ci: setup building nuget packages in CI

[ganeshnj]

What does this PR do?

• Build nuget packages on changes
• Include data pipeline artifacts

Motivation

• Prerequisite for data pipeline integration in .NET tracer
• Currently, we are not testing the building nuget packages in CI

Additional Notes

Anything else we should know when reviewing?

How to test the change?

The libdatadog nuget version attached in artifacts can be used directly in .NET tracer.

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

No explicit permissions set for at the workflow level (...read more)

Datadog’s GitHub organization defines default permissions for the GITHUB_TOKEN to be restricted (contents:read, metadata:read, and packages:read).

Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.

You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.

    

[pr-commenter]

Benchmarks

Comparison

Benchmark execution time: 2024-11-19 09:40:59

Comparing candidate commit 88f6c10 in PR branch ganeshnj/feat/datapipeline-nuget with baseline commit ce9ae28 in branch main.

Found 2 performance improvements and 0 performance regressions! Performance is the same for 49 metrics, 2 unstable metrics.

scenario:credit_card/is_card_number_no_luhn/378282246310005

• 🟩 execution_time [-9.198µs; -9.127µs] or [-12.827%; -12.728%]
• 🟩 throughput [+2035386.827op/s; +2050370.448op/s] or [+14.595%; +14.702%]

Candidate

Candidate benchmark details

Group 1

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
two way interface	execution_time	18.713µs	25.252µs ± 11.070µs	19.473µs ± 0.237µs	35.011µs	44.391µs	46.931µs	97.032µs	398.30%	2.825	12.479	43.73%	0.783µs	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
two way interface	execution_time	[23.717µs; 26.786µs] or [-6.075%; +6.075%]	None	None	None

Group 2

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
normalization/normalize_trace/test_trace	execution_time	296.093ns	313.341ns ± 19.890ns	305.035ns ± 6.133ns	318.706ns	357.882ns	370.360ns	370.556ns	21.48%	1.623	1.556	6.33%	1.406ns	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
normalization/normalize_trace/test_trace	execution_time	[310.584ns; 316.098ns] or [-0.880%; +0.880%]	None	None	None

Group 3

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
tags/replace_trace_tags	execution_time	2.615µs	2.692µs ± 0.022µs	2.694µs ± 0.007µs	2.704µs	2.716µs	2.720µs	2.721µs	1.01%	-2.075	4.424	0.82%	0.002µs	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
tags/replace_trace_tags	execution_time	[2.688µs; 2.695µs] or [-0.114%; +0.114%]	None	None	None

Group 4

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
write only interface	execution_time	1.389µs	3.291µs ± 1.421µs	3.146µs ± 0.029µs	3.168µs	3.202µs	14.150µs	15.115µs	380.43%	7.528	56.993	43.06%	0.100µs	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
write only interface	execution_time	[3.094µs; 3.488µs] or [-5.983%; +5.983%]	None	None	None

