Merge pull request #4909 from linuxfoundation/unicron-add-opentelemetry-datadog-api-logging

Add OpenTelemetry/DataDog API logging [prod]

Author: lukaszgryglicki

.github/dependabot.yml

@@ -12,20 +12,50 @@ updates:
   - package-ecosystem: "npm" # See documentation for possible values
     directory: "/cla-landing-page" # Location of package manifests
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    ignore:
+      - dependency-name: "serverless"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
+      - dependency-name: "serverless-domain-manager"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
   - package-ecosystem: "npm" # See documentation for possible values
     directory: "/cla-backend" # Location of package manifests
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    ignore:
+      - dependency-name: "serverless"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
+      - dependency-name: "serverless-domain-manager"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
   - package-ecosystem: "pip" # See documentation for possible values
     directory: "/cla-backend" # Location of package manifests
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    ignore:
+      - dependency-name: "serverless"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
+      - dependency-name: "serverless-domain-manager"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
   - package-ecosystem: "npm" # See documentation for possible values
     directory: "/cla-backend-go" # Location of package manifests
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    ignore:
+      - dependency-name: "serverless"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
+      - dependency-name: "serverless-domain-manager"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
   - package-ecosystem: "gomod" # See documentation for possible values
     directory: "/cla-backend-go" # Location of package manifests
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    ignore:
+      - dependency-name: "serverless"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
+      - dependency-name: "serverless-domain-manager"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]

.github/workflows/build-pr.yml

@@ -16,6 +16,7 @@ permissions:
 env:
   AWS_REGION: us-east-1
   STAGE: dev
+  DD_VERSION: ${{ github.sha }}
 
 jobs:
   build-test-lint:

.github/workflows/codeql-analysis.yml

@@ -5,54 +5,42 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [main, ]
+    branches: [main]
   pull_request:
-    # The branches below must be a subset of the branches above
     branches: [main]
   schedule:
     - cron: '0 5 * * 4'
 
 jobs:
   analyse:
-    name: Analyse
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
 
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    # Note: git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.
-    #- run: git checkout HEAD^2
-    #  if: ${{ github.event_name == 'pull_request' }}
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      # Override language selection by uncommenting this and choosing your languages
-      # with:
-      #   languages: go, javascript, csharp, python, cpp, java
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['go', 'python', 'javascript']
 
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/deploy-dev.yml

@@ -16,6 +16,7 @@ permissions:
 env:
   AWS_REGION: us-east-1
   STAGE: dev
+  DD_VERSION: ${{ github.sha }}
 
 jobs:
   build-deploy-dev:

.github/workflows/deploy-prod.yml

@@ -18,6 +18,7 @@ permissions:
 env:
   AWS_REGION: us-east-1
   STAGE: prod
+  DD_VERSION: ${{ github.sha }}
 
 jobs:
   build-deploy-prod:

.github/workflows/yarn-scan-backend-go-pr.yml

@@ -9,6 +9,10 @@ on:
   pull_request:
     branches:
       - dev
+    paths:
+      - "cla-backend-go/package.json"
+      - "cla-backend-go/yarn.lock"
+      - ".github/workflows/yarn-scan-backend-go-pr.yml"
 
 jobs:
   yarn-scan-backend-go-pr:
@@ -25,4 +29,5 @@ jobs:
       - name: Yarn Audit
         working-directory: cla-backend-go
         run: |
-          yarn audit
+          yarn audit --json > audit.json || true
+          node ../scripts/yarn-audit-filter.mjs audit.json ../.yarn-audit-allowlist.json

.github/workflows/yarn-scan-backend-pr.yml

@@ -9,6 +9,10 @@ on:
   pull_request:
     branches:
       - dev
+    paths:
+      - "cla-backend/package.json"
+      - "cla-backend/yarn.lock"
+      - ".github/workflows/yarn-scan-backend-pr.yml"
 
 jobs:
   yarn-scan-backend-pr:
@@ -25,4 +29,5 @@ jobs:
       - name: Yarn Audit
         working-directory: cla-backend
         run: |
-          yarn audit
+          yarn audit --json > audit.json || true
+          node ../scripts/yarn-audit-filter.mjs audit.json ../.yarn-audit-allowlist.json

.gitignore

@@ -266,3 +266,7 @@ cla-backend/python-api.log
 cla-backend/python-api.err
 cla-backend-go/golang-api.err
 cla-backend-go/golang-api.log
+utils/otel_dd_go/otel_dd
+audit.json
+spans*.json
+api_usage.csv

.yarn-audit-allowlist.json

@@ -0,0 +1,9 @@
+{
+  "minSeverity": "high",
+  "allowlist": [
+    1111997
+  ],
+  "notes": {
+    "1111997": "aws-sdk v2 advisory flagged as 'No patch available' in our current baseline; accepted until migration."
+  }
+}

cla-backend-go/bootstrap

@@ -0,0 +1,21 @@
+#!/bin/sh
+set -eu
+
+# AWS Lambda custom runtime entrypoint (provided.al2 / provided.al2023).
+# AWS executes /var/task/bootstrap. The configured Lambda "Handler" is exposed
+# via the $_HANDLER env var. We exec that handler binary (which is our Go
+# executable) so we don't need to rename every binary to 'bootstrap'.
+
+if [ -z "${_HANDLER:-}" ]; then
+  echo "bootstrap: _HANDLER is not set" >&2
+  exit 1
+fi
+
+HANDLER_PATH="/var/task/${_HANDLER}"
+if [ ! -x "${HANDLER_PATH}" ]; then
+  echo "bootstrap: handler '${HANDLER_PATH}' not found or not executable" >&2
+  ls -la /var/task >&2 || true
+  exit 1
+fi
+
+exec "${HANDLER_PATH}"