Added workflow to perform scheduled auto merge from upstream envoy

This commit copies the workflow file and associated script from the
previous default branch to the new default branch, because Github only
executes workflows from the default branch.

Signed-off-by: Ted Poole <[email protected]>

Author: tedjpoole

.github/workflows/envoy-sync-scheduled.yaml

@@ -0,0 +1,53 @@
+name: Sync from Upstream (Scheduled)
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 1 * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}
+
+jobs:
+  sync:
+    if: github.repository == 'envoyproxy/envoy-openssl'
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        branch_name:
+          - release/v1.32
+          - release/v1.28
+    steps:
+    - id: appauth
+      uses: envoyproxy/toolshed/gh-actions/[email protected]
+      with:
+        key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
+        app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}
+
+    # Checkout the branch we're merging into
+    - name: "Checkout ${{ github.repository }}[${{ matrix.branch_name }}]"
+      uses: actions/checkout@v4
+      with:
+        token: ${{ steps.appauth.outputs.token }}
+        ref: ${{ matrix.branch_name }}
+        fetch-depth: 0
+
+    # Configure the git user info on the repository
+    - run: git config user.name "${{ github.actor }}"
+    - run: git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+
+    # Checkout & run the script from the default branch
+    - name: 'Checkout ci/envoy-sync-receive.sh'
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.repository.default_branch }}
+        sparse-checkout: 'ci/envoy-sync-receive.sh'
+        sparse-checkout-cone-mode: false
+        path: '.script'
+    - run: .script/ci/envoy-sync-receive.sh ${{ matrix.branch_name }}
+      env:
+          GH_TOKEN: ${{ steps.appauth.outputs.token }}

README.md

@@ -31,6 +31,30 @@ repository, with the addition of:
 Note that the initial `release/v1.26` branch is *not* intended for production.
 It is anticipated that `release/v1.28` will be the first branch to reach production.
 
+## Synchronizing
+
+Since this repository is primarily a copy of the [envoyproxy/envoy](https://github.com/envoyproxy/envoy) repository,
+the process of keeping this repository in sync with the regular envoy repository is automated.
+
+This automation is implemented by the
+[envoy-sync-scheduled.yaml](.github/workflows/envoy-sync-scheduled.yaml)
+workflow which executes on a daily schedule. For each of the branches listed in
+the workflow's strategy matrix, a merge is attempted from the [envoyproxy/envoy](https://github.com/envoyproxy/envoy)
+repository into the identically named branch in this repository.
+
+- If the merge is successful, it:
+  - pushes the feature branch to the repository
+  - creates the associated pull request if it doesn't already exist
+  - closes the associated issue if it already exists
+- If the merge is unsuccessful, it:
+  - leaves the associated pull request untouched if it already exists
+  - creates the associated issue issue if it doesn't already exist
+  - adds a comment on the associated issue to describe the merge fail
+
+Note that the feature branches created by this automation are named
+`auto-merge-<branch-name>`. These repeatable names allow the workflow to reuse &
+update existing branches and pull requests, rather than creating new ones each time.
+
 ## Building
 
 The process for building envoy-openssl is very similar to building regular envoy, wherever possible

