Merge branch 'di-strip-path' into di-demo

* di-strip-path: (52 commits)
  types
  standard
  integration test
  quick fix
  doc for what to do
  Bump ruby/setup-ruby in the gh-actions-packages group (#4343)
  ci: pin all GitHub Actions by SHA and update via dependabot (#4341)
  Bundle install
  Pin system test sha
  Update lockfiles for release 2.10.0
  Bump version 2.9.0 to 2.10.0
  Add 2.10.0 to CHANGELOG.md
  Remove magic nix cache action (#4339)
  Test creating supported versions (#4236)
  Update supported versions workflow (#4326)
  Enable on pull request
  Provide batch summary
  Fix batches
  Purge cache after merge
  Implement cache
  ...

Author: p

.github/dependabot.yml

@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      gh-actions-packages:
+        patterns:
+          - "*"

.github/scripts/generate_table_versions.rb

@@ -14,6 +14,13 @@ class GemfileProcessor
   EXCLUDED_INTEGRATIONS = ["configuration", "propagation", "utils"].freeze
 
   def initialize(directory: 'gemfiles/', contrib_dir: 'lib/datadog/tracing/contrib/')
+    unless Dir.exist?(directory)
+      warn("Directory #{directory} does not exist")
+    end
+  
+    unless Dir.exist?(contrib_dir)
+      warn("Directory #{contrib_dir} does not exist")
+    end  
     @directory = directory
     @contrib_dir = contrib_dir
     @min_gems = { 'ruby' => {}, 'jruby' => {} }
@@ -25,7 +32,7 @@ def process
     parse_gemfiles
     process_integrations
     include_hardcoded_versions
-    write_output
+    write_markdown_output
   end
 
   private
@@ -106,18 +113,18 @@ def process_integrations
   def include_hardcoded_versions
       # `httpx` is maintained externally
     @integration_json_mapping['httpx'] = [
-      '0.11',         # Min version Ruby
-      'infinity',     # Max version Ruby
-      '0.11',         # Min version JRuby
-      'infinity'      # Max version JRuby
+      '[3rd-party support](https://honeyryderchuck.gitlab.io/httpx/)',         # Min version Ruby
+      '[3rd-party support](https://honeyryderchuck.gitlab.io/httpx/)',     # Max version Ruby
+      '[3rd-party support](https://honeyryderchuck.gitlab.io/httpx/)',         # Min version JRuby
+      '[3rd-party support](https://honeyryderchuck.gitlab.io/httpx/)',      # Max version JRuby
     ]
 
     # `makara` is part of `activerecord`
     @integration_json_mapping['makara'] = [
-      '0.3.5',        # Min version Ruby
-      'infinity',     # Max version Ruby
-      '0.3.5',        # Min version JRuby
-      'infinity'      # Max version JRuby
+      '0.5.1',        # Min version Ruby
+      '0.5.1',     # Max version Ruby
+      '0.5.1',        # Min version JRuby
+      '0.5.1'      # Max version JRuby
     ]
   end
 
@@ -131,10 +138,60 @@ def resolve_integration_name(integration)
     integration
   end
 
-  def write_output
-    @integration_json_mapping = @integration_json_mapping.sort.to_h
-    File.write("gem_output.json", JSON.pretty_generate(@integration_json_mapping))
+  def write_markdown_output
+    output_file = 'docs/integration_versions.md'
+    comment = <<~COMMENT
+      <!--
+      # Please do NOT manually edit this file.
+      # This file is generated by `bundle exec ruby .github/scripts/update_supported_versions.rb`
+
+      ### Supported Versions Table ###
+  
+      This markdown file is generated from the minimum and maximum versions of the integrations we support, as tested in our `gemfile.lock` lockfiles.
+      For a list of available integrations, and their supported version ranges, refer to the following:
+      -->
+    COMMENT
+    column_widths = {
+      integration: 24,
+      ruby_min: 19,
+      ruby_max: 19,
+      jruby_min: 19,
+      jruby_max: 19
+    }
+    columns = {
+      integration: "Integration",
+      ruby_min: "Ruby Min",
+      ruby_max: "Ruby Max",
+      jruby_min: "JRuby Min",
+      jruby_max: "JRuby Max"
+    }
+
+    adjusted_widths = columns.transform_values.with_index do |title, index|
+      [title.length, column_widths.values[index]].max
+    end
+
+    header = "| " + columns.map { |key, title| title.ljust(adjusted_widths[key]) }.join(" | ") + " |"
+    separator = "|-" + adjusted_widths.map { |_, width| "-" * width }.join("-|-") + "-|"
+    rows = @integration_json_mapping
+          .sort_by { |name, _versions| name.downcase }
+          .map do |name, versions|
+      integration_name = name.ljust(column_widths[:integration])
+      ruby_min = (versions[0] || "None").ljust(column_widths[:ruby_min])
+      ruby_max = (versions[1] == 'infinity' ? 'latest' : versions[1] || 'None').ljust(column_widths[:ruby_max])
+      jruby_min = (versions[2] || "None").ljust(column_widths[:jruby_min])
+      jruby_max = (versions[3] == 'infinity' ? 'latest' : versions[3] || 'None').ljust(column_widths[:jruby_max])
+  
+      "| #{integration_name} | #{ruby_min} | #{ruby_max} | #{jruby_min} | #{jruby_max} |"
+    end
+  
+    File.open(output_file, 'w') do |file|
+      file.puts comment
+      file.puts header
+      file.puts separator
+      rows.each { |row| file.puts row }
+    end
   end
 end
 