Group 5

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
credit_card/is_card_number/	execution_time	4.599µs	4.612µs ± 0.009µs	4.613µs ± 0.007µs	4.618µs	4.629µs	4.631µs	4.633µs	0.45%	0.366	-0.701	0.19%	0.001µs	1	200
credit_card/is_card_number/	throughput	215826729.364op/s	216805162.102op/s ± 405842.961op/s	216797593.811op/s ± 312134.993op/s	217210359.325op/s	217378802.589op/s	217400321.857op/s	217419471.558op/s	0.29%	-0.359	-0.709	0.19%	28697.431op/s	1	200
credit_card/is_card_number/ 3782-8224-6310-005	execution_time	93.109µs	93.495µs ± 0.317µs	93.437µs ± 0.097µs	93.566µs	93.761µs	94.295µs	97.094µs	3.91%	7.692	81.521	0.34%	0.022µs	1	200
credit_card/is_card_number/ 3782-8224-6310-005	throughput	10299345.173op/s	10695897.113op/s ± 35403.148op/s	10702404.831op/s ± 11120.899op/s	10711882.155op/s	10718183.882op/s	10734310.779op/s	10740049.645op/s	0.35%	-7.449	77.639	0.33%	2503.381op/s	1	200
credit_card/is_card_number/ 378282246310005	execution_time	85.202µs	85.408µs ± 0.349µs	85.332µs ± 0.029µs	85.363µs	85.958µs	86.695µs	89.263µs	4.61%	7.667	75.136	0.41%	0.025µs	1	200
credit_card/is_card_number/ 378282246310005	throughput	11202803.880op/s	11708747.325op/s ± 46373.624op/s	11718980.647op/s ± 4019.880op/s	11722472.860op/s	11726100.894op/s	11730992.932op/s	11736864.317op/s	0.15%	-7.449	71.370	0.40%	3279.110op/s	1	200
credit_card/is_card_number/37828224631	execution_time	4.591µs	4.611µs ± 0.009µs	4.611µs ± 0.007µs	4.617µs	4.628µs	4.629µs	4.633µs	0.48%	0.386	-0.614	0.19%	0.001µs	1	200
credit_card/is_card_number/37828224631	throughput	215824473.380op/s	216855955.805op/s ± 405557.022op/s	216870764.932op/s ± 313579.675op/s	217254403.920op/s	217385762.240op/s	217399519.237op/s	217819088.387op/s	0.44%	-0.379	-0.620	0.19%	28677.212op/s	1	200
credit_card/is_card_number/378282246310005	execution_time	81.611µs	82.060µs ± 0.231µs	82.036µs ± 0.101µs	82.143µs	82.342µs	83.072µs	83.239µs	1.47%	1.945	7.570	0.28%	0.016µs	1	200
credit_card/is_card_number/378282246310005	throughput	12013643.166op/s	12186342.158op/s ± 34096.991op/s	12189764.866op/s ± 15079.243op/s	12204330.402op/s	12231633.580op/s	12249614.947op/s	12253287.095op/s	0.52%	-1.896	7.315	0.28%	2411.021op/s	1	200
credit_card/is_card_number/37828224631000521389798	execution_time	58.858µs	58.896µs ± 0.022µs	58.898µs ± 0.016µs	58.907µs	58.932µs	58.956µs	59.029µs	0.22%	1.419	5.438	0.04%	0.002µs	1	200
credit_card/is_card_number/37828224631000521389798	throughput	16940952.311op/s	16979138.587op/s ± 6405.134op/s	16978645.957op/s ± 4725.193op/s	16984245.838op/s	16987061.465op/s	16989363.418op/s	16989921.579op/s	0.07%	-1.413	5.396	0.04%	452.911op/s	1	200
credit_card/is_card_number/x371413321323331	execution_time	6.819µs	6.838µs ± 0.034µs	6.824µs ± 0.003µs	6.831µs	6.903µs	6.935µs	7.110µs	4.19%	3.666	20.405	0.50%	0.002µs	1	200
credit_card/is_card_number/x371413321323331	throughput	140653665.044op/s	146247265.993op/s ± 719687.404op/s	146541529.631op/s ± 66099.285op/s	146605712.745op/s	146627808.060op/s	146644258.581op/s	146654147.361op/s	0.08%	-3.537	18.880	0.49%	50889.584op/s	1	200
credit_card/is_card_number_no_luhn/	execution_time	4.588µs	4.613µs ± 0.008µs	4.613µs ± 0.006µs	4.619µs	4.626µs	4.630µs	4.631µs	0.39%	-0.003	-0.627	0.18%	0.001µs	1	200
