From 36e9a9463050e950ae9ecf45153b505be1d88c90 Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Tue, 29 Apr 2025 14:18:09 +0000
Subject: [PATCH 1/2] Switch coverage CI targets to EngFlow

Currently Envoy CI uses different RBE backends for different CI targets.
EngFlow is one of available backends and we want to migrate most if not
all targets to EngFlow.

Other than just making the overall CI setup simpler, EngFlow appear to
offer more powerful build grid machines at the moment, plus some
additional nice features like automatically scaling memory when build
tasks don't fit into available memory.

One specific reason why I'd like to migrate coverage targets to EngFlow
is because I want to switch them to static linking to workaround a bug
in Clang/LLVM source-based coverage (see llvm/llvm-project#32849).

With currently used Google RBE backend we are having issues with
fuzzing coverage tests, as fuzzing tests include a lot of extensions and
together with coverage instrumentation it pushes linker memory footrpint
way to high and causing OOMs.

Our approach to solving this particular problem is two-fold:

1. I want to migrate to EngFlow that can offer bigger machines
   (and it aligns with the general direction for Envoy CI to migrate to
   EngFlow.
2. I want to optimize our fuzzing targets a little bit by cutting out
   some unnecessary bits and reducing the number of libraries that
   linker need to link together (on top of reducing the amount of time
   it takes to build things and similar benefits).

This particular PR takes care of the first part.

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 .github/workflows/_check_coverage.yml | 6 +-----
 .github/workflows/envoy-checks.yml    | 1 -
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/.github/workflows/_check_coverage.yml b/.github/workflows/_check_coverage.yml
index 1068c7723fc01..34f9315579ca9 100644
--- a/.github/workflows/_check_coverage.yml
+++ b/.github/workflows/_check_coverage.yml
@@ -8,8 +8,6 @@ on:
     secrets:
       gcs-cache-key:
         required: true
-      gcp-key:
-        required: true
 
     inputs:
       gcs-cache-bucket:
@@ -31,14 +29,13 @@ jobs:
   coverage:
     secrets:
       gcs-cache-key: ${{ secrets.gcs-cache-key }}
-      gcp-key: ${{ secrets.gcp-key }}
     permissions:
       contents: read
       packages: read
     uses: ./.github/workflows/_run.yml
     name: ${{ matrix.name ||matrix.target }}
     with:
-      # bazel-extra: '--config=remote-envoy-engflow'
+      bazel-extra: '--config=remote-envoy-engflow'
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       concurrency-suffix: -${{ matrix.target }}
       diskspace-hack: ${{ matrix.diskspace-hack && true || false }}
@@ -50,7 +47,6 @@ jobs:
         lower than limit
       gcs-cache-bucket: ${{ inputs.gcs-cache-bucket }}
       rbe: true
-      rbe-google: true
       request: ${{ inputs.request }}
       runs-on: ${{ fromJSON(inputs.request).config.ci.agent-ubuntu }}
       steps-post: |
diff --git a/.github/workflows/envoy-checks.yml b/.github/workflows/envoy-checks.yml
index 20cf7be8eadbc..263d4b5f95a7d 100644
--- a/.github/workflows/envoy-checks.yml
+++ b/.github/workflows/envoy-checks.yml
@@ -64,7 +64,6 @@ jobs:
   coverage:
     secrets:
       gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }}
-      gcp-key: ${{ fromJSON(needs.load.outputs.trusted) && secrets.GCP_SERVICE_ACCOUNT_KEY_TRUSTED || secrets.GCP_SERVICE_ACCOUNT_KEY }}
     permissions:
       actions: read
       contents: read

From c7de280bb2b37470a9108eb10355f25e35619fe1 Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Tue, 29 Apr 2025 22:33:13 +0000
Subject: [PATCH 2/2] Return back gcp-key attribute - it's needed to upload
 coverage reports

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 .github/workflows/_check_coverage.yml | 3 +++
 .github/workflows/envoy-checks.yml    | 1 +
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/_check_coverage.yml b/.github/workflows/_check_coverage.yml
index 34f9315579ca9..3c7efad54299c 100644
--- a/.github/workflows/_check_coverage.yml
+++ b/.github/workflows/_check_coverage.yml
@@ -8,6 +8,8 @@ on:
     secrets:
       gcs-cache-key:
         required: true
+      gcp-key:
+        required: true
 
     inputs:
       gcs-cache-bucket:
@@ -29,6 +31,7 @@ jobs:
   coverage:
     secrets:
       gcs-cache-key: ${{ secrets.gcs-cache-key }}
+      gcp-key: ${{ secrets.gcp-key }}
     permissions:
       contents: read
       packages: read
diff --git a/.github/workflows/envoy-checks.yml b/.github/workflows/envoy-checks.yml
index 263d4b5f95a7d..20cf7be8eadbc 100644
--- a/.github/workflows/envoy-checks.yml
+++ b/.github/workflows/envoy-checks.yml
@@ -64,6 +64,7 @@ jobs:
   coverage:
     secrets:
       gcs-cache-key: ${{ secrets.GCS_CACHE_KEY }}
+      gcp-key: ${{ fromJSON(needs.load.outputs.trusted) && secrets.GCP_SERVICE_ACCOUNT_KEY_TRUSTED || secrets.GCP_SERVICE_ACCOUNT_KEY }}
     permissions:
       actions: read
       contents: read