fix(ci): pin github actions per commit-sha

[chouetz]

What does this PR do?

Pin all the github actions of the repo using commit-sha

Motivation

Having a floating version is not only a stability but also a security risk. Using a commit-sha version fix them and prevent malicious usages

Additional Notes

I bumped some versions so I'll need to fix the related jobs - on-going

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

[paulcacheux]

I would much rather we don't use comments with the version here since it will get out of sync if we merge a dependabot PR updating the sha

[chouetz]

If I believe this I think it will be synced

[paulcacheux]

Oh that's amazing !

[agent-platform-auto-pr]

[Fast Unit Tests Report]

On pipeline 33414270 (CI Visibility). The following jobs did not run any unit tests:

Jobs:

• tests_deb-arm64-py3
• tests_deb-x64-py3
• tests_flavor_dogstatsd_deb-x64
• tests_flavor_heroku_deb-x64
• tests_flavor_iot_deb-x64
• tests_rpm-arm64-py3
• tests_rpm-x64-py3
• tests_windows-x64

If you modified Go files and expected unit tests to run in these jobs, please double check the job logs. If you think tests should have been executed reach out to #agent-developer-experience

[sgnn7]

LGTM for ASC-owned workflows (but left a small comment)

[sgnn7]

Would it make sense to have a centralized file where these version->hash maps are kept? Maybe we can also inject those as values into the build scripts? Without something like that, verification of proper hash value use becomes extremely had to maintain and review.

[chouetz]

I'll check if we can do this. It could remove some redundancy even if the updates are normally handled automatically by dependabot (so mitigates a little bit the maintenance complexity, wdyt?)

[amenasria]

Fully agree with Srdjan on this !

[paulcacheux]

I really disagree with the single file approach, we know in advance it will never be maintained and upgrades will never be made. Keeping the format easy for dependabot to do the upgrades on its own should be the main priority IMO.

[sgnn7]

@paulcacheux Hmm - that's a fair point. Any other alternatives to make this both dependabot and human easily digestible/maintainable without using the old tags? I'm afraid with hashes approach, nobody will actually check these in updates and something might slip by.

[chouetz]

We still have the associated tag in the comment for human-readable format. Would you prefer having a link to the release on the corresponding github repo?

[sgnn7]

@chouetz That may be a good compromise though a link to the repo at that tag release would be better I think since the hash can easily be compared.

[pr-commenter]

Regression Detector

Regression Detector Results

Run ID: d02895ce-66cd-4294-8b5f-eb8d471a0b9f
Baseline: d9d232d
Comparison: 6fe0a5c

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI
✅	file_to_blackhole	% cpu utilization	-34.20	[-39.00, -29.41]

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI
➖	tcp_syslog_to_blackhole	ingress throughput	+6.72	[-15.18, +28.61]
➖	pycheck_1000_100byte_tags	% cpu utilization	+2.54	[-2.33, +7.41]
➖	process_agent_standard_check	memory utilization	+0.88	[+0.83, +0.93]
➖	basic_py_check	% cpu utilization	+0.17	[-2.41, +2.75]
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	+0.16	[-2.66, +2.98]
➖	trace_agent_json	ingress throughput	+0.00	[-0.01, +0.01]
➖	trace_agent_msgpack	ingress throughput	-0.01	[-0.02, +0.00]
➖	uds_dogstatsd_to_api	ingress throughput	-0.01	[-0.22, +0.19]
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.02	[-0.05, +0.02]
➖	otel_to_otel_logs	ingress throughput	-0.06	[-0.42, +0.30]
➖	process_agent_real_time_mode	memory utilization	-0.17	[-0.22, -0.12]
➖	idle	memory utilization	-0.23	[-0.27, -0.19]
➖	file_tree	memory utilization	-0.25	[-0.34, -0.16]
➖	process_agent_standard_check_with_stats	memory utilization	-0.34	[-0.39, -0.28]
✅	file_to_blackhole	% cpu utilization	-34.20	[-39.00, -29.41]

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

[github-actions]

Serverless Benchmark Results

BenchmarkStartEndInvocation comparison between 2feb83d and c61c91b.

tl;dr

Use these benchmarks as an insight tool during development.

1. Skim down the vs base column in each chart. If there is a ~, then there was no statistically significant change to the benchmark. Otherwise, ensure the estimated percent change is either negative or very small.

2. The last row of each chart is the geomean. Ensure this percentage is either negative or very small.

What is this benchmarking?