credit_card/is_card_number_no_luhn/	throughput	215931138.574op/s	216798924.073op/s ± 391177.132op/s	216781930.103op/s ± 285461.416op/s	217075972.785op/s	217379676.524op/s	217426101.593op/s	217967320.579op/s	0.55%	0.010	-0.626	0.18%	27660.400op/s	1	200
credit_card/is_card_number_no_luhn/ 3782-8224-6310-005	execution_time	73.353µs	73.672µs ± 0.189µs	73.673µs ± 0.102µs	73.772µs	73.884µs	74.028µs	75.032µs	1.84%	2.588	16.403	0.26%	0.013µs	1	200
credit_card/is_card_number_no_luhn/ 3782-8224-6310-005	throughput	13327667.768op/s	13573736.481op/s ± 34571.573op/s	13573442.881op/s ± 18811.128op/s	13596872.722op/s	13620425.190op/s	13627864.159op/s	13632624.233op/s	0.44%	-2.500	15.673	0.25%	2444.579op/s	1	200
credit_card/is_card_number_no_luhn/ 378282246310005	execution_time	65.271µs	65.519µs ± 0.134µs	65.529µs ± 0.110µs	65.638µs	65.715µs	65.735µs	65.768µs	0.36%	-0.129	-1.059	0.20%	0.009µs	1	200
credit_card/is_card_number_no_luhn/ 378282246310005	throughput	15205011.254op/s	15262834.718op/s ± 31285.715op/s	15260304.911op/s ± 25682.767op/s	15290396.108op/s	15314730.553op/s	15319226.119op/s	15320854.747op/s	0.40%	0.135	-1.058	0.20%	2212.234op/s	1	200
credit_card/is_card_number_no_luhn/37828224631	execution_time	4.600µs	4.614µs ± 0.009µs	4.614µs ± 0.006µs	4.619µs	4.629µs	4.632µs	4.632µs	0.39%	0.203	-0.775	0.19%	0.001µs	1	200
credit_card/is_card_number_no_luhn/37828224631	throughput	215885725.684op/s	216723356.503op/s ± 404867.059op/s	216723662.837op/s ± 282290.335op/s	217022047.780op/s	217363236.924op/s	217393814.833op/s	217400172.577op/s	0.31%	-0.196	-0.778	0.19%	28628.424op/s	1	200
credit_card/is_card_number_no_luhn/378282246310005	execution_time	62.160µs	62.545µs ± 0.133µs	62.519µs ± 0.050µs	62.630µs	62.766µs	62.914µs	63.082µs	0.90%	0.490	1.422	0.21%	0.009µs	1	200
credit_card/is_card_number_no_luhn/378282246310005	throughput	15852351.201op/s	15988632.001op/s ± 33915.728op/s	15995188.647op/s ± 12793.733op/s	16005027.181op/s	16045617.611op/s	16064165.875op/s	16087438.445op/s	0.58%	-0.470	1.389	0.21%	2398.204op/s	1	200
credit_card/is_card_number_no_luhn/37828224631000521389798	execution_time	58.861µs	58.894µs ± 0.021µs	58.894µs ± 0.016µs	58.907µs	58.932µs	58.945µs	58.982µs	0.15%	0.947	1.602	0.04%	0.001µs	1	200
credit_card/is_card_number_no_luhn/37828224631000521389798	throughput	16954254.032op/s	16979678.749op/s ± 6102.157op/s	16979521.848op/s ± 4732.433op/s	16984985.273op/s	16987270.928op/s	16988215.699op/s	16989237.318op/s	0.06%	-0.944	1.589	0.04%	431.488op/s	1	200
credit_card/is_card_number_no_luhn/x371413321323331	execution_time	6.819µs	6.834µs ± 0.027µs	6.824µs ± 0.003µs	6.828µs	6.899µs	6.915µs	6.986µs	2.38%	2.653	7.806	0.39%	0.002µs	1	200
credit_card/is_card_number_no_luhn/x371413321323331	throughput	143141396.168op/s	146325651.675op/s ± 568445.720op/s	146551414.996op/s ± 64438.223op/s	146615209.512op/s	146639878.175op/s	146648571.834op/s	146659520.738op/s	0.07%	-2.621	7.539	0.39%	40195.182op/s	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
credit_card/is_card_number/	execution_time	[4.611µs; 4.614µs] or [-0.026%; +0.026%]	None	None	None
credit_card/is_card_number/	throughput	[216748916.170op/s; 216861408.033op/s] or [-0.026%; +0.026%]	None	None	None
