Merge branch 'main' into hongshi/mac_sw_inventory

Author: guohdd

.custom-gcl.yml

@@ -19,7 +19,6 @@
 /.go-version                            @DataDog/agent-runtimes @DataDog/agent-build
 # Go linters and pre-commit config
 /.golangci.yml                          @DataDog/agent-devx
-/.custom-gcl.yml                        @DataDog/agent-devx
 /.pre-commit-config.yaml                @DataDog/agent-devx
 /.vscode/                               @DataDog/agent-devx
 
@@ -143,7 +142,7 @@
 /.gitlab/deploy/deploy_packages/windows.yml                    @DataDog/agent-delivery @DataDog/windows-products
 /.gitlab/distribute/winget.yml                     @DataDog/agent-delivery @DataDog/windows-products
 /.gitlab/deploy/deploy_packages/cluster_agent_cloudfoundry.yml @DataDog/agent-integrations @DataDog/agent-devx
-/.gitlab/deploy/deploy_packages/e2e.yml                        @DataDog/agent-devx @DataDog/agent-e2e-testing @DataDog/fleet
+/.gitlab/deploy/deploy_packages/e2e.yml                        @DataDog/agent-devx  @DataDog/fleet
 
 /.gitlab/.pre/deps_build/                                 @DataDog/ebpf-platform @DataDog/agent-build @DataDog/windows-products
 
@@ -152,8 +151,8 @@
 /.gitlab/.pre/common/                                     @DataDog/agent-devx
 
 /.gitlab/test/e2e/e2e.yml                                 @DataDog/container-integrations @DataDog/agent-devx @DataDog/fleet
-/.gitlab/deploy/container_build/fakeintake.yml              @DataDog/agent-e2e-testing @DataDog/agent-devx
-/.gitlab/build/binary_build/fakeintake.yml                 @DataDog/agent-e2e-testing @DataDog/agent-devx
+/.gitlab/deploy/container_build/fakeintake.yml               @DataDog/agent-devx
+/.gitlab/build/binary_build/fakeintake.yml                  @DataDog/agent-devx
 
 /.gitlab/test/functional_test/oracle.yml                  @DataDog/agent-devx @DataDog/database-monitoring
 
@@ -170,7 +169,7 @@
 
 /.gitlab/deploy/dev_container_deploy/                       @DataDog/container-integrations @DataDog/agent-delivery
 /.gitlab/deploy/dev_container_deploy/fakeintake.yml         @DataDog/agent-devx
-/.gitlab/deploy/dev_container_deploy/e2e.yml                @DataDog/agent-devx @DataDog/agent-e2e-testing
+/.gitlab/deploy/dev_container_deploy/e2e.yml                @DataDog/agent-devx 
 /.gitlab/deploy/dev_container_deploy/docker_windows.yml     @DataDog/agent-delivery @DataDog/windows-products
 
