Merge branch 'main' into dinesh.gurumurthy/OASIS-13

.circleci/config.yml

@@ -15,7 +15,7 @@ experimental:
 templates:
   job_template: &job_template
     docker:
-      - image: gcr.io/datadoghq/agent-circleci-runner:v32377621-ce42cb8e
+      - image: gcr.io/datadoghq/agent-circleci-runner:v32778237-8467c81e
         environment:
           USE_SYSTEM_LIBS: "1"
     working_directory: /go/src/github.com/DataDog/datadog-agent

.github/labeler.yml

@@ -1,13 +1,14 @@
+---
 # add system-probe label to any changes done in network, security, eventmonitor or ebpf packages
 component/system-probe:
-  - pkg/collector/corechecks/ebpf/** #ebpf-platform (oomkill and tcp_queue_length)
-  - pkg/ebpf/** # ebpf-platform (ebpf_manager)
-  - pkg/eventmonitor/** # cws (new event monitor component)
-  - pkg/network/** # npm and usm
-  - pkg/process/monitor/** # usm (process monitor)
-  - pkg/security/** # cws
-  - pkg/util/kernel/** # ebpf-platform
-  - cmd/system-probe/** # ebpf_platform (system-probe executable)
-  - tasks/system_probe.py # invoke tasks
-
-
+- changed-files:
+  - any-glob-to-any-file:
+    - pkg/collector/corechecks/ebpf/** #ebpf-platform (oomkill and tcp_queue_length)
+    - pkg/ebpf/** # ebpf-platform (ebpf_manager)
+    - pkg/eventmonitor/** # cws (new event monitor component)
+    - pkg/network/** # npm and usm
+    - pkg/process/monitor/** # usm (process monitor)
+    - pkg/security/** # cws
+    - pkg/util/kernel/** # ebpf-platform
+    - cmd/system-probe/** # ebpf_platform (system-probe executable)
+    - tasks/system_probe.py # invoke tasks

.github/workflows/add_milestone.yml

@@ -18,7 +18,7 @@ jobs:
       GH_REPO: ${{ github.repository }}
     steps:
       - name: Checkout datadog-agent repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 
       - name: Get repo current milestone
         id: current-milestone

.github/workflows/backport-pr.yml

@@ -19,12 +19,12 @@ jobs:
         )
       )
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
         id: app-token
         with:
           app-id: ${{ vars.DD_GITHUB_TOKEN_GENERATOR_APP_ID }}
           private-key: ${{ secrets.DD_GITHUB_TOKEN_GENERATOR_PRIVATE_KEY }}
-      - uses: tibdex/backport@v2
+      - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
         with:
           label_pattern: "^backport/(?<base>([^ ]+))$"
           labels_template: "<%= JSON.stringify([...labels, 'backport', 'bot']) %>"

.github/workflows/buildimages-update.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           ref: ${{ github.head_ref }}
 
@@ -43,19 +43,19 @@ jobs:
           fi
 
       - name: Checkout branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         if: ${{ steps.branch_fetch.outputs.RESULT == 'true' }}
         with:
           ref: ${{ inputs.branch }}
 
       - name: Setup Python and pip
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           # use Python < 3.12 so that distutil is still available by default
           python-version: 3.11
           cache: "pip"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           # use the go version from the input, not from the .go-version file
           # in case it's a Go update PR
@@ -83,7 +83,7 @@ jobs:
             echo 'MESSAGE=Update Go version to ${{ inputs.go_version }}' >> $GITHUB_OUTPUT
           fi
 
-      - uses: stefanzweifel/git-auto-commit-action@v5
+      - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
         id: autocommit
         with:
           commit_message: ${{ steps.update_build_images.outputs.MESSAGE }}

.github/workflows/codeql-analysis.yml

@@ -19,12 +19,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
 
       - name: Setup Python3
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: "3.11.8"
           cache: "pip"
@@ -37,12 +37,12 @@ jobs:
           echo "CGO_LDFLAGS= -L${GITHUB_WORKSPACE}/rtloader/build/rtloader -ldl " >> $GITHUB_ENV
           echo "CGO_CFLAGS= -I${GITHUB_WORKSPACE}/rtloader/include  -I${GITHUB_WORKSPACE}/rtloader/common " >> $GITHUB_ENV
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: ".go-version"
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/[email protected]
+        uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           languages: ${{ matrix.language }}
           setup-python-dependencies: false
@@ -61,4 +61,4 @@ jobs:
           invoke agent.build --build-exclude=systemd
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/[email protected]
+        uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10

.github/workflows/create_rc_pr.yml

@@ -12,12 +12,12 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
               with:
                 fetch-depth: 0
 
             - name: Install python
-              uses: actions/setup-python@v5
+              uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
               with:
                 python-version: 3.11
                 cache: "pip"
@@ -33,7 +33,7 @@ jobs:
                 echo "RELEASE_BRANCH=$(inv -e release.get-active-release-branch)" >> $GITHUB_ENV
             
             - name: Checkout release branch
-              uses: actions/checkout@v4
+              uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
               with:
                 ref: ${{ env.RELEASE_BRANCH }}
                 fetch-depth: 0

