envoyproxy · phlax · Oct 25, 2025 · Oct 24, 2025
@@ -61,7 +61,7 @@ jobs:
       timeout-minutes: 120
       trusted: ${{ inputs.trusted }}
       upload-name: release.${{ inputs.arch }}
-      upload-path: envoy/${{ inputs.arch }}/bin/
+      upload-path: container/envoy/${{ inputs.arch }}/bin/
 
   docker:
     permissions:
@@ -79,7 +79,7 @@ jobs:
       cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }}
       concurrency-suffix: -${{ inputs.arch }}
       downloads: |
-        release.${{ inputs.arch }}: envoy/${{ inputs.arch }}/bin/
+        release.${{ inputs.arch }}: container/envoy/${{ inputs.arch }}/bin/
       request: ${{ inputs.request }}
       source: |
         export NO_BUILD_SETUP=1
@@ -92,7 +92,7 @@ jobs:
         # export DOCKER_FORCE_OCI_OUTPUT=true
       trusted: ${{ inputs.trusted }}
       upload-name: oci.${{ inputs.arch }}
-      upload-path: envoy/${{ inputs.arch }}/build_images
+      upload-path: container/envoy/${{ inputs.arch }}/build_images
       runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }}
 
   distribution:
@@ -112,7 +112,7 @@ jobs:
       bazel-extra: >-
         --config=remote-cache-envoy-engflow
       downloads: |
-        release.${{ inputs.arch }}: release/${{ inputs.arch }}/bin/
+        release.${{ inputs.arch }}: container/release/${{ inputs.arch }}/bin/
       target: distribution
       target-suffix: ${{ inputs.arch }}
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
@@ -125,4 +125,4 @@ jobs:
       runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }}
       trusted: ${{ inputs.trusted }}
       upload-name: packages.${{ inputs.arch }}
-      upload-path: envoy/${{ inputs.arch }}
+      upload-path: container/envoy/${{ inputs.arch }}
@@ -59,22 +59,22 @@ jobs:
         --//distribution:arm64-release=//distribution:custom/arm64/bin/release.tar.zst
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       downloads: |
-        packages.arm64: envoy/arm64/
-        packages.x64: envoy/x64/
-        release.arm64: envoy/arm64/bin/
-        release.x64: envoy/x64/bin/
+        packages.arm64: container/envoy/arm64/
+        packages.x64: container/envoy/x64/
+        release.arm64: container/envoy/arm64/bin/
+        release.x64: container/envoy/x64/bin/
       gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }}
       import-gpg: true
       request: ${{ inputs.request }}
       source: |
         export NO_BUILD_SETUP=1
       trusted: ${{ inputs.trusted }}
       upload-name: release.signed
-      upload-path: envoy/release.signed.tar.zst
+      upload-path: container/envoy/release.signed.tar.zst
       steps-pre: |
         - run: |
             mkdir distribution/custom
-            cp -a %{{ runner.temp }}/envoy/x64 %{{ runner.temp }}/envoy/arm64 distribution/custom
+            cp -a %{{ runner.temp }}/container/envoy/x64 %{{ runner.temp }}/container/envoy/arm64 distribution/custom
           shell: bash
 
   container:
@@ -114,7 +114,7 @@ jobs:
       rbe: false
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       downloads: |
-        release.signed: release.signed
+        release.signed: container/release.signed
       gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }}
       source: ${{ matrix.source }}
       request: ${{ inputs.request }}

