Devin.ford/workflow updates #30172
Devin.ford/workflow updates #30172
Conversation
ℹ️ Documentation Team ReviewNo documentation team review is required for this pull request. |
![datadog-dd-corpsite-datadog-org[bot]](https://avatars.githubusercontent.com/u/365230?s=60&v=4){kind=small}
| @@ -0,0 +1,31 @@ | |||
| name: Octo STS Test | |||
There was a problem hiding this comment.
🟠 Code Vulnerability
No explicit permissions set for at the workflow level (...read more)
Check the permissions granted to jobs
Datadog’s GitHub organization defines default permissions for the GITHUB_TOKEN to be restricted (contents:read, metadata:read and packages:read).
Your repository may require different setup, but please consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromission.
You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. Please note they can be defined at the job or the workflow level.
| steps: | ||
| # <TESTING> Only for debugging, remove after testing | ||
| - name: Debug OIDC Claims | ||
| uses: github/actions-oidc-debugger@main |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag (...read more)
Pin third party actions by hash
When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a git ref (a branch name, a git tag, or a commit hash).
No pinned git ref means the action will use the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a git tag is better, but since they are mutable, using a full length hash is recommended to make sure the action's content is actually frozen to some reviewed state.
If you wanna benefit from auto-updates, you can enable Dependabot on your repository. It is able to update actions pinned by hash and comment version numbers after them for better readability (see for instance this example PR).
What does this PR do? What is the motivation?
Merge instructions
Merge readiness:
For Datadog employees:
Your branch name MUST follow the
<name>/<description>convention and include the forward slash (/). Without this format, your pull request will not pass CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links.If your branch doesn't follow this format, rename it or create a new branch and PR.
[6/5/2025] Merge queue has been disabled on the documentation repo. If you have write access to the repo, the PR has been reviewed by a Documentation team member, and all of the required checks have passed, you can use the Squash and Merge button to merge the PR. If you don't have write access, or you need help, reach out in the #documentation channel in Slack.
Additional notes