From 93f83d021b3a242ea3bd24e0ff2fee66dcd7d78d Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Fri, 5 Dec 2025 11:22:52 +0000
Subject: [PATCH 01/13] Fix istio proxy build after moving Envoy to hermteic
 toolchain

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 .bazelrc      |  5 +----
 WORKSPACE     | 31 ++++++++++++++++++++++++++-----
 envoy.bazelrc | 14 +++-----------
 3 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/.bazelrc b/.bazelrc
index 2c12247f25f..78dfc239c2e 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -17,7 +17,7 @@ build:remote --remote_timeout=7200
 build:linux --config=clang-local
 
 # put /usr/local/bin before /usr/bin to avoid picking up wrong python3.6 when building envoy.tls.key_providers.cryptomb
-build:linux --action_env=PATH=/usr/lib/llvm/bin:/usr/local/bin:/bin:/usr/bin
+build:linux --action_env=PATH=/usr/local/bin:/bin:/usr/bin
 
 # Need for CI image to pickup docker-credential-gcloud, PATH is fixed in rbe-toolchain-* configs.
 build:remote-ci --action_env=PATH=/usr/local/google-cloud-sdk/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/llvm/bin
@@ -50,9 +50,6 @@ build:debug -c dbg
 build --cxxopt -Wformat
 build --cxxopt -Wformat-security
 
-build:clang --host_action_env=CC=
-build:clang --host_action_env=CXX=
-
 # CI sanitizer configuration
 #
 build:clang-asan-ci --config=asan
diff --git a/WORKSPACE b/WORKSPACE
index 5668d248e92..564bcdb4b4d 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -22,10 +22,10 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz`
 # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed.
 #
-# Commit date: 2025-12-02
-ENVOY_SHA = "44b00e0264cfcdbbc593998a407b3f957ec28c77"
+# Commit date: 2025-12-03
+ENVOY_SHA = "1caf0d7396786bac7f4fcf7b9d291ed761191b68"
 
-ENVOY_SHA256 = "1c8bc33cf9b758604042212d69d8bc37f41991facc43ed139d070b6b94aeddb0"
+ENVOY_SHA256 = "10df99872f4f4c24c456970fdbedae1a25ecf2de4d4db57a34cd271f46fc7ac0"
 
 ENVOY_ORG = "envoyproxy"
 
@@ -82,6 +82,27 @@ load("@envoy//bazel:repo.bzl", "envoy_repo")
 
 envoy_repo()
 
-load("@envoy//bazel:toolchains.bzl", "envoy_toolchains")
+load("@envoy_repo//:compiler.bzl", "LLVM_PATH")
+load("@envoy_toolshed//repository:utils.bzl", "arch_alias")
+load("@toolchains_llvm//toolchain:rules.bzl", "llvm_toolchain")
 
-envoy_toolchains()
+register_toolchains("@envoy//bazel/rbe/toolchains/configs/linux/gcc/config:cc-toolchain")
+
+arch_alias(
+    name = "clang_platform",
+    aliases = {
+        "amd64": "@envoy//bazel/platforms/rbe:linux_x64",
+        "aarch64": "@envoy//bazel/platforms/rbe:linux_arm64",
+    },
+)
+
+llvm_toolchain(
+    name = "llvm_toolchain",
+    cxx_standard = {"": "c++20"},
+    llvm_version = "18.1.8",
+    toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {},
+)
+
+load("@llvm_toolchain//:toolchains.bzl", "llvm_register_toolchains")
+
+llvm_register_toolchains()
diff --git a/envoy.bazelrc b/envoy.bazelrc
index bced9359e23..b4856e811a7 100644
--- a/envoy.bazelrc
+++ b/envoy.bazelrc
@@ -45,12 +45,6 @@ build --incompatible_merge_fixed_and_default_shell_env
 # A workaround for slow ICU download.
 build --http_timeout_scaling=6.0
 
-# Pass CC, CXX and LLVM_CONFIG variables from the environment.
-# We assume they have stable values, so this won't cause action cache misses.
-build --action_env=CC --host_action_env=CC
-build --action_env=CXX --host_action_env=CXX
-build --action_env=LLVM_CONFIG --host_action_env=LLVM_CONFIG
-
 # Allow stamped caches to bust when local filesystem changes.
 # Requires setting `BAZEL_VOLATILE_DIRTY` in the env.
 build --action_env=BAZEL_VOLATILE_DIRTY --host_action_env=BAZEL_VOLATILE_DIRTY
@@ -99,7 +93,6 @@ build:linux --cxxopt=-fsized-deallocation --host_cxxopt=-fsized-deallocation
 build:linux --conlyopt=-fexceptions
 build:linux --fission=dbg,opt
 build:linux --features=per_object_debug_info
-build:linux --action_env=BAZEL_LINKOPTS=-lm:-fuse-ld=gold
 