The BenchmarkStartEndInvocation compares the amount of time it takes to call the start-invocation and end-invocation endpoints. For universal instrumentation languages (Dotnet, Golang, Java, Ruby), this represents the majority of the duration overhead added by our tracing layer.

The benchmark is run using a large variety of lambda request payloads. In the charts below, there is one row for each event payload type.

How do I interpret these charts?

The charts below comes from benchstat. They represent the statistical change in duration (sec/op), memory overhead (B/op), and allocations (allocs/op).

The benchstat docs explain how to interpret these charts.

Before the comparison table, we see common file-level configuration. If there are benchmarks with different configuration (for example, from different packages), benchstat will print separate tables for each configuration.

The table then compares the two input files for each benchmark. It shows the median and 95% confidence interval summaries for each benchmark before and after the change, and an A/B comparison under "vs base". ... The p-value measures how likely it is that any differences were due to random chance (i.e., noise). The "~" means benchstat did not detect a statistically significant difference between the two inputs. ...

Note that "statistically significant" is not the same as "large": with enough low-noise data, even very small changes can be distinguished from noise and considered statistically significant. It is, of course, generally easier to distinguish large changes from noise.

Finally, the last row of the table shows the geometric mean of each column, giving an overall picture of how the benchmarks changed. Proportional changes in the geomean reflect proportional changes in the benchmarks. For example, given n benchmarks, if sec/op for one of them increases by a factor of 2, then the sec/op geomean will increase by a factor of ⁿ√2.

I need more help

First off, do not worry if the benchmarks are failing. They are not tests. The intention is for them to be a tool for you to use during development.

If you would like a hand interpreting the results come chat with us in #serverless-agent in the internal DataDog slack or in #serverless in the public DataDog slack. We're happy to help!

Benchmark stats

goos: linux
goarch: amd64
pkg: github.com/DataDog/datadog-agent/pkg/serverless/daemon
cpu: AMD EPYC 7763 64-Core Processor                
                                      │ baseline/benchmark.log │       current/benchmark.log        │
                                      │         sec/op         │   sec/op     vs base               │
api-gateway-appsec.json                            92.20µ ± 3%   87.92µ ± 2%  -4.65% (p=0.005 n=10)
api-gateway-kong-appsec.json                       71.81µ ± 3%   69.32µ ± 3%  -3.47% (p=0.001 n=10)
api-gateway-kong.json                              69.60µ ± 3%   67.53µ ± 3%  -2.98% (p=0.001 n=10)
api-gateway-non-proxy-async.json                   109.0µ ± 2%   106.8µ ± 2%  -2.07% (p=0.004 n=10)
api-gateway-non-proxy.json                         109.1µ ± 1%   107.2µ ± 1%  -1.79% (p=0.002 n=10)
api-gateway-websocket-connect.json                 71.81µ ± 2%   70.90µ ± 1%  -1.27% (p=0.004 n=10)
api-gateway-websocket-default.json                 64.88µ ± 2%   63.45µ ± 1%  -2.20% (p=0.001 n=10)
api-gateway-websocket-disconnect.json              64.61µ ± 1%   63.44µ ± 1%  -1.81% (p=0.000 n=10)
api-gateway.json                                   120.2µ ± 1%   116.9µ ± 1%  -2.75% (p=0.000 n=10)
application-load-balancer.json                     65.09µ ± 1%   64.27µ ± 1%  -1.26% (p=0.009 n=10)
cloudfront.json                                    49.16µ ± 2%   48.43µ ± 1%  -1.49% (p=0.000 n=10)
cloudwatch-events.json                             39.37µ ± 2%   38.23µ ± 2%  -2.91% (p=0.000 n=10)
cloudwatch-logs.json                               68.79µ ± 2%   66.59µ ± 1%  -3.21% (p=0.002 n=10)
custom.json                                        31.72µ ± 2%   30.70µ ± 2%  -3.22% (p=0.000 n=10)
dynamodb.json                                      97.53µ ± 3%   96.65µ ± 2%  -0.90% (p=0.043 n=10)
empty.json                                         30.26µ ± 2%   29.02µ ± 2%  -4.09% (p=0.000 n=10)
eventbridge-custom.json                            43.44µ ± 2%   42.54µ ± 3%  -2.08% (p=0.005 n=10)
http-api.json                                      76.00µ ± 1%   74.14µ ± 2%  -2.45% (p=0.001 n=10)
kinesis-batch.json                                 73.99µ ± 1%   71.76µ ± 2%  -3.02% (p=0.001 n=10)
kinesis.json                                       56.32µ ± 3%   54.45µ ± 3%  -3.32% (p=0.009 n=10)
s3.json                                            61.36µ ± 5%   60.24µ ± 1%  -1.83% (p=0.023 n=10)
sns-batch.json                                     96.00µ ± 2%   92.77µ ± 1%  -3.37% (p=0.001 n=10)
sns.json                                           68.04µ ± 2%   65.64µ ± 1%  -3.53% (p=0.000 n=10)
snssqs.json                                        117.4µ ± 1%   114.0µ ± 1%  -2.91% (p=0.000 n=10)
snssqs_no_dd_context.json                          104.4µ ± 2%   100.4µ ± 2%  -3.80% (p=0.000 n=10)
sqs-aws-header.json                                57.97µ ± 2%   56.68µ ± 2%  -2.22% (p=0.002 n=10)
sqs-batch.json                                    100.10µ ± 3%   97.44µ ± 1%  -2.65% (p=0.000 n=10)
sqs.json                                           72.05µ ± 2%   71.01µ ± 1%  -1.45% (p=0.014 n=10)
sqs_no_dd_context.json                             64.04µ ± 4%   64.72µ ± 3%       ~ (p=0.436 n=10)
geomean                                            69.76µ        68.03µ       -2.48%