@@ -55,8 +55,8 @@ jobs:
         - name: examples
           target: verify_examples
           downloads: |
-            oci.arm64: build_images
-            oci.x64: build_images
+            oci.arm64: container/build_images
+            oci.x64: container/build_images
           rbe: false
           source: |
             export NO_BUILD_SETUP=1
@@ -75,7 +75,7 @@ jobs:
                 for image in "${IMAGES[@]}"; do
                     src_name="$(echo ${image} | cut -d: -f1)"
                     dest_name="$(echo ${image} | cut -d: -f2)"
-                    src="oci-archive:%{{ runner.temp }}/build_images/${src_name}.amd64.tar"
+                    src="oci-archive:%{{ runner.temp }}/container/build_images/${src_name}.amd64.tar"
                     dest="docker-daemon:envoyproxy/envoy:${dest_name}"
                     echo "Copy image: ${src} ${dest}"
                     skopeo copy -q "${src}" "${dest}"
@@ -110,7 +110,7 @@ jobs:
         - name: distroless
           target: verify-distroless
           downloads: |
-            oci.x64: build_images
+            oci.x64: container/build_images
           rbe: false
           source: |
             export NO_BUILD_SETUP=1
@@ -121,7 +121,7 @@ jobs:
                 for image in "${IMAGES[@]}"; do
                     src_name="$(echo ${image} | cut -d: -f1)"
                     dest_name="$(echo ${image} | cut -d: -f2)"
-                    src="oci-archive:%{{ runner.temp }}/build_images/${src_name}.amd64.tar"
+                    src="oci-archive:%{{ runner.temp }}/container/build_images/${src_name}.amd64.tar"
                     dest="docker-daemon:envoyproxy/envoy:${dest_name}"
                     echo "Copy image: ${src} ${dest}"
                     skopeo copy -q "${src}" "${dest}"
@@ -146,7 +146,7 @@ jobs:
       container-command: ./ci/run_envoy_docker.sh
       concurrency-suffix: -${{ matrix.arch || 'x64' }}
       downloads: |
-        release.signed: release.signed
+        release.signed: container/release.signed
       gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }}
       rbe: ${{ matrix.rbe && matrix.rbe || false }}
       request: ${{ inputs.request }}
@@ -164,14 +164,15 @@ jobs:
           shell: bash
         - run: |
             TEMP_DIR=$(mktemp -d)
-            zstd --stdout -d %{{ runner.temp }}/release.signed/release.signed.tar.zst | tar --warning=no-timestamp -xf - -C "${TEMP_DIR}"
+            zstd --stdout -d %{{ runner.temp }}/container/release.signed/release.signed.tar.zst \
+                | tar --warning=no-timestamp -xf - -C "${TEMP_DIR}"
             mkdir ${TEMP_DIR}/debs
             tar xf ${TEMP_DIR}/bin/debs.tar.gz -C ${TEMP_DIR}/debs
             mkdir -p ${TEMP_DIR}/distribution/deb
             cp -a ${TEMP_DIR}/debs/*_${DEB_ARCH}* ${TEMP_DIR}/distribution/deb
             cp -a ${TEMP_DIR}/signing.key ${TEMP_DIR}/distribution
-            mkdir -p %{{ runner.temp }}/distribution/${ARCH}
-            tar czf %{{ runner.temp }}/distribution/${ARCH}/packages.${ARCH}.tar.gz -C ${TEMP_DIR}/distribution .
+            mkdir -p %{{ runner.temp }}/container/distribution/${ARCH}
+            tar czf %{{ runner.temp }}/container/distribution/${ARCH}/packages.${ARCH}.tar.gz -C ${TEMP_DIR}/distribution .
           shell: bash
 
     strategy:

