kong: Enforce kong-manager version and artifact checksum

[Malcolm-GetAHead]

Enforces the version of kong-manager being deployed in the build and enforced the checksum of the artifact.

In this comment it's mentioned that the kong-manager version included in the build is always nightly, but this is not the case:
#38875 (comment)

The commit referenced in the comment was sourced from a commit in the main branch:
https://github.com/Kong/kong/blob/df6cc598b65d4d205ae148812d0a673d2fc098b9/.requirements#L26

If you look at the release tag for Kong 3.9.0 you can see it's set to a static version:
https://github.com/Kong/kong/blob/3.9.0/.requirements

I've also added aSHA256 check of the artifact to ensure the integrity of the downloaded artifact.

[octo-sts]

⚠️ EXPERIMENTAL

Please use 👍 or 👎 on this comment to indicate if you agree or disagree with the recommendation.

To provide more detailed feedback please comment on the recommendation prefixed with /ai-verify:

e.g. /ai-verify partially helpful but I also added bash to the build environment

Gen AI suggestions to solve the build error:

Based on the error output, I'll provide a structured analysis and solution:

• Detected Error: "Unrecoverable error while evaluating node 'IGNORED_SUBDIRECTORIES:@@'"

• Error Category: Build Configuration

• Failure Point: Bazel initialization/configuration phase before actual build starts

• Root Cause Analysis:
The error occurs during Bazel's workspace initialization, specifically when processing ignored subdirectories. This typically happens when there's an invalid configuration in the Bazel workspace setup or when there are permission/path issues.

• Suggested Fix:

1. Add a .bazelignore file in the root directory:

# Add to .bazelignore
bazel-*
.git

2. Modify the pipeline section to include proper Bazel workspace setup:

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/Kong/kong
      tag: ${{package.version}}
      expected-commit: 0118b3c220681d4f0327540ae1a5e8f271081bf6

  - uses: patch
    with:
      patches: http-archive.patch openssl.patch

  - runs: |
      # Create .bazelignore
      echo "bazel-*" > .bazelignore
      echo ".git" >> .bazelignore
      
      # Clean any existing Bazel artifacts
      rm -rf bazel-* .bazel

      # Configure Bazel
      export PATH=$PATH:$HOME/.cargo/bin
      export JAVA_HOME=/usr/lib/jvm/java-21-openjdk
      
      # Build with more verbose output
      bazel clean
      bazel build //build:kong --verbose_failures --worker_verbose --config=release

• Explanation:
The fix addresses the IGNORED_SUBDIRECTORIES error by:

1. Explicitly defining which directories Bazel should ignore
2. Ensuring clean workspace state before build
3. Setting up proper environment variables
4. Adding more verbose output for debugging

• Additional Notes:

• The error is a common Bazel workspace initialization issue
• Adding .bazelignore helps Bazel properly handle workspace boundaries
• More verbose output flags help diagnose build issues
• Clean workspace ensures no conflicting state

• References:

• Bazel Documentation: https://bazel.build/docs/user-manual#bazelignore
• Kong Build Documentation: https://github.com/Kong/kong/blob/master/BUILD.bazel
• Similar Issue: remote: implement a naive action-scoped file system bazelbuild/bazel#7926

[github-actions]

This Pull Request is stale because it has been open for 90 days with
no activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.