ci/linting: Update envoy.code.check for yamllint

.azure-pipelines/cached.yml

@@ -1,4 +1,3 @@
-
 parameters:
 - name: arch
   type: string
@@ -50,7 +49,12 @@ steps:
     VSO_DEDUP_REDIRECT_TIMEOUT_IN_SEC: "${{ parameters.cacheTimeoutWorkaround }}"
   displayName: "Cache (${{ parameters.cacheName }})"
   inputs:
-    key: '${{ parameters.cacheName }} | "${{ parameters.version }}" | "${{ parameters.arch }}" | ${{ parameters.keyDocker }} | ${{ parameters.keyBazel }}'
+    key: >-
+      ${{ parameters.cacheName }}
+      | "${{ parameters.version }}"
+      | "${{ parameters.arch }}"
+      | ${{ parameters.keyDocker }}
+      | ${{ parameters.keyBazel }}
     path: "${{ parameters.pathTemp }}/all"
     cacheHitVar: CACHE_RESTORED
 
@@ -81,9 +85,19 @@ steps:
     BAZEL_RESTORED: $(BAZEL_CACHE_RESTORED)
   displayName: "Cache/prime (Docker/Bazel)"
   # TODO(phlax): figure if there is a way to test cache without downloading it
-  condition: and(not(canceled()), eq(${{ parameters.prime }}, true), eq('${{ parameters.cacheName }}', ''), or(ne(variables.DOCKER_CACHE_RESTORED, 'true'), ne(variables.BAZEL_CACHE_RESTORED, 'true')))
+  condition: >-
+    and(not(canceled()),
+        eq(${{ parameters.prime }}, true),
+        eq('${{ parameters.cacheName }}', ''),
+        or(ne(variables.DOCKER_CACHE_RESTORED, 'true'),
+           ne(variables.BAZEL_CACHE_RESTORED, 'true')))
 
 # Load the caches for a job
-- script: sudo .azure-pipelines/docker/load_caches.sh "$(Build.StagingDirectory)" "${{ parameters.pathTemp }}" "${{ parameters.pathDockerBind }}" "${{ parameters.tmpfsDockerDisabled }}"
+- script: >-
+    sudo .azure-pipelines/docker/load_caches.sh
+    "$(Build.StagingDirectory)"
+    "${{ parameters.pathTemp }}"
+    "${{ parameters.pathDockerBind }}"
+    "${{ parameters.tmpfsDockerDisabled }}"
   displayName: "Cache/restore"
   condition: and(not(canceled()), eq(${{ parameters.prime }}, false))

.azure-pipelines/gpg.yml

@@ -1,4 +1,3 @@
-
 parameters:
 - name: nameDownloadTask
   type: string

.azure-pipelines/pipelines.yml

@@ -57,7 +57,13 @@ variables:
   value: /mnt/docker
 
 - name: authGithubSSHKeyPublic
-  value: "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk="
+  value: >-
+    github.com ssh-rsa
+    AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/
+    C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY
+    7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B
+    381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1v
+    N1/wsjk="
 
 
 stages:

.azure-pipelines/stage/checks.yml

@@ -1,4 +1,3 @@
-
 parameters:
 - name: bucketGCP
   type: string
@@ -113,7 +112,7 @@ jobs:
   # This condition ensures that this (required) check passes if all of
   # the preceding checks either pass or are skipped
   # adapted from:
-  #   https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
+  #  https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
   condition: |
     and(
       eq(variables['Build.Reason'], 'PullRequest'),

.azure-pipelines/stage/linux.yml

@@ -83,8 +83,10 @@ jobs:
   # This condition ensures that this (required) job passes if all of
   # the preceeding jobs either pass or are skipped
   # adapted from:
-  #   https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
-  condition: and(eq(variables['Build.Reason'], 'PullRequest'), in(dependencies.release.result, 'Succeeded', 'SucceededWithIssues', 'Skipped'))
+  #  https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
+  condition: |
+    and(eq(variables['Build.Reason'], 'PullRequest'),
+        in(dependencies.release.result, 'Succeeded', 'SucceededWithIssues', 'Skipped'))
   steps:
   - checkout: none
   - bash: |

