From 6fe0a5c375a735c09fb1192defe067f86ac1bf63 Mon Sep 17 00:00:00 2001 From: Nicolas Schweitzer Date: Tue, 30 Apr 2024 19:31:04 +0200 Subject: [PATCH 1/3] fix(ci): pin github actions per commit-sha --- .github/workflows/add_milestone.yml | 2 +- .github/workflows/backport-pr.yml | 4 ++-- .github/workflows/buildimages-update.yml | 10 +++++----- .github/workflows/codeql-analysis.yml | 10 +++++----- .github/workflows/create_rc_pr.yml | 6 +++--- .github/workflows/cws-btfhub-sync.yml | 12 ++++++------ .github/workflows/docs-dev.yml | 10 +++++----- .github/workflows/go-update-commenter.yml | 6 +++--- .github/workflows/go_mod_tidy.yml | 8 ++++---- .github/workflows/gohai.yml | 4 ++-- .github/workflows/label-analysis.yml | 8 ++++---- .github/workflows/labeler.yml | 2 +- .github/workflows/markdown-lint-check.yml | 4 ++-- .github/workflows/serverless-benchmarks.yml | 20 ++++++++++---------- .github/workflows/serverless-binary-size.yml | 12 ++++++------ .github/workflows/serverless-integration.yml | 14 +++++++------- .github/workflows/serverless-vuln-scan.yml | 16 ++++++++-------- .github/workflows/windows-linters.yml | 8 ++++---- .github/workflows/windows-unittests.yml | 8 ++++---- 19 files changed, 82 insertions(+), 82 deletions(-) diff --git a/.github/workflows/add_milestone.yml b/.github/workflows/add_milestone.yml index cde6cc294c423b..ef43c0869e8965 100644 --- a/.github/workflows/add_milestone.yml +++ b/.github/workflows/add_milestone.yml @@ -18,7 +18,7 @@ jobs: GH_REPO: ${{ github.repository }} steps: - name: Checkout datadog-agent repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Get repo current milestone id: current-milestone diff --git a/.github/workflows/backport-pr.yml b/.github/workflows/backport-pr.yml index cc7a16cd1a61dc..4376045023d957 100644 --- a/.github/workflows/backport-pr.yml +++ b/.github/workflows/backport-pr.yml 
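Review bot: The `# v4.1.4` comment beside the pinned SHA on the new `uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b` line is the only human-readable version reference, and nothing in the workflow keeps either the comment or the SHA current, so these pins go stale silently unless an updater owns them. This repository already relies on `dependabot[bot]` for Go dependencies (see the go_mod_tidy.yml hunk later in the patch), so confirm that `.github/dependabot.yml` — not visible here — has an entry such as `- package-ecosystem: "github-actions"` / `directory: "/"` / `schedule: { interval: "weekly" }`; Dependabot refreshes SHA pins and rewrites the trailing version comment. The same point applies to every `uses:` line changed across this patch, so it is not repeated per hunk. The job's `steps` list continues outside the hunk.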
@@ -19,12 +19,12 @@ jobs: ) ) steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3 id: app-token with: app-id: ${{ vars.DD_GITHUB_TOKEN_GENERATOR_APP_ID }} private-key: ${{ secrets.DD_GITHUB_TOKEN_GENERATOR_PRIVATE_KEY }} - - uses: tibdex/backport@v2 + - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4 with: label_pattern: "^backport/(?([^ ]+))$" labels_template: "<%= JSON.stringify([...labels, 'backport', 'bot']) %>" diff --git a/.github/workflows/buildimages-update.yml b/.github/workflows/buildimages-update.yml index bd381792523455..9e7391bb5cd1eb 100644 --- a/.github/workflows/buildimages-update.yml +++ b/.github/workflows/buildimages-update.yml @@ -28,7 +28,7 @@ jobs: steps: - name: Checkout branch - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.head_ref }} @@ -43,19 +43,19 @@ jobs: fi - name: Checkout branch - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 if: ${{ steps.branch_fetch.outputs.RESULT == 'true' }} with: ref: ${{ inputs.branch }} - name: Setup Python and pip - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: # use Python < 3.12 so that distutil is still available by default python-version: 3.11 cache: "pip" - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: # use the go version from the input, not from the .go-version file # in case it's a Go update PR 
@@ -83,7 +83,7 @@ jobs: echo 'MESSAGE=Update Go version to ${{ inputs.go_version }}' >> $GITHUB_OUTPUT fi - - uses: stefanzweifel/git-auto-commit-action@v5 + - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1 id: autocommit with: commit_message: ${{ steps.update_build_images.outputs.MESSAGE }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e11961dffd966b..578873d86660fd 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,12 +19,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: fetch-depth: 0 - name: Setup Python3 - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.11.8" cache: "pip" @@ -37,12 +37,12 @@ jobs: echo "CGO_LDFLAGS= -L${GITHUB_WORKSPACE}/rtloader/build/rtloader -ldl " >> $GITHUB_ENV echo "CGO_CFLAGS= -I${GITHUB_WORKSPACE}/rtloader/include -I${GITHUB_WORKSPACE}/rtloader/common " >> $GITHUB_ENV - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: ".go-version" - name: Initialize CodeQL - uses: github/codeql-action/init@v3.24.10 + uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 with: languages: ${{ matrix.language }} setup-python-dependencies: false @@ -61,4 +61,4 @@ jobs: invoke agent.build --build-exclude=systemd - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3.24.10 + uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 diff --git a/.github/workflows/create_rc_pr.yml b/.github/workflows/create_rc_pr.yml index 155a69a479c565..e440c5b3ce974b 100644 --- a/.github/workflows/create_rc_pr.yml +++ b/.github/workflows/create_rc_pr.yml 
@@ -12,12 +12,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: fetch-depth: 0 - name: Install python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.11 cache: "pip" @@ -33,7 +33,7 @@ jobs: echo "RELEASE_BRANCH=$(inv -e release.get-active-release-branch)" >> $GITHUB_ENV - name: Checkout release branch - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ env.RELEASE_BRANCH }} fetch-depth: 0 diff --git a/.github/workflows/cws-btfhub-sync.yml b/.github/workflows/cws-btfhub-sync.yml index 4d1a6cb0f22bfa..ab4bb5389d36da 100644 --- a/.github/workflows/cws-btfhub-sync.yml +++ b/.github/workflows/cws-btfhub-sync.yml @@ -26,25 +26,25 @@ jobs: docker rmi $(docker image ls -aq) >/dev/null 2>&1 - name: Checkout datadog-agent repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ inputs.base_branch || 'main' }} - name: Checkout btfhub-archive repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: DataDog/btfhub-archive path: dev/dist/archive - name: Install python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.9' cache: 'pip' - run: pip install -r requirements.txt - name: Install go - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: '.go-version' 
@@ -61,7 +61,7 @@ jobs: run: | inv -e security-agent.generate-btfhub-constants --archive-path=./dev/dist/archive ${{ inputs.force_refresh && '--force-refresh' || '' }} - - uses: stefanzweifel/git-auto-commit-action@v5 + - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1 id: commit-creator with: commit_message: "CWS: sync BTFhub constants" @@ -71,7 +71,7 @@ jobs: skip_checkout: true - name: Create Pull Request - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 if: steps.commit-creator.outputs.changes_detected == 'true' with: script: | diff --git a/.github/workflows/docs-dev.yml b/.github/workflows/docs-dev.yml index f7466f8e5b9e8f..0bd8a1ee8afc81 100644 --- a/.github/workflows/docs-dev.yml +++ b/.github/workflows/docs-dev.yml @@ -21,13 +21,13 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: # Fetch all history for applying timestamps to every page fetch-depth: 0 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.12' @@ -45,7 +45,7 @@ jobs: - name: Build documentation run: invoke docs.build - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: documentation path: site @@ -58,12 +58,12 @@ jobs: - build steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: documentation path: site - - uses: peaceiris/actions-gh-pages@v3 + - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: site 
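Review bot: The `uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0` line in the deploy job of docs-dev.yml is a major-version upgrade (v3 to v4.0.0), not a pin of the version that was in use, although the commit message presents the patch as pinning only. A SHA-pin commit should be behaviour-preserving so a reviewer can verify the SHA-to-tag mapping without also auditing a changelog; either pin the SHA of the latest v3 tag here, or move the bump into its own commit with a note on what changed in v4. The labeler.yml hunk does the same with `actions/labeler` (v4 to v5.0.0), which a later patch in this series then has to repair with a config rewrite — exactly the kind of break a pin-only commit should avoid. The deploy job's `steps` list continues past the hunk.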
diff --git a/.github/workflows/go-update-commenter.yml b/.github/workflows/go-update-commenter.yml index 9116859d543f80..9925fba1614ca6 100644 --- a/.github/workflows/go-update-commenter.yml +++ b/.github/workflows/go-update-commenter.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: # get the Go version of the target branch - - uses: actions/checkout@v4 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.base_ref }} - name: Get former Go version @@ -21,7 +21,7 @@ jobs: echo version="$(cat .go-version)" >> $GITHUB_OUTPUT # get the Go version of the PR branch - - uses: actions/checkout@v4 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Get current Go version id: new_go_version run: | @@ -50,7 +50,7 @@ jobs: } >> $GITHUB_OUTPUT # and display it - - uses: actions/github-script@v7 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: # We need to store the output in an environment variable and not use it directly in the createComment, # as it will likely not be a valid JS string (eg. if it contains a quote character) diff --git a/.github/workflows/go_mod_tidy.yml b/.github/workflows/go_mod_tidy.yml index 5944641ee0639c..ea01af3d14151a 100644 --- a/.github/workflows/go_mod_tidy.yml +++ b/.github/workflows/go_mod_tidy.yml @@ -16,7 +16,7 @@ jobs: if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies-go')) }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.head_ref }} - name: Checkout PR 
@@ -26,11 +26,11 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Install go - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: ".go-version" - name: Install python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.9.12" cache: "pip" @@ -46,7 +46,7 @@ jobs: - name: Update mocks if: ${{ github.event_name == 'workflow_dispatch' || !contains(github.event.pull_request.labels.*.name, 'dependencies-go-tools') }} run: inv -e security-agent.gen-mocks # generate both security agent and process mocks - - uses: stefanzweifel/git-auto-commit-action@v5 + - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1 id: autocommit with: commit_message: Auto-generate go.sum and LICENSE-3rdparty.csv changes diff --git a/.github/workflows/gohai.yml b/.github/workflows/gohai.yml index 625dd51b434a97..f8ece1afaebe30 100644 --- a/.github/workflows/gohai.yml +++ b/.github/workflows/gohai.yml @@ -30,8 +30,8 @@ jobs: go-file: [.go-version, pkg/gohai/go.mod] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: ${{ matrix.go-file }} - name: Test diff --git a/.github/workflows/label-analysis.yml b/.github/workflows/label-analysis.yml index 67b7697286124f..1c3e21582782f9 100644 --- a/.github/workflows/label-analysis.yml +++ b/.github/workflows/label-analysis.yml 
@@ -19,9 +19,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Setup python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.11 cache: 'pip' @@ -35,11 +35,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: fetch-depth: 0 - name: Setup python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.11 cache: 'pip' diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 24eb9ebd2aba03..11d65855ad4f70 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -13,7 +13,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: .github/labeler.yml diff --git a/.github/workflows/markdown-lint-check.yml b/.github/workflows/markdown-lint-check.yml index 1478a8960cfe39..94386e05e6621d 100644 --- a/.github/workflows/markdown-lint-check.yml +++ b/.github/workflows/markdown-lint-check.yml @@ -7,8 +7,8 @@ jobs: markdown-link-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: gaurav-nelson/github-action-markdown-link-check@v1 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15 with: use-quiet-mode: yes config-file: .markdown-link-check diff --git a/.github/workflows/serverless-benchmarks.yml b/.github/workflows/serverless-benchmarks.yml index 6cd86839db94e3..41aa15753729e3 100644 
--- a/.github/workflows/serverless-benchmarks.yml +++ b/.github/workflows/serverless-benchmarks.yml @@ -22,12 +22,12 @@ jobs: sha: ${{ steps.prepare.outputs.sha }} steps: - name: Checkout ${{ github.base_ref }} - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.base_ref }} - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable @@ -43,7 +43,7 @@ jobs: ./pkg/serverless/... | tee ${{runner.temp}}/benchmark.log - name: Upload result artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: baseline.log path: ${{runner.temp}}/benchmark.log @@ -58,12 +58,12 @@ jobs: steps: - name: Checkout ${{ github.ref }} - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: ref: ${{ github.sha }} - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable @@ -79,7 +79,7 @@ jobs: ./pkg/serverless/... | tee ${{runner.temp}}/benchmark.log - name: Upload result artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: current.log path: ${{runner.temp}}/benchmark.log @@ -92,7 +92,7 @@ jobs: steps: - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable cache: false 
@@ -102,12 +102,12 @@ jobs: go install golang.org/x/perf/cmd/benchstat@latest - name: Download baseline artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: baseline.log path: baseline - name: Download current artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: current.log path: current @@ -121,7 +121,7 @@ jobs: echo "EOF" >> $GITHUB_OUTPUT - name: Post comment - uses: marocchino/sticky-pull-request-comment@v2.9.0 + uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0 with: recreate: true message: | diff --git a/.github/workflows/serverless-binary-size.yml b/.github/workflows/serverless-binary-size.yml index 8432b780d3106e..8dfb4a0a1b674c 100644 --- a/.github/workflows/serverless-binary-size.yml +++ b/.github/workflows/serverless-binary-size.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout datadog-agent repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: path: go/src/github.com/DataDog/datadog-agent @@ -25,13 +25,13 @@ jobs: git checkout $GITHUB_BASE_REF - name: Checkout the datadog-lambda-extension repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: DataDog/datadog-lambda-extension path: go/src/github.com/DataDog/datadog-lambda-extension - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Previous binary size and dependencies id: previous 
@@ -77,7 +77,7 @@ jobs: ### Steps below only run if size diff > SIZE_ALLOWANCE ### - name: Install graphviz - uses: ts-graphviz/setup-graphviz@v2 + uses: ts-graphviz/setup-graphviz@b1de5da23ed0a6d14e0aeee8ed52fdd87af2363c # v2.0.2 if: steps.compare.outputs.diff > env.SIZE_ALLOWANCE - name: Install digraph @@ -109,14 +109,14 @@ jobs: done - name: Archive dependency graphs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: steps.compare.outputs.diff > env.SIZE_ALLOWANCE with: name: dependency-graphs path: go/src/github.com/DataDog/datadog-lambda-extension/graphs - name: Post comment - uses: marocchino/sticky-pull-request-comment@v2.9.0 + uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0 if: steps.compare.outputs.diff > env.SIZE_ALLOWANCE with: hide_and_recreate: true diff --git a/.github/workflows/serverless-integration.yml b/.github/workflows/serverless-integration.yml index aa55c87fff7b98..8d2fcc7a72cf67 100644 --- a/.github/workflows/serverless-integration.yml +++ b/.github/workflows/serverless-integration.yml @@ -23,12 +23,12 @@ jobs: name: ${{ matrix.suite }} on ${{ matrix.architecture }} steps: - name: Checkout datadog-agent repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: path: go/src/github.com/DataDog/datadog-agent - name: Set up Node 20 - uses: actions/setup-node@v4 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 
@@ -36,20 +36,20 @@ jobs: run: sudo yarn global add serverless@^3.36.0 --prefix /usr/local - name: Checkout the datadog-lambda-extension repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: DataDog/datadog-lambda-extension path: go/src/github.com/DataDog/datadog-lambda-extension - name: Set up QEMU id: qemu - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: image: tonistiigi/binfmt:latest platforms: amd64,arm64 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Create raw logs directory id: rawlogs @@ -59,7 +59,7 @@ jobs: - name: Run tests if AWS credentials are available id: test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 env: AWS_ACCESS_KEY_ID: ${{ secrets.SERVERLESS_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.SERVERLESS_AWS_SECRET_ACCESS_KEY }} @@ -74,7 +74,7 @@ jobs: - name: Archive raw logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: rawlogs-${{ matrix.suite }}-${{ matrix.architecture }} path: ${{ steps.rawlogs.outputs.dir }} diff --git a/.github/workflows/serverless-vuln-scan.yml b/.github/workflows/serverless-vuln-scan.yml index b7dabe4fee30a0..0c570ac239cf46 100644 --- a/.github/workflows/serverless-vuln-scan.yml +++ b/.github/workflows/serverless-vuln-scan.yml 
@@ -16,18 +16,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout datadog-agent repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: path: go/src/github.com/DataDog/datadog-agent - name: Checkout datadog-lambda-extension repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: DataDog/datadog-lambda-extension path: go/src/github.com/DataDog/datadog-lambda-extension - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Build extension run: | @@ -35,7 +35,7 @@ jobs: ./scripts/build_binary_and_layer_dockerized.sh - name: Scan amd64 image with trivy - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0 with: image-ref: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" ignore-unfixed: true @@ -43,7 +43,7 @@ jobs: format: table - name: Scan arm64 image with trivy - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0 with: image-ref: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" ignore-unfixed: true @@ -51,7 +51,7 @@ jobs: format: table - name: Scan amd64 image with grype - uses: anchore/scan-action@v3 + uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4 with: image: "datadog/build-lambda-extension-amd64:${{ env.VERSION }}" only-fixed: true @@ -60,7 +60,7 @@ jobs: output-format: table - name: Scan arm64 image with grype - uses: anchore/scan-action@v3 + uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4 with: image: "datadog/build-lambda-extension-arm64:${{ env.VERSION }}" only-fixed: true 
@@ -69,7 +69,7 @@ jobs: output-format: table - name: Scan binary files with grype - uses: anchore/scan-action@v3 + uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4 with: path: go/src/github.com/DataDog/datadog-lambda-extension/.layers only-fixed: true diff --git a/.github/workflows/windows-linters.yml b/.github/workflows/windows-linters.yml index 949390d1479927..25861dbe3836f4 100644 --- a/.github/workflows/windows-linters.yml +++ b/.github/workflows/windows-linters.yml @@ -16,12 +16,12 @@ jobs: runs-on: windows-2019 # https://github.com/actions/virtual-environments/blob/main/images/win/Windows2019-Readme.md steps: - name: Checkout datadog-agent repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: fetch-depth: 0 #needed for 'git describe' to work - name: Install python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.9.5" cache: "pip" @@ -30,12 +30,12 @@ jobs: If ($lastExitCode -ne "0") { throw "Previous command returned $lastExitCode" } - name: Install go - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: ".go-version" - name: Install Dotnet - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0 with: dotnet-version: '7.0.x' diff --git a/.github/workflows/windows-unittests.yml b/.github/workflows/windows-unittests.yml index 0f84ecb5273577..967f76600a8009 100644 --- a/.github/workflows/windows-unittests.yml +++ b/.github/workflows/windows-unittests.yml 
@@ -16,12 +16,12 @@ jobs: runs-on: windows-2022 # https://github.com/actions/virtual-environments/blob/main/images/win/Windows2019-Readme.md steps: - name: Checkout datadog-agent repository - uses: actions/checkout@v4 + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: fetch-depth: 0 #needed for 'git describe' to work - name: Install python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.9.5" cache: "pip" @@ -30,7 +30,7 @@ jobs: If ($lastExitCode -ne "0") { throw "Previous command returned $lastExitCode" } - name: Install go - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version-file: ".go-version" @@ -59,7 +59,7 @@ jobs: inv -e test --rerun-fails=2 --python-runtimes 3 --coverage --profile --python-home-3=$pythonLocation --timeout=600 --build-stdlib - name: Upload Codecov results - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: flags: windows name: codecov-windows From 781af228810b287dfcd4537e4c953d2fc152d620 Mon Sep 17 00:00:00 2001 From: Nicolas Schweitzer Date: Thu, 2 May 2024 11:12:09 +0200 Subject: [PATCH 2/3] fix the labeler configuration according to bump on v5 --- .github/labeler.yml | 23 ++++++++++++----------- .github/workflows/labeler.yml | 1 - 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 8f9851b6d3c943..1974e94dd10662 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -1,13 +1,14 @@ +--- # add system-probe label to any changes done in network, security, eventmonitor or ebpf packages component/system-probe: - - pkg/collector/corechecks/ebpf/** #ebpf-platform (oomkill and tcp_queue_length) - - pkg/ebpf/** # ebpf-platform (ebpf_manager) - - pkg/eventmonitor/** # cws (new event monitor component) - - pkg/network/** # npm and usm - - pkg/process/monitor/** # usm (process monitor) - - pkg/security/** # cws - - pkg/util/kernel/** # ebpf-platform - - cmd/system-probe/** # ebpf_platform (system-probe executable) - - tasks/system_probe.py # invoke tasks - - +- changed-files: + - any-glob-to-any-file: + - pkg/collector/corechecks/ebpf/** #ebpf-platform (oomkill and tcp_queue_length) + - pkg/ebpf/** # ebpf-platform (ebpf_manager) + - pkg/eventmonitor/** # cws (new event monitor component) + - pkg/network/** # npm and usm + - pkg/process/monitor/** # usm (process monitor) + - pkg/security/** # cws + - pkg/util/kernel/** # ebpf-platform + - cmd/system-probe/** # ebpf_platform (system-probe executable) + - tasks/system_probe.py # invoke tasks diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 11d65855ad4f70..5cade58e6495cd 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -16,6 +16,5 @@ jobs: - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" - configuration-path: .github/labeler.yml # currently doesn't work sync-labels: true From e578c2b54df12fb849544126f29384db430bb5f3 Mon Sep 17 00:00:00 2001 From: Nicolas Schweitzer Date: Thu, 2 May 2024 11:15:52 +0200 Subject: [PATCH 3/3] revert codeql to 3.24.10 as 3.25 requires a new version of cli --- .github/workflows/codeql-analysis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 578873d86660fd..e07e56ae741e37 100644 
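Review bot: The inline comment on the first new glob line, `- pkg/collector/corechecks/ebpf/** #ebpf-platform (oomkill and tcp_queue_length)`, omits the space after `#` that yamllint's `comments` rule expects and that the other entries in the same list use (`# ebpf-platform`); write it `- pkg/collector/corechecks/ebpf/** # ebpf-platform (oomkill and tcp_queue_length)` so the file lints cleanly now that it is being rewritten anyway. Since this file is now in the v5 `changed-files` form, a one-line header comment naming the format would help the next bump, e.g. `# actions/labeler v5 format: the label is applied when any glob under any-glob-to-any-file matches a changed file`. Dropping `configuration-path` in the workflow hunk is fine, as `.github/labeler.yml` is the action's default path, but it is worth stating that in the commit message rather than leaving the reader to infer it.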
--- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -42,7 +42,7 @@ jobs: go-version-file: ".go-version" - name: Initialize CodeQL - uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 with: languages: ${{ matrix.language }} setup-python-dependencies: false @@ -61,4 +61,4 @@ jobs: invoke agent.build --build-exclude=systemd - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
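Review bot: The reason for holding CodeQL at v3.24.10 lives only in this commit message, so the next pin refresh (Dependabot or a human) will re-apply the v3.25.x bump that this patch reverts and hit the same CLI incompatibility; record it in the workflow above the `init` step, e.g. `# keep init and analyze on the same SHA; v3.25 requires a newer CodeQL CLI (see e578c2b54df12fb849544126f29384db430bb5f3)`. If Dependabot manages actions, an `ignore` entry for `github/codeql-action` on the 3.25 versions would enforce the same thing mechanically. Both hunks correctly keep `init` and `analyze` on the identical SHA `4355270be187e1b672a7a1c7c7bae5afdc1ab94a`, which the comment should also make explicit so a partial bump is caught in review. The job's `steps` block continues outside both hunks.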