credit_card/is_card_number/ 3782-8224-6310-005	execution_time	[93.451µs; 93.539µs] or [-0.047%; +0.047%]	None	None	None
credit_card/is_card_number/ 3782-8224-6310-005	throughput	[10690990.577op/s; 10700803.649op/s] or [-0.046%; +0.046%]	None	None	None
credit_card/is_card_number/ 378282246310005	execution_time	[85.359µs; 85.456µs] or [-0.057%; +0.057%]	None	None	None
credit_card/is_card_number/ 378282246310005	throughput	[11702320.387op/s; 11715174.263op/s] or [-0.055%; +0.055%]	None	None	None
credit_card/is_card_number/37828224631	execution_time	[4.610µs; 4.613µs] or [-0.026%; +0.026%]	None	None	None
credit_card/is_card_number/37828224631	throughput	[216799749.502op/s; 216912162.107op/s] or [-0.026%; +0.026%]	None	None	None
credit_card/is_card_number/378282246310005	execution_time	[82.028µs; 82.092µs] or [-0.039%; +0.039%]	None	None	None
credit_card/is_card_number/378282246310005	throughput	[12181616.643op/s; 12191067.673op/s] or [-0.039%; +0.039%]	None	None	None
credit_card/is_card_number/37828224631000521389798	execution_time	[58.893µs; 58.899µs] or [-0.005%; +0.005%]	None	None	None
credit_card/is_card_number/37828224631000521389798	throughput	[16978250.897op/s; 16980026.277op/s] or [-0.005%; +0.005%]	None	None	None
credit_card/is_card_number/x371413321323331	execution_time	[6.833µs; 6.843µs] or [-0.069%; +0.069%]	None	None	None
credit_card/is_card_number/x371413321323331	throughput	[146147524.241op/s; 146347007.746op/s] or [-0.068%; +0.068%]	None	None	None
credit_card/is_card_number_no_luhn/	execution_time	[4.611µs; 4.614µs] or [-0.025%; +0.025%]	None	None	None
credit_card/is_card_number_no_luhn/	throughput	[216744710.684op/s; 216853137.461op/s] or [-0.025%; +0.025%]	None	None	None
credit_card/is_card_number_no_luhn/ 3782-8224-6310-005	execution_time	[73.646µs; 73.698µs] or [-0.036%; +0.036%]	None	None	None
credit_card/is_card_number_no_luhn/ 3782-8224-6310-005	throughput	[13568945.193op/s; 13578527.768op/s] or [-0.035%; +0.035%]	None	None	None
credit_card/is_card_number_no_luhn/ 378282246310005	execution_time	[65.500µs; 65.538µs] or [-0.028%; +0.028%]	None	None	None
credit_card/is_card_number_no_luhn/ 378282246310005	throughput	[15258498.819op/s; 15267170.618op/s] or [-0.028%; +0.028%]	None	None	None
credit_card/is_card_number_no_luhn/37828224631	execution_time	[4.613µs; 4.615µs] or [-0.026%; +0.026%]	None	None	None
credit_card/is_card_number_no_luhn/37828224631	throughput	[216667245.823op/s; 216779467.184op/s] or [-0.026%; +0.026%]	None	None	None
credit_card/is_card_number_no_luhn/378282246310005	execution_time	[62.526µs; 62.563µs] or [-0.029%; +0.029%]	None	None	None
credit_card/is_card_number_no_luhn/378282246310005	throughput	[15983931.607op/s; 15993332.395op/s] or [-0.029%; +0.029%]	None	None	None
credit_card/is_card_number_no_luhn/37828224631000521389798	execution_time	[58.891µs; 58.897µs] or [-0.005%; +0.005%]	None	None	None
credit_card/is_card_number_no_luhn/37828224631000521389798	throughput	[16978833.049op/s; 16980524.450op/s] or [-0.005%; +0.005%]	None	None	None
credit_card/is_card_number_no_luhn/x371413321323331	execution_time	[6.830µs; 6.838µs] or [-0.054%; +0.054%]	None	None	None
credit_card/is_card_number_no_luhn/x371413321323331	throughput	[146246870.565op/s; 146404432.784op/s] or [-0.054%; +0.054%]	None	None	None