.azure-pipelines/stage/prechecks.yml

@@ -165,7 +165,7 @@ jobs:
   # This condition ensures that this (required) job passes if all of
   # the preceeding jobs either pass or are skipped
   # adapted from:
-  #   https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
+  #  https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
   condition: |
     and(
       eq(variables['Build.Reason'], 'PullRequest'),

.azure-pipelines/stage/publish.yml

@@ -1,4 +1,3 @@
-
 parameters:
 
 - name: bucketGCP
@@ -253,7 +252,7 @@ jobs:
   # This condition ensures that this (required) check passes if all of
   # the preceding checks either pass or are skipped
   # adapted from:
-  #   https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
+  #  https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
   condition: |
     and(
       in(dependencies.docker.result, 'Succeeded', 'SucceededWithIssues', 'Skipped'),

.azure-pipelines/stage/verify.yml

@@ -1,4 +1,3 @@
-
 parameters:
 
 # Auth
@@ -10,7 +9,12 @@ parameters:
 jobs:
 - job: packages_x64
   displayName: Debs (x64)
-  condition: and(not(canceled()), succeeded(), ne(stageDependencies.env.repo.outputs['changed.mobileOnly'], 'true'), ne(stageDependencies.env.repo.outputs['changed.docsOnly'], 'true'), ne(stageDependencies.env.repo.outputs['changed.examplesOnly'], 'true'))
+  condition: |
+    and(not(canceled()),
+        succeeded(),
+        ne(stageDependencies.env.repo.outputs['changed.mobileOnly'], 'true'),
+        ne(stageDependencies.env.repo.outputs['changed.docsOnly'], 'true'),
+        ne(stageDependencies.env.repo.outputs['changed.examplesOnly'], 'true'))
   timeoutInMinutes: 120
   pool: envoy-x64-small
   steps:
@@ -32,7 +36,12 @@ jobs:
 
 - job: packages_arm64
   displayName: Debs (arm64)
-  condition: and(not(canceled()), succeeded(), ne(stageDependencies.env.repo.outputs['changed.mobileOnly'], 'true'), ne(stageDependencies.env.repo.outputs['changed.docsOnly'], 'true'), ne(stageDependencies.env.repo.outputs['changed.examplesOnly'], 'true'))
+  condition: |
+    and(not(canceled()),
+        succeeded(),
+        ne(stageDependencies.env.repo.outputs['changed.mobileOnly'], 'true'),
+        ne(stageDependencies.env.repo.outputs['changed.docsOnly'], 'true'),
+        ne(stageDependencies.env.repo.outputs['changed.examplesOnly'], 'true'))
   timeoutInMinutes: 120
   pool: "envoy-arm-small"
   steps:
@@ -63,7 +72,7 @@ jobs:
   # This condition ensures that this (required) check passes if all of
   # the preceding checks either pass or are skipped
   # adapted from:
-  #   https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
+  #  https://learn.microsoft.com/en-us/azure/devops/pipelines/process/expressions?view=azure-devops#job-to-job-dependencies-within-one-stage
   condition: |
     and(
       eq(variables['Build.Reason'], 'PullRequest'),

.azure-pipelines/stages.yml

@@ -1,4 +1,3 @@
-
 parameters:
 ## Build stages
 # NB: all stages _must_ depend on `env`

.clang-format

@@ -1,5 +1,5 @@
 ---
-Language:        Cpp
+Language: Cpp
 AccessModifierOffset: -2
 ColumnLimit: 100
 DerivePointerAlignment: false

.github/workflows/codeql-daily.yml

@@ -46,7 +46,9 @@ jobs:
       shell: bash
       run: |
        sudo apt-get update --error-on=any
-       sudo apt-get install --yes libtool cmake automake autoconf make ninja-build curl unzip virtualenv openjdk-11-jdk build-essential libc++1
+       sudo apt-get install --yes \
+           libtool cmake automake autoconf make ninja-build curl unzip \
+           virtualenv openjdk-11-jdk build-essential libc++1
        # Note: the llvm/clang version should match the version specifed in:
        #  - bazel/repository_locations.bzl
        #  - .github/workflows/codeql-push.yml
@@ -61,7 +63,8 @@ jobs:
       run: |
        bazel/setup_clang.sh bin/clang14
        bazelisk shutdown
-       bazelisk build -c fastbuild --spawn_strategy=local --discard_analysis_cache --nouse_action_cache --config clang --config libc++ //source/common/http/...
+       bazelisk build -c fastbuild --spawn_strategy=local --discard_analysis_cache --nouse_action_cache --config clang --config libc++ \
+           //source/common/http/...
 
