DataDog · ichinaski · Aug 13, 2024 · Aug 14, 2024 · Aug 14, 2024 · Aug 14, 2024
@@ -40,6 +40,9 @@ concurrency:
   # Automatically cancel previous runs if a new one is triggered to conserve resources.
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
 
+permissions:
+  contents: read
+
 jobs:
   # Prepare the cache of Go modules to share it will the other jobs.
   # This maximizes cache hits and minimizes the time spent downloading Go modules.
@@ -95,7 +98,7 @@ jobs:
     strategy:
       matrix:
         runs-on: [ macos-12, macos-14 ] # oldest and newest macos runners available - macos-14 mainly is here to cover the fact it is an ARM machine
-        go-version: [ "1.22", "1.21" ]
+        go-version: [ "1.22", "1.23" ]
       fail-fast: true # saving some CI time - macos runners too long to get
     steps:
       - uses: actions/checkout@v4
@@ -187,7 +190,7 @@ jobs:
     needs: go-mod-caching
     strategy:
       matrix:
-        go-version: [ "1.22", "1.21" ]
+        go-version: [ "1.22", "1.23" ]
         distribution: [ bookworm, bullseye, alpine ]
         platform: [ linux/amd64, linux/arm64 ]
 

@@ -2,6 +2,10 @@ on: [push]
 
 name: Datadog Static Analysis
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   static-analysis:
     runs-on: ubuntu-latest

@@ -5,6 +5,9 @@ on:
       - reopened
       - opened
       - edited
+permissions:
+  contents: read
+  issues: write
 jobs:
   label_issues:
     if: contains(github.event.issue.title, 'contrib')

@@ -7,6 +7,9 @@ on:
       - opened
       - reopened
       - edited
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   label_issues:
     runs-on: ubuntu-latest

@@ -14,6 +14,9 @@ on:
     - cron: '00 00 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck-tests:
     runs-on: ubuntu-latest

@@ -22,7 +22,7 @@ jobs:
   unit-integration-tests:
     strategy:
       matrix:
-        go-version: [ "1.21", "1.22" ]
+        go-version: [ "1.22", "1.23" ]
       fail-fast: false
     uses: ./.github/workflows/unit-integration-tests.yml
     with:
@@ -33,7 +33,7 @@ jobs:
     strategy:
       matrix:
         runs-on: [ macos-latest, windows-latest, ubuntu-latest ]
-        go-version: [ "1.21", "1.22" ]
+        go-version: [ "1.22", "1.23" ]
       fail-fast: false
     uses: ./.github/workflows/multios-unit-tests.yml
     with:

@@ -29,6 +29,9 @@ on:
 env:
   DD_APPSEC_WAF_TIMEOUT: 1m # Increase time WAF time budget to reduce CI flakiness
 
+permissions:
+  contents: read
+
 jobs:
   test-multi-os:
     runs-on: "${{ inputs.runs-on }}"

@@ -17,7 +17,7 @@ concurrency:
 jobs:
   test:
     name: 'Run Tests'
-    uses: DataDog/orchestrion/.github/workflows/workflow_call.yml@eliott.bouhana/APPSEC-53773 # we don't want to pin our own action
+    uses: DataDog/orchestrion/.github/workflows/workflow_call.yml@main # we don't want to pin our own action
     with:
       dd-trace-go-ref: ${{ github.sha }}
       runs-on: ubuntu-latest-16-cores
@@ -21,6 +21,9 @@ on:
   schedule:
     - cron:  '00 04 * * 2-6'
 
+permissions:
+  contents: read
+
 jobs:
   parametric-tests:
     if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')

@@ -18,6 +18,6 @@ jobs:
     name: PR Unit and Integration Tests
     uses: ./.github/workflows/unit-integration-tests.yml
     with:
-      go-version: "1.21"
+      go-version: "1.22"
       ref: ${{ github.ref }}
     secrets: inherit
@@ -27,6 +27,9 @@ on:
 env:
   TEST_RESULTS: /tmp/test-results # path to where test results will be saved
 
+permissions:
+  contents: read
+
 jobs:
   go-get-u:
     #  Run go get -u to upgrade dd-trace-go dependencies to their
@@ -70,13 +73,20 @@ jobs:
     # Run go mod tidy to ensure that all go.mod and go.sum files are up-to-date.
     name: 'go mod tidy smoke test'
     runs-on: ubuntu-latest
+    env:
+      # Users may build our library with GOTOOLCHAIN=local. If they do, and our
+      # go.mod file specifies a newer Go version than their local toolchain, their
+      # build will break. Run our tests with GOTOOLCHAIN=local to ensure that
+      # our library builds with all of the Go versions we claim to support,
+      # without having to download a newer one.
+      GOTOOLCHAIN: local
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref || github.ref }}
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           cache: true
       - name: go mod tidy
         run: |-
@@ -99,7 +109,7 @@ jobs:
       matrix:
         # TODO: cross-compilation from/to different hardware architectures once
         #       github provides native ARM runners.
-        go: [ "1.21", "1.22", "1.23-rc" ]
+        go: [ "1.22", "1.23" ]
         build-env: [ alpine, bookworm, bullseye ]
         build-with-cgo: [ 0, 1 ]
         deployment-env: [ alpine, debian11, debian12, al2, al2023, busybox, scratch ]
@@ -171,7 +181,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: ./internal/apps/setup-smoke-test/Dockerfile
+          file: ./internal/setup-smoke-test/Dockerfile
           push: false
           load: true
           tags: smoke-test

