From 09a5097dc12abc9ded9655f60f6577c3e82693f3 Mon Sep 17 00:00:00 2001
From: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
Date: Tue, 10 Mar 2026 10:54:59 -0600
Subject: [PATCH 1/9] :construction_worker: Update CI workflow with permission check and dep pins
Signed-off-by: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
---
 .github/workflows/ci.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 504b866..cd1ab1d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -5,6 +5,10 @@ on:
 pull_request:
 branches: [ "main" ]
+# Least privilege permissions
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -15,11 +19,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 # Sets up a specific version of Python
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ matrix.python-version }}
From 2e8b5c28a0f0a41b01fa782d5ff65b391fce33ed Mon Sep 17 00:00:00 2001
From: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
Date: Tue, 10 Mar 2026 11:01:03 -0600
Subject: [PATCH 2/9] :construction_worker: Add security scan workflow
Signed-off-by: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
---
 .github/workflows/security-scans.yaml | 357 ++++++++++++++++++++++++++
 1 file changed, 357 insertions(+)
 create mode 100644 .github/workflows/security-scans.yaml
diff --git a/.github/workflows/security-scans.yaml b/.github/workflows/security-scans.yaml
new file mode 100644
index 0000000..dc3582f
--- /dev/null
+++ b/.github/workflows/security-scans.yaml
@@ -0,0 +1,357 @@
+# Security Scans - Comprehensive security checks
+#
+# Phases:
+# - Phase A: Dependency Review, Shellcheck, YAML lint, Hadolint
+# - Phase B: Python security (Bandit)
+# - Phase C: Container/IaC (Trivy)
+# - Phase D: CodeQL, Action pinning
+#
+name: Security Scans
+
+on:
+ pull_request:
+ branches: [main]
+
+# Jobs request only what they need through explicit permissions
+permissions: {}
+
+jobs:
+ # ============================================================================
+ # Phase A: Basic Security Checks
+ # ============================================================================
+
+ dependency-review:
+ name: Dependency Review
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: List dependency manifests
+ # This project should primarily be using pyproject.toml over requirements.txt
+ # but we can check all in case they happen to be added.
+ run: |
+ echo "=== Searching for dependency manifests ==="
+ echo ""
+ MANIFESTS=$(find . -type f \( \
+ -name "pyproject.toml" -o \
+ -name "uv.lock" -o \
+ -name "requirements*.txt" \
+ \) 2>/dev/null | grep -v node_modules | grep -v ".git/" | sort || true)
+
+ if [ -z "$MANIFESTS" ]; then
+ echo "No dependency manifests found in this repository."
+ else
+ echo "Found manifests:"
+ echo "$MANIFESTS"
+ echo ""
+ echo "Total: $(echo "$MANIFESTS" | wc -l | tr -d ' ') manifest files"
+ fi
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
+ with:
+ # Fail on moderate or higher severity vulnerabilities
+ fail-on-severity: moderate
+ # Block strong copyleft licenses that could affect project licensing
+ deny-licenses: GPL-3.0, AGPL-3.0
+
+ shellcheck:
+ name: Shell Script Lint
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Install shellcheck
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y shellcheck
+
+ - name: Find shell scripts
+ id: find-scripts
+ run: |
+ echo "=== Finding shell scripts ==="
+ SCRIPTS=$(find . -type f \( -name "*.sh" -o -name "*.bash" \) 2>/dev/null | grep -v ".git/" | grep -v "node_modules/" || true)
+ if [ -z "$SCRIPTS" ]; then
+ echo "No shell scripts found"
+ echo "has_scripts=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "Found scripts:"
+ echo "$SCRIPTS"
+ echo "has_scripts=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run shellcheck
+ if: steps.find-scripts.outputs.has_scripts == 'true'
+ run: |
+ echo "=== Running shellcheck ==="
+ FAILED=0
+ for script in $(find . -type f \( -name "*.sh" -o -name "*.bash" \) 2>/dev/null | grep -v ".git/" | grep -v "node_modules/"); do
+ echo "Checking: $script"
+ if ! shellcheck -e SC1091 "$script"; then
+ FAILED=1
+ fi
+ echo ""
+ done
+
+ if [ $FAILED -eq 1 ]; then
+ echo "ERROR: Some scripts failed shellcheck"
+ exit 1
+ fi
+
+ echo "All scripts passed shellcheck"
+
+ yamllint:
+ name: YAML Lint
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Install yamllint
+ run: pip install yamllint
+
+ - name: Create config
+ run: |
+ cat > .yamllint.yaml << 'EOF'
+ extends: relaxed
+ rules:
+ line-length:
+ max: 150
+ level: warning
+ truthy:
+ check-keys: false # Allow 'on:' in workflows
+ document-start: disable
+ comments:
+ min-spaces-from-content: 1
+ indentation:
+ spaces: 2
+ indent-sequences: whatever # Allow GitHub Actions style
+ EOF
+
+ - name: Lint YAML files
+ run: |
+ echo "=== Linting YAML files ==="
+ yamllint -c .yamllint.yaml \
+ .github/workflows/ \
+ resources/config/ \
+ plugins/ || true
+
+ echo ""
+ echo "=== Summary ==="
+ yamllint -c .yamllint.yaml -f parsable \
+ .github/workflows/ resources/config/ plugins/ 2>&1 > /tmp/yamllint_output.txt || true
+ ERROR_COUNT=$(grep -c ":error:" /tmp/yamllint_output.txt 2>/dev/null || echo "0")
+ WARNING_COUNT=$(grep -c ":warning:" /tmp/yamllint_output.txt 2>/dev/null || echo "0")
+ echo "Errors: $ERROR_COUNT"
+ echo "Warnings: $WARNING_COUNT"
+
+ # Fail only on errors (not warnings)
+ if [ "$ERROR_COUNT" -gt 0 ] 2>/dev/null; then
+ echo ""
+ echo "ERROR: YAML files have syntax errors. Please fix them."
+ exit 1
+ fi
+
+ hadolint:
+ name: Dockerfile Lint
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Find Dockerfiles
+ id: find-dockerfiles
+ run: |
+ DOCKERFILES=$(find . -name "Dockerfile*" -o -name "Containerfile*" -type f 2>/dev/null | grep -v node_modules | grep -v ".git/" || true)
+ if [ -z "$DOCKERFILES" ]; then
+ echo "No Dockerfiles found"
+ echo "has_dockerfiles=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "Found Dockerfiles:"
+ echo "$DOCKERFILES"
+ echo "has_dockerfiles=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run Hadolint
+ if: steps.find-dockerfiles.outputs.has_dockerfiles == 'true'
+ uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+ with:
+ dockerfile: "**/Dockerfile*"
+ recursive: true
+ failure-threshold: warning
+ # Common ignores for development Dockerfiles
+ ignore: DL3008,DL3013,DL3018,DL3059
+
+ # ============================================================================
+ # Phase B: Python Security
+ # ============================================================================
+
+ bandit:
+ name: Python Security (Bandit)
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Set up Python
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+ with:
+ python-version: '3.11'
+
+ - name: Install Bandit
+ run: pip install bandit[toml]
+
+ - name: Run Bandit security scan
+ run: |
+ echo "=== Bandit Python Security Scan ==="
+ echo ""
+
+ # Run Bandit - scan main code (excluding tests and examples)
+ echo "--- Checking for HIGH severity issues in main code ---"
+ HIGH_ISSUES=$(bandit -r src/ plugins/ \
+ --severity-level high \
+ --confidence-level high \
+ --exclude '**/tests/*,**/.venv/*,**/examples/*' \
+ -f json 2>/dev/null | jq '.results | length' 2>/dev/null || echo "0")
+
+ # Main adapter code
+ if [ "$HIGH_ISSUES" -gt 0 ]; then
+ echo "Found $HIGH_ISSUES HIGH severity issues in main code:"
+ bandit -r src/ plugins/ \
+ --severity-level high \
+ --confidence-level high \
+ --exclude '**/tests/*,**/.venv/*,**/examples/*' \
+ -f txt
+ echo ""
+ echo "ERROR: HIGH severity security issues found. Please fix them."
+ exit 1
+ fi
+
+ # Show all issues (including examples) for visibility
+ echo ""
+ echo "--- Full scan (informational) ---"
+ bandit -r src/ plugins/ \
+ --severity-level medium \
+ --confidence-level medium \
+ --exclude '**/tests/*,**/.venv/*' \
+ -f txt || true
+
+ echo ""
+ echo "No HIGH severity issues found in main code."
+
+ # ============================================================================
+ # Phase C: Container/IaC Security
+ # ============================================================================
+
+ trivy-fs:
+ name: Trivy Filesystem Scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ # Show all dependency vulnerabilities (informational)
+ - name: Show all dependency vulnerabilities (informational)
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ exit-code: '0'
+ ignore-unfixed: true
+ format: 'table'
+
+ # Check for CRITICAL and HIGH vulnerabilities (informational on PRs)
+ - name: Check for CRITICAL and HIGH dependency vulnerabilities
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ severity: 'CRITICAL,HIGH'
+ exit-code: '0'
+ ignore-unfixed: true
+ format: 'table'
+
+ - name: Run Trivy config scan (IaC)
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ with:
+ scan-type: 'config'
+ scan-ref: '.'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ # Focus on main adapter code
+ skip-dirs: 'plugins/examples'
+ exit-code: '1'
+ format: 'table'
+
+ # ============================================================================
+ # Phase D: Advanced Security
+ # ============================================================================
+
+ codeql:
+ name: CodeQL Analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3
+ with:
+ languages: python
+ queries: security-extended
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3
+ with:
+ category: "/language:python"
+
+ action-pinning:
+ name: Verify Action Pinning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Check for unpinned GitHub Actions
+ run: |
+ echo "=== Checking for unpinned GitHub Actions ==="
+ echo ""
+ echo "Pinning to SHAs prevents supply chain attacks."
+ echo ""
+
+ UNPINNED=$(grep -rh "uses:" .github/workflows/ | grep -v "#" | grep -E "@v[0-9]|@main|@master" | sort -u || true)
+
+ if [ -n "$UNPINNED" ]; then
+ echo "::warning::Found actions not pinned to SHA commits:"
+ echo ""
+ echo "$UNPINNED"
+ echo ""
+ echo "To pin an action, replace:"
+ echo " uses: actions/checkout@v6"
+ echo "With:"
+ echo " uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6"
+ echo ""
+ COUNT=$(echo "$UNPINNED" | wc -l | tr -d ' ')
+ echo "Total unpinned actions: $COUNT"
+ echo ""
+ echo "NOTE: This check is informational. Actions should be pinned incrementally."
+ else
+ echo "All actions are pinned to SHA commits!"
+ fi
+
+ # Always exit 0 - this is informational only
+ exit 0
From 23a47dfa01f5bc7c17c6afbcc18ef92dc1294bb5 Mon Sep 17 00:00:00 2001
From: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
Date: Tue, 10 Mar 2026 13:48:24 -0600
Subject: [PATCH 3/9] :lock: Switch to non-root user
Signed-off-by: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
---
 Dockerfile | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 3b59426..69920ab 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,9 @@
 #FROM python:3.12.12
 FROM public.ecr.aws/docker/library/python:3.12.12-slim
+# Set shell options for safer script execution
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
 # Build argument to specify which plugin examples to include dependencies for
 # Comma-separated list of plugin names (e.g., "nemo" or "nemo,other_plugin")
 ARG PLUGIN_DEPS=""
@@ -12,6 +15,9 @@ RUN apt-get update \
 COPY --from=docker.io/astral/uv:latest /uv /uvx /bin/
+# Create non-root user for running the application with home directory
+RUN groupadd -r appuser && useradd -r -g appuser -m -d /home/appuser appuser
+
 # Set working directory
 WORKDIR /app
@@ -32,14 +38,14 @@ COPY plugins ./plugins/
 # Or for multiple: docker build --build-arg PLUGIN_DEPS="nemo,other_plugin" -t plugins-adapter .
 RUN if [ -n "$PLUGIN_DEPS" ]; then \
 echo "Installing dependencies for plugins: $PLUGIN_DEPS"; \
- echo "$PLUGIN_DEPS" | tr ',' '\n' | while read plugin; do \
+ echo "$PLUGIN_DEPS" | tr ',' '\n' | while read -r plugin; do \
 plugin=$(echo "$plugin" | xargs); \
 if [ -n "$plugin" ]; then \
 plugin_dir="plugins/examples/$plugin"; \
 req_file="$plugin_dir/pyproject.toml"; \
 if [ -f "$req_file" ]; then \
 echo "Installing dependencies from $plugin_dir"; \
- uv pip install --no-cache $plugin_dir; \
+ uv pip install --no-cache "$plugin_dir"; \
 else \
 echo "Warning: No pyproject.toml found for plugin '$plugin' at $req_file"; \
 fi; \
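Review bot: The Bandit gate in the `bandit` job fails open: `HIGH_ISSUES=$(bandit … -f json 2>/dev/null | jq '.results | length' 2>/dev/null || echo "0")` discards both tools' stderr, so if `bandit` aborts (for example because `src/` is absent) or `jq` receives no JSON, `HIGH_ISSUES` is empty, `[ "$HIGH_ISSUES" -gt 0 ]` fails its integer test, and the step prints "No HIGH severity issues found" and passes. Write the JSON to a file and reject a missing or non-numeric count: `bandit … -f json -o /tmp/bandit.json || true`, then `HIGH_ISSUES=$(jq '.results | length' /tmp/bandit.json)`, then `case "$HIGH_ISSUES" in ''|*[!0-9]*) echo "::error::bandit produced no result"; exit 1;; esac`. The yamllint summary has the same shape: `grep -c ":error:" … || echo "0"` yields `0` twice when nothing matches (grep prints 0 and exits 1), the `2>/dev/null` on the `[ … -gt 0 ]` test hides the resulting "integer expression expected" error instead of fixing it, and `2>&1 > /tmp/yamllint_output.txt` sends stderr to the log rather than the file (the order should be `> /tmp/yamllint_output.txt 2>&1`). In the `hadolint` job, `find . -name "Dockerfile*" -o -name "Containerfile*" -type f` applies `-type f` only to the `Containerfile*` branch because `-o` binds looser than the implied `-a`; wrap the two name tests in `\( … \)` as the `shellcheck` job already does. The `action-pinning` check drops every `uses:` line containing `#` before matching, so an unpinned reference with a trailing comment is never reported, and the job always exits 0; strip comments with `sed 's/#.*//'` instead and consider failing the job once every workflow is pinned, which this series already achieves.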
@@ -49,6 +55,17 @@ RUN if [ -n "$PLUGIN_DEPS" ]; then \
 echo "No plugin dependencies specified (use --build-arg PLUGIN_DEPS=\"plugin1,plugin2\" to include)"; \
 fi
+# Change ownership of app directory and home directory to non-root user
+RUN chown -R appuser:appuser /app && \
+ mkdir -p /home/appuser/.cache && \
+ chown -R appuser:appuser /home/appuser
+
+# Switch to non-root user
+USER appuser
+
+# Set environment variable for uv cache
+ENV UV_CACHE_DIR=/home/appuser/.cache/uv
+
 # Expose the gRPC port
 EXPOSE 50052
From 4cefb169fbe9e7a59a05fb0c3147417931fa0657 Mon Sep 17 00:00:00 2001
From: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
Date: Tue, 10 Mar 2026 13:58:15 -0600
Subject: [PATCH 4/9] :lock: Set security context
Signed-off-by: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
---
 Dockerfile | 3 ++-
 ext-proc.yaml | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 69920ab..c8c28d0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,8 @@ RUN apt-get update \
 COPY --from=docker.io/astral/uv:latest /uv /uvx /bin/
 # Create non-root user for running the application with home directory
-RUN groupadd -r appuser && useradd -r -g appuser -m -d /home/appuser appuser
+# Using UID/GID 1000 to match Kubernetes securityContext
+RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m -d /home/appuser appuser
 # Set working directory
 WORKDIR /app
diff --git a/ext-proc.yaml b/ext-proc.yaml
index 47f898f..a5c6872 100644
--- a/ext-proc.yaml
+++ b/ext-proc.yaml
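Review bot: `RUN chown -R appuser:appuser /app` hands the runtime user write access to the whole application tree (`src/`, `plugins/`, the installed environment), which undercuts the non-root switch: a compromised process can then modify its own code and dependencies in place. Unless the entrypoint (outside this hunk) really needs to write under `/app`, keep `/app` root-owned and give `appuser` only what it must write, i.e. `RUN mkdir -p /home/appuser/.cache && chown -R appuser:appuser /home/appuser`. The recursive chown placed after the install layers also copies every file into a new layer; `COPY --chown=appuser:appuser` on the earlier `COPY` instructions avoids the image growth if a writable tree turns out to be required. I cannot see the `CMD`/`ENTRYPOINT` here, so whether the app writes to `/app` at runtime should be confirmed before tightening.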
@@ -27,12 +27,30 @@ spec:
 labels:
 app: plugins-adapter
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: plugins-adapter
 image: plugins-adapter:0.1.0
 # command: ["bash", "-c","--"]
 # args: ["while true; do sleep 3600; done"]
 # imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false
+ seccompProfile:
+ type: RuntimeDefault
 env:
 - name: PLUGINS_SERVER_HOST
 value: "0.0.0.0"
From 5fea9e6a116c5060a781efe612d969c65c8b7e49 Mon Sep 17 00:00:00 2001
From: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
Date: Tue, 10 Mar 2026 14:11:41 -0600
Subject: [PATCH 5/9] :wrench: Skip readOnly for now
Signed-off-by: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
---
 .trivyignore | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .trivyignore
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..52b846d
--- /dev/null
+++ b/.trivyignore
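Review bot: `readOnlyRootFilesystem: false` is the one setting in the container `securityContext` that still leaves the image writable at runtime, and the hunk gives no reason for it; since the Dockerfile in this series points `UV_CACHE_DIR` at `/home/appuser/.cache/uv`, an `emptyDir` mounted at `/home/appuser/.cache` (and at `/tmp`) would likely be enough to flip it to `true`, which is worth checking before the exception becomes permanent. If it has to stay `false` for now, record why next to it: `# writable root fs: uv writes the venv/cache at runtime; revisit with an emptyDir mount`. The pod-level `runAsUser`/`runAsGroup`/`runAsNonRoot` and the identical container-level values are redundant but harmless; the container level wins on conflict, so one place would do.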
@@ -0,0 +1,17 @@
+# Trivy Ignore File
+# This file contains exceptions for Trivy security scans with justifications
+
+# KSV-0014: readOnlyRootFilesystem should be true
+# Justification: Setting readOnlyRootFilesystem to true requires additional complexity.
+# The container already runs as non-root (UID 1000) with no privilege escalation and
+# all capabilities dropped, providing strong security. The writable filesystem is
+# needed for uv to manage the Python virtual environment at runtime.
+# Risk: LOW - Non-root user and dropped capabilities prevent most attack vectors
+#
+# Alternative solutions if read-only filesystem is required:
+# 1. Init container: Copy .venv to emptyDir volume before main container starts
+# 2. System-wide install: Install Python packages system-wide instead of venv
+# 3. Pre-built venv volume: Use a PersistentVolume with pre-populated venv
+# 4. Distroless image: Use distroless Python image with packages baked in
+# 5. uv --frozen flag: Use uv run --frozen to prevent runtime venv modifications
+AVD-KSV-0014
From c518b1551c38bde78e5860f6d2b6aead957df1f1 Mon Sep 17 00:00:00 2001
From: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
Date: Tue, 10 Mar 2026 14:38:28 -0600
Subject: [PATCH 6/9] :lock: Update shell script
Signed-off-by: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
---
 plugins/examples/nemocheck_external/run-server.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/examples/nemocheck_external/run-server.sh b/plugins/examples/nemocheck_external/run-server.sh
index 2e6c727..ade3365 100755
--- a/plugins/examples/nemocheck_external/run-server.sh
+++ b/plugins/examples/nemocheck_external/run-server.sh
@@ -36,4 +36,4 @@ fi
 PLUGINS_CONFIG_PATH=${PLUGINS_CONFIG_PATH:-./resources/plugins/config.yaml}
 echo "✓ Using plugin config from: ${PLUGINS_CONFIG_PATH}"
-python ${API_SERVER_SCRIPT}
+python "${API_SERVER_SCRIPT}"
From bba107174086e99ea5daea497c6afa69ceeaa339 Mon Sep 17 00:00:00 2001
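Review bot: The `AVD-KSV-0014` exception has no expiry or owner, so the "for now" in the commit title has nothing enforcing it; Trivy's `.trivyignore.yaml` format takes an `expired_at` date per entry (plus a `statement` field for the justification), which makes the config scan start failing again once the review date passes instead of the suppression silently becoming permanent. Alternative 5 also looks off: as far as I recall `uv run --frozen` only stops uv from updating `uv.lock` and still syncs the environment, whereas `uv run --no-sync` is the option that leaves the venv untouched, so that line should be confirmed before anyone relies on it. Since this file is what the config scan in `security-scans.yaml` consults, it is the only place a reviewer sees why the finding is suppressed; keeping the risk statement tied to the concrete reason (the venv is written at runtime) is more useful than the blanket "LOW".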
From: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
Date: Tue, 10 Mar 2026 14:43:21 -0600
Subject: [PATCH 7/9] :wrench: Disale shellcheck for proto build script for now
Signed-off-by: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
---
 proto-build.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/proto-build.sh b/proto-build.sh
index 89a1c88..a53ad92 100755
--- a/proto-build.sh
+++ b/proto-build.sh
@@ -1,17 +1,22 @@
 #!/bin/bash
+# shellcheck disable=all
+# Latest envoy_data_plane may cause issues, skipping shellcheck for now
+# to confirm this still can otherwise work
+
+set -euo pipefail
 uv sync --group proto
 cd ..
 git clone git@github.com:cetanu/envoy_data_plane.git
-cd envoy_data_plane
+cd envoy_data_plane || exit
 python build.py
-cd ..
+cd .. || exit
 rm -rf plugins-adapter/src/envoy || true
 cp -r envoy_data_plane/src/envoy_data_plane_pb2/envoy plugins-adapter/src/
 #envoy xds folders
 git clone https://github.com/cncf/xds.git
-rm -rf plugins-adapter/src/xds plugins-adapter/src/validate plugins-adapter/src/udpa
+rm -rf plugins-adapter/src/xds plugins-adapter/src/validate plugins-adapter/src/udpa
 cp -rf xds/python/xds xds/python/validate xds/python/udpa plugins-adapter/src/
-cd plugins-adapter
+cd plugins-adapter || exit
From ff3259631b731b97dc76fa0e1b943e243f11dbfe Mon Sep 17 00:00:00 2001
From: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
Date: Tue, 10 Mar 2026 15:03:04 -0600
Subject: [PATCH 8/9] :green_heart: Proto build with latest envoy_data_plane
Signed-off-by: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
---
 proto-build.sh | 46 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 39 insertions(+), 7 deletions(-)
diff --git a/proto-build.sh b/proto-build.sh
index a53ad92..3ff67aa 100755
--- a/proto-build.sh
+++ b/proto-build.sh
@@ -1,22 +1,54 @@
 #!/bin/bash
-# shellcheck disable=all
-# Latest envoy_data_plane may cause issues, skipping shellcheck for now
-# to confirm this still can otherwise work
+# Proto Build Script for envoy_data_plane
+#
+# This script builds protocol buffer files from the envoy_data_plane repository.
+#
+# Tested and working with:
+# envoy_data_plane commit: 86181df8ddb05f1d07994e58374fb93139d2bb70
+#
+# Dependencies:
+# - betterproto2==0.9.1
+# - betterproto2_compiler==0.9.0
+# - structlog, requests, grpcio-tools
 set -euo pipefail
+# Sync proto dependencies first in the current project
 uv sync --group proto
+
 cd ..
 git clone git@github.com:cetanu/envoy_data_plane.git
 cd envoy_data_plane || exit
+
+# Checkout the specific commit that is known to work
+ENVOY_DATA_PLANE_COMMIT="86181df8ddb05f1d07994e58374fb93139d2bb70"
+git checkout "$ENVOY_DATA_PLANE_COMMIT"
+
+# Install dependencies in the current uv environment (not a new one)
+# These are needed by the envoy_data_plane build.py script
+uv pip install --system structlog requests grpcio-tools betterproto2==0.9.1 betterproto2_compiler==0.9.0
+
+# Run the build script directly (dependencies are now in the system/current environment)
 python build.py
+
 cd .. || exit
+
+# The new structure outputs to src/envoy_data_plane_pb2 relative to envoy_data_plane directory
 rm -rf plugins-adapter/src/envoy || true
 cp -r envoy_data_plane/src/envoy_data_plane_pb2/envoy plugins-adapter/src/
-#envoy xds folders
-git clone https://github.com/cncf/xds.git
-rm -rf plugins-adapter/src/xds plugins-adapter/src/validate plugins-adapter/src/udpa
-cp -rf xds/python/xds xds/python/validate xds/python/udpa plugins-adapter/src/
+# Copy xds, validate, and udpa from the BUILD directory created by build.py
+# The new build.py creates these in the BUILD subdirectory
+if [ -d "envoy_data_plane/BUILD/xds" ]; then
+ rm -rf plugins-adapter/src/xds plugins-adapter/src/validate plugins-adapter/src/udpa
+ cp -rf envoy_data_plane/BUILD/xds plugins-adapter/src/ 2>/dev/null || true
+ cp -rf envoy_data_plane/BUILD/validate plugins-adapter/src/ 2>/dev/null || true
+ cp -rf envoy_data_plane/BUILD/udpa plugins-adapter/src/ 2>/dev/null || true
+else
+ # Fallback to old xds clone method if BUILD directory doesn't have them
+ git clone https://github.com/cncf/xds.git
+ rm -rf plugins-adapter/src/xds plugins-adapter/src/validate plugins-adapter/src/udpa
+ cp -rf xds/python/xds xds/python/validate xds/python/udpa plugins-adapter/src/
+fi
 cd plugins-adapter || exit
From 5ee5f7c0bd37d43353b2788bc252465d1005f675 Mon Sep 17 00:00:00 2001
From: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
Date: Tue, 10 Mar 2026 15:58:31 -0600
Subject: [PATCH 9/9] :recycle: Use existing dependencies
Signed-off-by: Evaline Ju <69598118+evaline-ju@users.noreply.github.com>
---
 proto-build.sh | 35 +++++++++++------------------------
 1 file changed, 11 insertions(+), 24 deletions(-)
diff --git a/proto-build.sh b/proto-build.sh
index 3ff67aa..cdc7a6c 100755
--- a/proto-build.sh
+++ b/proto-build.sh
@@ -6,14 +6,12 @@
 # Tested and working with:
 # envoy_data_plane commit: 86181df8ddb05f1d07994e58374fb93139d2bb70
 #
-# Dependencies:
-# - betterproto2==0.9.1
-# - betterproto2_compiler==0.9.0
-# - structlog, requests, grpcio-tools
+# Dependencies are managed in pyproject.toml [dependency-groups.proto]:
 set -euo pipefail
-# Sync proto dependencies first in the current project
+# Sync proto dependencies from pyproject.toml
+# This installs all dependencies needed by envoy_data_plane build.py
 uv sync --group proto
 cd ..
@@ -24,31 +22,20 @@ cd envoy_data_plane || exit
 ENVOY_DATA_PLANE_COMMIT="86181df8ddb05f1d07994e58374fb93139d2bb70"
 git checkout "$ENVOY_DATA_PLANE_COMMIT"
-# Install dependencies in the current uv environment (not a new one)
-# These are needed by the envoy_data_plane build.py script
-uv pip install --system structlog requests grpcio-tools betterproto2==0.9.1 betterproto2_compiler==0.9.0
-
-# Run the build script directly (dependencies are now in the system/current environment)
+# Run the build script (dependencies already installed via uv sync)
 python build.py
 cd .. || exit
-# The new structure outputs to src/envoy_data_plane_pb2 relative to envoy_data_plane directory
+# Copy the compiled envoy protobuf files
 rm -rf plugins-adapter/src/envoy || true
 cp -r envoy_data_plane/src/envoy_data_plane_pb2/envoy plugins-adapter/src/
-# Copy xds, validate, and udpa from the BUILD directory created by build.py
-# The new build.py creates these in the BUILD subdirectory
-if [ -d "envoy_data_plane/BUILD/xds" ]; then
- rm -rf plugins-adapter/src/xds plugins-adapter/src/validate plugins-adapter/src/udpa
- cp -rf envoy_data_plane/BUILD/xds plugins-adapter/src/ 2>/dev/null || true
- cp -rf envoy_data_plane/BUILD/validate plugins-adapter/src/ 2>/dev/null || true
- cp -rf envoy_data_plane/BUILD/udpa plugins-adapter/src/ 2>/dev/null || true
-else
- # Fallback to old xds clone method if BUILD directory doesn't have them
- git clone https://github.com/cncf/xds.git
- rm -rf plugins-adapter/src/xds plugins-adapter/src/validate plugins-adapter/src/udpa
- cp -rf xds/python/xds xds/python/validate xds/python/udpa plugins-adapter/src/
-fi
+# The envoy_data_plane build.py only generates envoy protobufs in _pb2 format
+# For xds, validate, and udpa, we need to get them from the xds repository
+# which provides pre-compiled Python files
+git clone https://github.com/cncf/xds.git
+rm -rf plugins-adapter/src/xds plugins-adapter/src/validate plugins-adapter/src/udpa
+cp -rf xds/python/xds xds/python/validate xds/python/udpa plugins-adapter/src/
 cd plugins-adapter || exit
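Review bot: `git clone https://github.com/cncf/xds.git` followed by `cp -rf xds/python/xds xds/python/validate xds/python/udpa plugins-adapter/src/` copies whatever `cncf/xds` `main` is at build time into the repository's `src/`, while the `envoy_data_plane` clone a few lines up is pinned to a commit; pin this one the same way so the vendored `xds`/`validate`/`udpa` packages are reproducible and an upstream change cannot land in the tree unnoticed, e.g. `XDS_COMMIT="<xds commit sha>"` followed by `git clone https://github.com/cncf/xds.git && git -C xds checkout "$XDS_COMMIT"`. Under `set -euo pipefail` both clones also abort the script when `../envoy_data_plane` or `../xds` already exist from a previous run, so the script is effectively single-use until those directories are removed by hand; an `rm -rf xds` before the clone, or cloning into a fresh `mktemp -d`, would make it rerunnable. The `cd ..` above also assumes the checkout is literally named `plugins-adapter`, which is worth stating in the header comment; the header lies outside this hunk.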