DNM - OpenSSL in main

.bazelrc

@@ -38,6 +38,8 @@ build --copt=-DABSL_MIN_LOG_LEVEL=4
 build --cxxopt=-std=c++20 --host_cxxopt=-std=c++20
 build --copt=-Wno-deprecated-declarations
 build --define envoy_mobile_listener=enabled
+# Default to BoringSSL. Use --config=openssl to switch to OpenSSL.
+build --define=ssl=boringssl
 build --experimental_repository_downloader_retries=2
 build --experimental_cc_static_library
 build --enable_platform_specific_config
@@ -491,3 +493,7 @@ try-import %workspace%/repo.bazelrc
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc
 try-import %workspace%/local_tsan.bazelrc
+
+# OpenSSL-specific configuration (use with --config=openssl)
+# To use the default BoringSSL backend, simply don't specify this config
+try-import %workspace%/openssl/openssl.bazelrc

.github/workflows/envoy-openssl-auto-merge.yml

@@ -0,0 +1,70 @@
+name: Auto-merge Bot PRs
+
+on:
+  workflow_run:
+    workflows: ["OpenSSL testing"]
+    types:
+    - completed
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  enable-auto-merge:
+    if: |
+      github.repository == 'envoyproxy/envoy-openssl'
+      && github.event.workflow_run.conclusion == 'success'
+      && github.event.workflow_run.repository.full_name == github.repository
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Get PR info
+      id: pr
+      uses: actions/github-script@v7
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          const prs = context.payload.workflow_run.pull_requests;
+          if (prs.length === 0) {
+            core.notice("No pull request associated with this workflow_run (likely from a fork). Skipping workflow.");
+            // Explicitly set a flag so next steps can check
+            core.setOutput("skip", "true");
+            return;
+          }
+          const prNumber = prs[0].number;
+          const { data: pr } = await github.rest.pulls.get({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            pull_number: prNumber
+          });
+          core.setOutput("pr_number", pr.number);
+          core.setOutput("pr_author", pr.user.login);
+          core.setOutput("labels", pr.labels.map(l => l.name).join(","));
+
+    - name: Print info
+      if: ${{ steps.pr.outputs.skip != 'true' }}
+      run: |
+        echo "PR author: ${{ steps.pr.outputs.pr_author }}"
+        echo "Labels: ${{ steps.pr.outputs.labels }}"
+        if [[ "${{ steps.pr.outputs.pr_author }}" != "update-openssl-envoy[bot]" ]]; then
+          echo "::notice title=Skip reason::PR author is not update-openssl-envoy[bot]"
+        fi
+        if [[ "${{ steps.pr.outputs.labels }}" != *"auto-merge"* ]]; then
+          echo "::notice title=Skip reason::Label 'auto-merge' not found"
+        fi
+
+    - name: Merge PR
+      if: ${{ steps.pr.outputs.skip != 'true' && contains(steps.pr.outputs.labels, 'auto-merge') && steps.pr.outputs.pr_author == 'update-openssl-envoy[bot]' }}
+      uses: actions/github-script@v7
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          const prNumber = parseInt('${{ steps.pr.outputs.pr_number }}');
+          await github.rest.pulls.merge({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            pull_number: prNumber,
+            merge_method: 'merge'
+          });
+          core.notice(`✅ PR #${prNumber} merged automatically.`);

.github/workflows/envoy-openssl.yml

@@ -0,0 +1,58 @@
+name: OpenSSL testing
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+
+jobs:
+  openssl:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 180
+    permissions:
+      contents: read
+      packages: read
+    if: >-
+      ${{ github.repository == 'envoyproxy/envoy-openssl' }}
+    steps:
+    - name: Free disk space
+      uses: envoyproxy/toolshed/gh-actions/[email protected]
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - run: |
+        ./ci/run_envoy_docker.sh './ci/do_ci.sh dev @bssl-compat//test/... //test/...'
+      env:
+        BAZEL_BUILD_EXTRA_OPTIONS: >-
+          --config=rbe
+          --config=bes
+          --config=remote-ci
+          --config=openssl
+        ENVOY_RBE: 1
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  boringssl:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 180
+    permissions:
+      contents: read
+      packages: read
+    if: >-
+      ${{ github.repository == 'envoyproxy/envoy-openssl' }}
+    steps:
+    - name: Free disk space
+      uses: envoyproxy/toolshed/gh-actions/[email protected]
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - run: |
+        ./ci/run_envoy_docker.sh './ci/do_ci.sh dev //test/...'
+      env:
+        BAZEL_BUILD_EXTRA_OPTIONS: >-
+          --config=rbe
+          --config=bes
+          --config=remote-ci
+        ENVOY_RBE: 1
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/envoy-sync-scheduled.yaml

@@ -0,0 +1,54 @@
+name: Sync from Upstream (Scheduled)
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 */6 * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}
+
+jobs:
+  sync:
+    if: github.repository == 'envoyproxy/envoy-openssl'
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        branch_name:
+          - release/v1.32
+          - release/v1.34
+          - release/v1.35
+    steps:
+    - id: appauth
+      uses: envoyproxy/toolshed/gh-actions/[email protected]
+      with:
+        key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
+        app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}
+
+    # Checkout the branch we're merging into
+    - name: "Checkout ${{ github.repository }}[${{ matrix.branch_name }}]"
+      uses: actions/checkout@v4
+      with:
+        token: ${{ steps.appauth.outputs.token }}
+        ref: ${{ matrix.branch_name }}
+        fetch-depth: 0
+
+    # Configure the git user info on the repository
+    - run: git config user.name "${{ github.actor }}"
+    - run: git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+
+    # Checkout & run the script from the default branch
+    - name: 'Checkout ci/envoy-sync-receive.sh'
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.repository.default_branch }}
+        sparse-checkout: 'ci/envoy-sync-receive.sh'
+        sparse-checkout-cone-mode: false
+        path: '.script'
+    - run: .script/ci/envoy-sync-receive.sh ${{ matrix.branch_name }}
+      env:
+          GH_TOKEN: ${{ steps.appauth.outputs.token }}

CODEOWNERS

@@ -463,3 +463,7 @@ extensions/upstreams/tcp @ggreenway @mattklein123
 /contrib/peak_ewma/filters/http/ @rroblak @UNOWNED
 /contrib/peak_ewma/load_balancing_policies/ @rroblak @UNOWNED
 /contrib/kae/ @Misakokoro @UNOWNED
+
+# OpenSSL FIXME: Maybe create another group "owners"?
+/bssl-compat/ @envoyproxy/envoy-openssl-sync
+/openssl/ @envoyproxy/envoy-openssl-sync