Merge branch 'main' of github.com:DataDog/datadog-agent into pgimalac…

…/update-python-workflows

.github/CODEOWNERS

@@ -59,6 +59,7 @@
 /.github/workflows/cws-btfhub-sync.yml               @DataDog/agent-security
 /.github/workflows/gohai.yml                         @DataDog/agent-shared-components
 /.github/workflows/go-update-commenter.yml           @DataDog/agent-shared-components
+/.github/workflows/update_dependencies.yml           @DataDog/agent-shared-components
 /.github/workflows/buildimages-update.yml            @DataDog/agent-delivery @DataDog/agent-shared-components
 /.github/workflows/collector-generate-and-update.yml @DataDog/opentelemetry
 
@@ -270,6 +271,7 @@
 /go.mod                                 # do not notify anyone
 /go.sum                                 # do not notify anyone
 
+
 /Makefile.trace                         @DataDog/agent-apm
 
 /omnibus/                               @DataDog/agent-delivery
@@ -646,3 +648,16 @@
 /internal/third_party/client-go         @DataDog/container-platform
 /internal/third_party/kubernetes        @DataDog/container-integrations
 /internal/third_party/golang/           @DataDog/container-integrations
+
+# With the introduction of go.work, dependencies bump modify go.mod and go.sum in a lot of file.
+# Which bring a lot of team in the review each time. To make it smoother we no longer consider go.mod and go.sum owned by teams.
+# Each team can individually decide to update CODEOWNERS to be requested for a review on each modification of their go.mod/sum
+/**/go.mod                              # do not notify anyone
+/**/go.sum                              # do not notify anyone
+
+# Add here modules that need explicit review from the team owning them
+/internal/tools/**/go.mod                @DataDog/agent-devx-loops
+/internal/tools/**/go.sum                @DataDog/agent-devx-loops
+
+/pkg/util/scrubber/go.mod                @DataDog/agent-shared-components
+/pkg/util/scrubber/go.sum                @DataDog/agent-shared-components

.github/workflows/codeql-analysis.yml

@@ -45,7 +45,7 @@ jobs:
           go-version-file: ".go-version"
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
+        uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           languages: ${{ matrix.language }}
           config: |
@@ -67,4 +67,4 @@ jobs:
           invoke agent.build --build-exclude=systemd
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
+        uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9

.github/workflows/create_rc_pr.yml

@@ -5,10 +5,12 @@ on:
   schedule:
     - cron: '0 14 * * 1,3,5' # Run on Monday, Wednesday, and Friday at 14:00 UTC
     - cron: '0 8 * * 1,3,5' # Same as above but at 08:00 UTC, to warn agent-integrations team about releasing
+    - cron: '0 9 * * 1' # Run Agent 6 workflow on Monday at 09:00 UTC
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
+  AGENT6_RELEASE_BRANCH: '6.53.x'
+  IS_AGENT6_RELEASE: ${{ github.event.schedule == '0 9 * * 1' }}
 permissions: {}
 
 jobs:
@@ -19,18 +21,21 @@ jobs:
           warning: ${{ steps.warning.outputs.value }}
         steps:
             - name: Checkout repository
+              if: ${{ env.IS_AGENT6_RELEASE == 'false' }}
               uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
               with:
                 sparse-checkout: 'tasks'
                 persist-credentials: false
 
             - name: Install python
+              if: ${{ env.IS_AGENT6_RELEASE == 'false' }}
               uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
               with:
                 python-version-file: .python-version
                 cache: "pip"
 
             - name: Install Python dependencies
+              if: ${{ env.IS_AGENT6_RELEASE == 'false' }}
               run: |
                 python -m pip install --upgrade pip
                 pip install -r requirements.txt
@@ -40,7 +45,11 @@ jobs:
             - name: Determine the release active branches
               id: branches
               run: |
-                echo "value=$(inv release.get-unreleased-release-branches)" >> $GITHUB_OUTPUT
+                if ${{ env.IS_AGENT6_RELEASE == 'true' }}; then
+                  echo "value=[\"$AGENT6_RELEASE_BRANCH\"]" >> $GITHUB_OUTPUT
+                else
+                  echo "value=$(inv release.get-unreleased-release-branches)" >> $GITHUB_OUTPUT
+                fi
 
