Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(ci): pin github actions per commit-sha #25291

Merged
merged 3 commits into from
May 6, 2024
Merged

Conversation

chouetz
Copy link
Member

@chouetz chouetz commented May 1, 2024

What does this PR do?

Pin all the github actions of the repo using commit-sha

Motivation

Having a floating version is not only a stability but also a security risk. Using a commit-sha version fix them and prevent malicious usages

Additional Notes

I bumped some versions so I'll need to fix the related jobs - on-going

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

@chouetz chouetz added changelog/no-changelog qa/no-code-change No code change in Agent code requiring validation labels May 1, 2024
@chouetz chouetz requested review from a team as code owners May 1, 2024 19:36
@@ -26,25 +26,25 @@ jobs:
docker rmi $(docker image ls -aq) >/dev/null 2>&1

- name: Checkout datadog-agent repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would much rather we don't use comments with the version here since it will get out of sync if we merge a dependabot PR updating the sha

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I believe this I think it will be synced

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh that's amazing !

@agent-platform-auto-pr
Copy link
Contributor

agent-platform-auto-pr bot commented May 1, 2024

[Fast Unit Tests Report]

On pipeline 33414270 (CI Visibility). The following jobs did not run any unit tests:

Jobs:
  • tests_deb-arm64-py3
  • tests_deb-x64-py3
  • tests_flavor_dogstatsd_deb-x64
  • tests_flavor_heroku_deb-x64
  • tests_flavor_iot_deb-x64
  • tests_rpm-arm64-py3
  • tests_rpm-x64-py3
  • tests_windows-x64

If you modified Go files and expected unit tests to run in these jobs, please double check the job logs. If you think tests should have been executed reach out to #agent-developer-experience

Copy link
Contributor

@sgnn7 sgnn7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM for ASC-owned workflows (but left a small comment)

@@ -18,7 +18,7 @@ jobs:
GH_REPO: ${{ github.repository }}
steps:
- name: Checkout datadog-agent repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to have a centralized file where these version->hash maps are kept? Maybe we can also inject those as values into the build scripts? Without something like that, verification of proper hash value use becomes extremely had to maintain and review.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll check if we can do this. It could remove some redundancy even if the updates are normally handled automatically by dependabot (so mitigates a little bit the maintenance complexity, wdyt?)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fully agree with Srdjan on this !

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really disagree with the single file approach, we know in advance it will never be maintained and upgrades will never be made. Keeping the format easy for dependabot to do the upgrades on its own should be the main priority IMO.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@paulcacheux Hmm - that's a fair point. Any other alternatives to make this both dependabot and human easily digestible/maintainable without using the old tags? I'm afraid with hashes approach, nobody will actually check these in updates and something might slip by.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still have the associated tag in the comment for human-readable format. Would you prefer having a link to the release on the corresponding github repo?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chouetz That may be a good compromise though a link to the repo at that tag release would be better I think since the hash can easily be compared.

@pr-commenter
Copy link

pr-commenter bot commented May 1, 2024

Regression Detector

Regression Detector Results

Run ID: d02895ce-66cd-4294-8b5f-eb8d471a0b9f
Baseline: d9d232d
Comparison: 6fe0a5c

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf experiment goal Δ mean % Δ mean % CI
file_to_blackhole % cpu utilization -34.20 [-39.00, -29.41]