.github/workflows/cws-btfhub-sync.yml

@@ -26,25 +26,25 @@ jobs:
           docker rmi $(docker image ls -aq) >/dev/null 2>&1
 
       - name: Checkout datadog-agent repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           ref: ${{ inputs.base_branch || 'main' }}
 
       - name: Checkout btfhub-archive repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           repository: DataDog/btfhub-archive
           path: dev/dist/archive
 
       - name: Install python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.9'
           cache: 'pip'
       - run: pip install -r requirements.txt
 
       - name: Install go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: '.go-version'
 
@@ -61,7 +61,7 @@ jobs:
         run: |
           inv -e security-agent.generate-btfhub-constants --archive-path=./dev/dist/archive ${{ inputs.force_refresh && '--force-refresh' || '' }}
 
-      - uses: stefanzweifel/git-auto-commit-action@v5
+      - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
         id: commit-creator
         with:
           commit_message: "CWS: sync BTFhub constants"
@@ -71,7 +71,7 @@ jobs:
           skip_checkout: true
 
       - name: Create Pull Request
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: steps.commit-creator.outputs.changes_detected == 'true'
         with:
           script: |

.github/workflows/docs-dev.yml

@@ -21,13 +21,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       with:
         # Fetch all history for applying timestamps to every page
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
       with:
         python-version: '3.12'
 
@@ -45,7 +45,7 @@ jobs:
     - name: Build documentation
       run: invoke docs.build
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: documentation
         path: site
@@ -58,12 +58,12 @@ jobs:
     - build
 
     steps:
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         name: documentation
         path: site
 
-    - uses: peaceiris/actions-gh-pages@v3
+    - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: site

.github/workflows/external-contributor.yml

@@ -1,3 +1,4 @@
+---
 name: Handle External Contributor PRs
 
 on:
@@ -11,10 +12,27 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.pull_request.head.repo.full_name != github.repository
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: main
+          fetch-depth: 0
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+          cache: 'pip'
+          cache-dependency-path: '**/requirements*.txt'
+      - name: Install dependencies
+        run: pip install -r requirements.txt -r tasks/requirements.txt
       - name: Set label on external contributor PRs
-        run: gh issue edit "$NUMBER" --add-label "$LABELS" --milestone "$MILESTONE"
+        run: |
+          gh issue edit "$NUMBER" --milestone "$MILESTONE"
+          inv -e github.handle-community-pr --repo="$GH_REPO" --pr-id="$NUMBER" --labels="$LABELS"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SLACK_API_TOKEN: ${{ secrets.SLACK_DATADOG_AGENT_BOT_TOKEN }}
           GH_REPO: ${{ github.repository }}
           NUMBER: ${{ github.event.number }}
           # labels is a comma-separated list of tags

.github/workflows/go-update-commenter.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # get the Go version of the target branch
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           ref: ${{ github.base_ref }}
       - name: Get former Go version
@@ -21,7 +21,7 @@ jobs:
           echo version="$(cat .go-version)" >> $GITHUB_OUTPUT
 
       # get the Go version of the PR branch
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Get current Go version
         id: new_go_version
         run: |
@@ -50,7 +50,7 @@ jobs:
           } >> $GITHUB_OUTPUT
 
       # and display it
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           # We need to store the output in an environment variable and not use it directly in the createComment,
           # as it will likely not be a valid JS string (eg. if it contains a quote character)

.github/workflows/go_mod_tidy.yml

@@ -16,7 +16,7 @@ jobs:
     if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies-go')) }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           ref: ${{ github.head_ref }}
       - name: Checkout PR
@@ -26,11 +26,11 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Install go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: ".go-version"
       - name: Install python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: "3.9.12"
           cache: "pip"
@@ -46,7 +46,7 @@ jobs:
       - name: Update mocks
         if: ${{ github.event_name == 'workflow_dispatch' || !contains(github.event.pull_request.labels.*.name, 'dependencies-go-tools') }}
         run: inv -e security-agent.gen-mocks # generate both security agent and process mocks
-      - uses: stefanzweifel/git-auto-commit-action@v5
+      - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
         id: autocommit
         with:
           commit_message: Auto-generate go.sum and LICENSE-3rdparty.csv changes

.github/workflows/gohai.yml

@@ -30,8 +30,8 @@ jobs:
         go-file: [.go-version, pkg/gohai/go.mod]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: ${{ matrix.go-file }}
       - name: Test

.github/workflows/label-analysis.yml

@@ -19,9 +19,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Setup python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: 3.11
           cache: 'pip'
@@ -35,11 +35,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
       - name: Setup python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: 3.11
           cache: 'pip'

.github/workflows/labeler.yml

@@ -13,9 +13,8 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v4
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-path: .github/labeler.yml
           # currently doesn't work
           sync-labels: true

.github/workflows/markdown-lint-check.yml

@@ -7,8 +7,8 @@ jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: gaurav-nelson/github-action-markdown-link-check@v1
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+    - uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15
       with:
         use-quiet-mode: yes
         config-file: .markdown-link-check