Group 6

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
normalization/normalize_name/normalize_name/Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Lo...	execution_time	271.455µs	272.960µs ± 0.641µs	272.826µs ± 0.376µs	273.312µs	274.061µs	274.856µs	275.321µs	0.91%	0.930	1.067	0.23%	0.045µs	1	200
normalization/normalize_name/normalize_name/Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Lo...	throughput	3632117.801op/s	3663562.533op/s ± 8587.026op/s	3665341.157op/s ± 5052.846op/s	3669565.756op/s	3674331.911op/s	3678824.644op/s	3683852.288op/s	0.51%	-0.914	1.028	0.23%	607.194op/s	1	200
normalization/normalize_name/normalize_name/bad-name	execution_time	25.797µs	25.908µs ± 0.067µs	25.892µs ± 0.040µs	25.946µs	26.032µs	26.096µs	26.111µs	0.85%	0.894	0.157	0.26%	0.005µs	1	200
normalization/normalize_name/normalize_name/bad-name	throughput	38298528.800op/s	38598516.434op/s ± 99306.643op/s	38622205.172op/s ± 59038.637op/s	38674435.531op/s	38713846.428op/s	38732732.889op/s	38764871.491op/s	0.37%	-0.884	0.132	0.26%	7022.040op/s	1	200
normalization/normalize_name/normalize_name/good	execution_time	15.447µs	15.496µs ± 0.044µs	15.478µs ± 0.018µs	15.516µs	15.589µs	15.621µs	15.674µs	1.26%	1.455	1.746	0.28%	0.003µs	1	200
normalization/normalize_name/normalize_name/good	throughput	63800737.537op/s	64532192.469op/s ± 182622.177op/s	64605934.759op/s ± 74852.086op/s	64666443.748op/s	64705170.756op/s	64719995.323op/s	64737908.577op/s	0.20%	-1.442	1.686	0.28%	12913.338op/s	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
normalization/normalize_name/normalize_name/Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Lo...	execution_time	[272.871µs; 273.049µs] or [-0.033%; +0.033%]	None	None	None
normalization/normalize_name/normalize_name/Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Lo...	throughput	[3662372.454op/s; 3664752.612op/s] or [-0.032%; +0.032%]	None	None	None
normalization/normalize_name/normalize_name/bad-name	execution_time	[25.899µs; 25.917µs] or [-0.036%; +0.036%]	None	None	None
normalization/normalize_name/normalize_name/bad-name	throughput	[38584753.489op/s; 38612279.380op/s] or [-0.036%; +0.036%]	None	None	None
normalization/normalize_name/normalize_name/good	execution_time	[15.490µs; 15.502µs] or [-0.039%; +0.039%]	None	None	None
normalization/normalize_name/normalize_name/good	throughput	[64506882.791op/s; 64557502.146op/s] or [-0.039%; +0.039%]	None	None	None

Group 7

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
redis/obfuscate_redis_string	execution_time	36.614µs	37.210µs ± 1.034µs	36.761µs ± 0.100µs	36.860µs	39.425µs	39.446µs	40.377µs	9.84%	1.703	1.001	2.77%	0.073µs	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
redis/obfuscate_redis_string	execution_time	[37.067µs; 37.354µs] or [-0.385%; +0.385%]	None	None	None

Group 8

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
benching string interning on wordpress profile	execution_time	141.294µs	142.042µs ± 0.381µs	142.001µs ± 0.174µs	142.180µs	142.480µs	143.147µs	145.024µs	2.13%	3.101	19.836	0.27%	0.027µs	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
benching string interning on wordpress profile	execution_time	[141.990µs; 142.095µs] or [-0.037%; +0.037%]	None	None	None

Group 9

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
sql/obfuscate_sql_string	execution_time	69.496µs	69.781µs ± 0.124µs	69.777µs ± 0.032µs	69.805µs	69.839µs	69.967µs	71.334µs	2.23%	9.987	123.667	0.18%	0.009µs	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
sql/obfuscate_sql_string	execution_time	[69.763µs; 69.798µs] or [-0.025%; +0.025%]	None	None	None