+
 GemfileProcessor.new.process

.github/scripts/find_gem_version_bounds.rb renamed to .github/scripts/update_supported_versions.rb

@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Checkout code
         # Checks out the branch that the pull request is merged into
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.base.ref }}
 
@@ -26,7 +26,7 @@ jobs:
 
       - name: Get project milestones
         id: milestones
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
@@ -39,7 +39,7 @@ jobs:
 
       - name: Update Pull Request
         # Update the merged pull request with the milestone starts with the major version
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |

.github/workflows/add-milestone-to-pull-requests.yml

@@ -27,8 +27,8 @@ jobs:
     name: Build gem (${{ matrix.type }})
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ruby/setup-ruby@8388f20e6a9c43cd241131b678469a9f89579f37 # v1.216.0
         with:
           ruby-version: '3.2'
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
@@ -60,7 +60,7 @@ jobs:
         run: |
           find pkg
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: 'datadog-gem-${{ matrix.type }}-gha${{ github.run_id }}-g${{ github.sha }}'
           path: 'pkg/*.gem'
@@ -77,14 +77,14 @@ jobs:
       - build
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: 'datadog-gem-${{ matrix.type }}-gha${{ github.run_id }}-g${{ github.sha }}'
           path: 'pkg'
       - name: List gem
         run: |
           find pkg
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@8388f20e6a9c43cd241131b678469a9f89579f37 # v1.216.0
         with:
           ruby-version: '3.2'
       - name: Install gem
@@ -103,7 +103,7 @@ jobs:
     if: ${{ inputs.push }}
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: 'datadog-gem-${{ matrix.type }}-gha${{ github.run_id }}-g${{ github.sha }}'
           path: 'pkg'

.github/workflows/build-gem.yml

@@ -0,0 +1,30 @@
+# Reference:
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+
+name: Cleanup caches by a branch
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Cleanup
+        run: |
+          echo "Fetching list of cache key"
+          cacheKeysForPR=$(gh cache list --ref $BRANCH --limit 100 --json id --jq '.[].id')
+
+          ## Setting this to not fail the workflow while deleting cache keys.
+          set +e
+          echo "Deleting caches..."
+          for cacheKey in $cacheKeysForPR
+          do
+              gh cache delete $cacheKey
+          done
+          echo "Done"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge

.github/workflows/cache-cleanup.yml

@@ -1,25 +1,57 @@
-name: Check
+name: Static Analysis
 on:
   push:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  lint:
-    runs-on: ubuntu-22.04
-    container:
-      image: ghcr.io/datadog/images-rb/engines/ruby:3.2
+  build:
+    name: build
+    runs-on: ubuntu-24.04
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - run: bundle lock
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        id: lockfile
+        with:
+          name: 'check-lockfile-${{ github.sha }}-${{ github.run_id }}'
+          path: '*.lock'
+          if-no-files-found: error
+
+  rubocop:
+    name: rubocop/lint
+    runs-on: ubuntu-24.04
+    needs: ['build']
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      - run: bundle install
+      - run: bundle exec rake rubocop
+
+  standard:
+    name: standard/lint
+    runs-on: ubuntu-24.04
+    needs: ['build']
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       - name: Install dependencies
         run: bundle install
-      - run: bundle exec rake rubocop standard
+      - run: bundle exec rake standard
 
-  check:
-    name: Check types
-    runs-on: ubuntu-22.04
-    container:
-      image: ghcr.io/datadog/images-rb/engines/ruby:3.2
+  steep:
+    name: steep/typecheck
+    runs-on: ubuntu-24.04
+    needs: ['build']
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       - name: Install dependencies
         run: bundle install
       - name: Check for stale signature files
@@ -30,3 +62,59 @@ jobs:
         run: bundle exec rake steep:check
       - name: Record stats
         run: bundle exec rake steep:stats[md] >> $GITHUB_STEP_SUMMARY
+
+  # Dogfooding Datadog SBOM Analysis
+  dd-software-composition-analysis:
+    name: dd/sca
+    runs-on: ubuntu-24.04
+    needs: ['build']
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 # requires the lockfile
+      - uses: DataDog/datadog-sca-github-action@main
+        with:
+          dd_api_key: ${{ secrets.DD_API_KEY }}
+          dd_app_key: ${{ secrets.DD_APP_KEY }}
+          dd_site: datadoghq.com
+
+  # Dogfooding Datadog Static Analysis
+  dd-static-analysis:
+    name: dd/static-analysis
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: DataDog/datadog-static-analyzer-github-action@v1
+        with:
+          dd_api_key: ${{ secrets.DD_API_KEY }}
+          dd_app_key: ${{ secrets.DD_APP_KEY }}
+          dd_site: datadoghq.com
+          cpu_count: 2
+
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-24.04
+    container: semgrep/semgrep # PENDING: Possible to be rate limited.
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - run: |
+          semgrep ci \
+          --include=bin/* \
+          --include=ext/* \
+          --include=lib/* \
+          --exclude-rule=ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible
+        env:
+          SEMGREP_RULES: p/default
+
+  static-analysis:
+    needs:
+      - 'steep'
+      - 'rubocop'
+      - 'standard'
+      - 'semgrep'
+      - 'dd-software-composition-analysis'
+      - 'dd-static-analysis'
+    runs-on: ubuntu-24.04
+    steps:
+      - run: echo "Done"