.github/workflows/envoy-sync.yaml

name: Sync Envoy

permissions:
  contents: read

on:
  workflow_dispatch:
    inputs:
      commit_sha:
        type: string
        required: true

concurrency:
  group: SYNC

jobs:
  sync:
    runs-on: ubuntu-22.04
    if: |
      ${{
          !contains(github.actor, '[bot]')
          || github.actor == 'sync-envoy[bot]'
      }}
    steps:
    - id: appauth
      uses: envoyproxy/toolshed/gh-actions/appauth@8a8f4f64d8bccc99427740197479c0a5353ca8de  # actions-v0.0.18
      with:
        key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
        app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}

    # Checkout the repo
    - name: 'Checkout Repository (envoy-website)'
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
      with:
        ref: main
        token: ${{ steps.appauth.outputs.token  }}
        path: archive

    - run: |
        envoy_version="$(awk '/"envoy"/ { in_block=1 } in_block && /"version"/ { gsub(/[",]/, "", $2); print $2; in_block=0 }' archive/versions.bzl)"
        echo "envoy_version=${envoy_version}" >> "$GITHUB_OUTPUT"
      id: current
      name: Get current Envoy version

    # Checkout the Envoy repo
    - name: 'Checkout Repository (envoy)'
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
      with:
        repository: envoyproxy/envoy
        ref: main
        path: envoy
        fetch-depth: 0

    - run: |
        if [[ "${{ inputs.commit_sha }}" == "${{ steps.current.outputs.envoy_version }}" ]]; then
            echo "Envoy is already up-to-date (${{ inputs.commit_sha }})" >&2
            exit 0
        fi
        if ! git merge-base --is-ancestor "${{ inputs.commit_sha }}" HEAD; then
            echo "Provided Envoy sha (${{ inputs.commit_sha }}) is not an ancestor of main" >&2
            exit 1
        fi
        git checkout "${{ inputs.commit_sha }}"
        if ! git merge-base --is-ancestor "${{ steps.current.outputs.envoy_version }}" HEAD; then
            echo "Provided Envoy sha (${{ inputs.commit_sha }}) is not newer than " \
                 "the current sha (${{ steps.current.outputs.envoy_version }})" >&2
            exit 0
        fi
        echo "should_update=true" >> "$GITHUB_OUTPUT"
      id: state
      working-directory: envoy
      name: Check provided Envoy version

    - run: ./sync_envoy.sh
      if: ${{ steps.state.outputs.should_update == 'true' }}
      working-directory: archive
      env:
        ENVOY_SRC_DIR: ../envoy
        COMMITTER_NAME: "update-envoy[bot]"
        COMMITTER_EMAIL: "135279899+update-envoy[bot]@users.noreply.github.com"