             - name: Set the warning option
               id: warning
@@ -93,11 +102,12 @@ jobs:
                 fi
 
             - name: Create RC PR
-              if: ${{ steps.check_for_changes.outputs.CHANGES == 'true'}}
+              if: ${{ steps.check_for_changes.outputs.CHANGES == 'true' || env.IS_AGENT6_RELEASE == 'true' }}
               env:
                 MATRIX: ${{ matrix.value }}
               run: |
-                git config user.name "github-actions[bot]"
-                git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-                git fetch
-                inv -e release.create-rc -r "$MATRIX" --slack-webhook=${{ secrets.AGENT_RELEASE_SYNC_SLACK_WEBHOOK }}
+                if ${{ env.IS_AGENT6_RELEASE == 'true' }}; then
+                  inv -e release.create-rc -r "$MATRIX" --slack-webhook=${{ secrets.AGENT_RELEASE_SYNC_SLACK_WEBHOOK }} --patch-version
+                else
+                  inv -e release.create-rc -r "$MATRIX" --slack-webhook=${{ secrets.AGENT_RELEASE_SYNC_SLACK_WEBHOOK }}
+                fi

.github/workflows/cws-btfhub-sync.yml

@@ -97,7 +97,7 @@ jobs:
           inv -e security-agent.generate-btfhub-constants --archive-path=./dev/dist/archive --output-path=./"$ARTIFACT_NAME".json --force-refresh
 
       - name: Upload artifact
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: ${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
           path: ./${{ steps.artifact-name.outputs.ARTIFACT_NAME }}.json
@@ -127,7 +127,7 @@ jobs:
           go-version-file: '.go-version'
 
       - name: Download All Artifacts
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           path: ./dev/dist/constants
           pattern: constants-*

.github/workflows/docs-dev.yml

@@ -50,7 +50,7 @@ jobs:
     - name: Build documentation
       run: invoke docs.build
 
-    - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+    - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: documentation
         path: site
@@ -65,7 +65,7 @@ jobs:
     - build
 
     steps:
-    - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+    - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: documentation
         path: site

.github/workflows/serverless-benchmarks.yml

@@ -48,7 +48,7 @@ jobs:
               ./pkg/serverless/... | tee "$TEMP_RUNNER"/benchmark.log
 
       - name: Upload result artifact
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: baseline.log
           path: ${{runner.temp}}/benchmark.log
@@ -87,7 +87,7 @@ jobs:
               ./pkg/serverless/... | tee "$TEMP_RUNNER"/benchmark.log
 
       - name: Upload result artifact
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: current.log
           path: ${{runner.temp}}/benchmark.log
@@ -112,12 +112,12 @@ jobs:
           go install golang.org/x/perf/cmd/benchstat@latest
 
       - name: Download baseline artifact
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: baseline.log
           path: baseline
       - name: Download current artifact
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: current.log
           path: current

.github/workflows/serverless-binary-size.yml

@@ -43,7 +43,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
 
       - name: Previous binary size and dependencies
         id: previous
@@ -152,7 +152,7 @@ jobs:
           done
 
       - name: Archive dependency graphs
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: steps.should.outputs.should_run == 'true'
         with:
           name: dependency-graphs

.github/workflows/serverless-integration.yml

@@ -54,7 +54,7 @@ jobs:
           platforms: amd64,arm64
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
 
       - name: Create raw logs directory
         id: rawlogs
@@ -80,7 +80,7 @@ jobs:
 
       - name: Archive raw logs
         if: always()
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: rawlogs-${{ matrix.suite }}-${{ matrix.architecture }}
           path: ${{ steps.rawlogs.outputs.dir }}