Group 10

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
normalization/normalize_service/normalize_service/A0000000000000000000000000000000000000000000000000...	execution_time	506.830µs	507.685µs ± 0.623µs	507.605µs ± 0.308µs	507.939µs	508.607µs	508.903µs	513.190µs	1.10%	3.672	28.767	0.12%	0.044µs	1	200
normalization/normalize_service/normalize_service/A0000000000000000000000000000000000000000000000000...	throughput	1948596.483op/s	1969728.648op/s ± 2406.781op/s	1970034.158op/s ± 1195.114op/s	1971145.732op/s	1972590.690op/s	1972906.285op/s	1973047.933op/s	0.15%	-3.609	28.028	0.12%	170.185op/s	1	200
normalization/normalize_service/normalize_service/Data🐨dog🐶 繋がっ⛰てて	execution_time	467.690µs	468.647µs ± 0.311µs	468.658µs ± 0.208µs	468.852µs	469.144µs	469.251µs	469.406µs	0.16%	-0.171	0.036	0.07%	0.022µs	1	200
normalization/normalize_service/normalize_service/Data🐨dog🐶 繋がっ⛰てて	throughput	2130352.216op/s	2133804.480op/s ± 1415.355op/s	2133750.081op/s ± 948.678op/s	2134765.199op/s	2136056.549op/s	2137168.143op/s	2138166.520op/s	0.21%	0.175	0.040	0.07%	100.081op/s	1	200
normalization/normalize_service/normalize_service/Test Conversion 0f Weird !@#$%^&**() Characters	execution_time	179.854µs	180.241µs ± 0.173µs	180.213µs ± 0.119µs	180.345µs	180.561µs	180.660µs	180.697µs	0.27%	0.385	-0.274	0.10%	0.012µs	1	200
normalization/normalize_service/normalize_service/Test Conversion 0f Weird !@#$%^&**() Characters	throughput	5534120.960op/s	5548136.100op/s ± 5311.040op/s	5548975.361op/s ± 3653.854op/s	5552125.163op/s	5555220.662op/s	5558123.655op/s	5560055.584op/s	0.20%	-0.381	-0.279	0.10%	375.547op/s	1	200
normalization/normalize_service/normalize_service/[empty string]	execution_time	44.687µs	45.081µs ± 0.124µs	45.099µs ± 0.069µs	45.165µs	45.228µs	45.326µs	45.336µs	0.53%	-0.919	1.049	0.27%	0.009µs	1	200
normalization/normalize_service/normalize_service/[empty string]	throughput	22057400.920op/s	22182678.253op/s ± 61057.581op/s	22173275.601op/s ± 34075.370op/s	22212780.071op/s	22312009.589op/s	22369816.470op/s	22377676.030op/s	0.92%	0.937	1.090	0.27%	4317.423op/s	1	200
normalization/normalize_service/normalize_service/test_ASCII	execution_time	49.042µs	49.165µs ± 0.096µs	49.153µs ± 0.019µs	49.180µs	49.227µs	49.270µs	50.399µs	2.53%	10.572	132.989	0.20%	0.007µs	1	200
normalization/normalize_service/normalize_service/test_ASCII	throughput	19841477.740op/s	20339808.893op/s ± 39078.006op/s	20344459.124op/s ± 7851.711op/s	20349922.637op/s	20369926.331op/s	20378983.571op/s	20390881.748op/s	0.23%	-10.436	130.672	0.19%	2763.232op/s	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
normalization/normalize_service/normalize_service/A0000000000000000000000000000000000000000000000000...	execution_time	[507.599µs; 507.771µs] or [-0.017%; +0.017%]	None	None	None
normalization/normalize_service/normalize_service/A0000000000000000000000000000000000000000000000000...	throughput	[1969395.091op/s; 1970062.204op/s] or [-0.017%; +0.017%]	None	None	None
normalization/normalize_service/normalize_service/Data🐨dog🐶 繋がっ⛰てて	execution_time	[468.604µs; 468.690µs] or [-0.009%; +0.009%]	None	None	None
normalization/normalize_service/normalize_service/Data🐨dog🐶 繋がっ⛰てて	throughput	[2133608.326op/s; 2134000.635op/s] or [-0.009%; +0.009%]	None	None	None
normalization/normalize_service/normalize_service/Test Conversion 0f Weird !@#$%^&**() Characters	execution_time	[180.217µs; 180.265µs] or [-0.013%; +0.013%]	None	None	None
normalization/normalize_service/normalize_service/Test Conversion 0f Weird !@#$%^&**() Characters	throughput	[5547400.041op/s; 5548872.159op/s] or [-0.013%; +0.013%]	None	None	None
normalization/normalize_service/normalize_service/[empty string]	execution_time	[45.063µs; 45.098µs] or [-0.038%; +0.038%]	None	None	None
normalization/normalize_service/normalize_service/[empty string]	throughput	[22174216.260op/s; 22191140.247op/s] or [-0.038%; +0.038%]	None	None	None
normalization/normalize_service/normalize_service/test_ASCII	execution_time	[49.151µs; 49.178µs] or [-0.027%; +0.027%]	None	None	None
normalization/normalize_service/normalize_service/test_ASCII	throughput	[20334393.057op/s; 20345224.728op/s] or [-0.027%; +0.027%]	None	None	None