                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │          B/op          │     B/op      vs base               │
api-gateway-appsec.json                           37.19Ki ± 0%   37.19Ki ± 0%       ~ (p=0.670 n=10)
api-gateway-kong-appsec.json                      26.80Ki ± 0%   26.80Ki ± 0%       ~ (p=0.782 n=10)
api-gateway-kong.json                             24.29Ki ± 0%   24.29Ki ± 0%       ~ (p=0.539 n=10)
api-gateway-non-proxy-async.json                  48.00Ki ± 0%   48.01Ki ± 0%       ~ (p=0.781 n=10)
api-gateway-non-proxy.json                        47.23Ki ± 0%   47.22Ki ± 0%       ~ (p=0.382 n=10)
api-gateway-websocket-connect.json                25.42Ki ± 0%   25.42Ki ± 0%       ~ (p=0.725 n=10)
api-gateway-websocket-default.json                21.31Ki ± 0%   21.32Ki ± 0%  +0.06% (p=0.002 n=10)
api-gateway-websocket-disconnect.json             21.08Ki ± 0%   21.11Ki ± 0%  +0.11% (p=0.022 n=10)
api-gateway.json                                  49.49Ki ± 0%   49.48Ki ± 0%       ~ (p=0.225 n=10)
application-load-balancer.json                    23.20Ki ± 0%   23.20Ki ± 0%       ~ (p=0.897 n=10)
cloudfront.json                                   17.60Ki ± 0%   17.59Ki ± 0%       ~ (p=0.515 n=10)
cloudwatch-events.json                            11.65Ki ± 0%   11.65Ki ± 0%       ~ (p=0.956 n=10)
cloudwatch-logs.json                              53.31Ki ± 0%   53.30Ki ± 0%       ~ (p=0.987 n=10)
custom.json                                       9.663Ki ± 0%   9.664Ki ± 0%       ~ (p=0.956 n=10)
dynamodb.json                                     40.66Ki ± 0%   40.64Ki ± 0%       ~ (p=0.289 n=10)
empty.json                                        9.219Ki ± 0%   9.229Ki ± 0%       ~ (p=0.325 n=10)
eventbridge-custom.json                           13.38Ki ± 0%   13.38Ki ± 0%       ~ (p=0.781 n=10)
http-api.json                                     23.71Ki ± 0%   23.71Ki ± 0%       ~ (p=0.867 n=10)
kinesis-batch.json                                26.99Ki ± 0%   26.99Ki ± 0%       ~ (p=0.591 n=10)
kinesis.json                                      17.78Ki ± 0%   17.77Ki ± 0%       ~ (p=0.342 n=10)
s3.json                                           20.33Ki ± 0%   20.32Ki ± 0%       ~ (p=0.810 n=10)
sns-batch.json                                    38.62Ki ± 0%   38.59Ki ± 0%  -0.09% (p=0.022 n=10)
sns.json                                          23.94Ki ± 0%   23.96Ki ± 0%       ~ (p=0.101 n=10)
snssqs.json                                       50.65Ki ± 0%   50.64Ki ± 0%       ~ (p=0.529 n=10)
snssqs_no_dd_context.json                         44.79Ki ± 0%   44.80Ki ± 0%       ~ (p=0.912 n=10)
sqs-aws-header.json                               18.85Ki ± 1%   18.84Ki ± 0%       ~ (p=1.000 n=10)
sqs-batch.json                                    41.69Ki ± 0%   41.59Ki ± 0%  -0.22% (p=0.043 n=10)
sqs.json                                          25.53Ki ± 1%   25.54Ki ± 0%       ~ (p=0.684 n=10)
sqs_no_dd_context.json                            20.62Ki ± 1%   20.62Ki ± 1%       ~ (p=0.971 n=10)
geomean                                           25.69Ki        25.69Ki       -0.01%

