fix(ci): Backport .github information from main

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,46 +1,35 @@
 <!--
-* New contributors are highly encouraged to read our
-  [CONTRIBUTING](/CONTRIBUTING.md) documentation.
-* Both Contributor and Reviewer Checklists are available at https://github.com/DataDog/datadog-agent/blob/main/docs/dev/contributing.md#pull-requests.
+* Contributors are encouraged to read our [CONTRIBUTING](/CONTRIBUTING.md) documentation.
+* Both Contributor and Reviewer Checklists are available at https://datadoghq.dev/datadog-agent/guidelines/contributing/#pull-requests.
 * The pull request:
   * Should only fix one issue or add one feature at a time.
   * Must update the test suite for the relevant functionality.
   * Should pass all status checks before being reviewed or merged.
 * Commit titles should be prefixed with general area of pull request's change.
+* Please fill the below sections if possible with relevant information or links.
 -->
 ### What does this PR do?
 
-<!--
-* A brief description of the change being made with this pull request.
-* If the description here cannot be expressed in a succinct form, consider
-  opening multiple pull requests instead of a single one.
--->
-
 ### Motivation
 
+### Describe how you validated your changes
 <!--
-* What inspired you to submit this pull request?
-* Link any related GitHub issues or PRs here.
+Validate your changes before merge, ensuring that:
+* Your PR is tested by static / unit / integrations / e2e tests
+* Your PR description details which e2e tests cover your changes, if any
+* The PR description contains details of how you validated your changes. If you validated changes manually and not through automated tests, add context on why automated tests did not fit your changes validation.
+
+If you want additional validation by a second person, you can ask reviewers to do it. Describe how to set up an environment for manual tests in the PR description. Manual validation is expected to happen on every commit before merge.
+
+Any manual validation step should then map to an automated test. Manual validation should not substitute automation, minus exceptions not supported by test tooling yet.
 -->
 
-### Additional Notes
+### Possible Drawbacks / Trade-offs
 
+### Additional Notes
 <!--
 * Anything else we should know when reviewing?
 * Include benchmarking information here whenever possible.
 * Include info about alternatives that were considered and why the proposed
   version was chosen.
--->
-
-### Possible Drawbacks / Trade-offs
-
-<!--
-* What are the possible side-effects or negative impacts of the code change?
--->
-
-### Describe how to test/QA your changes
-
-<!--
-* Write here in detail or link to detailed instructions on how this change can
-  be tested/QAd/validated, including any environment setup.
--->
+-->

.github/labeler.yml

@@ -1,13 +1,15 @@
+---
 # add system-probe label to any changes done in network, security, eventmonitor or ebpf packages
 component/system-probe:
-  - pkg/collector/corechecks/ebpf/** #ebpf-platform (oomkill and tcp_queue_length)
-  - pkg/ebpf/** # ebpf-platform (ebpf_manager)
-  - pkg/eventmonitor/** # cws (new event monitor component)
-  - pkg/network/** # npm and usm
-  - pkg/process/monitor/** # usm (process monitor)
-  - pkg/security/** # cws
-  - pkg/util/kernel/** # ebpf-platform
-  - cmd/system-probe/** # ebpf_platform (system-probe executable)
-  - tasks/system_probe.py # invoke tasks
-
-
+- changed-files:
+  - any-glob-to-any-file:
+    - pkg/collector/corechecks/ebpf/** #ebpf-platform (oomkill and tcp_queue_length)
+    - pkg/collector/corechecks/servicediscovery/module/** # usm
+    - pkg/ebpf/** # ebpf-platform (ebpf_manager)
+    - pkg/eventmonitor/** # cws (new event monitor component)
+    - pkg/network/** # npm and usm
+    - pkg/process/monitor/** # usm (process monitor)
+    - pkg/security/** # cws
+    - pkg/util/kernel/** # ebpf-platform
+    - cmd/system-probe/** # ebpf_platform (system-probe executable)
+    - tasks/system_probe.py # invoke tasks

.github/workflows/add_milestone.yml

@@ -8,22 +8,28 @@ on:
       - main
       - "[0-9]+.[0-9]+.x"
 
+permissions: {}
+
 jobs:
   add-milestone-pr:
     name: Add Milestone on PR
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       GH_REPO: ${{ github.repository }}
     steps:
       - name: Checkout datadog-agent repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
 
       - name: Get repo current milestone
         id: current-milestone
         run: |
-          if [[ ${GITHUB_REF##*/} =~ ^7\.[0-9]+\.[0-9]+$ ]]; then
+          if [[ ${GITHUB_REF##*/} =~ ^6\.[0-9]+\.[0-9]+$ ]]; then
             # If we're on a release branch, set the milestone to the latest release milestone found.
             MILESTONE=$(gh release list | grep -o $(echo ${GITHUB_REF##*/} | sed 's/x/[0-9]*/g') | sort -uV | tail -1)
             if [ -z "$MILESTONE" ]; then
@@ -38,7 +44,7 @@ jobs:
               exit 1
             fi
           fi
-          if [[ ! $MILESTONE =~ ^7\.[0-9]+\.[0-9]+$ ]]; then
+          if [[ ! $MILESTONE =~ ^6\.[0-9]+\.[0-9]+$ ]]; then
             echo "Error: Malformed milestone $MILESTONE. It should be of the form '7.x.y'."
             exit 1
           fi

