diff --git a/.github/workflows/build-and-publish-image.yml b/.github/workflows/build-and-publish-image.yml index d015d0c5c3f..2482d03a924 100644 --- a/.github/workflows/build-and-publish-image.yml +++ b/.github/workflows/build-and-publish-image.yml @@ -28,6 +28,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx diff --git a/.github/workflows/build_deploy.yml b/.github/workflows/build_deploy.yml index 78333b890c6..77d52c757f5 100644 --- a/.github/workflows/build_deploy.yml +++ b/.github/workflows/build_deploy.yml @@ -34,6 +34,7 @@ jobs: - uses: actions/checkout@v4 # Include all history and tags with: + persist-credentials: false fetch-depth: 0 - uses: actions-rust-lang/setup-rust-toolchain@v1 - uses: actions/setup-python@v5 @@ -58,6 +59,8 @@ jobs: image: python:3.9-alpine steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/download-artifact@v4 with: name: source-dist diff --git a/.github/workflows/build_python_3.yml b/.github/workflows/build_python_3.yml index f00de62e2b7..02832a008b9 100644 --- a/.github/workflows/build_python_3.yml +++ b/.github/workflows/build_python_3.yml @@ -20,6 +20,8 @@ jobs: include: ${{steps.set-matrix.outputs.include}} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.8' @@ -51,6 +53,7 @@ jobs: - uses: actions/checkout@v4 # Include all history and tags with: + persist-credentials: false fetch-depth: 0 - uses: actions/setup-python@v5 diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 5f9ac3ec1c7..aa705d8a02f 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml 
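Review bot: Nothing in this change keeps the setting in place for workflows added later, and the new `with:` block in build-and-publish-image.yml has no comment saying why it is there. By default actions/checkout writes the job token into the checkout's `.git/config`, where every later step can read it. It can also end up in anything that packages the workspace, which matters here if the Docker build context set up by the following steps includes the checkout. I would add a comment such as `# keep the job token out of .git/config for later steps` above the new key, and consider running a workflow linter in CI that flags checkouts without it (zizmor's `artipacked` audit is one). The same applies to the identical additions in build_deploy.yml and build_python_3.yml.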
@@ -15,6 +15,7 @@ jobs: - uses: actions/checkout@v4 # Include all history and tags with: + persist-credentials: false fetch-depth: 0 # Ensure a new reno release note was added in this PR. diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml index 3d7419846d6..3a0b5993058 100644 --- a/.github/workflows/codeowners.yml +++ b/.github/workflows/codeowners.yml @@ -12,6 +12,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 - name: Get changed files id: changed-files diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e3a3edf4ecf..5af69a81073 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,6 +27,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/django-overhead-profile.yml b/.github/workflows/django-overhead-profile.yml index 6d026338ca9..8fb697daa14 100644 --- a/.github/workflows/django-overhead-profile.yml +++ b/.github/workflows/django-overhead-profile.yml @@ -33,6 +33,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false path: ddtrace - uses: actions/setup-python@v5 @@ -51,4 +52,3 @@ jobs: with: name: django-overhead-profile${{ matrix.suffix }} path: ${{ github.workspace }}/prefix/artifacts - diff --git a/.github/workflows/encoders-profile.yml b/.github/workflows/encoders-profile.yml index 887d96ead39..ed77daa6d5a 100644 --- a/.github/workflows/encoders-profile.yml +++ b/.github/workflows/encoders-profile.yml @@ -21,6 +21,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false path: ddtrace - uses: actions/setup-python@v5 @@ -43,4 +44,3 @@ jobs: with: name: encoders-profile path: ${{ github.workspace }}/prefix/artifacts - 
diff --git a/.github/workflows/flask-overhead-profile.yml b/.github/workflows/flask-overhead-profile.yml index 4adefed18ed..8f4dce9e5c7 100644 --- a/.github/workflows/flask-overhead-profile.yml +++ b/.github/workflows/flask-overhead-profile.yml @@ -21,6 +21,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false path: ddtrace - uses: actions/setup-python@v5 @@ -39,4 +40,3 @@ jobs: with: name: flask-overhead-profile path: ${{ github.workspace }}/prefix/artifacts - diff --git a/.github/workflows/generate-package-versions.yml b/.github/workflows/generate-package-versions.yml index 70a1a83adbf..4db524c3d04 100644 --- a/.github/workflows/generate-package-versions.yml +++ b/.github/workflows/generate-package-versions.yml @@ -16,6 +16,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Python 3.7 uses: actions/setup-python@v5 diff --git a/.github/workflows/pr-name.yml b/.github/workflows/pr-name.yml index 5a6e4bdfe80..a66c9f506e8 100644 --- a/.github/workflows/pr-name.yml +++ b/.github/workflows/pr-name.yml @@ -11,6 +11,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 - uses: actions/setup-node@v4 name: Install Node.js diff --git a/.github/workflows/requirements-locks.yml b/.github/workflows/requirements-locks.yml index a504ee43a75..69400d35dbd 100644 --- a/.github/workflows/requirements-locks.yml +++ b/.github/workflows/requirements-locks.yml @@ -15,6 +15,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 - name: Fixup git permissions diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 668aa507f89..4bd448eaf18 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml 
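Review bot: Any later step in the requirements-locks.yml job that runs an authenticated git command (`git push`, or a fetch of a private ref) will stop working once the token is no longer persisted, and the hunk does not show whether one exists. The steps after `Fixup git permissions` are outside the hunk, so this needs checking against the full job. The same applies to generate-package-versions.yml if it commits its output. If such a step exists, pass the token to that one step explicitly rather than re-enabling persistence on the checkout, so only the step that needs the credential sees it.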
@@ -14,6 +14,8 @@ jobs: extension: ["src/core"] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install latest stable toolchain and rustfmt run: rustup update stable && rustup default stable && rustup component add rustfmt clippy - name: Run cargo build diff --git a/.github/workflows/set-target-milestone.yml b/.github/workflows/set-target-milestone.yml index 6370a0a7d8b..31dcb1a9938 100644 --- a/.github/workflows/set-target-milestone.yml +++ b/.github/workflows/set-target-milestone.yml @@ -15,6 +15,7 @@ jobs: - uses: actions/checkout@v4 # Include all history and tags with: + persist-credentials: false fetch-depth: 0 - uses: actions/setup-python@v5 name: Install Python @@ -32,7 +33,7 @@ jobs: with: github-token: ${{secrets.GITHUB_TOKEN}} script: | - const title = "${{ steps.milestones.outputs.milestone }}"; + const title = "${{ steps.milestones.outputs.milestone }}" const milestones = await github.rest.issues.listMilestones({ owner: context.repo.owner, @@ -52,6 +53,6 @@ jobs: await github.rest.issues.update({ owner: context.repo.owner, repo: context.repo.repo, - issue_number: ${{ github.event.pull_request.number }}, + issue_number: context.pull_request.number, milestone: milestone.number, }); diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml index e7edf051ecc..48d4196a2ee 100644 --- a/.github/workflows/system-tests.yml +++ b/.github/workflows/system-tests.yml @@ -18,6 +18,7 @@ jobs: - name: Checkout system tests uses: actions/checkout@v4 with: + persist-credentials: false repository: 'DataDog/system-tests' - name: Build agent 
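Review bot: The new `const title = "${{ steps.milestones.outputs.milestone }}"` line in set-target-milestone.yml still has the Actions expression expanded into the script source before the JavaScript is parsed; the edit only drops the trailing semicolon. A milestone value containing a quote or a newline would therefore change the script rather than the string. Passing the value through the environment avoids that: add `env:` with `MILESTONE: ${{ steps.milestones.outputs.milestone }}` to the step and read it as `const title = process.env.MILESTONE`. How the `milestones` step derives its output is outside the hunk, so the practical exposure depends on whether a pull request can influence that value.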
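Review bot: `context.pull_request.number` looks likely to throw at runtime. In actions/github-script the event payload is exposed under `context.payload`, and as far as I know the context object has no `pull_request` property of its own. `issue_number: context.payload.pull_request.number,` (or `context.issue.number`) keeps the benefit of this change, which is that the PR number is no longer expanded into the script text. The script body starts above the hunk, so this is worth confirming with one run on a test pull request before merging.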
@@ -62,11 +63,13 @@ jobs: - name: Checkout system tests uses: actions/checkout@v4 with: + persist-credentials: false repository: 'DataDog/system-tests' - name: Checkout dd-trace-py uses: actions/checkout@v4 with: + persist-credentials: false path: 'binaries/dd-trace-py' fetch-depth: 0 # NB this ref is necessary to keep the checkout out of detached HEAD state, which setuptools_scm requires for @@ -112,6 +115,7 @@ jobs: - name: Checkout system tests uses: actions/checkout@v4 with: + persist-credentials: false repository: 'DataDog/system-tests' - name: Build runner @@ -280,10 +284,12 @@ jobs: - name: Checkout system tests uses: actions/checkout@v4 with: + persist-credentials: false repository: 'DataDog/system-tests' - name: Checkout dd-trace-py uses: actions/checkout@v4 with: + persist-credentials: false path: 'binaries/dd-trace-py' fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha || github.sha }} diff --git a/.github/workflows/test_frameworks.yml b/.github/workflows/test_frameworks.yml index 4b0124db8d6..809dee38234 100644 --- a/.github/workflows/test_frameworks.yml +++ b/.github/workflows/test_frameworks.yml @@ -13,7 +13,7 @@ on: workflow_dispatch: {} schedule: - cron: '0 5 * * *' - + concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -26,6 +26,8 @@ jobs: outcome: ${{ steps.run_needed.outcome }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - id: run_needed name: Check if run is needed run: | @@ -77,9 +79,11 @@ jobs: if: needs.needs-run.outputs.outcome == 'success' with: path: ddtrace + persist-credentials: false - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: bottlepy/bottle ref: 0.12.25 path: bottle 
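Review bot: The `Checkout dd-trace-py` step in the `-280,10` hunk of system-tests.yml checks out `${{ github.event.pull_request.head.sha || github.sha }}`, which is contributor-controlled code on pull requests. Dropping the persisted token is the right hardening for that, but it only covers the token in `.git/config`. The `on:` block and the later steps are outside the hunk, so it is worth confirming that the workflow runs on `pull_request` rather than `pull_request_target`, and that no secret is placed in the environment of steps that build or run the checked-out tree. A comment next to `ref:` stating that assumption would keep it from being changed unnoticed.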
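Review bot: The second checkout in the `-77,9` hunk of test_frameworks.yml pulls `bottlepy/bottle` at the tag `0.12.25`, which its upstream can move, and the later steps that use that tree are outside the hunk. `persist-credentials: false` keeps the job token out of the third-party working tree, but pinning `ref:` to the full commit SHA, with the tag in a trailing comment, would also fix which code the job runs. The same pattern recurs in the later hunks of this file (sanic, django, fastapi, flask, httpx, mako, starlette, requests, asyncpg, gunicorn, uwsgi). As a smaller point, this hunk puts the new key after `path: ddtrace`, while every other checkout in the commit puts it first under `with:`.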
@@ -146,10 +150,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: sanic-org/sanic ref: v24.6.0 path: sanic @@ -229,10 +235,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: django/django ref: 5.0.7 path: django @@ -325,10 +333,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: graphql-python/graphene # TODO: bump ref to `graphene>3.0.0`. # Unreleased CI fix: https://github.com/graphql-python/graphene/pull/1412 @@ -397,10 +407,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: tiangolo/fastapi ref: 0.92.0 path: fastapi @@ -462,10 +474,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: pallets/flask ref: 3.0.3 path: flask @@ -512,10 +526,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: encode/httpx ref: 0.22.0 path: httpx 
@@ -584,10 +600,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: sqlalchemy/mako ref: rel_1_3_5 path: mako @@ -654,10 +672,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: encode/starlette ref: 0.38.4 path: starlette @@ -719,10 +739,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: psf/requests ref: v2.26.0 path: requests @@ -786,10 +808,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: magicstack/asyncpg ref: v0.29.0 path: asyncpg @@ -841,10 +865,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: benoitc/gunicorn ref: 20.1.0 path: gunicorn @@ -898,10 +924,12 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false repository: unbit/uwsgi ref: 2.0.21 path: uwsgi 
@@ -975,6 +1003,7 @@ jobs: - uses: actions/checkout@v4 if: needs.needs-run.outputs.outcome == 'success' with: + persist-credentials: false path: ddtrace - name: Checkout beautifulsoup if: needs.needs-run.outputs.outcome == 'success' diff --git a/.github/workflows/test_lib_injection.yml b/.github/workflows/test_lib_injection.yml index 7b9418390b8..c30988db6d1 100644 --- a/.github/workflows/test_lib_injection.yml +++ b/.github/workflows/test_lib_injection.yml @@ -32,6 +32,8 @@ jobs: - "3.13" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install pyenv run: | export PYENV_ROOT="${HOME}/.pyenv" diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index a81755cf20f..3de25fa22b0 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -22,6 +22,7 @@ jobs: - uses: actions/checkout@v4 # Include all history and tags with: + persist-credentials: false fetch-depth: 0 - uses: actions-rust-lang/setup-rust-toolchain@v1 diff --git a/.github/workflows/upstream-issues.yml b/.github/workflows/upstream-issues.yml index 1ea1f31264f..5c838bc894c 100644 --- a/.github/workflows/upstream-issues.yml +++ b/.github/workflows/upstream-issues.yml @@ -8,6 +8,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: Kyle-Verhoog/upstream-issue-notifier@v0.1.3 env: GITHUB_TOKEN: ${{ github.token }}
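Review bot: In upstream-issues.yml the third-party action `Kyle-Verhoog/upstream-issue-notifier@v0.1.3` still receives `GITHUB_TOKEN: ${{ github.token }}` through `env:`, so `persist-credentials: false` on the checkout does not limit what that action can do with the token. The `v0.1.3` tag is mutable. Pinning the `uses:` line to a full commit SHA and declaring a `permissions:` block with only the scopes the notifier needs would bound it. Whether the workflow already sets `permissions:` is not visible in this hunk.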