feat(.github/workflows): stricter GitHub token default permission compliance #10779
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: System Tests | |
on: | |
workflow_call: # allows to reuse this workflow | |
inputs: | |
branch_ref: | |
description: 'The branch to run the workflow on' | |
required: true | |
type: string | |
push: | |
branches: | |
- main | |
- release-v* | |
tags: | |
- "**" | |
pull_request: | |
branches: | |
- "**" | |
merge_group: | |
workflow_dispatch: | |
inputs: | |
ref: | |
description: 'System Tests ref/tag/branch' | |
required: true | |
default: main | |
type: string | |
schedule: | |
- cron: '00 04 * * 2-6' | |
permissions: | |
contents: read | |
jobs: | |
system-tests: | |
if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go') | |
# Note: Not using large runners because the jobs spawned by this pipeline | |
# don't seem to get a noticable speedup from using larger runners. | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
weblog-variant: | |
- net-http | |
- echo | |
- chi | |
- gin | |
- uds-echo | |
scenario: | |
- DEFAULT | |
- INTEGRATIONS | |
- CROSSED_TRACING_LIBRARIES | |
- APPSEC_DISABLED | |
- APPSEC_BLOCKING | |
- APPSEC_BLOCKING_FULL_DENYLIST | |
- APPSEC_REQUEST_BLOCKING | |
- APPSEC_API_SECURITY | |
- APPSEC_RASP | |
- APM_TRACING_E2E | |
- APM_TRACING_E2E_SINGLE_SPAN | |
- APM_TRACING_E2E_OTEL | |
include: | |
- weblog-variant: net-http | |
scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES | |
- weblog-variant: net-http | |
scenario: REMOTE_CONFIG_MOCKED_BACKEND_LIVE_DEBUGGING | |
- weblog-variant: net-http | |
scenario: REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD | |
# AppSec scenarios that don't depend on the integrations, so we just run on the net/http variant | |
- weblog-variant: net-http | |
scenario: APPSEC_RATE_LIMITER | |
- weblog-variant: net-http | |
scenario: APPSEC_CUSTOM_RULES | |
- weblog-variant: net-http | |
scenario: APPSEC_MISSING_RULES | |
- weblog-variant: net-http | |
scenario: APPSEC_CORRUPTED_RULES | |
- weblog-variant: net-http | |
scenario: APPSEC_LOW_WAF_TIMEOUT | |
- weblog-variant: net-http | |
scenario: APPSEC_CUSTOM_OBFUSCATION | |
# APM scenarios requiring specific environment settings | |
- scenario: APM_TRACING_E2E | |
env: | |
DD_API_KEY=$SYSTEM_TESTS_E2E_DD_API_KEY | |
DD_APPLICATION_KEY=$SYSTEM_TESTS_E2E_DD_APP_KEY | |
DD_SITE="datadoghq.com" | |
- scenario: APM_TRACING_E2E_SINGLE_SPAN | |
env: | |
DD_API_KEY=$SYSTEM_TESTS_E2E_DD_API_KEY | |
DD_APPLICATION_KEY=$SYSTEM_TESTS_E2E_DD_APP_KEY | |
DD_SITE="datadoghq.com" | |
- scenario: APM_TRACING_E2E_OTEL | |
env: | |
DD_API_KEY=$SYSTEM_TESTS_E2E_DD_API_KEY | |
DD_APPLICATION_KEY=$SYSTEM_TESTS_E2E_DD_APP_KEY | |
DD_SITE="datadoghq.com" | |
# GraphQL System Tests | |
- scenario: GRAPHQL_APPSEC | |
weblog-variant: graph-gophers | |
- scenario: GRAPHQL_APPSEC | |
weblog-variant: graphql-go | |
- scenario: GRAPHQL_APPSEC | |
weblog-variant: gqlgen | |
fail-fast: false | |
env: | |
TEST_LIBRARY: golang | |
WEBLOG_VARIANT: ${{ matrix.weblog-variant }} | |
DD_API_KEY: ${{ secrets.DD_API_KEY }} | |
SYSTEM_TESTS_E2E_DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }} | |
SYSTEM_TESTS_E2E_DD_APP_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.SYSTEM_TESTS_IDM_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.SYSTEM_TESTS_IDM_AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: us-east-1 | |
AWS_DEFAULT_REGION: us-east-1 # AWS services should use `AWS_REGION`, but some still use the older `AWS_DEFAULT_REGION` | |
name: Test (${{ matrix.weblog-variant }}, ${{ matrix.scenario }}) | |
steps: | |
- name: Checkout system tests | |
uses: actions/checkout@v3 | |
with: | |
repository: 'DataDog/system-tests' | |
ref: ${{ inputs.ref }} | |
- name: Checkout dd-trace-go | |
uses: actions/checkout@v3 | |
with: | |
ref: ${{ inputs.branch_ref || github.ref }} | |
path: 'binaries/dd-trace-go' | |
- name: Build weblog | |
run: ./build.sh -i weblog | |
- name: Build runner | |
uses: ./.github/actions/install_runner | |
- name: Build agent | |
run: ./build.sh -i agent | |
- name: Run | |
run: env ${{ matrix.env }} ./run.sh ${{ matrix.scenario }} | |
- name: Compress artifact | |
if: ${{ always() }} | |
run: tar -czvf artifact.tar.gz $(ls | grep logs) | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
if: ${{ always() }} | |
with: | |
name: logs_${{ matrix.weblog-variant }}_${{ matrix.scenario }} | |
path: artifact.tar.gz |