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI
tcp_syslog_to_blackhole ingress throughput +6.72 [-15.18, +28.61]
pycheck_1000_100byte_tags % cpu utilization +2.54 [-2.33, +7.41]
process_agent_standard_check memory utilization +0.88 [+0.83, +0.93]
basic_py_check % cpu utilization +0.17 [-2.41, +2.75]
uds_dogstatsd_to_api_cpu % cpu utilization +0.16 [-2.66, +2.98]
trace_agent_json ingress throughput +0.00 [-0.01, +0.01]
trace_agent_msgpack ingress throughput -0.01 [-0.02, +0.00]
uds_dogstatsd_to_api ingress throughput -0.01 [-0.22, +0.19]
tcp_dd_logs_filter_exclude ingress throughput -0.02 [-0.05, +0.02]
otel_to_otel_logs ingress throughput -0.06 [-0.42, +0.30]
process_agent_real_time_mode memory utilization -0.17 [-0.22, -0.12]
idle memory utilization -0.23 [-0.27, -0.19]
file_tree memory utilization -0.25 [-0.34, -0.16]
process_agent_standard_check_with_stats memory utilization -0.34 [-0.39, -0.28]
file_to_blackhole % cpu utilization -34.20 [-39.00, -29.41]

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

Copy link
Contributor

github-actions bot commented May 2, 2024

Serverless Benchmark Results

BenchmarkStartEndInvocation comparison between 2feb83d and c61c91b.

tl;dr

Use these benchmarks as an insight tool during development.

  1. Skim down the vs base column in each chart. If there is a ~, then there was no statistically significant change to the benchmark. Otherwise, ensure the estimated percent change is either negative or very small.

  2. The last row of each chart is the geomean. Ensure this percentage is either negative or very small.

What is this benchmarking?

The BenchmarkStartEndInvocation compares the amount of time it takes to call the start-invocation and end-invocation endpoints. For universal instrumentation languages (Dotnet, Golang, Java, Ruby), this represents the majority of the duration overhead added by our tracing layer.

The benchmark is run using a large variety of lambda request payloads. In the charts below, there is one row for each event payload type.

How do I interpret these charts?

The charts below comes from benchstat. They represent the statistical change in duration (sec/op), memory overhead (B/op), and allocations (allocs/op).

The benchstat docs explain how to interpret these charts.

Before the comparison table, we see common file-level configuration. If there are benchmarks with different configuration (for example, from different packages), benchstat will print separate tables for each configuration.

The table then compares the two input files for each benchmark. It shows the median and 95% confidence interval summaries for each benchmark before and after the change, and an A/B comparison under "vs base". ... The p-value measures how likely it is that any differences were due to random chance (i.e., noise). The "~" means benchstat did not detect a statistically significant difference between the two inputs. ...

Note that "statistically significant" is not the same as "large": with enough low-noise data, even very small changes can be distinguished from noise and considered statistically significant. It is, of course, generally easier to distinguish large changes from noise.

Finally, the last row of the table shows the geometric mean of each column, giving an overall picture of how the benchmarks changed. Proportional changes in the geomean reflect proportional changes in the benchmarks. For example, given n benchmarks, if sec/op for one of them increases by a factor of 2, then the sec/op geomean will increase by a factor of ⁿ√2.

I need more help

First off, do not worry if the benchmarks are failing. They are not tests. The intention is for them to be a tool for you to use during development.

If you would like a hand interpreting the results come chat with us in #serverless-agent in the internal DataDog slack or in #serverless in the public DataDog slack. We're happy to help!