 # macOS
 build:macos --action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin
@@ -114,15 +107,14 @@ build:macos --cxxopt=-Wno-nullability-completeness
 
 # Common flags for Clang (shared between all clang variants)
 common:clang-common --linkopt=-fuse-ld=lld
-common:clang-common --action_env=BAZEL_COMPILER=clang
-common:clang-common --action_env=LDFLAGS="-fuse-ld=lld"
-common:clang-common --action_env=CC=clang --host_action_env=CC=clang
-common:clang-common --action_env=CXX=clang++ --host_action_env=CXX=clang++
+common:clang-common --@toolchains_llvm//toolchain/config:compiler-rt=false
+common:clang-common --@toolchains_llvm//toolchain/config:libunwind=false
 
 # Clang with libc++ (default)
 common:clang --config=clang-common
 common:clang --config=libc++
 common:clang --host_platform=@clang_platform
+common:clang --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
 
 # Clang installed to non-standard location (ie not /opt/llvm/)
 common:clang-local --config=clang-common

From 740a17fcad40ccb4bc91330467d3bd6914018e2a Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Tue, 9 Dec 2025 10:50:13 +0000
Subject: [PATCH 02/13] Switch to --config=clang from --config=clang-local

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 .bazelrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.bazelrc b/.bazelrc
index 78dfc239c2e..7cbfcd1d131 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -14,7 +14,7 @@ build:remote --remote_timeout=7200
 # ========================================
 
 # Enable libc++ and C++20 by default.
-build:linux --config=clang-local
+build:linux --config=clang
 
 # put /usr/local/bin before /usr/bin to avoid picking up wrong python3.6 when building envoy.tls.key_providers.cryptomb
 build:linux --action_env=PATH=/usr/local/bin:/bin:/usr/bin

From 48b187746541a1085129e7f4ac850d41096a9b53 Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Fri, 12 Dec 2025 13:47:48 +0000
Subject: [PATCH 03/13] Override default sysroot to use one with glibc 2.28

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 WORKSPACE | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/WORKSPACE b/WORKSPACE
index 564bcdb4b4d..e3d538cc86d 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -22,10 +22,10 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz`
 # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed.
 #
-# Commit date: 2025-12-03
-ENVOY_SHA = "1caf0d7396786bac7f4fcf7b9d291ed761191b68"
+# Commit date: 2025-12-11
+ENVOY_SHA = "1f29f29b6ff37aa7cb87135cc28bc058a623b629"
 
-ENVOY_SHA256 = "10df99872f4f4c24c456970fdbedae1a25ecf2de4d4db57a34cd271f46fc7ac0"
+ENVOY_SHA256 = "cc634a5541c5b39ebd1b9d3538f4c8f897cab77ac04033ebd361d72e2f35021a"
 
 ENVOY_ORG = "envoyproxy"
 
@@ -64,7 +64,7 @@ envoy_bazel_dependencies()
 
 load("@envoy//bazel:repositories_extra.bzl", "envoy_dependencies_extra")
 
-envoy_dependencies_extra(ignore_root_user_error = True)
+envoy_dependencies_extra(ignore_root_user_error = True, glibc_version = "2.28")
 
 load("@envoy//bazel:python_dependencies.bzl", "envoy_python_dependencies")
 

From 702b2e48a7e9cf1d355342af8646a4bd6b6e14ba Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Fri, 12 Dec 2025 14:35:03 +0000
Subject: [PATCH 04/13] Fix WOKSPACE formatting

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 WORKSPACE | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/WORKSPACE b/WORKSPACE
index e3d538cc86d..82f2887609c 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -64,7 +64,10 @@ envoy_bazel_dependencies()
 
 load("@envoy//bazel:repositories_extra.bzl", "envoy_dependencies_extra")
 
-envoy_dependencies_extra(ignore_root_user_error = True, glibc_version = "2.28")
+envoy_dependencies_extra(
+    glibc_version = "2.28",
+    ignore_root_user_error = True,
+)
 
 load("@envoy//bazel:python_dependencies.bzl", "envoy_python_dependencies")
 

From cadcf77b532e80bbcd311884ed4378299da65fff Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Mon, 15 Dec 2025 11:40:20 +0000
Subject: [PATCH 05/13] Explicitly specify sysroot path in the llvm_toolchain
 rule

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 WORKSPACE | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/WORKSPACE b/WORKSPACE
index 82f2887609c..6167f7f94fb 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -103,6 +103,10 @@ llvm_toolchain(
     name = "llvm_toolchain",
     cxx_standard = {"": "c++20"},
     llvm_version = "18.1.8",
+    sysroot = {
+	    "linux-x86_64": "@sysroot_linux_amd64//:sysroot",
+	    "linux-aarch64": "@sysroot_linux_arm64//:sysroot",
+    },
     toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {},
 )
 