@@ -36,7 +36,7 @@ on:
             target: GITHUB_WORKSPACE
             chown: "runner:runner"
           - src: /mnt/runner
-            target: RUNNER_TEMP/bazel_root
+            target: RUNNER_TEMP/container/bazel_root
             chown: "runner:runner"
       cache-build-image:
         type: string
@@ -115,22 +115,6 @@ on:
           - run: |
               # Pre build report
               df -h > "${TMP_REPORT}/df-pre"
-              if [[ ! -e "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha256/" ]]; then
-                  exit 0
-              fi
-              find "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha256/" -maxdepth 1 -type d \
-                  | rev \
-                  | cut -d/ -f1 \
-                  | rev \
-                  > "${TMP_REPORT}/shas-pre"
-              if [[ ! -e "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha384/" ]]; then
-                  exit 0
-              fi
-              find "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha384/" -maxdepth 1 -type d \
-                  | rev \
-                  | cut -d/ -f1 \
-                  | rev \
-                  >> "${TMP_REPORT}/shas-pre"
             shell: bash
       report-post:
         type: string
@@ -139,22 +123,6 @@ on:
               # Post build report
               df -h > "${TMP_REPORT}/df-post"
               (du -ch "%{{ inputs.temp-dir || runner.temp }}" | grep -E "[0-9]{2,}M|[0-9]G" || :) > "${TMP_REPORT}/du-post"
-              if [[ ! -e "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha256/" ]]; then
-                  exit 0
-              fi
-              find "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha256/" -maxdepth 1 -type d \
-                  | rev \
-                  | cut -d/ -f1 \
-                  | rev \
-                  > "${TMP_REPORT}/shas-post"
-              if [[ ! -e "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha384/" ]]; then
-                  exit 0
-              fi
-              find "${ENVOY_DOCKER_BUILD_DIR}/repository_cache/content_addressable/sha384/" -maxdepth 1 -type d \
-                  | rev \
-                  | cut -d/ -f1 \
-                  | rev \
-                  >> "${TMP_REPORT}/shas-post"
             shell: bash
       request:
         type: string
@@ -260,6 +228,8 @@ jobs:
              "job-started": ${{ steps.started.outputs.value }}}
           | . * {$config, $check}
 
+    - run: |
+        mkdir ${{ runner.temp }}/container
     - uses: envoyproxy/toolshed/gh-actions/[email protected]
       if: inputs.bind-mount
       with:
@@ -295,7 +265,7 @@ jobs:
       with:
         gcs-bucket: ${{ inputs.gcs-cache-bucket }}
         key: ${{ fromJSON(inputs.request).config.ci.cache.bazel }}-${{ inputs.arch || 'x64' }}
-        path: ${{ runner.temp }}/bazel_root
+        path: ${{ runner.temp }}/container/bazel_root
 
     # HACK/WORKAROUND for cache scope issue (https://github.com/envoyproxy/envoy/issues/37603)
     - if: ${{ inputs.cache-build-image }}
@@ -354,7 +324,7 @@ jobs:
       with:
         key: ${{ secrets.gpg-key }}
         passphrase: ${{ secrets.gpg-key-password }}
-        passphrase-path: "${{ runner.temp }}/gpg-passphrase"
+        passphrase-path: "${{ runner.temp }}/container/gpg-passphrase"
         configured-passphrase-path: /build/gpg-passphrase
 
     - run: |
@@ -380,6 +350,8 @@ jobs:
       if: ${{ vars.ENVOY_CI_BAZELRC }}
       name: Configure repo Bazel settings
 
+    # NOTE: This is where untrusted code can be run!!!
+    #  It MUST be the last step in the workflow
     - uses: envoyproxy/toolshed/gh-actions/github/[email protected]
       name: Run CI ${{ inputs.command }} ${{ inputs.target }}
       with:
@@ -416,7 +388,7 @@ jobs:
         GITHUB_TOKEN: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }}
         DOCKERHUB_USERNAME: ${{ inputs.dockerhub-username }}
         DOCKERHUB_PASSWORD: ${{ secrets.dockerhub-password }}
-        ENVOY_DOCKER_BUILD_DIR: ${{ runner.temp }}
+        ENVOY_DOCKER_BUILD_DIR: ${{ runner.temp }}/container
         ENVOY_RBE: ${{ inputs.rbe == true && 1 || '' }}
         RBE_KEY: ${{ secrets.rbe-key }}
         BAZEL_BUILD_EXTRA_OPTIONS: >-