Benchmark stats
goos: linux
goarch: amd64
pkg: github.com/DataDog/datadog-agent/pkg/serverless/daemon
cpu: AMD EPYC 7763 64-Core Processor                
                                      │ baseline/benchmark.log │       current/benchmark.log        │
                                      │         sec/op         │   sec/op     vs base               │
api-gateway-appsec.json                            92.20µ ± 3%   87.92µ ± 2%  -4.65% (p=0.005 n=10)
api-gateway-kong-appsec.json                       71.81µ ± 3%   69.32µ ± 3%  -3.47% (p=0.001 n=10)
api-gateway-kong.json                              69.60µ ± 3%   67.53µ ± 3%  -2.98% (p=0.001 n=10)
api-gateway-non-proxy-async.json                   109.0µ ± 2%   106.8µ ± 2%  -2.07% (p=0.004 n=10)
api-gateway-non-proxy.json                         109.1µ ± 1%   107.2µ ± 1%  -1.79% (p=0.002 n=10)
api-gateway-websocket-connect.json                 71.81µ ± 2%   70.90µ ± 1%  -1.27% (p=0.004 n=10)
api-gateway-websocket-default.json                 64.88µ ± 2%   63.45µ ± 1%  -2.20% (p=0.001 n=10)
api-gateway-websocket-disconnect.json              64.61µ ± 1%   63.44µ ± 1%  -1.81% (p=0.000 n=10)
api-gateway.json                                   120.2µ ± 1%   116.9µ ± 1%  -2.75% (p=0.000 n=10)
application-load-balancer.json                     65.09µ ± 1%   64.27µ ± 1%  -1.26% (p=0.009 n=10)
cloudfront.json                                    49.16µ ± 2%   48.43µ ± 1%  -1.49% (p=0.000 n=10)
cloudwatch-events.json                             39.37µ ± 2%   38.23µ ± 2%  -2.91% (p=0.000 n=10)
cloudwatch-logs.json                               68.79µ ± 2%   66.59µ ± 1%  -3.21% (p=0.002 n=10)
custom.json                                        31.72µ ± 2%   30.70µ ± 2%  -3.22% (p=0.000 n=10)
dynamodb.json                                      97.53µ ± 3%   96.65µ ± 2%  -0.90% (p=0.043 n=10)
empty.json                                         30.26µ ± 2%   29.02µ ± 2%  -4.09% (p=0.000 n=10)
eventbridge-custom.json                            43.44µ ± 2%   42.54µ ± 3%  -2.08% (p=0.005 n=10)
http-api.json                                      76.00µ ± 1%   74.14µ ± 2%  -2.45% (p=0.001 n=10)
kinesis-batch.json                                 73.99µ ± 1%   71.76µ ± 2%  -3.02% (p=0.001 n=10)
kinesis.json                                       56.32µ ± 3%   54.45µ ± 3%  -3.32% (p=0.009 n=10)
s3.json                                            61.36µ ± 5%   60.24µ ± 1%  -1.83% (p=0.023 n=10)
sns-batch.json                                     96.00µ ± 2%   92.77µ ± 1%  -3.37% (p=0.001 n=10)
sns.json                                           68.04µ ± 2%   65.64µ ± 1%  -3.53% (p=0.000 n=10)
snssqs.json                                        117.4µ ± 1%   114.0µ ± 1%  -2.91% (p=0.000 n=10)
snssqs_no_dd_context.json                          104.4µ ± 2%   100.4µ ± 2%  -3.80% (p=0.000 n=10)
sqs-aws-header.json                                57.97µ ± 2%   56.68µ ± 2%  -2.22% (p=0.002 n=10)
sqs-batch.json                                    100.10µ ± 3%   97.44µ ± 1%  -2.65% (p=0.000 n=10)
sqs.json                                           72.05µ ± 2%   71.01µ ± 1%  -1.45% (p=0.014 n=10)
sqs_no_dd_context.json                             64.04µ ± 4%   64.72µ ± 3%       ~ (p=0.436 n=10)
geomean                                            69.76µ        68.03µ       -2.48%

