole point).
Delete migrated _*.yml from envoy once green on all branches.
Toolshed already has its own .github/workflows/ — need a naming convention to avoid collision and to make ownership obvious.
_run.yml is large and parameter-heavy; wide blast radius if its interface drifts during the move. Port verbatim first, refactor later.
pull_request_target + cross-repo reusable workflows: behavior is supported but worth a smoke test on a throwaway branch before flipping main.
Some _*.yml already reference toolshed actions at pinned SHAs (e.g. envoyproxy/toolshed/actions/...@<sha>). Those references should be re-pinned to whatever toolshed SHA the migrated workflows land at, to keep a consistent toolshed version per branch.
request.yml lives on every branch and calls _request.yml@main — the new wrapper should call envoyproxy/toolshed/.github/workflows/envoy-ci-request.yml@<sha> per branch, with the SHA bumped by the existing toolshed automation.
Status
Bot-driven dependency walk + inventory confirmed
Workflows ported to toolshed
Envoy request.yml rewritten on main
Envoy request.yml rewritten on active release/v* branches
Summary
Migrate all reusable workflow logic (the
_*.ymlset rooted atrequest.yml/_request.yml) fromenvoyproxy/envoyintoenvoyproxy/toolshedas cross-repo reusable workflows.This is a tracker / bot ticket — scope is large and invasive but unblocks several things at once.
Why
Pinned-Dependenciesalert (envoy code-scanning #2630). Once the workflows live in toolshed, references from envoy become genuine cross-repouses:and can be SHA-pinned (slotting into the existing toolshed bump automation).request.ymlexists on every release branch and pins_request.yml@main. Moving the logic out makes each branch's choice of dispatcher version explicit (a SHA) instead of implicit ("whatever's on envoy@main right now").pull_request_targetblast radius. Dispatch logic stops living in the same repo where untrusted PRs land — structurally impossible for an envoy PR to alter the dispatcher.envoy-*.yml,mobile-*.yml,codeql-*.yml,scorecard.yml, etc.). The shared CI primitives live with the rest of toolshed.Scope — workflows to migrate
Entry point + all
_*.ymlreusable workflows it pulls in (directly or transitively):Entry / dispatch
Load / run / finish (the "_load shit" + harness)
Full directory: .github/workflows/. Bot should re-walk this list at execution time — set may have drifted.
What stays in envoy
Repo-specific top-level workflows only —
request.yml(thin wrapper),envoy-*.yml,mobile-*.yml,codeql-*.yml,scorecard.yml,command.yml,pr_notifier.yml,stale.yml,toolchain-test.yml,copilot-setup-steps.yml, etc. All_*.ymlmove out.Check / precheck / publish / misc reusable
Migration plan (for the bot)
request.yml, recursively resolve everyuses: ./.github/workflows/_*.ymland every action invocation, producing the full transitive set + a graph._*.ymlfiles intoenvoyproxy/toolshed/.github/workflows/(consider a naming scheme — e.g.envoy-ci-*.yml— to avoid collision with toolshed's existing workflows). Rewrite localuses: ./.github/workflows/_x.yml→uses: envoyproxy/toolshed/.github/workflows/envoy-ci-x.yml@<sha>.secrets:andpermissions:blocks must be preserved exactly; cross-repo reusable workflows require explicitsecrets:passthrough at every layer. Verify nothing implicitly relied on same-repo${{ secrets.* }}access.pull_request_targetsemantics. Confirm caller-context behavior (token,github.event, env) is unchanged when the called workflow lives in another repo.request.ymland any other top-level workflows to point at toolshed-hosted SHAs. Local./paths remain only for envoy-specific glue.mainfirst, then each activerelease/v*branch (each gets its own pinned SHA — that's the whole point)._*.ymlfrom envoy once green on all branches.Risks / things to watch
.github/workflows/— need a naming convention to avoid collision and to make ownership obvious._run.ymlis large and parameter-heavy; wide blast radius if its interface drifts during the move. Port verbatim first, refactor later.pull_request_target+ cross-repo reusable workflows: behavior is supported but worth a smoke test on a throwaway branch before flippingmain._*.ymlalready reference toolshed actions at pinned SHAs (e.g.envoyproxy/toolshed/actions/...@<sha>). Those references should be re-pinned to whatever toolshed SHA the migrated workflows land at, to keep a consistent toolshed version per branch.request.ymllives on every branch and calls_request.yml@main— the new wrapper should callenvoyproxy/toolshed/.github/workflows/envoy-ci-request.yml@<sha>per branch, with the SHA bumped by the existing toolshed automation.Status
request.ymlrewritten onmainrequest.ymlrewritten on activerelease/v*branches_*.ymlremoved from envoy/cc @phlax — bot will pick this up.