@@ -4,6 +4,10 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest

@@ -27,6 +27,9 @@ on:
   schedule:
     - cron:  '00 04 * * 2-6'
 
+permissions:
+  contents: read
+
 jobs:
   system-tests:
     if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')
@@ -43,6 +46,8 @@ jobs:
           - uds-echo
         scenario:
           - DEFAULT
+          - INTEGRATIONS
+          - CROSSED_TRACING_LIBRARIES
           - APPSEC_DISABLED
           - APPSEC_BLOCKING
           - APPSEC_BLOCKING_FULL_DENYLIST
@@ -56,7 +61,7 @@ jobs:
           - weblog-variant: net-http
             scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES
           - weblog-variant: net-http
-            scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES
+            scenario: REMOTE_CONFIG_MOCKED_BACKEND_LIVE_DEBUGGING
           - weblog-variant: net-http
             scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD
           # AppSec scenarios that don't depend on the integrations, so we just run on the net/http variant
@@ -103,6 +108,8 @@ jobs:
       DD_API_KEY: ${{ secrets.DD_API_KEY }}
       SYSTEM_TESTS_E2E_DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
       SYSTEM_TESTS_E2E_DD_APP_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
+      SYSTEM_TESTS_AWS_ACCESS_KEY_ID: ${{ secrets.SYSTEM_TESTS_IDM_AWS_ACCESS_KEY_ID }}
+      SYSTEM_TESTS_AWS_SECRET_ACCESS_KEY: ${{ secrets.SYSTEM_TESTS_IDM_AWS_SECRET_ACCESS_KEY }}
     name: Test (${{ matrix.weblog-variant }}, ${{ matrix.scenario }})
     steps:
       - name: Checkout system tests
@@ -134,7 +141,7 @@ jobs:
         run: tar -czvf artifact.tar.gz $(ls | grep logs)
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: ${{ always() }}
         with:
           name: logs_${{ matrix.weblog-variant }}_${{ matrix.scenario }}

@@ -115,6 +115,10 @@ env: {
   DD_TAGS: "github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs['arg: tags'] }}",
 }
 
+permissions: {
+    contents: "read",
+}
+
 jobs: {
     for i, scenario in #scenarios {
         for j, env in #envs {

@@ -64,6 +64,8 @@ name: Test Apps
 env:
   DD_ENV: github
   DD_TAGS: 'github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs[''arg: tags''] }}'
+permissions:
+  contents: read
 jobs:
   job-0-0:
     name: unit-of-work/v1 (prod)

@@ -13,6 +13,15 @@ on:
 
 env:
   DD_APPSEC_WAF_TIMEOUT: 1m # Increase time WAF time budget to reduce CI flakiness
+  # Users may build our library with GOTOOLCHAIN=local. If they do, and our
+  # go.mod file specifies a newer Go version than their local toolchain, their
+  # build will break. Run our tests with GOTOOLCHAIN=local to ensure that
+  # our library builds with all of the Go versions we claim to support,
+  # without having to download a newer one.
+  GOTOOLCHAIN: local
+
+permissions:
+  contents: read
 
 jobs:
   copyright:
@@ -22,7 +31,10 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ inputs.ref || github.ref }}
-
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
       - name: Copyright
         run: |
           go run checkcopyright.go
@@ -163,20 +175,24 @@ jobs:
         image: memcached:1.5.9
         ports:
           - 11211:11211
-      zookeeper:
-        image: bitnami/zookeeper:latest
-        env:
-          ALLOW_ANONYMOUS_LOGIN: "yes"
-        ports:
-          - 2181:2181
       kafka:
-        image: darccio/kafka:2.13-2.8.1
+        image: confluentinc/confluent-local:7.5.0
         env:
-          KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
-          KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://localhost:9092
-          KAFKA_LISTENERS: PLAINTEXT://0.0.0.0:9092
-          KAFKA_CREATE_TOPICS: gotest:1:1,gosegtest:1:1
-          KAFKA_BROKER_ID: 1
+          KAFKA_LISTENERS: "PLAINTEXT://0.0.0.0:9093,BROKER://0.0.0.0:9092,CONTROLLER://0.0.0.0:9094"
+          KAFKA_ADVERTISED_LISTENERS: "PLAINTEXT://localhost:9093,BROKER://localhost:9092"
+          KAFKA_REST_BOOTSTRAP_SERVERS: "PLAINTEXT://0.0.0.0:9093,BROKER://0.0.0.0:9092"
+          KAFKA_CONTROLLER_QUORUM_VOTERS: "1@localhost:9094"
+          KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "BROKER:PLAINTEXT,PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT"
+          KAFKA_INTER_BROKER_LISTENER_NAME: "BROKER"
+          KAFKA_BROKER_ID: "1"
+          KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: "1"
+          KAFKA_OFFSETS_TOPIC_NUM_PARTITIONS: "1"
+          KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: "1"
+          KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: "1"
+          KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: "0"
+          KAFKA_NODE_ID: "1"
+          KAFKA_PROCESS_ROLES: "broker,controller"
+          KAFKA_CONTROLLER_LISTENER_NAMES: "CONTROLLER"
         ports:
           - 9092:9092
       localstack:
@@ -245,7 +261,7 @@ jobs:
 
       - name: Testing outlier google.golang.org/api
         run: |
-              go get google.golang.org/api@v0.121.0 # version used to generate code
+              go get google.golang.org/api@v0.192.0 # version used to generate code
               go mod tidy # Go1.16 doesn't update the sum file correctly after the go get, this tidy fixes it
               go test -v ./contrib/google.golang.org/api/...