auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

* upstream/main: (34 commits)
  build(deps): bump github/codeql-action from 3.26.6 to 3.26.7 (#36152)
  build(deps): bump setuptools from 74.1.2 to 75.1.0 in /tools/base (#36176)
  build(deps): bump slack-sdk from 3.32.0 to 3.33.0 in /tools/base (#36175)
  Remove most binds for abseil and migrate abseil external_deps to deps (#36171)
  code-cleanup: move static string declaration scope (#35987)
  OAuth2: add a nonce to the state parameter (#35919)
  contrib: upgrade go version to 1.23 (#36149)
  router: removing an exception (#35605)
  repo: Sync version histories (#36157)
  release/ci: Dont run on tags (#36146)
  release/ci: Skip build tests on publishing run (#36145)
  quic: batch packet testing (#36061)
  mobile: Make Android proxy tests hermetic (#36129)
  threads: Improve PosixThreadFactory method signatures (#36103)
  proxy_filter: Fix the CONNECT implementation when the hostname contains a port number (#36072)
  docker/release: Bump Ubuntu image -> adbb901 (#36097)
  vpp: Additional fix for build file mangling (#36120)
  [Geoip+ci] Fix flaky release check in ci (#36118)
  build(deps): update envoyproxy/toolshed requirement to actions-v0.2.35 (#36111)
  coverage: Adjust the coverage threshold for common/posix (#36108)
  ...

.azure-pipelines/pipelines.yml

@@ -3,9 +3,6 @@ trigger:
     include:
     - "main"
     - "release/v*"
-  tags:
-    include:
-    - "v*"
 
 
 # PR build config is manually overridden in Azure pipelines UI with different secrets

.azure-pipelines/stages.yml

@@ -63,6 +63,7 @@ stages:
       authGPGPath: $(MaintainerGPGKey.secureFilePath)
       bucketGCP: $(GcsArtifactBucket)
       publishGithubRelease: variables['PUBLISH_GITHUB_RELEASE']
+      runBuild: stageDependencies.env.repo.outputs['run.releaseTests']
       runPrechecks: stageDependencies.env.repo.outputs['run.releaseTests']
 
 - stage: check

.github/workflows/codeql-daily.yml

@@ -34,7 +34,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93  # codeql-bundle-v3.26.6
+      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -73,4 +73,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93  # codeql-bundle-v3.26.6
+      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7

.github/workflows/codeql-push.yml

@@ -65,7 +65,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93  # codeql-bundle-v3.26.6
+      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
       with:
         languages: cpp
 
@@ -108,4 +108,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93  # codeql-bundle-v3.26.6
+      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7

.github/workflows/envoy-sync.yml

@@ -7,6 +7,8 @@ on:
   push:
     branches:
     - main
+    - release/v1.28
+    - release/v1.31
   workflow_dispatch:
 
 concurrency:
@@ -19,6 +21,7 @@ jobs:
     if: >-
       ${{
           github.repository == 'envoyproxy/envoy'
+          && (github.ref_name == 'main')
           && (github.event.push
               || !contains(github.actor, '[bot]'))
       }}
@@ -42,3 +45,32 @@ jobs:
         ref: main
         token: ${{ steps.appauth.outputs.token }}
         workflow: envoy-sync.yaml
+
+  sync-release:
+    runs-on: ubuntu-22.04
+    if: >-
+      ${{
+          github.repository == 'envoyproxy/envoy'
+          && contains(fromJSON('["main", "release/v1.28", "release/v1.31"]'), github.ref_name)
+          && (github.event.push
+              || !contains(github.actor, '[bot]'))
+      }}
+    strategy:
+      fail-fast: false
+      matrix:
+        downstream:
+        - envoy-openssl
+    steps:
+    - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.2.35
+      id: appauth
+      with:
+        app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }}
+        key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }}
+    - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.2.35
+      with:
+        repository: "envoyproxy/${{ matrix.downstream }}"
+        ref: release/v1.28
+        token: ${{ steps.appauth.outputs.token }}
+        workflow: envoy-sync-receive.yaml
+        inputs: |
+          branch: ${{ github.ref_name }}

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93  # v3.26.6
+      uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d  # v3.26.7
       with:
         sarif_file: results.sarif

api/BUILD

@@ -382,6 +382,7 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "@com_github_cncf_xds//xds/core/v3:pkg",
+        "@com_github_cncf_xds//xds/data/orca/v3:pkg",
         "@com_github_cncf_xds//xds/type/matcher/v3:pkg",
         "@com_github_cncf_xds//xds/type/v3:pkg",
     ],

api/bazel/repository_locations.bzl

@@ -52,9 +52,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "xDS API Working Group (xDS-WG)",
         project_url = "https://github.com/cncf/xds",
         # During the UDPA -> xDS migration, we aren't working with releases.
-        version = "555b57ec207be86f811fb0c04752db6f85e3d7e2",
-        sha256 = "0c8c4f0f67fed967b51049f7d5e2ca7a9bd433970a29c88e272c8665328172f5",
-        release_date = "2024-04-23",
+        version = "b4127c9b8d78b77423fd25169f05b7476b6ea932",
+        sha256 = "aa5f1596bbef3f277dcf4700e4c1097b34301ae66f3b79cd731e3adfbaff2f8f",
+        release_date = "2024-09-05",
         strip_prefix = "xds-{version}",
         urls = ["https://github.com/cncf/xds/archive/{version}.tar.gz"],
         use_category = ["api"],

api/envoy/config/cluster/v3/cluster.proto

@@ -1162,14 +1162,13 @@ message Cluster {
   // from the LRS stream here.]
   core.v3.ConfigSource lrs_server = 42;
 
