Merge branch 'main' into jordan.gonzalez/gitlab/secrets-from-kv

Author: duncanista

.github/workflows/nightly-serverless-init.yml

@@ -36,9 +36,11 @@ jobs:
         run: |
           STAMP=$(date -u +%Y%m%d)
           SHORT_SHA=$(git -C datadog-agent rev-parse --short=8 HEAD)
+          AGENT_VERSION=$(grep -m 1 -E '^[0-9]+\.[0-9]+\.[0-9]+$' datadog-agent/CHANGELOG.rst) || { echo "ERROR: could not detect agent version from datadog-agent's CHANGELOG.rst"; exit 1; }
           echo "stamp=${STAMP}" >> "$GITHUB_OUTPUT"
           echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
           echo "version=nightly-${STAMP}-${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+          echo "agent_version=${AGENT_VERSION}" >> "$GITHUB_OUTPUT"
 
       # Pin QEMU to a known-good version. See release-serverless-init.yml
       # and test-qemu-versions.yml for context on QEMU breakage history.
@@ -56,6 +58,7 @@ jobs:
         env:
           AGENT_PATH: datadog-agent
           VERSION: ${{ steps.meta.outputs.version }}
+          AGENT_VERSION: ${{ steps.meta.outputs.agent_version }}
           SERVERLESS_INIT: "true"
           ALPINE: ${{ matrix.arrays.isAlpine }}
 

.github/workflows/release-serverless-init.yml

@@ -22,7 +22,7 @@ on:
           - "no"
       agentVersion:
         type: string
-        description: Datadog agent version
+        description: Datadog agent version (default latest release tag from Datadog agent branch)
       agentBranch:
         type: string
         description: Datadog agent branch or tag name (default main)
@@ -53,6 +53,15 @@ jobs:
           ref: ${{ github.event.inputs.agentBranch }}
           path: datadog-agent
 
+      - name: Compute agent version
+        id: meta
+        run: |
+          AGENT_VERSION="${{ github.event.inputs.agentVersion }}"
+          if [ -z "$AGENT_VERSION" ]; then
+            AGENT_VERSION=$(grep -m 1 -E '^[0-9]+\.[0-9]+\.[0-9]+$' datadog-agent/CHANGELOG.rst) || { echo "ERROR: could not detect agent version from datadog-agent's CHANGELOG.rst; set the Datadog agent version manually"; exit 1; }
+          fi
+          echo "agent_version=${AGENT_VERSION}" >> "$GITHUB_OUTPUT"
+
       # Pin QEMU to a known-good version. The default (binfmt:latest) has broken
       # arm64 emulation multiple times due to QEMU segfaults in libc-bin triggers:
       #   - Feb 2025: qemu-v9.2.0 — PR #571 pinned, PR #581 reverted to :latest
@@ -76,7 +85,7 @@ jobs:
           VERSION: ${{ github.event.inputs.tag }}
           SERVERLESS_INIT: true
           ALPINE: ${{ matrix.arrays.isAlpine }}
-          AGENT_VERSION: ${{ github.event.inputs.agentVersion }}
+          AGENT_VERSION: ${{ steps.meta.outputs.agent_version }}
 
       - name: Set up build directory and copy binaries
         run: |

.github/workflows/secrets-scan.yml

@@ -0,0 +1,26 @@
+name: Secrets Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  gitleaks:
+    name: Secrets Scan
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+        with:
+          args: --redact
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

.gitleaks.toml

@@ -0,0 +1,42 @@
+title = "datadog-lambda-extension gitleaks config"
+
+# This file configures gitleaks to suppress known false positives.
+# Only add entries here after confirming a finding is NOT a real secret.
+# If a real secret is found: rotate it immediately, then add the commit hash to the `commits` list under [allowlist] below.
+#
+# Maintenance workflow:
+#   1. gitleaks flags something on a PR
+#   2. Review the finding — is it a real secret or a false positive?
+#   3. Real secret    → rotate immediately, fix the code, optionally add the commit hash below
+#   4. False positive → add the appropriate entry below with a comment explaining why
+
+[allowlist]
+description = "Known false positives"
+
+# paths: skip entire directories or files from scanning.
+# Use when a directory contains third-party code or test fixtures with fake data.
+# Examples:
+#   "integration-tests/node_modules"  — npm dependencies, not our code
+#   "bottlecap/tests/fixtures"        — test payloads with placeholder values
+#   "docs/examples"                   — documentation examples with fake keys
+paths = [
+  # npm dependencies bundled under integration-tests — not our code, would be noisy
+  "integration-tests/node_modules",
+]
+
+# regexes: suppress findings whose matched secret value matches one of these patterns.
+# Use for placeholder/example values that appear in source or docs but are not real secrets.
+# Examples:
+#   '''your-api-key'''          — generic placeholder in docs or scripts
+#   '''my_test_key'''           — unit test placeholder (bottlecap/tests/)
+#   '''AKIAIOSFODNN7EXAMPLE'''  — AWS example key from official AWS documentation
+#   '''DD_API_KEY_EXAMPLE'''    — Datadog placeholder used in README examples
+regexes = []
+
+# commits: suppress all findings from a specific historical commit.
+# Use when a commit contained a now-rotated credential that cannot be rewritten
+# (e.g., it is already on the default branch or in a public tag).
+# Always document why the commit is suppressed and confirm the credential was rotated.
+# Examples:
+#   "abc123def456"  — rotated DD_API_KEY accidentally committed on 2024-01-15, key invalidated
+commits = []