Merge branch 'main' into yiming.luo/clarify-span-dedup-log

Author: duncanista

.github/copilot-instructions.md

@@ -0,0 +1,29 @@
+# Copilot Code Review Instructions
+
+## Security — PII and Secrets
+
+Flag any logging statements (`log::info!`, `log::debug!`, `log::warn!`, `log::error!`,
+`tracing::info!`, `tracing::debug!`, `tracing::warn!`, `tracing::error!`, or unqualified
+`info!`, `debug!`, `warn!`, `error!` macros (e.g., via `use tracing::{info, debug, warn, error}`))
+that may log:
+- HTTP request/response headers (Authorization, Cookie, X-API-Key, or similar)
+- HTTP request/response bodies or raw payloads
+- Any PII fields (e.g., email, name, user_id, ip_address, phone, ssn, date_of_birth)
+- API keys, tokens, secrets, or credentials
+- Structs or types that contain any of the above fields
+- `SendData` values or any variable that contains a `SendData` object (e.g.,
+  `traces_with_tags` or similar variables built via `.with_api_key(...).build()`),
+  since these embed the Datadog API key
+
+Suggest redacting or omitting the sensitive field rather than logging it.
+
+## Security — Unsafe Rust
+
+Flag new `unsafe` blocks and explain what invariant the author must uphold to make the
+block safe. If there is a safe alternative, suggest it.
+
+## Security — Error Handling
+
+Flag cases where errors are silently swallowed (empty `catch`, `.ok()` without
+handling, `let _ = result`) or where operations like `.unwrap()`/`.expect()` may panic,
+in code paths that handle external input or network responses.

.github/dependabot.yml

@@ -29,7 +29,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+      uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -38,7 +38,7 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+      uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+      uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,120 @@
+name: Nightly serverless-init build
+
+on:
+  schedule:
+    # 2 AM UTC (~9-10 PM ET), daily
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+env:
+  IMAGE_NAME: datadog/datadog-lambda-extension/serverless-init
+  REGISTRY: ghcr.io
+
+jobs:
+  build-nightly:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        arrays:
+          - { dockerFile: "Dockerfile.serverless-init.build", isAlpine: "false", tagSuffix: "" }
+          - { dockerFile: "Dockerfile.serverless-init.alpine.build", isAlpine: "true", tagSuffix: "-alpine" }
+    name: "Nightly Build (isAlpine: ${{ matrix.arrays.isAlpine }})"
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: DataDog/datadog-agent
+          ref: main
+          path: datadog-agent
+
+      - name: Compute version tags
+        id: meta
+        run: |
+          STAMP=$(date -u +%Y%m%d)
+          SHORT_SHA=$(git -C datadog-agent rev-parse --short=8 HEAD)
+          AGENT_VERSION=$(grep -m 1 -E '^[0-9]+\.[0-9]+\.[0-9]+$' datadog-agent/CHANGELOG.rst) || { echo "ERROR: could not detect agent version from datadog-agent's CHANGELOG.rst"; exit 1; }
+          echo "stamp=${STAMP}" >> "$GITHUB_OUTPUT"
+          echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+          echo "version=nightly-${STAMP}-${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+          echo "agent_version=${AGENT_VERSION}" >> "$GITHUB_OUTPUT"
+
+      # Pin QEMU to a known-good version. See release-serverless-init.yml
+      # and test-qemu-versions.yml for context on QEMU breakage history.
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        with:
+          image: tonistiigi/binfmt:qemu-v10.1.3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Build binaries
+        working-directory: ./scripts
+        run: ./build_serverless_init.sh
+        env:
+          AGENT_PATH: datadog-agent
+          VERSION: ${{ steps.meta.outputs.version }}
+          AGENT_VERSION: ${{ steps.meta.outputs.agent_version }}
+          SERVERLESS_INIT: "true"
+          ALPINE: ${{ matrix.arrays.isAlpine }}
+
+      - name: Set up build directory and copy binaries
+        run: cp -r .layers/. ./scripts/bin/
+
+      - name: Set up tracer installation script
+        run: cp ./scripts/serverless_init_dotnet.sh ./scripts/bin/
+
+      - name: Login to GHCR
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          context: ./scripts
+          file: ./scripts/${{ matrix.arrays.dockerFile }}
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-main${{ matrix.arrays.tagSuffix }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-${{ steps.meta.outputs.stamp }}-${{ steps.meta.outputs.short_sha }}${{ matrix.arrays.tagSuffix }}
+          provenance: false
+          platforms: linux/amd64,linux/arm64
+
+  retry:
+    needs: [build-nightly]
+    if: failure() && fromJSON(github.run_attempt) < 2
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+    steps:
+      - name: Retry failed action
+        env:
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}
+        run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}
+
+  notify:
+    needs: [build-nightly]
+    if: failure() && fromJSON(github.run_attempt) >= 2
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Notify Slack
+        env:
+          SLACK_CHANNEL: "#serverless-agent"
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        run: |
+          OPS_MESSAGE=":gh-check-failed: Nightly serverless-init build failed!
+
+          The nightly build from datadog-agent main did not succeed after retry.
+
+          See ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} for details."
+
+          curl -H "Content-type: application/json" -X POST "$SLACK_WEBHOOK" \
+            -d "$(jq -n --arg channel "$SLACK_CHANNEL" --arg text "$OPS_MESSAGE" '{channel: $channel, text: $text}')"