     - name: Clean Artifacts
       run: |

.github/workflows/codeql-push.yml

@@ -77,7 +77,9 @@ jobs:
       shell: bash
       run: |
        sudo apt-get update --error-on=any
-       sudo apt-get install --yes libtool cmake automake autoconf make ninja-build curl unzip virtualenv openjdk-11-jdk build-essential libc++1
+       sudo apt-get install --yes \
+           libtool cmake automake autoconf make ninja-build curl \
+           unzip virtualenv openjdk-11-jdk build-essential libc++1
        # Note: the llvm/clang version should match the version specifed in:
        #  - bazel/repository_locations.bzl
        #  - .github/workflows/codeql-daily.yml

.github/workflows/envoy-dependency.yml

@@ -43,9 +43,12 @@ jobs:
            github.event_name == 'workflow_dispatch'
            && startsWith(inputs.task, 'bazel')
       }}
-    name: >-
+    name: >
       Update dep
-      (${{ inputs.pr && 'PR/' || '' }}${{ inputs.task == 'bazel' && 'bazel' || 'bazel/api' }}/${{ inputs.dependency }}/${{ inputs.version }})
+       (${{ inputs.pr && 'PR/' || '' }}
+      ${{ inputs.task == 'bazel' && 'bazel' || 'bazel/api' }}
+      /${{ inputs.dependency }}
+      /${{ inputs.version }})
     runs-on: ubuntu-22.04
     steps:
     - id: appauth

.github/workflows/envoy-publish.yml

@@ -55,7 +55,7 @@ jobs:
       ENVOY_CI_SYNC_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_ID || '' }}
       ENVOY_CI_SYNC_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_SYNC_APP_KEY || '' }}
       ENVOY_CI_PUBLISH_APP_ID: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_ID || '' }}
-      ENVOY_CI_PUBLISH_APP_KEY:  ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }}
+      ENVOY_CI_PUBLISH_APP_KEY: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_CI_PUBLISH_APP_KEY || '' }}
     permissions:
       contents: read
       packages: read

.yamllint

@@ -18,8 +18,14 @@ rules:
     - "false"
     # https://github.com/adrienverge/yamllint/issues/430
     - "on"
+    - "off"
 
 yaml-files:
 - .clang-format
 - "*.yml"
 - "*.yaml"
+
+ignore:
+- "**/*template.yaml"
+- examples/single-page-app/_github-clusters.yml
+- test/config/integration/server_xds.cds.with_unknown_field.yaml

SECURITY-INSIGHTS.yml

@@ -10,43 +10,43 @@ project-lifecycle:
   status: active
   bug-fixes-only: false
   core-maintainers:  # from https://github.com/envoyproxy/envoy/blob/main/OWNERS.md
-# Senior maintainers
-    - github:mattklein123
-    - github:htuch
-    - github:alyssawilk
-    - github:zuercher
-    - github:lizan
-    - github:ggreenway
-    - github:yanavlasov
-    - github:phlax
-    - github:RyanTheOptimist
-    - github:wbpcode
-# Maintainers
-    - github:jmarantz
-    - github:adisuissa
-    - github:KBaichoo
-    - github:keith
-    - github:kyessenov
-    - github:ravenblackx
-    - github:soulxu
-    - github:nezdolik
+  # Senior maintainers
+  - github:mattklein123
+  - github:htuch
+  - github:alyssawilk
+  - github:zuercher
+  - github:lizan
+  - github:ggreenway
+  - github:yanavlasov
+  - github:phlax
+  - github:RyanTheOptimist
+  - github:wbpcode
+  # Maintainers
+  - github:jmarantz
+  - github:adisuissa
+  - github:KBaichoo
+  - github:keith
+  - github:kyessenov
+  - github:ravenblackx
+  - github:soulxu
+  - github:nezdolik
 contribution-policy:
   accepts-pull-requests: true
   accepts-automated-pull-requests: true
   code-of-conduct: https://github.com/envoyproxy/envoy/blob/main/CODE_OF_CONDUCT.md
 dependencies:
   third-party-packages: true
   dependencies-lists:
-    - https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/external_deps
+  - https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/external_deps
   env-dependencies-policy:
     policy-url: https://github.com/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md
 distribution-points:
-  - https://github.com/envoyproxy/envoy
+- https://github.com/envoyproxy/envoy
 documentation:
-  - https://www.envoyproxy.io/docs
+- https://www.envoyproxy.io/docs
 security-contacts:
-  - type: email
-    value: envoy-security@googlegroups.com
+- type: email
+  value: envoy-security@googlegroups.com
 security-testing:
 - tool-type: sca
   tool-name: Dependabot