.github/workflows/backport-pr.yml

@@ -5,6 +5,8 @@ on:
       - closed
       - labeled
 
+permissions: {}
+
 jobs:
   backport:
     name: Backport PR
@@ -18,14 +20,23 @@ jobs:
           && contains(github.event.label.name, 'backport')
         )
       )
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         id: app-token
         with:
           app-id: ${{ vars.DD_GITHUB_TOKEN_GENERATOR_APP_ID }}
           private-key: ${{ secrets.DD_GITHUB_TOKEN_GENERATOR_PRIVATE_KEY }}
-      - uses: tibdex/backport@v2
+      - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
         with:
           label_pattern: "^backport/(?<base>([^ ]+))$"
           labels_template: "<%= JSON.stringify([...labels, 'backport', 'bot']) %>"
           github_token: ${{ steps.app-token.outputs.token }}
+          body_template: |
+            Backport <%- mergeCommitSha %> from #<%- number %>.
+
+            ___
+
+            <%- body %>

.github/workflows/buildimages-update.yml

@@ -19,43 +19,54 @@ on:
         description: 'Whether the images are test images'
         required: true
         type: boolean
+      include_otel_modules:
+        description: 'Whether to also bump the Go version in modules used by OpenTelemetry'
+        required: true
+        type: boolean
+
+permissions: {}
 
 jobs:
   open-go-update-pr:
     runs-on: ubuntu-latest
     permissions:
       contents: write # push commit and branch
+      pull-requests: write
 
     steps:
       - name: Checkout branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
-          ref: ${{ github.head_ref }}
+          # credentials are needed to create the PR at the end of the workflow
+          persist-credentials: true
 
       - name: Fetch branch
+        env:
+          TARGET_BRANCH: ${{ inputs.branch }}
         # this step needs the github repository to be already cloned locally
         id: branch_fetch
         run: |
-          if git fetch origin "refs/heads/${{ inputs.branch }}"; then
+          if git fetch origin "refs/heads/$TARGET_BRANCH"; then
             echo "RESULT=true" >> $GITHUB_OUTPUT
           else
             echo "RESULT=false" >> $GITHUB_OUTPUT
           fi
 
       - name: Checkout branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         if: ${{ steps.branch_fetch.outputs.RESULT == 'true' }}
         with:
           ref: ${{ inputs.branch }}
+          persist-credentials: false
 
       - name: Setup Python and pip
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           # use Python < 3.12 so that distutil is still available by default
           python-version: 3.11
           cache: "pip"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           # use the go version from the input, not from the .go-version file
           # in case it's a Go update PR
@@ -70,20 +81,30 @@ jobs:
         run: |
           echo "GO_VERSION=$(inv go-version)" >> $GITHUB_OUTPUT
 
+      - name: Get current buildimage tag
+        id: current_buildimage_tag
+        run: |
+            echo "BUILDIMAGE_TAG=$(inv buildimages.get-tag)" >> $GITHUB_OUTPUT
+
       - name: Update buildimages IDs and Go version
         id: update_build_images
         env:
-          TEST_VERSION_FLAG: ${{ inputs.test_version && '--test-version' || '--no-test-version' }}
+          TEST_VERSION_FLAG: ${{ inputs.test_version && '--test' || '--no-test' }}
+          # INCLUDE_OTEL_MODULES must be used without quotes to be ignored when empty
+          INCLUDE_OTEL_MODULES: ${{ inputs.include_otel_modules && '--include-otel-modules' || '' }}
+          CURRENT_GO_VERSION: ${{ steps.current_go_version.outputs.GO_VERSION }}
+          INPUT_GO_VERSION: ${{ inputs.go_version }}
+          IMAGES_ID: ${{ inputs.images_id }}
         run: |
-          if [ "${{ steps.current_go_version.outputs.GO_VERSION }}" = "${{ inputs.go_version }}" ]; then
-            inv -e buildimages.update --image-tag ${{ inputs.images_id }} $TEST_VERSION_FLAG
-            echo 'MESSAGE=Update buildimages ID to ${{ inputs.images_id }}' >> $GITHUB_OUTPUT
+          if [ "$CURRENT_GO_VERSION" = "$INPUT_GO_VERSION" ]; then
+            inv -e buildimages.update --tag "$IMAGES_ID" "$TEST_VERSION_FLAG"
+            echo "MESSAGE=Update buildimages ID to $IMAGES_ID" >> $GITHUB_OUTPUT
           else
-            inv -e update-go --image-tag ${{ inputs.images_id }} $TEST_VERSION_FLAG -v "${{ inputs.go_version }}"
-            echo 'MESSAGE=Update Go version to ${{ inputs.go_version }}' >> $GITHUB_OUTPUT
+            inv -e update-go --image-tag "$IMAGES_ID" "$TEST_VERSION_FLAG" $INCLUDE_OTEL_MODULES -v "$INPUT_GO_VERSION"
+            echo "MESSAGE=Update Go version to $INPUT_GO_VERSION" >> $GITHUB_OUTPUT
           fi
 