Group 11

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
concentrator/add_spans_to_concentrator	execution_time	9.001ms	9.037ms ± 0.021ms	9.035ms ± 0.011ms	9.046ms	9.064ms	9.139ms	9.182ms	1.62%	2.914	15.350	0.24%	0.002ms	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
concentrator/add_spans_to_concentrator	execution_time	[9.034ms; 9.040ms] or [-0.033%; +0.033%]	None	None	None

Group 12

cpu_model	git_commit_sha	git_commit_date	git_branch
Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	88f6c10	1732008589	ganeshnj/feat/datapipeline-nuget

scenario	metric	min	mean ± sd	median ± mad	p75	p95	p99	max	peak_to_median_ratio	skewness	kurtosis	cv	sem	runs	sample_size
benching deserializing traces from msgpack to their internal representation	execution_time	58.724ms	58.947ms ± 0.235ms	58.892ms ± 0.062ms	58.979ms	59.257ms	59.775ms	61.213ms	3.94%	5.480	44.128	0.40%	0.017ms	1	200

scenario	metric	95% CI mean	Shapiro-Wilk pvalue	Ljung-Box pvalue (lag=1)	Dip test pvalue
benching deserializing traces from msgpack to their internal representation	execution_time	[58.914ms; 58.979ms] or [-0.055%; +0.055%]	None	None	None

Baseline

Omitted due to size.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.57%. Comparing base (d04fad9) to head (88f6c10).
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #697      +/-   ##
==========================================
- Coverage   70.58%   70.57%   -0.02%     
==========================================
  Files         295      296       +1     
  Lines       43096    43281     +185     
==========================================
+ Hits        30420    30544     +124     
- Misses      12676    12737      +61     

Components	Coverage Δ
crashtracker	37.14% <ø> (+0.03%)	⬆️
crashtracker-ffi	8.67% <ø> (ø)
datadog-alloc	98.73% <ø> (ø)
data-pipeline	91.95% <ø> (ø)
data-pipeline-ffi	0.00% <ø> (ø)
ddcommon	83.46% <ø> (ø)
ddcommon-ffi	69.12% <ø> (ø)
ddtelemetry	59.10% <ø> (ø)
ddtelemetry-ffi	22.13% <ø> (ø)
dogstatsd	89.45% <ø> (ø)
dogstatsd-client	79.77% <ø> (ø)
ipc	82.86% <ø> (+0.10%)	⬆️
profiling	84.30% <ø> (ø)
profiling-ffi	77.46% <ø> (ø)
serverless	0.00% <ø> (ø)
sidecar	38.00% <ø> (+0.64%)	⬆️
sidecar-ffi	0.00% <ø> (ø)
spawn-worker	50.36% <ø> (ø)
tinybytes	94.77% <ø> (ø)
trace-mini-agent	72.18% <ø> (ø)
trace-normalization	98.25% <ø> (ø)
trace-obfuscation	95.77% <ø> (ø)
trace-protobuf	77.67% <ø> (ø)
trace-utils	93.15% <ø> (+<0.01%)	⬆️

---- 🚨 Try these New Features:

• Flaky Tests Detection - Detect and resolve failed and flaky tests

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Possible script injection through user controlled input (...read more)

As detailed in Security hardening for GitHub Actions - GitHub Docs, it is possible for an attacker to inject scripts through PR, branch, commit names, and more.

Avoid using user input in your actions shell scripts, and if you must, consider storing them first in an environment variable to escape them properly.

Read Cycode Discovers a Supply Chain Vulnerability in Bazel - Cycode if you wanna see a concrete exploitation of such mechanism.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Possible script injection through user controlled input (...read more)

As detailed in Security hardening for GitHub Actions - GitHub Docs, it is possible for an attacker to inject scripts through PR, branch, commit names, and more.

Avoid using user input in your actions shell scripts, and if you must, consider storing them first in an environment variable to escape them properly.

Read Cycode Discovers a Supply Chain Vulnerability in Bazel - Cycode if you wanna see a concrete exploitation of such mechanism.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Possible script injection through user controlled input (...read more)

As detailed in Security hardening for GitHub Actions - GitHub Docs, it is possible for an attacker to inject scripts through PR, branch, commit names, and more.

Avoid using user input in your actions shell scripts, and if you must, consider storing them first in an environment variable to escape them properly.

Read Cycode Discovers a Supply Chain Vulnerability in Bazel - Cycode if you wanna see a concrete exploitation of such mechanism.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

    

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.