.github/workflows/nightly-serverless-init.yml

@@ -22,7 +22,7 @@ on:
           - "no"
       agentVersion:
         type: string
-        description: Datadog agent version
+        description: Datadog agent version (default latest release tag from Datadog agent branch)
       agentBranch:
         type: string
         description: Datadog agent branch or tag name (default main)
@@ -53,6 +53,15 @@ jobs:
           ref: ${{ github.event.inputs.agentBranch }}
           path: datadog-agent
 
+      - name: Compute agent version
+        id: meta
+        run: |
+          AGENT_VERSION="${{ github.event.inputs.agentVersion }}"
+          if [ -z "$AGENT_VERSION" ]; then
+            AGENT_VERSION=$(grep -m 1 -E '^[0-9]+\.[0-9]+\.[0-9]+$' datadog-agent/CHANGELOG.rst) || { echo "ERROR: could not detect agent version from datadog-agent's CHANGELOG.rst; set the Datadog agent version manually"; exit 1; }
+          fi
+          echo "agent_version=${AGENT_VERSION}" >> "$GITHUB_OUTPUT"
+
       # Pin QEMU to a known-good version. The default (binfmt:latest) has broken
       # arm64 emulation multiple times due to QEMU segfaults in libc-bin triggers:
       #   - Feb 2025: qemu-v9.2.0 — PR #571 pinned, PR #581 reverted to :latest
@@ -76,7 +85,7 @@ jobs:
           VERSION: ${{ github.event.inputs.tag }}
           SERVERLESS_INIT: true
           ALPINE: ${{ matrix.arrays.isAlpine }}
-          AGENT_VERSION: ${{ github.event.inputs.agentVersion }}
+          AGENT_VERSION: ${{ steps.meta.outputs.agent_version }}
 
       - name: Set up build directory and copy binaries
         run: |

.github/workflows/release-serverless-init.yml

@@ -135,7 +135,7 @@ jobs:
       - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4
         with:
           cache: false
-      - uses: taiki-e/install-action@c12d62a803cbdfe2e7263af15f5a9548065cb4f2 # v2.69.3
+      - uses: taiki-e/install-action@328a871ad8f62ecac78390391f463ccabc974b72 # v2.69.9
         with:
           tool: nextest@0.9
       - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9

.github/workflows/rs_ci.yml

@@ -0,0 +1,26 @@
+name: Secrets Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  gitleaks:
+    name: Secrets Scan
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+        with:
+          args: --redact
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

.github/workflows/secrets-scan.yml

@@ -35,7 +35,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Scan latest serverless-init image with grype
-        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
+        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
         with:
           image: "datadog/serverless-init:latest"
           only-fixed: true
@@ -44,7 +44,7 @@ jobs:
           output-format: table
 
       - name: Scan latest-alpine serverless-init image with grype
-        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
+        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
         with:
           image: "datadog/serverless-init:latest-alpine"
           only-fixed: true

.github/workflows/serverless-init-vulnerability-scan.yml

@@ -37,7 +37,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Scan latest release image with grype
-        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
+        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
         with:
           image: "public.ecr.aws/datadog/lambda-extension:latest"
           only-fixed: true
@@ -46,7 +46,7 @@ jobs:
           output-format: table
 
       - name: Scan latest-alpine release image with grype
-        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
+        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
         with:
           image: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
           only-fixed: true

.github/workflows/vulnerability-scan.yml

@@ -30,3 +30,4 @@ integration-tests/cdk.context.json
 
 .gitlab/pipeline*
 /CLAUDE.md
+/AGENTS.md