ci/envoy-sync-receive.sh

@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+#
+# Copyright Red Hat
+#
+# This script is invoked from .github/workflow/envoy-sync-*.yaml workflows.
+#
+# It merges the specified branch from the upstream envoyproxy/envoy repository
+# into the current branch in the current working directory.  It is assumed that
+# the calling workflow has already checked out the destination repository and
+# switched to the destination branch, in the current working directory before
+# invoking us.
+#
+# - If the merge is successful, it:
+#  - pushes the feature branch to the repository
+#  - creates the associated pull request if it doesn't already exist
+#  - closes the associated issue if it already exists
+#
+# -If the merge is unsuccessful, it:
+#  - leaves the associated pull request untouched if it already exists
+#  - creates the associated issue issue if it doesn't already exist
+#  - adds a comment on the associated issue to describe the merge fail
+#
+
+set -euo pipefail
+
+notice() { printf "::notice:: %s\n" "$1"; }
+
+SCRATCH="$(mktemp -d)"
+cleanup() {
+    local savexit=$?
+    rm -rf -- "${SCRATCH}"
+    exit "${savexit}"
+}
+trap 'cleanup' EXIT
+
+SRC_REPO_URL="https://github.com/envoyproxy/envoy.git"
+SRC_REPO_PATH="${SRC_REPO_URL/#*github.com?/}"
+SRC_REPO_PATH="${SRC_REPO_PATH/%.git/}"
+SRC_BRANCH_NAME="$1"
+SRC_HEAD_SHA="$(git ls-remote "${SRC_REPO_URL}" | awk "/\srefs\/heads\/${SRC_BRANCH_NAME/\//\\\/}$/{print \$1}")"
+
+DST_REPO_URL=$(git remote get-url origin)
+DST_REPO_PATH="${DST_REPO_URL/#*github.com?/}"
+DST_REPO_PATH="${DST_REPO_PATH/%.git/}"
+DST_BRANCH_NAME=$(git branch --show-current)
+DST_HEAD_SHA=$(git rev-parse HEAD)
+
+# Add the remote upstream repo and fetch the specified branch
+git remote remove upstream &> /dev/null || true
+git remote add -f -t "${SRC_BRANCH_NAME}" upstream "${SRC_REPO_URL}"
+
+# Compose text for pull request or issue title
+TITLE="auto-merge ${SRC_REPO_PATH}[${SRC_BRANCH_NAME}] "
+TITLE+="into ${DST_REPO_PATH}[${DST_BRANCH_NAME}]"
+
+# Create a new branch name for the merge. Deliberately don't include
+# any commit hash or timestamp in the name to ensure it is repeatable.
+# This ensures that each time we get invoked, due to an upstream change,
+# we accumulate the changes in the same branch and pull request, rather
+# than creating new ones that superceed the old one(s) each time.
+DST_NEW_BRANCH_NAME="auto-merge-$(echo "${SRC_BRANCH_NAME}" | tr /. -)"
+
+# Set the default remote for the gh command
+gh repo set-default "${DST_REPO_PATH}"
+
+# Perform the merge using --no-ff option to force creating a merge commit
+if git merge --no-ff --log=10000 --signoff -m "${TITLE}" \
+                "upstream/${SRC_BRANCH_NAME}" > "${SCRATCH}/mergeout"; then
+    DST_NEW_HEAD_SHA="$(git rev-parse HEAD)"
+    if [[ "${DST_NEW_HEAD_SHA}" != "${DST_HEAD_SHA}" ]]; then
+        git push --force origin "HEAD:${DST_NEW_BRANCH_NAME}"
+        PR_COUNT=$(gh pr list --head "${DST_NEW_BRANCH_NAME}" \
+                              --base "${DST_BRANCH_NAME}" \
+                              --state open | wc -l)
+        if [[ "${PR_COUNT}" == "0" ]]; then
+            PR_URL=$(gh pr create --head "${DST_NEW_BRANCH_NAME}" \
+                                  --base "${DST_BRANCH_NAME}" \
+                                  --title "${TITLE}" \
+                                  --body "Generated by $(basename "$0")")
+            MERGE_OUTCOME="Created ${PR_URL}"
+        else
+            PR_ID=$(gh pr list --head "${DST_NEW_BRANCH_NAME}" \
+                               --base "${DST_BRANCH_NAME}" \
+                               --state open | head -1 | cut -f1)
+            PR_URL="https://github.com/${DST_REPO_PATH}/pull/${PR_ID}"
+            MERGE_OUTCOME="Updated ${PR_URL}"
+        fi
+    else
+        MERGE_OUTCOME="No changes"
+    fi
+    notice "${TITLE} successful (${MERGE_OUTCOME})"
+    # Close any related issues with a comment describing why
+    for ISSUE_ID in $(gh issue list -S "${TITLE} failed" | cut -f1); do
+        ISSUE_URL="https://github.com/${DST_REPO_PATH}/issues/${ISSUE_ID}"
+        gh issue close "${ISSUE_URL}" --comment "Successful ${TITLE} (${MERGE_OUTCOME})"
+        notice "Closed ${ISSUE_URL}"
+    done
+else # merge fail
+    notice "${TITLE} failed"
+    ISSUE_COUNT=$(gh issue list -S "${TITLE} failed" | wc -l)
+    if [[ "${ISSUE_COUNT}" == "0" ]]; then
+        ISSUE_URL=$(gh issue create --title "${TITLE} failed" --body "${TITLE} failed")
+        ISSUE_ID="$(basename "${ISSUE_URL}")"
+        ISSUE_OUTCOME="Created"
+    else
+        ISSUE_ID="$(gh issue list -S "${TITLE} failed sort:created-asc" | tail -1 | cut -f1)"
+        ISSUE_URL="https://github.com/${DST_REPO_PATH}/issues/${ISSUE_ID}"
+        ISSUE_OUTCOME="Updated"
+    fi
+    COMMENT_URL=$(\
+        gh issue comment "${ISSUE_URL}" --body-file - <<-EOF
+			Failed to ${TITLE}
+			
+			Upstream   : [${SRC_HEAD_SHA}](https://github.com/${SRC_REPO_PATH}/commit/${SRC_HEAD_SHA})
+			Downstream : [${DST_HEAD_SHA}](https://github.com/${DST_REPO_PATH}/commit/${DST_HEAD_SHA})
+			
+			\`\`\`
+			$(cat "${SCRATCH}/mergeout" || true)
+			\`\`\`
+		EOF
+    )
+    notice "${ISSUE_OUTCOME} ISSUE#${ISSUE_ID} (${COMMENT_URL})"
+    exit 1
+fi