DataDog
diff --git a/‎.github/workflows/cache-cleanup.yml
Lines changed: 30 additions & 0 deletions b/‎.github/workflows/cache-cleanup.yml
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/check.yml
Lines changed: 99 additions & 11 deletions b/‎.github/workflows/check.yml
Lines changed: 99 additions & 11 deletions
diff --git a/‎.github/workflows/datadog-sca.yml
Lines changed: 0 additions & 25 deletions b/‎.github/workflows/datadog-sca.yml
Lines changed: 0 additions & 25 deletions
diff --git a/‎.github/workflows/datadog-static-analysis.yml
Lines changed: 0 additions & 21 deletions b/‎.github/workflows/datadog-static-analysis.yml
Lines changed: 0 additions & 21 deletions
diff --git a/‎.github/workflows/publish.yml
Lines changed: 141 additions & 0 deletions b/‎.github/workflows/publish.yml
Lines changed: 141 additions & 0 deletions
diff --git a/‎.github/workflows/semgrep.yml
Lines changed: 0 additions & 27 deletions b/‎.github/workflows/semgrep.yml
Lines changed: 0 additions & 27 deletions
diff --git a/‎.github/workflows/system-tests.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/system-tests.yml
Lines changed: 2 additions & 2 deletions
@@ -0,0 +1,30 @@
+# Reference:
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+
+name: Cleanup caches by a branch
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Cleanup
+        run: |
+          echo "Fetching list of cache key"
+          cacheKeysForPR=$(gh cache list --ref $BRANCH --limit 100 --json id --jq '.[].id')
+
+          ## Setting this to not fail the workflow while deleting cache keys.
+          set +e
+          echo "Deleting caches..."
+          for cacheKey in $cacheKeysForPR
+          do
+              gh cache delete $cacheKey
+          done
+          echo "Done"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
@@ -1,25 +1,57 @@
-name: Check
+name: Static Analysis
 on:
   push:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  lint:
-    runs-on: ubuntu-22.04
-    container:
-      image: ghcr.io/datadog/images-rb/engines/ruby:3.2
+  build:
+    name: build
+    runs-on: ubuntu-24.04
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
     steps:
       - uses: actions/checkout@v4
+      - run: bundle lock
+      - uses: actions/upload-artifact@v4
+        id: lockfile
+        with:
+          name: 'check-lockfile-${{ github.sha }}-${{ github.run_id }}'
+          path: '*.lock'
+          if-no-files-found: error
+
+  rubocop:
+    name: rubocop/lint
+    runs-on: ubuntu-24.04
+    needs: ['build']
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+      - run: bundle install
+      - run: bundle exec rake rubocop
+
+  standard:
+    name: standard/lint
+    runs-on: ubuntu-24.04
+    needs: ['build']
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
       - name: Install dependencies
         run: bundle install
-      - run: bundle exec rake rubocop standard
+      - run: bundle exec rake standard
 
-  check:
-    name: Check types
-    runs-on: ubuntu-22.04
-    container:
-      image: ghcr.io/datadog/images-rb/engines/ruby:3.2
+  steep:
+    name: steep/typecheck
+    runs-on: ubuntu-24.04
+    needs: ['build']
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
       - name: Install dependencies
         run: bundle install
       - name: Check for stale signature files
@@ -30,3 +62,59 @@ jobs:
         run: bundle exec rake steep:check
       - name: Record stats
         run: bundle exec rake steep:stats[md] >> $GITHUB_STEP_SUMMARY
+
+  # Dogfooding Datadog SBOM Analysis
+  dd-software-composition-analysis:
+    name: dd/sca
+    runs-on: ubuntu-24.04
+    needs: ['build']
+    container: ghcr.io/datadog/images-rb/engines/ruby:3.3
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4 # requires the lockfile
+      - uses: DataDog/datadog-sca-github-action@main
+        with:
+          dd_api_key: ${{ secrets.DD_API_KEY }}
+          dd_app_key: ${{ secrets.DD_APP_KEY }}
+          dd_site: datadoghq.com
+
+  # Dogfooding Datadog Static Analysis
+  dd-static-analysis:
+    name: dd/static-analysis
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DataDog/datadog-static-analyzer-github-action@v1
+        with:
+          dd_api_key: ${{ secrets.DD_API_KEY }}
+          dd_app_key: ${{ secrets.DD_APP_KEY }}
+          dd_site: datadoghq.com
+          cpu_count: 2
+
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-24.04
+    container: semgrep/semgrep # PENDING: Possible to be rate limited.
