Merge branch 'main' into pmartinez/race-condition

duncanista · web-flow · commit 7316b726b984 · 2026-03-04T22:10:13.000+01:00
diff --git a/.github/workflows/publish-serverless-init-to-ghcr.yml b/.github/workflows/publish-serverless-init-to-ghcr.yml
@@ -43,7 +43,7 @@ jobs:
           crane version
 
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
diff --git a/.github/workflows/release-serverless-init.yml b/.github/workflows/release-serverless-init.yml
@@ -54,7 +54,7 @@ jobs:
           path: datadog-agent
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 #v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -78,7 +78,7 @@ jobs:
           cp ./scripts/serverless_init_dotnet.sh ./scripts/bin/
 
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
diff --git a/.github/workflows/rs_ci.yml b/.github/workflows/rs_ci.yml
@@ -44,7 +44,7 @@ jobs:
           unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local"
           export PATH="$PATH:$HOME/.local/bin"
 
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
         with:
           cache: false
       - uses: mozilla-actions/sccache-action@v0.0.9
@@ -72,7 +72,7 @@ jobs:
           unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local"
           export PATH="$PATH:$HOME/.local/bin"
 
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
         with:
           components: clippy
           cache: false
@@ -104,7 +104,7 @@ jobs:
           unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local"
           export PATH="$PATH:$HOME/.local/bin"
 
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
         with:
           cache: false
       - uses: mozilla-actions/sccache-action@v0.0.9
@@ -132,7 +132,7 @@ jobs:
           unzip "protoc-${{ env.PB_VERSION }}-${{ env.PB_TARGET }}.zip" -d "$HOME/.local"
           export PATH="$PATH:$HOME/.local/bin"
 
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
         with:
           cache: false
       - uses: taiki-e/install-action@v2
@@ -150,7 +150,7 @@ jobs:
         os: [ubuntu-22.04, macos-latest]
     steps:
       - uses: actions/checkout@v6.0.2
-      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.3
         with:
           components: rustfmt
           cache: false
diff --git a/.github/workflows/serverless-init-vulnerability-scan.yml b/.github/workflows/serverless-init-vulnerability-scan.yml
@@ -16,15 +16,15 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Scan latest serverless-init image with trivy
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           image-ref: "datadog/serverless-init:latest"
           ignore-unfixed: true
           exit-code: 1
           format: table
 
       - name: Scan latest-alpine serverless-init image with trivy
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           image-ref: "datadog/serverless-init:latest-alpine"
           ignore-unfixed: true
diff --git a/.github/workflows/test-qemu-versions.yml b/.github/workflows/test-qemu-versions.yml
@@ -0,0 +1,47 @@
+name: Test QEMU versions for arm64 emulation
+
+on:
+  workflow_dispatch:
+
+jobs:
+  test-qemu:
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        qemu_image:
+          # v10.x - current era
+          - "tonistiigi/binfmt:qemu-v10.2.1"   # current latest, known broken
+          - "tonistiigi/binfmt:qemu-v10.1.3"   # released Feb 17 2026, day of last good build
+          - "tonistiigi/binfmt:qemu-v10.0.4"   # Jan 2026
+          # v9.x
+          - "tonistiigi/binfmt:qemu-v9.2.2"    # reportedly has fix for segfault issue
+          - "tonistiigi/binfmt:qemu-v9.2.0"    # known broken (Feb 2025 incident)
+          # v8.x
+          - "tonistiigi/binfmt:qemu-v8.1.5"    # reported working in issue #245
+          - "tonistiigi/binfmt:qemu-v8.1.4"
+          - "tonistiigi/binfmt:qemu-v8.0.4"
+          # v7.x - known good baseline
+          - "tonistiigi/binfmt:qemu-v7.0.0-28"
+    name: "QEMU ${{ matrix.qemu_image }}"
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
+        with:
+          image: ${{ matrix.qemu_image }}
+
+      - name: Show QEMU version
+        run: docker run --rm --privileged ${{ matrix.qemu_image }} --version
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: "Test: ubuntu:22.04 apt-get install (matching compresser stage)"
+        run: |
+          docker run --rm --platform linux/arm64 ubuntu:22.04 \
+            bash -c "apt-get update && apt-get install -y zip binutils && echo 'SUCCESS: apt-get completed'"
+
+      - name: "Test: alpine:3.16 apk add (matching builder stage)"
+        run: |
+          docker run --rm --platform linux/arm64 alpine:3.16 \
+            sh -c "apk add --no-cache git make musl-dev gcc && echo 'SUCCESS: apk completed'"
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -17,15 +17,15 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Scan latest released image with trivy
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           image-ref: "public.ecr.aws/datadog/lambda-extension:latest"
           ignore-unfixed: true
           exit-code: 1
           format: table
 
       - name: Scan latest-alpine released image with trivy
-        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           image-ref: "public.ecr.aws/datadog/lambda-extension:latest-alpine"
           ignore-unfixed: true
diff --git a/bottlecap/Cargo.lock b/bottlecap/Cargo.lock
diff --git a/bottlecap/src/lifecycle/invocation/processor.rs b/bottlecap/src/lifecycle/invocation/processor.rs
@@ -285,7 +285,10 @@ impl Processor {
     /// This is used to create a cold start span, since this telemetry event does not
     /// provide a `request_id`, we try to guess which invocation is the cold start.
     pub fn on_platform_init_start(&mut self, time: DateTime<Utc>, runtime_version: Option<String>) {
-        if runtime_version.as_deref().map_or(false, |rv| rv.contains("DurableFunction")) {
+        if runtime_version
+            .as_deref()
+            .is_some_and(|rv| rv.contains("DurableFunction"))
+        {
             self.enhanced_metrics.set_durable_function_tag();
         }
         let start_time: i64 = SystemTime::from(time)
diff --git a/bottlecap/src/logger.rs b/bottlecap/src/logger.rs
@@ -79,7 +79,10 @@ where
 
         let message = format!("DD_EXTENSION | {level} | {span_prefix}{}", visitor.0);
 
-        write!(writer, "{{\"level\":\"{level}\",\"message\":\"")?;
+        // Setting specifically `status` as opposed to `level` since AWS
+        // filters out logs by the `level` field. This allows our logs to
+        // appear in CWL regardless of the log level.
+        write!(writer, "{{\"status\":\"{level}\",\"message\":\"")?;
         write_json_escaped(&mut writer, &message)?;
         writeln!(writer, "\"}}")
     }
@@ -187,7 +190,7 @@ mod tests {
         let parsed: serde_json::Value =
             serde_json::from_str(output.trim()).expect("output should be valid JSON");
 
-        assert_eq!(parsed["level"], "INFO");
+        assert_eq!(parsed["status"], "INFO");
         assert!(
             parsed["message"]
                 .as_str()
@@ -204,7 +207,7 @@ mod tests {
 
         let parsed: serde_json::Value =
             serde_json::from_str(output.trim()).expect("output should be valid JSON");
-        assert_eq!(parsed["level"], "ERROR");
+        assert_eq!(parsed["status"], "ERROR");
         assert!(
             parsed["message"]
                 .as_str()
@@ -221,7 +224,7 @@ mod tests {
 
         let parsed: serde_json::Value =
             serde_json::from_str(output.trim()).expect("output should be valid JSON");
-        assert_eq!(parsed["level"], "DEBUG");
+        assert_eq!(parsed["status"], "DEBUG");
         assert!(
             parsed["message"]
                 .as_str()