.github/workflows/update_dependencies.yml

@@ -0,0 +1,82 @@
+name: Update golang.org/x/... dependencies
+on:
+  schedule:
+    # Run every 10th of the month, as it seems golang.org/x/... packages are usually
+    # released at the beginning of the month.
+    # Run at 6AM UTC so that it's ready at the beginning of the day CET.
+    - cron: "0 6 10 * *"
+
+  # allow triggering the workflow manually
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  backport:
+    name: Update golang.org/x/... dependencies
+    runs-on: ubuntu-latest
+    permissions: {} # the workflow uses the GitHub App token to create the PR so no specific permissions needed here
+    steps:
+      - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        id: app-token
+        with:
+          app-id: ${{ vars.DD_GITHUB_TOKEN_GENERATOR_APP_ID }}
+          private-key: ${{ secrets.DD_GITHUB_TOKEN_GENERATOR_PRIVATE_KEY }}
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          # credentials are needed to create the PR at the end of the workflow
+          persist-credentials: true
+          token: ${{ steps.app-token.outputs.token }}
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: ".go-version"
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        with:
+          cache: "pip"
+      - name: Install dependencies
+        run: pip install -r requirements.txt -r tasks/requirements.txt
+      - name: Update every golang.org/x/... package
+        run: |
+          go get -u golang.org/x/arch golang.org/x/crypto \
+                    golang.org/x/lint golang.org/x/mod \
+                    golang.org/x/net golang.org/x/sync \
+                    golang.org/x/sys golang.org/x/term \
+                    golang.org/x/text golang.org/x/time \
+                    golang.org/x/xerrors golang.org/x/tools \
+                    golang.org/x/exp
+          # run tidy twice because the first one doesn't always clean everything
+          # depending on module order
+          inv -e tidy tidy
+      - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
+        id: autocommit
+        with:
+          commit_message: "chore(deps): update all golang.org/x/... dependencies"
+          branch: update-golang-org-x-${{ github.run_id }}-${{ github.run_attempt }}
+          create_branch: true
+          skip_fetch: true
+      - name: Create PR
+        env:
+          TMP_PR_BODY_PATH: /tmp/pr_body
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          PR_TITLE: "[automated] Update golang.org/x/... dependencies"
+          PR_LABELS: "team/agent-shared-components,qa/done,changelog/no-changelog"
+          GITHUB_REF: ${{ github.ref }}
+        run: |
+          # Generate the PR description
+          cat > $TMP_PR_BODY_PATH <<- EOM
+          ### What does this PR do?
+          Update all \`golang.org/x/...\` dependencies.
+
+          ### Motivation
+          Keep dependencies up-to-date, benefit from bug fixes and new features.
+
+          ### Describe how you validated your changes
+          CI is considered enough to validate changes.
+          EOM
+
+          # Create the PR
+          gh pr create \
+          --base "$GITHUB_REF" \
+          --title "$PR_TITLE" \
+          --body-file "$TMP_PR_BODY_PATH" \
+          --label "$PR_LABELS"

.gitlab-ci.yml

@@ -151,6 +151,7 @@ variables:
   ## comment out both lines below (S3_OMNIBUS_CACHE_BUCKET and USE_S3_CACHING) to allow
   ## build to succeed with S3 caching disabled.
   S3_OMNIBUS_CACHE_BUCKET: dd-ci-datadog-agent-omnibus-cache-build-stable
+  S3_OMNIBUS_GIT_CACHE_BUCKET: dd-ci-datadog-agent-omnibus-git-cache-build-stable
   USE_S3_CACHING: --omnibus-s3-cache
   # This value is not used on windows, a specific value is provided to
   # our build containers in the windows build jobs
@@ -583,8 +584,10 @@ workflow:
     when: always
 
 .on_deploy_stable_or_beta_repo_branch:
+  - !reference [.except_mergequeue]
   - <<: *if_not_stable_or_beta_repo_branch
-    when: never
+    when: manual
+    allow_failure: true
   - <<: *if_deploy
 
 .on_deploy_stable_or_beta_repo_branch_manual:
@@ -613,7 +616,8 @@ workflow:
 
 .except_no_tests_no_deploy:
   - if: $DEPLOY_AGENT == "false" && $DDR_WORKFLOW_ID == null && $RUN_E2E_TESTS == "off"
-    when: never
+    when: manual
+    allow_failure: true
 
 .on_main_or_release_branch:
   - <<: *if_main_branch