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          semgrep ci \
+          --include=bin/* \
+          --include=ext/* \
+          --include=lib/* \
+          --exclude-rule=ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible
+        env:
+          SEMGREP_RULES: p/default
+
+  static-analysis:
+    needs:
+      - 'steep'
+      - 'rubocop'
+      - 'standard'
+      - 'semgrep'
+      - 'dd-software-composition-analysis'
+      - 'dd-static-analysis'
+    runs-on: ubuntu-24.04
+    steps:
+      - run: echo "Done"
@@ -0,0 +1,141 @@
+name: Publish gem
+
+# TODO: Implement a dry-run mode to verify the checks without publishing
+on: workflow_dispatch
+
+concurrency: "rubygems" # Only one publish job at a time
+
+jobs:
+  verify-checks:
+    name: Verify commit status checks
+    runs-on: ubuntu-24.04
+    permissions:
+      checks: read
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3.7'
+
+      - id: version
+        run: echo "version=$(ruby -e 'puts Gem::Specification::load(Dir.glob("*.gemspec").first).version')" >> $GITHUB_OUTPUT
+
+      # Check if the gem version is already published
+      - name: Verify gem version
+        env:
+          GEM_VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          if gem search datadog --exact --remote --version "$GEM_VERSION" | grep -q "($GEM_VERSION)"; then
+            echo "::error::Version $GEM_VERSION is already published"
+            exit 1
+          else
+            echo "Version $GEM_VERSION is not published yet"
+          fi
+
+      # TODO: Verify draft release
+      # TODO: Verify milestone
+
+      # Check if the commit has passed all Github checks
+      # API: https://docs.github.com/en/rest/checks/runs?apiVersion=2022-11-28#list-check-runs-for-a-git-reference
+      - name: Verify check runs
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const checkRuns = await github.paginate(github.rest.checks.listForRef, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: context.sha,
+              per_page: 100
+            });
+
+            const failedChecks = checkRuns.filter(check =>
+              check.status === 'completed' &&
+              check.conclusion !== 'success' &&
+              check.conclusion !== 'skipped'
+            );
+
+            if (failedChecks.length > 0) {
+              const failedNames = failedChecks.map(c => c.name).join(', ');
+              core.setFailed(`Check runs failed: ${failedNames}`);
+            }
+
+      # Check if the commit has passed external CI checks
+      # API: https://docs.github.com/en/rest/commits/statuses?apiVersion=2022-11-28#get-the-combined-status-for-a-specific-reference
+      - name: Verify commit status
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data: status } = await github.rest.repos.getCombinedStatusForRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: context.sha
+            });
+
+            if (status.state !== 'success') {
+              core.setFailed(`Commit status is ${status.state}`);
+            }
+
+      # Check if the commit has all the checks passed
+      - name: Verify deferred commit data
+        # NOTE:
+        #
+        # This step uses Github's internal API (for rendering the status of the checks in UI),
+        # which includes Github check runs and external CI statuses and possibly more.
+        #
+        # Although Github check runs and external CI statuses are already covered by the previous steps,
+        # it is still useful to have a double-check and also possibly unearth missing validations.
+        #
+        # However, not depending on Github's public API (REST/GraphQL) suggested that this might change in the future.
+        run: |
+          COMMIT_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/commit/$GITHUB_SHA"
+          STATUS=$(curl -sS --fail --retry 3 --retry-delay 5 "$COMMIT_URL/deferred_commit_data" | jq -r ".data.statusCheckStatus.state")
+          if [ "$STATUS" != "success" ]; then
+            echo "::error::Status check state is '$STATUS'. See: $COMMIT_URL"
+            exit 1
+          fi
+
+
+  rubygems-release:
+    name: Build and push gem to RubyGems.org
+    runs-on: ubuntu-24.04
+    environment: "rubygems.org" # see: https://github.com/DataDog/dd-trace-rb/settings/environments
+    needs: verify-checks # Make sure to release from a healthy commit
+    permissions:
+      id-token: write
+      contents: write
+    env:
+      SKIP_SIMPLECOV: 1
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3.7'
+      - uses: rubygems/release-gem@v1
+        with:
+          attestations: false # PENDING decision for attestations
+
+  github-release:
+    name: Attach gem to GitHub release and publish
+    runs-on: ubuntu-24.04
+    needs:
+      - verify-checks
+      - rubygems-release
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GH_REPO: ${{ github.repository }}
+      GEM_VERSION: ${{ needs.verify-checks.outputs.version }}
+    permissions:
+      contents: write
+    steps:
+      - name: Download from RubyGems
+        run: |
+          gem fetch datadog --version ${GEM_VERSION} --verbose
+      - name: Attach to existing release draft
+        run: |
+          gh release upload "v${GEM_VERSION}" *.gem --clobber
+          gh release edit "v${GEM_VERSION}" --draft=false
+
+  # TODO: Close existing milestone and create next milestone
@@ -481,5 +481,5 @@ jobs:
     with:
       library: ruby
       binaries_artifact: system_tests_binaries
-      _experimental_job_count: 8
-      _experimental_job_matrix: "[1,2,3,4,5,6,7,8]"
+      job_count: 8
+      job_matrix: "[1,2,3,4,5,6,7,8]"