                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │          B/op          │     B/op      vs base               │
api-gateway-appsec.json                           37.19Ki ± 0%   37.19Ki ± 0%       ~ (p=0.670 n=10)
api-gateway-kong-appsec.json                      26.80Ki ± 0%   26.80Ki ± 0%       ~ (p=0.782 n=10)
api-gateway-kong.json                             24.29Ki ± 0%   24.29Ki ± 0%       ~ (p=0.539 n=10)
api-gateway-non-proxy-async.json                  48.00Ki ± 0%   48.01Ki ± 0%       ~ (p=0.781 n=10)
api-gateway-non-proxy.json                        47.23Ki ± 0%   47.22Ki ± 0%       ~ (p=0.382 n=10)
api-gateway-websocket-connect.json                25.42Ki ± 0%   25.42Ki ± 0%       ~ (p=0.725 n=10)
api-gateway-websocket-default.json                21.31Ki ± 0%   21.32Ki ± 0%  +0.06% (p=0.002 n=10)
api-gateway-websocket-disconnect.json             21.08Ki ± 0%   21.11Ki ± 0%  +0.11% (p=0.022 n=10)
api-gateway.json                                  49.49Ki ± 0%   49.48Ki ± 0%       ~ (p=0.225 n=10)
application-load-balancer.json                    23.20Ki ± 0%   23.20Ki ± 0%       ~ (p=0.897 n=10)
cloudfront.json                                   17.60Ki ± 0%   17.59Ki ± 0%       ~ (p=0.515 n=10)
cloudwatch-events.json                            11.65Ki ± 0%   11.65Ki ± 0%       ~ (p=0.956 n=10)
cloudwatch-logs.json                              53.31Ki ± 0%   53.30Ki ± 0%       ~ (p=0.987 n=10)
custom.json                                       9.663Ki ± 0%   9.664Ki ± 0%       ~ (p=0.956 n=10)
dynamodb.json                                     40.66Ki ± 0%   40.64Ki ± 0%       ~ (p=0.289 n=10)
empty.json                                        9.219Ki ± 0%   9.229Ki ± 0%       ~ (p=0.325 n=10)
eventbridge-custom.json                           13.38Ki ± 0%   13.38Ki ± 0%       ~ (p=0.781 n=10)
http-api.json                                     23.71Ki ± 0%   23.71Ki ± 0%       ~ (p=0.867 n=10)
kinesis-batch.json                                26.99Ki ± 0%   26.99Ki ± 0%       ~ (p=0.591 n=10)
kinesis.json                                      17.78Ki ± 0%   17.77Ki ± 0%       ~ (p=0.342 n=10)
s3.json                                           20.33Ki ± 0%   20.32Ki ± 0%       ~ (p=0.810 n=10)
sns-batch.json                                    38.62Ki ± 0%   38.59Ki ± 0%  -0.09% (p=0.022 n=10)
sns.json                                          23.94Ki ± 0%   23.96Ki ± 0%       ~ (p=0.101 n=10)
snssqs.json                                       50.65Ki ± 0%   50.64Ki ± 0%       ~ (p=0.529 n=10)
snssqs_no_dd_context.json                         44.79Ki ± 0%   44.80Ki ± 0%       ~ (p=0.912 n=10)
sqs-aws-header.json                               18.85Ki ± 1%   18.84Ki ± 0%       ~ (p=1.000 n=10)
sqs-batch.json                                    41.69Ki ± 0%   41.59Ki ± 0%  -0.22% (p=0.043 n=10)
sqs.json                                          25.53Ki ± 1%   25.54Ki ± 0%       ~ (p=0.684 n=10)
sqs_no_dd_context.json                            20.62Ki ± 1%   20.62Ki ± 1%       ~ (p=0.971 n=10)
geomean                                           25.69Ki        25.69Ki       -0.01%