-  // [#not-implemented-hide:]
-  // A list of metric names from ORCA load reports to propagate to LRS.
+  // A list of metric names from :ref:`ORCA load reports <envoy_v3_api_msg_.xds.data.orca.v3.OrcaLoadReport>` to propagate to LRS.
   //
   // If not specified, then ORCA load reports will not be propagated to LRS.
   //
   // For map fields in the ORCA proto, the string will be of the form ``<map_field_name>.<map_key>``.
   // For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA
-  // ``named_metrics`` field.
+  // :ref:`named_metrics <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.named_metrics>` field.
   //
   // The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to
   // report all entries in the ORCA named_metrics field). Note that this should be used only with trusted

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -30,7 +30,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 29]
+// [#next-free-field: 30]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v3.ExtAuthz";
@@ -296,6 +296,17 @@ message ExtAuthz {
   // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
   // name.
   google.protobuf.Struct filter_metadata = 28;
+
+  // When set to true, the filter will emit per-stream stats for access logging. The filter state
+  // key will be the same as the filter name.
+  //
+  // If using Envoy GRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
+  // info. If not using Envoy GRPC, emits only latency. Note that stats are ONLY added to filter
+  // state if a check request is actually made to an ext_authz service.
+  //
+  // If this is false the filter will not emit stats, but filter_metadata will still be respected if
+  // it has a value.
+  bool emit_filter_state_stats = 29;
 }
 
 // Configuration for buffering the request data.

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -27,7 +27,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#next-free-field: 6]
 message OAuth2Credentials {
-  // [#next-free-field: 6]
+  // [#next-free-field: 7]
   message CookieNames {
     // Cookie name to hold OAuth bearer token value. When the authentication server validates the
     // client and returns an authorization token back to the OAuth filter, no matter what format
@@ -52,6 +52,10 @@ message OAuth2Credentials {
     // Cookie name to hold the refresh token. Defaults to ``RefreshToken``.
     string refresh_token = 5
         [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // Cookie name to hold the nonce value. Defaults to ``OauthNonce``.
+    string oauth_nonce = 6
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
   }
 
   // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.

bazel/dependency_imports.bzl

@@ -18,7 +18,7 @@ load("@rules_rust//rust:defs.bzl", "rust_common")
 load("@rules_rust//rust:repositories.bzl", "rules_rust_dependencies", "rust_register_toolchains", "rust_repository_set")
 
 # go version for rules_go
-GO_VERSION = "1.22.5"
+GO_VERSION = "1.23.1"
 
 JQ_VERSION = "1.7"
 YQ_VERSION = "4.24.4"

bazel/external/quiche.BUILD

@@ -433,9 +433,6 @@ envoy_cc_library(
         "quiche/http2/adapter/oghttp2_session.h",
     ],
     copts = quiche_copts,
-    external_deps = [
-        "abseil_algorithm",
-    ],
     repository = "@envoy",
     deps = [
         ":http2_adapter_chunked_buffer",
@@ -457,6 +454,7 @@ envoy_cc_library(
         ":http2_no_op_headers_handler_lib",
         ":quiche_common_callbacks",
         ":spdy_core_http2_header_block_lib",
+        "@com_google_absl//absl/algorithm",
         "@com_google_absl//absl/cleanup",
     ],
 )
@@ -2296,13 +2294,11 @@ envoy_quic_cc_library(
     hdrs = [
         "quiche/quic/core/quic_connection_context.h",
     ],
-    external_deps = [
-        "abseil_str_format",
-    ],
     deps = [
         ":quic_platform_export",
         ":quiche_common_platform",
         ":quiche_common_text_utils_lib",
+        "@com_google_absl//absl/strings:str_format",
     ],
 )
 
@@ -2664,7 +2660,6 @@ envoy_quic_cc_library(
     hdrs = ["quiche/quic/core/crypto/proof_source_x509.h"],
     external_deps = [
         "ssl",
-        "abseil_node_hash_map",
     ],
     deps = [
         ":quic_core_crypto_certificate_view_lib",
@@ -2675,6 +2670,7 @@ envoy_quic_cc_library(
         ":quic_platform_base",
         ":quiche_common_endian_lib",
         "@com_google_absl//absl/base:core_headers",
+        "@com_google_absl//absl/container:node_hash_map",
     ],
 )
 