From 292f757d3022a13873a23acf3279445782d60a64 Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Mon, 15 Dec 2025 11:44:06 +0000
Subject: [PATCH 06/13] Fix formatting

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 WORKSPACE | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/WORKSPACE b/WORKSPACE
index 6167f7f94fb..529ed914fa3 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -104,8 +104,8 @@ llvm_toolchain(
     cxx_standard = {"": "c++20"},
     llvm_version = "18.1.8",
     sysroot = {
-	    "linux-x86_64": "@sysroot_linux_amd64//:sysroot",
-	    "linux-aarch64": "@sysroot_linux_arm64//:sysroot",
+        "linux-x86_64": "@sysroot_linux_amd64//:sysroot",
+        "linux-aarch64": "@sysroot_linux_arm64//:sysroot",
     },
     toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {},
 )

From b6576b910dcec41e8b6af6644acde2a56bdd5cad Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Mon, 15 Dec 2025 13:22:14 +0000
Subject: [PATCH 07/13] Bump up Envoy version to include liburing fix

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 WORKSPACE | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/WORKSPACE b/WORKSPACE
index 529ed914fa3..fcc19774f93 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -22,10 +22,10 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz`
 # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed.
 #
-# Commit date: 2025-12-11
-ENVOY_SHA = "1f29f29b6ff37aa7cb87135cc28bc058a623b629"
+# Commit date: 2025-12-12
+ENVOY_SHA = "8af856ea730c1738cd9e4b8db7d439bdbb121bd1"
 
-ENVOY_SHA256 = "cc634a5541c5b39ebd1b9d3538f4c8f897cab77ac04033ebd361d72e2f35021a"
+ENVOY_SHA256 = "3c178d4d8178455264080e9ded92881cfb2c521d2e2acff33ddfb0827a0471f9"
 
 ENVOY_ORG = "envoyproxy"
 

From 76f8560be4ba0f40d9a8bec3998e5db582551ad9 Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Tue, 6 Jan 2026 15:21:12 +0000
Subject: [PATCH 08/13] Just use plain envoy_toolchain() without custom
 overrides

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 WORKSPACE | 25 ++-----------------------
 1 file changed, 2 insertions(+), 23 deletions(-)

diff --git a/WORKSPACE b/WORKSPACE
index fcc19774f93..94342387773 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -85,30 +85,9 @@ load("@envoy//bazel:repo.bzl", "envoy_repo")
 
 envoy_repo()
 
-load("@envoy_repo//:compiler.bzl", "LLVM_PATH")
-load("@envoy_toolshed//repository:utils.bzl", "arch_alias")
-load("@toolchains_llvm//toolchain:rules.bzl", "llvm_toolchain")
-
-register_toolchains("@envoy//bazel/rbe/toolchains/configs/linux/gcc/config:cc-toolchain")
-
-arch_alias(
-    name = "clang_platform",
-    aliases = {
-        "amd64": "@envoy//bazel/platforms/rbe:linux_x64",
-        "aarch64": "@envoy//bazel/platforms/rbe:linux_arm64",
-    },
-)
+load("@envoy//bazel:toolchains.bzl", "envoy_toolchains")
 
-llvm_toolchain(
-    name = "llvm_toolchain",
-    cxx_standard = {"": "c++20"},
-    llvm_version = "18.1.8",
-    sysroot = {
-        "linux-x86_64": "@sysroot_linux_amd64//:sysroot",
-        "linux-aarch64": "@sysroot_linux_arm64//:sysroot",
-    },
-    toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {},
-)
+envoy_toolchains()
 
 load("@llvm_toolchain//:toolchains.bzl", "llvm_register_toolchains")
 

From 8c064bf35f6ba12362559508e94145b9daea4eaa Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Wed, 7 Jan 2026 19:17:28 +0000
Subject: [PATCH 09/13] Temporarily add a few debugging flags for remote builds

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 .bazelrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.bazelrc b/.bazelrc
index 7cbfcd1d131..1106f952fd3 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -8,7 +8,7 @@ import %workspace%/envoy.bazelrc
 
 # Overrides workspace_status_command
 build --workspace_status_command=bazel/bazel_get_workspace_status
-build:remote --remote_timeout=7200
+build:remote --remote_timeout=7200 --experimental_remote_cache_async --remote_grpc_log=path --verbose_failures
 # ========================================
 # Istio specific Bazel build/test options.
 # ========================================

From 88a84c03f6050551f53de51c8cdc109925754d06 Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Wed, 7 Jan 2026 21:06:20 +0000
Subject: [PATCH 10/13] Tweak bazel parameters to reduce memory footprint and
 increase heap size