                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │       allocs/op        │ allocs/op   vs base                 │
api-gateway-appsec.json                             629.0 ± 0%   629.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-kong-appsec.json                        488.0 ± 0%   488.0 ± 0%       ~ (p=1.000 n=10) ¹
api-gateway-kong.json                               466.0 ± 0%   466.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-non-proxy-async.json                    725.0 ± 0%   726.0 ± 0%       ~ (p=0.656 n=10)
api-gateway-non-proxy.json                          716.0 ± 0%   716.0 ± 0%       ~ (p=0.211 n=10)
api-gateway-websocket-connect.json                  453.0 ± 0%   453.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-websocket-default.json                  379.0 ± 0%   379.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-websocket-disconnect.json               369.0 ± 0%   370.0 ± 0%  +0.27% (p=0.011 n=10)
api-gateway.json                                    791.0 ± 0%   791.0 ± 0%       ~ (p=1.000 n=10)
application-load-balancer.json                      353.0 ± 0%   353.0 ± 0%       ~ (p=1.000 n=10) ¹
cloudfront.json                                     284.0 ± 0%   284.0 ± 0%       ~ (p=1.000 n=10)
cloudwatch-events.json                              220.0 ± 0%   220.0 ± 0%       ~ (p=0.474 n=10)
cloudwatch-logs.json                                215.5 ± 0%   215.5 ± 0%       ~ (p=1.000 n=10)
custom.json                                         168.0 ± 1%   168.0 ± 0%       ~ (p=0.211 n=10)
dynamodb.json                                       589.0 ± 0%   589.0 ± 0%       ~ (p=1.000 n=10)
empty.json                                          159.0 ± 1%   159.5 ± 0%       ~ (p=1.000 n=10)
eventbridge-custom.json                             254.0 ± 0%   254.0 ± 0%       ~ (p=1.000 n=10)
http-api.json                                       432.5 ± 0%   432.5 ± 0%       ~ (p=1.000 n=10)
kinesis-batch.json                                  391.0 ± 0%   391.0 ± 0%       ~ (p=1.000 n=10)
kinesis.json                                        285.0 ± 0%   285.0 ± 0%       ~ (p=0.969 n=10)
s3.json                                             358.0 ± 0%   358.0 ± 0%       ~ (p=0.999 n=10)
sns-batch.json                                      456.0 ± 0%   455.0 ± 0%  -0.22% (p=0.035 n=10)
sns.json                                            323.0 ± 0%   324.0 ± 0%       ~ (p=0.056 n=10)
snssqs.json                                         446.0 ± 0%   446.0 ± 0%       ~ (p=0.445 n=10)
snssqs_no_dd_context.json                           399.0 ± 1%   399.5 ± 0%       ~ (p=1.000 n=10)
sqs-aws-header.json                                 274.5 ± 1%   274.0 ± 0%       ~ (p=0.910 n=10)
sqs-batch.json                                      505.0 ± 1%   504.0 ± 0%       ~ (p=0.187 n=10)
sqs.json                                            351.5 ± 1%   352.0 ± 1%       ~ (p=0.667 n=10)
sqs_no_dd_context.json                              324.5 ± 1%   324.0 ± 1%       ~ (p=0.942 n=10)
geomean                                             376.7        376.8       +0.02%
¹ all samples are equal

Copy link
Contributor

@amenasria amenasria left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ! This is good for security though really hard to maintain, centralizing the hash in a file would make it way easier for maintenance.

- tasks/system_probe.py # invoke tasks


- changed-files:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- changed-files:
- changed-files:

❓ question: ‏Isn't it missing some spaces ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I used the very same format as in the documentation, and I guess yaml understands both, so I think it's equal

@@ -18,7 +18,7 @@ jobs:
GH_REPO: ${{ github.repository }}
steps:
- name: Checkout datadog-agent repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fully agree with Srdjan on this !

@chouetz
Copy link
Member Author

chouetz commented May 6, 2024

/merge

@dd-devflow
Copy link

dd-devflow bot commented May 6, 2024

🚂 MergeQueue

Pull request added to the queue.

There are 4 builds ahead! (estimated merge in less than 2h)

Use /merge -c to cancel this operation!

@dd-mergequeue dd-mergequeue bot merged commit 94966da into main May 6, 2024
192 checks passed
@dd-mergequeue dd-mergequeue bot deleted the nschweitzer/pin_actions branch May 6, 2024 10:50
@github-actions github-actions bot added this to the 7.55.0 milestone May 6, 2024
alexgallotta pushed a commit that referenced this pull request May 9, 2024
* fix(ci): pin github actions per commit-sha

* fix the labeler configuration according to bump on v5

* revert codeql to 3.24.10 as 3.25 requires a new version of cli
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
changelog/no-changelog qa/no-code-change No code change in Agent code requiring validation
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants