deps: Add toolshed-actions updater to envoy-dependency workflow#44955

Draft
Copilot wants to merge 2 commits into main from copilot/add-toolshed-actions-updater

Conversation


Copilot AI commented May 8, 2026

Dependabot doesn't reliably update envoyproxy/toolshed/actions/...@<sha> refs in Envoy — particularly those nested inside composite action definitions — because they don't surface as standard github-actions dependencies. This adds a bespoke toolshed-actions task to the existing envoy-dependency dispatch workflow to handle these updates.

Changes

  • New dispatch task option: adds toolshed-actions to workflow_dispatch.inputs.task choices in envoy-dependency.yml
  • New job update-toolshed-actions with three resolution modes via the existing version input:
    • Empty → resolves latest actions-v* release from envoyproxy/toolshed
    • actions-v* tag → resolves that tag to its commit SHA via the GitHub commits API
    • 40-char hex SHA → uses directly, then reverse-looks up the matching actions-v* tag if one exists
  • Comment normalization: when the target SHA maps to a known actions-v* tag, ensures every updated line carries a # actions-vX.Y.Z trailing comment; when dispatching a raw unmapped SHA, strips any stale comment
  • Scoped rewrite: only touches files under .github/workflows/ containing toolshed action refs; uses perl -i -pe with $ENV{} interpolation for safe, deterministic substitution
  • Standard PR output: reuses envoyproxy/toolshed/actions/github/pr with the same commit/branch/title conventions as other dependency update jobs

Example resulting line after an update with a known release SHA:

uses: envoyproxy/toolshed/actions/appauth@<new-sha>  # actions-v0.4.15

And after dispatching a raw unmapped SHA (no semver comment appended):

uses: envoyproxy/toolshed/actions/appauth@<raw-sha>
Original prompt

Implement a new bespoke dependency updater in envoyproxy/envoy for pinned envoyproxy/toolshed/actions/...@SHA references that Dependabot does not reliably update.

Context:

  • Envoy currently uses many toolshed GitHub Actions pinned by full commit SHA with trailing human-readable comments like # actions-v0.4.12.
  • Dependabot is configured for github-actions, but some toolshed action usages are nested / defined in ways that do not appear as normal action dependencies to the updater.
  • There is already a manual/scheduled dependency workflow in Envoy at .github/workflows/envoy-dependency.yml that supports custom dependency update tasks like bazel, bazel-api, build-image, and check.
  • Toolshed has precedent for preparing action releases by grepping and replacing pinned SHAs in .github/workflows/_release.yml.

Requested change:

  1. Extend .github/workflows/envoy-dependency.yml with a new workflow_dispatch task option named toolshed-actions.
  2. Add a dedicated updater path/job for toolshed-actions.
  3. The updater must update pinned refs matching envoyproxy/toolshed/actions/...@<sha> in Envoy.
  4. It must support the existing version dispatch input as an override:
    • If version is empty: resolve the latest actions-v* release/tag from envoyproxy/toolshed.
    • If version looks like an actions-v* tag: resolve that tag to its commit SHA.
    • If version looks like a 40-char commit SHA: use that SHA directly.
  5. Comment handling is required:
    • By default, when the target SHA corresponds to a known actions-v* tag, ensure the updated line has a trailing comment exactly like # actions-vX.Y.Z.
    • When dispatching a raw SHA that does not map to a known actions-v* tag, the updated line should have no semver comment.
    • If updating from a line with an old # actions-v... comment to an unmapped SHA, remove the stale comment.
    • Conversely, if updating a line without a comment to a SHA that maps to an actions-v* tag, add the semver comment.
  6. Scope the rewrite to relevant Envoy files that contain these refs (likely workflow-related files and any local action definitions if present), avoiding unnecessary broad rewrites.
  7. Reuse the existing dependency workflow’s commit / PR behavior so the updater can produce a PR in the normal Envoy dependency-update flow.

Implementation guidance:

  • Keep the output formatting deterministic.
  • Preserve existing YAML formatting as much as practical.
  • Prefer a simple shell-based grep/sed approach if that integrates cleanly with the existing workflow.
  • Use GitHub/CLI/API helpers already available in workflows if useful.
  • Ensure the updater is robust for both commented and uncommented uses: lines.

Please create a pull request in envoyproxy/envoy with this implementation.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: riddle me this - toolshed has just released a new actions-v version - why tf is dependabot not pickin it up?

Assistant: Because Dependabot is almost certainly doing exactly what you told it to do: it’s only tracking the github-actions ecosystem, and envoyproxy/toolshed/actions/... refs are being used as SHA-pinned third-party actions with inline comments, not version tags Dependabot can bump in the way you expect.

What I found:

  • Dependabot is enabled for GitHub Actions at repo root in .github/dependabot.yml:
- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: daily
    time: "06:00"
  • Your workflows use toolshed actions like this:
- uses: envoyproxy/toolshed/actions/jq@2ed4461f62fe3cf80196c05bea0d7dc39f15cf26  # actions-v0.4.12

That pattern repeats across a bunch of workflow files. The important bit is:

  • actual dependency ref: @2ed4461f62fe3cf80196c05bea0d7dc39f15cf26
  • human hint only: # actions-v0.4.12

Dependabot updates the ref, not the comment. So if it’s not opening a PR, the likely reason is one of these:

  1. The new toolshed release/tag doesn’t resolve as an update for the exact action ref format Dependabot sees

    • You’re using subpath actions like:
      • envoyproxy/toolshed/actions/jq
      • envoyproxy/toolshed/actions/github/remnt
      • etc.
    • Dependabot must determine that the repo/tag for those action paths has a newer valid version it can map to.
  2. The repo is pinned to a commit SHA, and Dependabot only updates when it can map that SHA to a newer release/tag

    • If the new “actions-v” release exists but isn’t being surfaced in a way Dependabot recognizes for these action references, no PR.
  3. **The new release may not satisfy GitHub Actions versio...

This pull request was created from Copilot chat.
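The dispatch-input classification and the comment-normalizing rewrite that the PR description lays out, as an added shell example that is not code from this PR or from Envoy's workflow. It uses awk's ENVIRON[] in place of the perl $ENV{} interpolation the PR describes (same idea: the new values are never spliced into program text), and the release SHA 0123…4567 is a constructed placeholder, not a real toolshed commit.

```shell
#!/bin/sh
# Added example, not Envoy's own workflow code: the dispatch-input classification
# and the comment-normalizing rewrite described above. awk's ENVIRON[] stands in
# for the PR's perl $ENV{} interpolation, so values never get spliced into code.

# Classify the `version` input: empty -> latest, actions-v* -> tag, 40 hex -> sha.
classify_version() {
  case "$1" in
    "") echo latest ;;
    actions-v*) echo tag ;;
    *) if [ "${#1}" -eq 40 ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-f')" ]; then
         echo sha
       else
         echo invalid
       fi ;;
  esac
}

# Rewrite every 40-hex toolshed ref in FILE to NEW_SHA. Non-empty TAG -> line ends
# with "  # TAG"; empty TAG -> any stale actions-v comment is stripped.
normalize_toolshed_refs() {
  file=$1
  NEW_SHA=$2 NEW_TAG=$3 awk '
    {
      if (match($0, /envoyproxy\/toolshed\/actions\/[^@ \t]+@[0-9a-fA-F]+/)) {
        ref = substr($0, RSTART, RLENGTH)
        split(ref, parts, "@")
        if (length(parts[2]) == 40) {
          head = substr($0, 1, RSTART - 1)
          tail = substr($0, RSTART + RLENGTH)
          sub(/[ \t]*#[ \t]*actions-v[^ \t]*[ \t]*$/, "", tail)   # drop stale comment
          sub(/[ \t]+$/, "", tail)
          line = head parts[1] "@" ENVIRON["NEW_SHA"] tail
          if (ENVIRON["NEW_TAG"] != "") line = line "  # " ENVIRON["NEW_TAG"]
          print line
          next
        }
      }
      print
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample fragment and a constructed (not real) release SHA.
demo=$(mktemp)
printf '%s\n' \
  '      - uses: envoyproxy/toolshed/actions/jq@2ed4461f62fe3cf80196c05bea0d7dc39f15cf26  # actions-v0.4.12' \
  '      - uses: envoyproxy/toolshed/actions/appauth@2ed4461f62fe3cf80196c05bea0d7dc39f15cf26' > "$demo"
normalize_toolshed_refs "$demo" 0123456789abcdef0123456789abcdef01234567 actions-v0.4.15
cat "$demo"; rm -f "$demo"
```

Running it prints both lines pinned to the new SHA with the `# actions-v0.4.15` comment; passing an empty tag instead produces the bare-SHA form with the old comment removed.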

@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #44955 was opened by Copilot.


Copilot AI changed the title from "[WIP] Add bespoke dependency updater for toolshed actions" to "deps: Add toolshed-actions updater to envoy-dependency workflow" May 8, 2026
Copilot finished work on behalf of phlax May 8, 2026 18:45
Copilot AI requested a review from phlax May 8, 2026 18:45