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 .bazelrc      | 2 +-
 envoy.bazelrc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.bazelrc b/.bazelrc
index 1106f952fd3..96f6f7c3de0 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -8,7 +8,7 @@ import %workspace%/envoy.bazelrc
 
 # Overrides workspace_status_command
 build --workspace_status_command=bazel/bazel_get_workspace_status
-build:remote --remote_timeout=7200 --experimental_remote_cache_async --remote_grpc_log=path --verbose_failures
+build:remote --remote_timeout=7200 --discard_analysis_cache --nokeep_state_after_build --notrack_incremental_state
 # ========================================
 # Istio specific Bazel build/test options.
 # ========================================
diff --git a/envoy.bazelrc b/envoy.bazelrc
index b4856e811a7..a3a991e8b8d 100644
--- a/envoy.bazelrc
+++ b/envoy.bazelrc
@@ -11,7 +11,7 @@
 # The number 3G is chosen heuristically to both support large VM and small VM with RBE.
 # Startup options cannot be selected via config.
 # TODO: Adding just to test android
-startup --host_jvm_args=-Xmx3g
+startup --host_jvm_args=-Xmx4g
 startup --host_jvm_args="-DBAZEL_TRACK_SOURCE_DIRECTORIES=1"
 
 

From af91a8e4ba05dd991443f6fc35c76c46652d2c93 Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Wed, 7 Jan 2026 21:23:48 +0000
Subject: [PATCH 11/13] Return back the 3gb limit

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 envoy.bazelrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/envoy.bazelrc b/envoy.bazelrc
index a3a991e8b8d..b4856e811a7 100644
--- a/envoy.bazelrc
+++ b/envoy.bazelrc
@@ -11,7 +11,7 @@
 # The number 3G is chosen heuristically to both support large VM and small VM with RBE.
 # Startup options cannot be selected via config.
 # TODO: Adding just to test android
-startup --host_jvm_args=-Xmx4g
+startup --host_jvm_args=-Xmx3g
 startup --host_jvm_args="-DBAZEL_TRACK_SOURCE_DIRECTORIES=1"
 
 

From 88d3d845fc951e06c12aa2effb865b586e9c9ded Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Wed, 7 Jan 2026 21:39:57 +0000
Subject: [PATCH 12/13] Set heap to 4gb and remove memory optimization flags

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 .bazelrc      | 2 +-
 envoy.bazelrc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.bazelrc b/.bazelrc
index 96f6f7c3de0..7cbfcd1d131 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -8,7 +8,7 @@ import %workspace%/envoy.bazelrc
 
 # Overrides workspace_status_command
 build --workspace_status_command=bazel/bazel_get_workspace_status
-build:remote --remote_timeout=7200 --discard_analysis_cache --nokeep_state_after_build --notrack_incremental_state
+build:remote --remote_timeout=7200
 # ========================================
 # Istio specific Bazel build/test options.
 # ========================================
diff --git a/envoy.bazelrc b/envoy.bazelrc
index b4856e811a7..a3a991e8b8d 100644
--- a/envoy.bazelrc
+++ b/envoy.bazelrc
@@ -11,7 +11,7 @@
 # The number 3G is chosen heuristically to both support large VM and small VM with RBE.
 # Startup options cannot be selected via config.
 # TODO: Adding just to test android
-startup --host_jvm_args=-Xmx3g
+startup --host_jvm_args=-Xmx4g
 startup --host_jvm_args="-DBAZEL_TRACK_SOURCE_DIRECTORIES=1"
 
 

From 99fd63225b429a76ebf92498abdf437713f67996 Mon Sep 17 00:00:00 2001
From: Mikhail Krinkin <mkrinkin@microsoft.com>
Date: Wed, 7 Jan 2026 22:01:16 +0000
Subject: [PATCH 13/13] Reduce bazel memory consumption on CI by discarding
 unused caches

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
---
 .bazelrc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.bazelrc b/.bazelrc
index 7cbfcd1d131..f77abf6d4ea 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -21,6 +21,10 @@ build:linux --action_env=PATH=/usr/local/bin:/bin:/usr/bin
 
 # Need for CI image to pickup docker-credential-gcloud, PATH is fixed in rbe-toolchain-* configs.
 build:remote-ci --action_env=PATH=/usr/local/google-cloud-sdk/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/llvm/bin
+# These flags reduce bazel memory consumption at the cost of slower incremental builds
+# CI builds are not incremental, since we build with a clean state, so the performance impact is not
+# relevant for CI
+build:remote-ci --discard_analysis_cache --nokeep_state_after_build --notrack_incremental_state
 
 # Enable path normalization by default.
 # See: https://github.com/envoyproxy/envoy/pull/6519