docs/root/configuration/http/http_filters/_include/aws-lambda-filter-upstream.yaml

@@ -43,14 +43,14 @@ static_resources:
         auto_config:
           http2_protocol_options: {}
         http_filters:
-          - name: envoy.filters.http.aws_lambda
-            typed_config:
-              "@type": type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.Config
-              arn: "arn:aws:lambda:us-west-2:987654321:function:hello_envoy"
-              payload_passthrough: false
-          - name: envoy.filters.http.upstream_codec
-            typed_config:
-              "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
+        - name: envoy.filters.http.aws_lambda
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.Config
+            arn: "arn:aws:lambda:us-west-2:987654321:function:hello_envoy"
+            payload_passthrough: false
+        - name: envoy.filters.http.upstream_codec
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
     transport_socket:
       name: envoy.transport_sockets.tls
       typed_config:

docs/root/configuration/http/http_filters/_include/aws-request-signing-filter-upstream.yaml

@@ -43,20 +43,20 @@ static_resources:
         auto_config:
           http2_protocol_options: {}
         http_filters:
-          - name: envoy.filters.http.aws_request_signing
-            typed_config:
-              "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
-              service_name: vpc-lattice-svcs
-              region: '*'
-              signing_algorithm: AWS_SIGV4A
-              use_unsigned_payload: true
-              match_excluded_headers:
-              - prefix: x-envoy
-              - prefix: x-forwarded
-              - exact: x-amzn-trace-id
-          - name: envoy.filters.http.upstream_codec
-            typed_config:
-              "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
+        - name: envoy.filters.http.aws_request_signing
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
+            service_name: vpc-lattice-svcs
+            region: '*'
+            signing_algorithm: AWS_SIGV4A
+            use_unsigned_payload: true
+            match_excluded_headers:
+            - prefix: x-envoy
+            - prefix: x-forwarded
+            - exact: x-amzn-trace-id
+        - name: envoy.filters.http.upstream_codec
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
     transport_socket:
       name: envoy.transport_sockets.tls
       typed_config:

docs/root/configuration/http/http_filters/_include/compressor-filter.yaml

@@ -21,15 +21,19 @@ static_resources:
                   "@type": type.googleapis.com/envoy.extensions.filters.http.compressor.v3.CompressorPerRoute
                   disabled: true
               routes:
-              - match: { prefix: "/static" }
-                route: { cluster: service }
+              - match:
+                  prefix: "/static"
+                route:
+                  cluster: service
                 typed_per_filter_config:
                   envoy.filters.http.compression:
                     "@type": type.googleapis.com/envoy.extensions.filters.http.compressor.v3.CompressorPerRoute
                     overrides:
                       response_direction_config:
-              - match: { prefix: "/" }
-                route: { cluster: service }
+              - match:
+                  prefix: "/"
+                route:
+                  cluster: service
           http_filters:
           - name: envoy.filters.http.compressor
             typed_config:
@@ -38,8 +42,8 @@ static_resources:
                 common_config:
                   min_content_length: 100
                   content_type:
-                    - text/html
-                    - application/json
+                  - text/html
+                  - application/json
                 disable_on_etag_header: true
               request_direction_config:
                 common_config: