Add unit tests to Ci Visibility

ci/get_dd_api_key.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+
+# Loads DD_API_KEY for CI jobs that need Datadog API access without assuming an
+# AWS role (e.g. unit-test Test Optimization agentless reporting).
+#
+# Resolution order:
+#   1. Use DD_API_KEY if already set (e.g. GitLab CI/CD project variable).
+#   2. Read from Vault via the gitlab-runner secrets path (requires vault CLI).
+#
+# Slim python CI images do not ship vault; the script installs a static binary
+# when needed. Runners must provide VAULT_ADDR / VAULT_TOKEN for Vault auth.
+
+set -e
+
+VAULT_SECRETS_PATH="kv/k8s/gitlab-runner/datadog-lambda-python/secrets"
+VAULT_CLI_VERSION="${VAULT_CLI_VERSION:-1.18.5}"
+
+_ensure_vault_cli() {
+    if command -v vault >/dev/null 2>&1; then
+        return 0
+    fi
+
+    local arch
+    case "$(uname -m)" in
+        x86_64 | amd64) arch=amd64 ;;
+        aarch64 | arm64) arch=arm64 ;;
+        *)
+            printf "[Error] Unsupported architecture for vault install: %s\n" "$(uname -m)" >&2
+            exit 1
+            ;;
+    esac
+
+    local install_dir="${TMPDIR:-/tmp}/vault-cli-${VAULT_CLI_VERSION}-${arch}"
+    mkdir -p "$install_dir"
+
+    if [ ! -x "${install_dir}/vault" ]; then
+        if ! command -v curl >/dev/null 2>&1 || ! command -v unzip >/dev/null 2>&1; then
+            apt-get update -qq
+            apt-get install -y -qq curl unzip
+        fi
+
+        local zip_url="https://releases.hashicorp.com/vault/${VAULT_CLI_VERSION}/vault_${VAULT_CLI_VERSION}_linux_${arch}.zip"
+        printf "Installing vault CLI %s (%s)...\n" "$VAULT_CLI_VERSION" "$arch"
+        curl -fsSL "$zip_url" -o "${install_dir}/vault.zip"
+        unzip -qo "${install_dir}/vault.zip" -d "$install_dir"
+        rm -f "${install_dir}/vault.zip"
+    fi
+
+    export PATH="${install_dir}:${PATH}"
+}
+
+_export_dd_api_key() {
+    export DD_API_KEY
+
+    if [ -n "${GITLAB_ENV:-}" ]; then
+        echo "DD_API_KEY=${DD_API_KEY}" >>"$GITLAB_ENV"
+    fi
+}
+
+if [ -n "${DD_API_KEY:-}" ]; then
+    printf "Using DD_API_KEY from environment.\n"
+else
+    printf "Getting DD API KEY from Vault...\n"
+
+    _ensure_vault_cli
+
+    DD_API_KEY=$(vault kv get -field=dd-api-key "$VAULT_SECRETS_PATH")
+
+    if [ -z "$DD_API_KEY" ]; then
+        printf "[Error] DD_API_KEY is empty after Vault lookup.\n" >&2
+        return 1 2>/dev/null || exit 1
+    fi
+fi
+
+_export_dd_api_key

ci/input_files/build.yaml.tpl

@@ -82,11 +82,19 @@ unit-test ({{ $runtime.name }}-{{ $runtime.arch }}):
   {{ end }}
   image: registry.ddbuild.io/images/mirror/python:{{ $runtime.image }}
   cache: &{{ $runtime.name }}-{{ $runtime.arch }}-cache
+  variables:
+    DD_CIVISIBILITY_AGENTLESS_ENABLED: "true"
+    DD_SERVICE: "datadog-lambda-python-{{ $runtime.python_version }}-{{ $runtime.arch }}"
+    DD_ENV: "ci"
   before_script:
+    - source ./ci/get_dd_api_key.sh
     - PYTHON_VERSION={{ $runtime.python_version }} ARCH={{ $runtime.arch }} ./scripts/setup_python_env.sh
   script:
-    - source venv/bin/activate
-    - pytest -vv
+    - |
+      set -e
+      source ./ci/get_dd_api_key.sh
+      source venv/bin/activate
+      pytest -vv --ddtrace
   retry: 2
 
 integration-test ({{ $runtime.name }}-{{ $runtime.arch }}):

scripts/run_integration_tests.sh

@@ -220,6 +220,8 @@ for handler_name in "${LAMBDA_HANDLERS[@]}"; do
                 # Normalize python-requests version
                 sed -E "s/(User-Agent:python-requests\/)[0-9]+\.[0-9]+\.[0-9]+/\1X\.X\.X/g" |
                 sed -E "s/(\"http.useragent\"\: \"python-requests\/)[0-9]+\.[0-9]+\.[0-9]+/\1X\.X\.X/g" |
+                # ddtrace 4.x adds http.status_msg (derived from http.status_code); omit from snapshots
+                sed '/"http\.status_msg"/d' |
                 # Strip out trace/span/parent/timestamps
                 sed -E "s/(\"trace_id\"\: \")[A-Z0-9\.\-]+/\1XXXX/g" |
                 sed -E "s/(\"span_id\"\: \")[A-Z0-9\.\-]+/\1XXXX/g" |

tests/test_tracing.py

@@ -1045,13 +1045,15 @@ def test_set_correlation_ids(self):
         self.assertEqual(span.parent_id, int(fake_xray_header_value_parent_decimal))
         span.finish()
 
+    @patch("datadog_lambda.config.Config.trace_enabled", False)
     def test_set_correlation_ids_handle_empty_trace_context(self):
-        # neither x-ray or ddtrace is used. no tracing context at all.
+        # Incomplete trace context: no dummy span should be created. Do not assert
+        # tracer.current_span() is None — pytest's CI Visibility plugin (--ddtrace)
+        # keeps a root test span active for the duration of the test.
         self.mock_get_dd_trace_context.return_value = Context()
-        # no exception thrown
-        set_correlation_ids()
-        span = tracer.current_span()
-        self.assertIsNone(span)
+        with patch.object(tracer, "trace") as mock_trace:
+            set_correlation_ids()
+            mock_trace.assert_not_called()
 
 
 def _expected_span_pointer_link(