@@ -5091,13 +5087,11 @@ envoy_cc_test(
 envoy_cc_library(
     name = "quiche_common_print_elements_lib",
     hdrs = ["quiche/common/print_elements.h"],
-    external_deps = [
-        "abseil_inlined_vector",
-    ],
     repository = "@envoy",
     tags = ["nofips"],
     deps = [
         ":quiche_common_platform_export",
+        "@com_google_absl//absl/container:inlined_vector",
     ],
 )
 
@@ -5123,14 +5117,12 @@ envoy_cc_library(
     name = "quiche_common_text_utils_lib",
     srcs = ["quiche/common/quiche_text_utils.cc"],
     hdrs = ["quiche/common/quiche_text_utils.h"],
-    external_deps = [
-        "abseil_str_format",
-    ],
     repository = "@envoy",
     tags = ["nofips"],
     deps = [
         ":quiche_common_platform_export",
         "@com_google_absl//absl/hash",
+        "@com_google_absl//absl/strings:str_format",
     ],
 )
 

bazel/repositories.bzl

@@ -696,24 +696,8 @@ def _com_google_absl():
         patches = ["@envoy//bazel:abseil.patch"],
         patch_args = ["-p1"],
     )
-    native.bind(
-        name = "abseil_any",
-        actual = "@com_google_absl//absl/types:any",
-    )
-    native.bind(
-        name = "abseil_base",
-        actual = "@com_google_absl//absl/base:base",
-    )
 
-    # Bind for grpc.
-    native.bind(
-        name = "absl-base",
-        actual = "@com_google_absl//absl/base",
-    )
-    native.bind(
-        name = "abseil_btree",
-        actual = "@com_google_absl//absl/container:btree",
-    )
+    # keep these until jwt_verify_lib is updated.
     native.bind(
         name = "abseil_flat_hash_map",
         actual = "@com_google_absl//absl/container:flat_hash_map",
@@ -722,93 +706,15 @@ def _com_google_absl():
         name = "abseil_flat_hash_set",
         actual = "@com_google_absl//absl/container:flat_hash_set",
     )
-    native.bind(
-        name = "abseil_hash",
-        actual = "@com_google_absl//absl/hash:hash",
-    )
-    native.bind(
-        name = "abseil_hash_testing",
-        actual = "@com_google_absl//absl/hash:hash_testing",
-    )
-    native.bind(
-        name = "abseil_inlined_vector",
-        actual = "@com_google_absl//absl/container:inlined_vector",
-    )
-    native.bind(
-        name = "abseil_memory",
-        actual = "@com_google_absl//absl/memory:memory",
-    )
-    native.bind(
-        name = "abseil_node_hash_map",
-        actual = "@com_google_absl//absl/container:node_hash_map",
-    )
-    native.bind(
-        name = "abseil_node_hash_set",
-        actual = "@com_google_absl//absl/container:node_hash_set",
-    )
-    native.bind(
-        name = "abseil_str_format",
-        actual = "@com_google_absl//absl/strings:str_format",
-    )
     native.bind(
         name = "abseil_strings",
         actual = "@com_google_absl//absl/strings:strings",
     )
-    native.bind(
-        name = "abseil_int128",
-        actual = "@com_google_absl//absl/numeric:int128",
-    )
-    native.bind(
-        name = "abseil_optional",
-        actual = "@com_google_absl//absl/types:optional",
-    )
-    native.bind(
-        name = "abseil_synchronization",
-        actual = "@com_google_absl//absl/synchronization:synchronization",
-    )
-    native.bind(
-        name = "abseil_symbolize",
-        actual = "@com_google_absl//absl/debugging:symbolize",
-    )
-    native.bind(
-        name = "abseil_stacktrace",
-        actual = "@com_google_absl//absl/debugging:stacktrace",
-    )
-    native.bind(
-        name = "abseil_statusor",
-        actual = "@com_google_absl//absl/status:statusor",
-    )
-
-    # Require abseil_time as an indirect dependency as it is needed by the
-    # direct dependency jwt_verify_lib.
     native.bind(
         name = "abseil_time",
         actual = "@com_google_absl//absl/time:time",
     )
 
-    # Bind for grpc.
-    native.bind(
-        name = "absl-time",
-        actual = "@com_google_absl//absl/time:time",
-    )
-
-    native.bind(
-        name = "abseil_algorithm",
-        actual = "@com_google_absl//absl/algorithm:algorithm",
-    )
-    native.bind(
-        name = "abseil_variant",
-        actual = "@com_google_absl//absl/types:variant",
-    )
-    native.bind(
-        name = "abseil_status",
-        actual = "@com_google_absl//absl/status",
-    )
-    native.bind(
-        name = "abseil_cleanup",
-        actual = "@com_google_absl//absl/cleanup:cleanup",
-    )
-
 def _com_google_protobuf():
     external_http_archive(
         name = "rules_python",