Skip to content

feat(.github/workflows): stricter GitHub token default permission compliance #10779

feat(.github/workflows): stricter GitHub token default permission compliance

feat(.github/workflows): stricter GitHub token default permission compliance #10779

Workflow file for this run

name: System Tests
on:
workflow_call: # allows to reuse this workflow
inputs:
branch_ref:
description: 'The branch to run the workflow on'
required: true
type: string
push:
branches:
- main
- release-v*
tags:
- "**"
pull_request:
branches:
- "**"
merge_group:
workflow_dispatch:
inputs:
ref:
description: 'System Tests ref/tag/branch'
required: true
default: main
type: string
schedule:
- cron: '00 04 * * 2-6'
permissions:
contents: read
jobs:
system-tests:
if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go')
# Note: Not using large runners because the jobs spawned by this pipeline
# don't seem to get a noticable speedup from using larger runners.
runs-on: ubuntu-latest
strategy:
matrix:
weblog-variant:
- net-http
- echo
- chi
- gin
- uds-echo
scenario:
- DEFAULT
- INTEGRATIONS
- CROSSED_TRACING_LIBRARIES
- APPSEC_DISABLED
- APPSEC_BLOCKING
- APPSEC_BLOCKING_FULL_DENYLIST
- APPSEC_REQUEST_BLOCKING
- APPSEC_API_SECURITY
- APPSEC_RASP
- APM_TRACING_E2E
- APM_TRACING_E2E_SINGLE_SPAN
- APM_TRACING_E2E_OTEL
include:
- weblog-variant: net-http
scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES
- weblog-variant: net-http
scenario: REMOTE_CONFIG_MOCKED_BACKEND_LIVE_DEBUGGING
- weblog-variant: net-http
scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD
# AppSec scenarios that don't depend on the integrations, so we just run on the net/http variant
- weblog-variant: net-http
scenario: APPSEC_RATE_LIMITER
- weblog-variant: net-http
scenario: APPSEC_CUSTOM_RULES
- weblog-variant: net-http
scenario: APPSEC_MISSING_RULES
- weblog-variant: net-http
scenario: APPSEC_CORRUPTED_RULES
- weblog-variant: net-http
scenario: APPSEC_LOW_WAF_TIMEOUT
- weblog-variant: net-http
scenario: APPSEC_CUSTOM_OBFUSCATION
# APM scenarios requiring specific environment settings
- scenario: APM_TRACING_E2E
env:
DD_API_KEY=$SYSTEM_TESTS_E2E_DD_API_KEY
DD_APPLICATION_KEY=$SYSTEM_TESTS_E2E_DD_APP_KEY
DD_SITE="datadoghq.com"
- scenario: APM_TRACING_E2E_SINGLE_SPAN
env:
DD_API_KEY=$SYSTEM_TESTS_E2E_DD_API_KEY
DD_APPLICATION_KEY=$SYSTEM_TESTS_E2E_DD_APP_KEY
DD_SITE="datadoghq.com"
- scenario: APM_TRACING_E2E_OTEL
env:
DD_API_KEY=$SYSTEM_TESTS_E2E_DD_API_KEY
DD_APPLICATION_KEY=$SYSTEM_TESTS_E2E_DD_APP_KEY
DD_SITE="datadoghq.com"
# GraphQL System Tests
- scenario: GRAPHQL_APPSEC
weblog-variant: graph-gophers
- scenario: GRAPHQL_APPSEC
weblog-variant: graphql-go
- scenario: GRAPHQL_APPSEC
weblog-variant: gqlgen
fail-fast: false
env:
TEST_LIBRARY: golang
WEBLOG_VARIANT: ${{ matrix.weblog-variant }}
DD_API_KEY: ${{ secrets.DD_API_KEY }}
SYSTEM_TESTS_E2E_DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }}
SYSTEM_TESTS_E2E_DD_APP_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }}
AWS_ACCESS_KEY_ID: ${{ secrets.SYSTEM_TESTS_IDM_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.SYSTEM_TESTS_IDM_AWS_SECRET_ACCESS_KEY }}
AWS_REGION: us-east-1
AWS_DEFAULT_REGION: us-east-1 # AWS services should use `AWS_REGION`, but some still use the older `AWS_DEFAULT_REGION`
name: Test (${{ matrix.weblog-variant }}, ${{ matrix.scenario }})
steps:
- name: Checkout system tests
uses: actions/checkout@v3
with:
repository: 'DataDog/system-tests'
ref: ${{ inputs.ref }}
- name: Checkout dd-trace-go
uses: actions/checkout@v3
with:
ref: ${{ inputs.branch_ref || github.ref }}
path: 'binaries/dd-trace-go'
- name: Build weblog
run: ./build.sh -i weblog
- name: Build runner
uses: ./.github/actions/install_runner
- name: Build agent
run: ./build.sh -i agent
- name: Run
run: env ${{ matrix.env }} ./run.sh ${{ matrix.scenario }}
- name: Compress artifact
if: ${{ always() }}
run: tar -czvf artifact.tar.gz $(ls | grep logs)
- name: Upload artifact
uses: actions/upload-artifact@v4
if: ${{ always() }}
with:
name: logs_${{ matrix.weblog-variant }}_${{ matrix.scenario }}
path: artifact.tar.gz