-      - uses: stefanzweifel/git-auto-commit-action@v5
+      - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
         id: autocommit
         with:
           commit_message: ${{ steps.update_build_images.outputs.MESSAGE }}
@@ -95,3 +116,53 @@ jobs:
           # the action fetches all branches and tags, in our case the branches we care about are already fetched
           # if they exist, so we can skip the fetch
           skip_fetch: true
+
+      - name: Check if PR exists
+        id: check_pr
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BASE_BRANCH: ${{ github.ref_name }}
+          INPUT_BRANCH: ${{ inputs.branch }}
+        run: |
+          # prs variable contains the number of PRs already created that match head and base branches
+          prs=$(gh pr list \
+              --repo "$GITHUB_REPOSITORY" \
+              --head "$INPUT_BRANCH" \
+              --base "$BASE_BRANCH" \
+              --json title \
+              --jq 'length')
+          if [ $prs -eq 0 ]; then
+            echo "CREATE_PR=true" >> $GITHUB_OUTPUT
+          fi
+
+      # Create PR only if there is no pre-existing PR on the branch
+      - name: Create PR
+        if: ${{ steps.check_pr.outputs.CREATE_PR == 'true' }}
+        env:
+          TMP_PR_BODY_PATH: /tmp/pr_body
+          GH_TOKEN: ${{ github.token }}
+          PR_TITLE: "[automated] ${{ steps.update_build_images.outputs.MESSAGE }}"
+          PR_LABELS: "go-update,team/agent-shared-components"
+          CURRENT_BUILDIMAGE_TAG: ${{ steps.current_buildimage_tag.outputs.BUILDIMAGE_TAG }}
+          IMAGES_ID: ${{ inputs.images_id }}
+          CURRENT_GO_VERSION: ${{ steps.current_go_version.outputs.GO_VERSION }}
+          INPUT_GO_VERSION: ${{ inputs.go_version }}
+          # INPUT_TEST_VERSION must be used without quotes to be ignored when empty
+          INPUT_TEST_VERSION: ${{ inputs.test_version && '--test' || '' }}
+          GITHUB_REF: ${{ github.ref }}
+        run: |
+          # Generate the PR description
+          inv -e buildimages.generate-pr-body \
+          "$CURRENT_BUILDIMAGE_TAG" \
+          "$IMAGES_ID" \
+          "$CURRENT_GO_VERSION" \
+          "$INPUT_GO_VERSION" \
+          $INPUT_TEST_VERSION > $TMP_PR_BODY_PATH
+
+          # Create the PR
+          gh pr create \
+          --base "$GITHUB_REF" \
+          --title "$PR_TITLE" \
+          --body-file "$TMP_PR_BODY_PATH" \
+          --label "$PR_LABELS" \
+          --draft \

.github/workflows/codeql-analysis.yml

@@ -5,47 +5,55 @@ on:
     branches:
       - main
       - "[0-9]+.[0-9]+.x"
-      - mq-working-branch-*
   pull_request:
     branches:
       - main
       - "[0-9]+.[0-9]+.x"
 
+permissions: {}
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-20.04
+    permissions:
+      security-events: write
+    strategy:
+      matrix:
+        language: ["go", "javascript", "python", "cpp"]
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Python3
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: "3.11.8"
+          python-version: "3.12.6"
           cache: "pip"
       - run: pip3 install -r requirements.txt
 
       - name: Setup env variables
         run: |
-          echo "CODEQL_PYTHON=$(which python3)" >> $GITHUB_ENV
-          echo "$GOPATH/bin" >> $GITHUB_PATH
           echo "CGO_LDFLAGS= -L${GITHUB_WORKSPACE}/rtloader/build/rtloader -ldl " >> $GITHUB_ENV
           echo "CGO_CFLAGS= -I${GITHUB_WORKSPACE}/rtloader/include  -I${GITHUB_WORKSPACE}/rtloader/common " >> $GITHUB_ENV
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: ".go-version"
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3.24.10
+        uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
-          languages: go, javascript, python, cpp
-          setup-python-dependencies: false
-          # Defining a fixed CodeQL bundle version
-          tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-20230207/codeql-bundle-linux64.tar.gz
+          languages: ${{ matrix.language }}
+          config: |
+            paths-ignore:
+              - rtloader/build/rtloader/CMakeFiles/datadog-agent-rtloader.dir
+              - rtloader/build/three/CMakeFiles/datadog-agent-three.dir
+              - rtloader/build/test/CMakeFiles/run.dir
+              - rtloader/build/CMakeFiles/clang-format.dir
 
       - name: Set Swap Space
         uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c
@@ -59,4 +67,4 @@ jobs:
           invoke agent.build --build-exclude=systemd
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3.24.10
+        uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9