Verify yaml

[bengl]

Ensures that plugins are tested with the same ranges that they support.

[github-actions]

Overall package size

Self size: 8.26 MB
Deduped: 94.55 MB
No deduping: 95.07 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | @datadog/libdatadog | 0.2.2 | 29.27 MB | 29.27 MB | | @datadog/native-appsec | 8.3.0 | 19.37 MB | 19.38 MB | | @datadog/native-iast-taint-tracking | 3.2.0 | 13.9 MB | 13.91 MB | | @datadog/pprof | 5.4.1 | 9.76 MB | 10.13 MB | | protobufjs | 7.2.5 | 2.77 MB | 5.16 MB | | @datadog/native-iast-rewriter | 2.6.0 | 2.58 MB | 2.72 MB | | @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB | | @datadog/native-metrics | 3.0.1 | 1.06 MB | 1.46 MB | | @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB | | import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB | | source-map | 0.7.4 | 226 kB | 226 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | lru-cache | 7.18.3 | 133.92 kB | 133.92 kB | | pprof-format | 2.1.0 | 111.69 kB | 111.69 kB | | @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB | | semver | 7.6.3 | 95.82 kB | 95.82 kB | | lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB | | ignore | 5.3.1 | 51.46 kB | 51.46 kB | | shell-quote | 1.8.1 | 44.96 kB | 44.96 kB | | istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB | | rfdc | 1.3.1 | 25.21 kB | 25.21 kB | | @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB | | tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB | | limiter | 1.1.5 | 23.17 kB | 23.17 kB | | dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB | | retry | 0.13.1 | 18.85 kB | 18.85 kB | | jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB | | crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB | | path-to-regexp | 0.1.12 | 6.6 kB | 6.6 kB | | koalas | 1.0.2 | 6.47 kB | 6.47 kB | | module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[pr-commenter]

Benchmarks

Benchmark execution time: 2024-12-13 21:15:16

Comparing candidate commit b5c8eb2 in PR branch bengl/verify-yaml with baseline commit 83c6928 in branch master.

Found 1 performance improvements and 0 performance regressions! Performance is the same for 262 metrics, 3 unstable metrics.

scenario:plugin-graphql-with-depth-and-collapse-on-18

• 🟩 max_rss_usage [-86.749MB; -85.771MB] or [-9.163%; -9.059%]

[Qard]

Seems like node-version is not actually used?

[bengl]

Yeah, it's for validation in the script. I'm gonna try to work out a better way of expressing this though.

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

Pin third party actions by hash, or at least by tag for trusted sources

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a git ref (a branch name, a git tag, or a commit hash).

No pinned git ref means the action will use the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[tlhunter]

Shouldn't actions always be a trusted org? If we can't trust GitHub then why is our code on GitHub?

[rochdev]

Can we just disable this entirely? It just complains about everything, making it effectively useless as it just pollutes PRs with dozens of comments like this constantly everywhere.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.85%. Comparing base (823cfd4) to head (3fa3454).
Report is 30 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4639      +/-   ##
==========================================
- Coverage   65.05%   64.85%   -0.20%     
==========================================
  Files         304      127     -177     
  Lines       13950     4146    -9804     
==========================================
- Hits         9075     2689    -6386     
+ Misses       4875     1457    -3418     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

Pin third party actions by hash, or at least by tag for trusted sources

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a git ref (a branch name, a git tag, or a commit hash).

No pinned git ref means the action will use the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[tlhunter]

Seems better than what we have today. That said I'm not sure how a developer can figure out how to fix things based on the resulting error.

[rochdev]

I think this (and the name of the script file too) could use a more descriptive name of what it's doing. Something like verify-plugin-versions or anything more descriptive.

[bengl]

Note that this now removes support (i.e. no longer instruments) Next.js >=12.0.0 <12.2.0 Since the tests won't run (because next build does not successfully run).

[rochdev]

Note that this now removes support (i.e. no longer instruments) Next.js >=12.0.0 <12.2.0 Since the tests won't run (because next build does not successfully run).

Do you know why they won't run? According to Next documentation, Next 12 supports Node.js >=12.

[rochdev]

Doesn't that mean that this version isn't supported anymore?

[bengl]

We'd have to take it out of instrumentation as well, not just the GitHub yaml. Meaning we'd never attempt to to instrument those versions. Is that fine?

[rochdev]

This is a breaking change.

[bengl]

For the versions removed from the range (12.0.x and 12.1.x), next build fails, so the tests fail. It doesn't appear that we can test these versions (or that we ever could) so the claim of support was always incorrect.