Add CI/CD automation and update documentation for envoy-openssl

This commit adds GitHub Actions workflows for continuous integration and
automated synchronization with upstream Envoy, plus documentation updates.

GitHub Actions workflows:
- envoy-openssl.yml: CI pipeline for building and testing with OpenSSL
  - Runs on PR events only (not on push)
  - Uses standard Envoy build infrastructure
  - Includes disk cleanup step for CI environment

- envoy-sync-scheduled.yaml: Automated upstream synchronization
  - Runs 4 times daily to merge from upstream Envoy
  - Creates auto-merge PRs for each release branch
  - Handles merge conflicts with issue creation
  - Auto-merges bot update PRs

- envoy-openssl-auto-merge.yml: Additional merge automation
  - Handles bot-generated update PRs
  - Ensures timely integration of upstream changes

Repository configuration:
- Update CODEOWNERS to prevent upstream Envoy maintainers from getting
  review requests on envoy-openssl-specific changes
- Remove .github/dependabot.yml to avoid dependency update conflicts
- Update .gitignore for OpenSSL build artifacts

Documentation:
- Update README.md with envoy-openssl-specific build instructions
- Document differences from upstream Envoy
- Explain bssl-compat layer and OpenSSL requirements
- Add architecture support information (s390x, ppc64le)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Jonh Wendell <jwendell@redhat.com>

Author: jwendell

.github/dependabot.yml

@@ -0,0 +1,70 @@
+name: Auto-merge Bot PRs
+
+on:
+  workflow_run:
+    workflows: ["OpenSSL testing"]
+    types:
+    - completed
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  enable-auto-merge:
+    if: |
+      github.repository == 'envoyproxy/envoy-openssl'
+      && github.event.workflow_run.conclusion == 'success'
+      && github.event.workflow_run.repository.full_name == github.repository
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Get PR info
+      id: pr
+      uses: actions/github-script@v7
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          const prs = context.payload.workflow_run.pull_requests;
+          if (prs.length === 0) {
+            core.notice("No pull request associated with this workflow_run (likely from a fork). Skipping workflow.");
+            // Explicitly set a flag so next steps can check
+            core.setOutput("skip", "true");
+            return;
+          }
+          const prNumber = prs[0].number;
+          const { data: pr } = await github.rest.pulls.get({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            pull_number: prNumber
+          });
+          core.setOutput("pr_number", pr.number);
+          core.setOutput("pr_author", pr.user.login);
+          core.setOutput("labels", pr.labels.map(l => l.name).join(","));
+
+    - name: Print info
+      if: ${{ steps.pr.outputs.skip != 'true' }}
+      run: |
+        echo "PR author: ${{ steps.pr.outputs.pr_author }}"
+        echo "Labels: ${{ steps.pr.outputs.labels }}"
+        if [[ "${{ steps.pr.outputs.pr_author }}" != "update-openssl-envoy[bot]" ]]; then
+          echo "::notice title=Skip reason::PR author is not update-openssl-envoy[bot]"
+        fi
+        if [[ "${{ steps.pr.outputs.labels }}" != *"auto-merge"* ]]; then
+          echo "::notice title=Skip reason::Label 'auto-merge' not found"
+        fi
+
+    - name: Merge PR
+      if: ${{ steps.pr.outputs.skip != 'true' && contains(steps.pr.outputs.labels, 'auto-merge') && steps.pr.outputs.pr_author == 'update-openssl-envoy[bot]' }}
+      uses: actions/github-script@v7
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          const prNumber = parseInt('${{ steps.pr.outputs.pr_number }}');
+          await github.rest.pulls.merge({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            pull_number: prNumber,
+            merge_method: 'merge'
+          });
+          core.notice(`✅ PR #${prNumber} merged automatically.`);

.github/workflows/envoy-openssl-auto-merge.yml

@@ -0,0 +1,35 @@
+name: OpenSSL testing
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+
+jobs:
+  openssl:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 180
+    permissions:
+      contents: read
+      packages: read
+    if: >-
+      ${{ github.repository == 'envoyproxy/envoy-openssl' }}
+    steps:
+    - name: Free disk space
+      uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.3.23
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - run: |
+        ./ci/run_envoy_docker.sh './ci/do_ci.sh gcc //test/...'
+      env:
+        BAZEL_BUILD_EXTRA_OPTIONS: >-
+          --config=remote-envoy-engflow
+          --config=bes-envoy-engflow
+          --config=remote-ci
+        ENVOY_RBE: 1
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/envoy-openssl.yml

@@ -0,0 +1,54 @@
+name: Sync from Upstream (Scheduled)
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 */6 * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}
+
+jobs:
+  sync:
+    if: github.repository == 'envoyproxy/envoy-openssl'
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        branch_name:
+          - release/v1.32
+          - release/v1.34
+          - release/v1.35
+    steps:
+    - id: appauth
+      uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.23
+      with:
+        key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
+        app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}
+
+    # Checkout the branch we're merging into
+    - name: "Checkout ${{ github.repository }}[${{ matrix.branch_name }}]"
+      uses: actions/checkout@v4
+      with:
+        token: ${{ steps.appauth.outputs.token }}
+        ref: ${{ matrix.branch_name }}
+        fetch-depth: 0
+
+    # Configure the git user info on the repository
+    - run: git config user.name "${{ github.actor }}"
+    - run: git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+
+    # Checkout & run the script from the default branch
+    - name: 'Checkout ci/envoy-sync-receive.sh'
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.repository.default_branch }}
+        sparse-checkout: 'ci/envoy-sync-receive.sh'
+        sparse-checkout-cone-mode: false
+        path: '.script'
+    - run: .script/ci/envoy-sync-receive.sh ${{ matrix.branch_name }}
+      env:
+          GH_TOKEN: ${{ steps.appauth.outputs.token }}

.github/workflows/envoy-sync-scheduled.yaml

@@ -46,7 +46,7 @@ TAGS
 clang-tidy-fixes.yaml
 clang.bazelrc
 user.bazelrc
-CMakeLists.txt
+openssl.bazelrc
 cmake-build-debug
 /linux
 bazel.output.txt

.gitignore

@@ -440,4 +440,10 @@ extensions/upstreams/tcp @ggreenway @mattklein123
 /contrib/dlb @mattklein123 @daixiang0
 /contrib/qat/ @giantcroc @soulxu
 /contrib/generic_proxy/ @wbpcode @UNOWNED
-/contrib/tap_sinks/ @coolg92003 @yiyibaoguo
+
+# The bulk of the files in this envoyproxy/envoy-openssl repository are just
+# copied from the upstream envoyproxy/envoy repository by automation.
+# Therefore, all of the above code owners should NOT be notified about changes
+# to this repository. To achive that, we have a default pattern which overrides
+# all the matches from above, and notifies the envoy-openssl-sync team instead.
+* @envoyproxy/envoy-openssl-sync