ci: Add API protobuf breaking-change-detector CI script

[YaseenAlk]

Commit Message: Add API protobuf breaking-change-detector CI script

Additional Description:

This PR is a continuation to #17515 - it adds a script that uses buf to check for breaking changes on proto files in the api folder. It does so by comparing the current api folder against the api folder at the git commit computed by tools/git/last_github_commit.sh - that should hopefully represent the most recent commit on main (if there is a better method to obtain the base branch commit, let me know!).

Adding the script also required re-organizing some of the breaking change detector logic from the previous pr: some levels of abstraction were added, and the detector now expects a git repository and ref as the input for initial state (rather than a proto file).

The script is invoked in do_ci.sh if bazel.api_compat is specified as the CI_TARGET.

This PR also bumps the buf bazel dependency to 0.53.0. If this is preferred to be in a separate PR, let me know and I would be happy to do so

Risk Level: low (hopefully) - the CI script will be invoked in a separate CI pipeline job that can be set to be optional on github. The azure pipeline has been added but needs to be set to optional by a CI maintainer

Testing: New scripts and logic were tested manually; also ran tests from the previous PR and they still pass. hoping to observe more output of this tool through reading CI logs of other PRs once this is merged (this PR should not affect the existing PR workflow - refer to Risk Level)

Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: CI script uses a linux binary for buf so it cannot be run outside of docker on non-linux systems

Related Issue #3368

[repokitteh-read-only]

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).

🐱

Caused by: #17793 was opened by YaseenAlk.

see: more, trace.

[YaseenAlk]

cc @akonradi @adisuissa

[akonradi]

Still need to review plenty of the code but flushing comments for now

[akonradi]

We can capture or redirect stderr if that's useful?

[YaseenAlk]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17793 (comment) was created by @YaseenAlk.

see: more, trace.

[YaseenAlk]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17793 (comment) was created by @YaseenAlk.

see: more, trace.

[adisuissa]

Thanks for working on this!
Left a few high-level comments

[adisuissa]

Maybe we should also have detector_ci.py here.

[akonradi]

Happy to re-review once the changes to remove lock file support are made

[htuch]

I'd recommend moving this to a bazel.api_compat target and CI job. We can then turn this on as an optional GitHub check, which will make it an active part of the ongoing review process. If we see false positives or need to override, it won't block developer velocity, and ideally we can tune them. At some point it can become a mandatory check and senior maintainers can override as needed.

WDYT @lizan @phlax @mattklein123?

I'm very excited to see this land and think this will be immeasurably valuable in avoiding costly breaking changes that hurt the ecosystem. It will also free up bandwidth of @envoyproxy/api-shepherds to focus on things other than breaking changes.

[mattklein123]

Sure SGTM

[YaseenAlk]

not sure what adding a new CI job entails on the azure/github side but I modified .azure-pipelines/pipelines.yml to add api_compat under api for the bazel job of the check stage. if I need to do anything else, let me know

[akonradi]

I see the new CI check, and it seems to be failing as expected.

[YaseenAlk]

this should be ready for a second review! @adisuissa @akonradi

[akonradi]

LGTM with one nit.

[akonradi]

I see the new CI check, and it seems to be failing as expected.

[adisuissa]

LGTM, thanks!

[adisuissa]

Please add a comment on why api_compat is failing for this PR.

[johanbrandhorst]

FYI, this protobuf module has been deprecated in favor of buf.build/googleapis/googleapis. I think it'd be good to update it now before merging this as changing the dependency later can be annoying for downstream dependents.

[YaseenAlk]

@htuch this should be ready for one last review from you! the api_compat check will fail until we merge in necessary buf config files into the main branch (e.g. buf.lock file), because buf is trying to compile the API proto files on the main branch without proper configuration. I will also monitor other PRs today to make sure it starts passing and I can try to make a quick fix if something else is wrong

[johanbrandhorst]

FYI, if you actually want to parse this output (I see it's not really being parsed here) you can use --error-format=json to get structured results.

[YaseenAlk]

actually hold on, going to push one more change to update buf version and adjust BSR dependencies that @johanbrandhorst recommended

[YaseenAlk]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17793 (comment) was created by @YaseenAlk.

see: more, trace.

[htuch]

LGTM, thanks! Look forward to working with this and iterating. Great accomplishment for the internship!

[htuch]

/lgtm deps

[htuch]

@envoyproxy/maintainers @phlax this may cause issues in CI or PRs; presumably not given its an optional check, but just flagging it in case. Please rollback if there is a genuine CI breakage (i.e. modulo the optional api_compat check).