                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │       allocs/op        │ allocs/op   vs base                 │
api-gateway-appsec.json                             629.0 ± 0%   629.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-kong-appsec.json                        488.0 ± 0%   488.0 ± 0%       ~ (p=1.000 n=10) ¹
api-gateway-kong.json                               466.0 ± 0%   466.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-non-proxy-async.json                    725.0 ± 0%   726.0 ± 0%       ~ (p=0.656 n=10)
api-gateway-non-proxy.json                          716.0 ± 0%   716.0 ± 0%       ~ (p=0.211 n=10)
api-gateway-websocket-connect.json                  453.0 ± 0%   453.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-websocket-default.json                  379.0 ± 0%   379.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-websocket-disconnect.json               369.0 ± 0%   370.0 ± 0%  +0.27% (p=0.011 n=10)
api-gateway.json                                    791.0 ± 0%   791.0 ± 0%       ~ (p=1.000 n=10)
application-load-balancer.json                      353.0 ± 0%   353.0 ± 0%       ~ (p=1.000 n=10) ¹
cloudfront.json                                     284.0 ± 0%   284.0 ± 0%       ~ (p=1.000 n=10)
cloudwatch-events.json                              220.0 ± 0%   220.0 ± 0%       ~ (p=0.474 n=10)
cloudwatch-logs.json                                215.5 ± 0%   215.5 ± 0%       ~ (p=1.000 n=10)
custom.json                                         168.0 ± 1%   168.0 ± 0%       ~ (p=0.211 n=10)
dynamodb.json                                       589.0 ± 0%   589.0 ± 0%       ~ (p=1.000 n=10)
empty.json                                          159.0 ± 1%   159.5 ± 0%       ~ (p=1.000 n=10)
eventbridge-custom.json                             254.0 ± 0%   254.0 ± 0%       ~ (p=1.000 n=10)
http-api.json                                       432.5 ± 0%   432.5 ± 0%       ~ (p=1.000 n=10)
kinesis-batch.json                                  391.0 ± 0%   391.0 ± 0%       ~ (p=1.000 n=10)
kinesis.json                                        285.0 ± 0%   285.0 ± 0%       ~ (p=0.969 n=10)
s3.json                                             358.0 ± 0%   358.0 ± 0%       ~ (p=0.999 n=10)
sns-batch.json                                      456.0 ± 0%   455.0 ± 0%  -0.22% (p=0.035 n=10)
sns.json                                            323.0 ± 0%   324.0 ± 0%       ~ (p=0.056 n=10)
snssqs.json                                         446.0 ± 0%   446.0 ± 0%       ~ (p=0.445 n=10)
snssqs_no_dd_context.json                           399.0 ± 1%   399.5 ± 0%       ~ (p=1.000 n=10)
sqs-aws-header.json                                 274.5 ± 1%   274.0 ± 0%       ~ (p=0.910 n=10)
sqs-batch.json                                      505.0 ± 1%   504.0 ± 0%       ~ (p=0.187 n=10)
sqs.json                                            351.5 ± 1%   352.0 ± 1%       ~ (p=0.667 n=10)
sqs_no_dd_context.json                              324.5 ± 1%   324.0 ± 1%       ~ (p=0.942 n=10)
geomean                                             376.7        376.8       +0.02%
¹ all samples are equal

[amenasria]

LGTM ! This is good for security though really hard to maintain, centralizing the hash in a file would make it way easier for maintenance.

[amenasria]

Suggested change

	- changed-files:
	- changed-files:

❓ question: ‏Isn't it missing some spaces ?

[chouetz]

I used the very same format as in the documentation, and I guess yaml understands both, so I think it's equal

[amenasria]

Fully agree with Srdjan on this !

[chouetz]

/merge

[dd-devflow]

🚂 MergeQueue

Pull request added to the queue.

There are 4 builds ahead! (estimated merge in less than 2h)

Use /merge -c to cancel this operation!