 /.gitlab/deploy/container_scan/container_scan.yml           @DataDog/container-integrations @DataDog/agent-delivery
@@ -264,7 +263,7 @@
 /cmd/system-probe/subcommands/ebpf/     @DataDog/ebpf-platform @DataDog/universal-service-monitoring
 /cmd/system-probe/subcommands/compliance/     @DataDog/agent-cspm
 /cmd/systray/                           @DataDog/windows-products
-/cmd/secret-backend/                    @DataDog/agent-configuration
+/cmd/secret-generic-connector/          @DataDog/agent-configuration
 /cmd/security-agent/                    @DataDog/agent-security
 /cmd/security-agent/subcommands/compliance/ @DataDog/agent-cspm
 /cmd/installer/                         @DataDog/fleet @DataDog/windows-products
@@ -506,6 +505,7 @@
 /pkg/config/autodiscovery/              @DataDog/container-integrations @DataDog/container-platform @DataDog/agent-configuration
 /pkg/config/env                         @DataDog/container-integrations @DataDog/container-platform @DataDog/agent-configuration
 /pkg/config/setup                            @DataDog/agent-configuration
+/pkg/config/setup/privateactionrunner.go      @DataDog/action-platform
 /pkg/config/setup/process*.go                 @DataDog/container-experiences @DataDog/agent-configuration
 /pkg/config/setup/system_probe.go               @DataDog/ebpf-platform @DataDog/agent-configuration
 /pkg/config/setup/system_probe_cws.go           @DataDog/agent-security @DataDog/agent-configuration
@@ -589,9 +589,6 @@
 /pkg/util/testutil/docker               @DataDog/universal-service-monitoring @DataDog/ebpf-platform
 /pkg/util/trie                          @DataDog/container-integrations
 /pkg/languagedetection                  @DataDog/container-experiences @DataDog/agent-discovery
-/pkg/linters/                           @DataDog/agent-devx
-/pkg/linters/components/                @DataDog/agent-runtimes
-/pkg/linters/components/pkgconfigusage  @DataDog/agent-configuration
 /pkg/logs/                              @DataDog/agent-log-pipelines
 /pkg/logs/launchers/container           @DataDog/agent-log-pipelines @DataDog/container-integrations
 /pkg/logs/tailers/container             @DataDog/agent-log-pipelines @DataDog/container-integrations
@@ -700,7 +697,7 @@
 /tasks/cluster_agent_cloudfoundry.py    @DataDog/agent-integrations
 /tasks/devcontainer.py                  @DataDog/agent-devx @DataDog/container-platform
 /tasks/skaffold.py                      @DataDog/agent-devx @DataDog/container-platform
-/tasks/new_e2e_tests.py                 @DataDog/agent-e2e-testing @DataDog/agent-devx
+/tasks/new_e2e_tests.py                  @DataDog/agent-devx
 /tasks/process_agent.py                 @DataDog/container-experiences
 /tasks/privateactionrunner.py           @DataDog/action-platform
 /tasks/system_probe.py                  @DataDog/ebpf-platform
@@ -743,12 +740,12 @@
 /test/integration/                      @DataDog/serverless-azure-gcp
 /test/integration/docker/               @DataDog/opentelemetry-agent
 /test/e2e-framework/testing/testcommon/check            @DataDog/agent-runtimes
-/test/fakeintake/                             @DataDog/agent-e2e-testing @DataDog/agent-devx
+/test/fakeintake/                              @DataDog/agent-devx
 /test/fakeintake/aggregator/ndmAggregator.go @DataDog/ndm-core
 /test/fakeintake/aggregator/ndmAggregator_test.go @DataDog/ndm-core
 /test/fakeintake/aggregator/ndmflowAggregator.go @DataDog/ndm-integrations
 /test/fakeintake/aggregator/ndmflowAggregator_test.go @DataDog/ndm-integrations
-/test/new-e2e/                                @DataDog/agent-e2e-testing @DataDog/agent-devx
+/test/new-e2e/                                 @DataDog/agent-devx
 /test/new-e2e/test-infra-definition           @DataDog/agent-devx
 /test/new-e2e/system-probe                    @DataDog/ebpf-platform
 /test/new-e2e/system-probe/config/vmconfig-security-agent.json @DataDog/ebpf-platform @DataDog/agent-security
@@ -807,6 +804,7 @@
 /test/regression/cases/docker_containers*     @DataDog/single-machine-performance @DataDog/container-integrations
 
 /tools/                                 @DataDog/agent-devx
+/tools/host-profiler/                   @DataDog/profiling-full-host
 /tools/bazel*                           @DataDog/agent-build
 /tools/ci/*bazel*                       @DataDog/agent-build
 /tools/ci                               @DataDog/agent-devx

.github/CODEOWNERS

@@ -0,0 +1,10 @@
+issuer: https://gitlab.ddbuild.io
+subject_pattern: "project_path:DataDog/datadog-agent:ref_type:branch:ref:.*"
+claim_pattern:
+  project_path: "DataDog/datadog-agent"
+  ref_type: "branch"
+  ref: ".+"
+  ref_path: "refs/heads/.+"
+  ref_protected: "true"
+permissions:
+  security_events: write

.github/chainguard/codeql.sts.yaml

@@ -54,10 +54,6 @@ go_deps:
       - $CI_PROJECT_DIR/modcache.tar.xz
   cache:
     # The `cache:key:files` only accepts up to two paths ([docs](https://docs.gitlab.com/ee/ci/yaml/#cachekeyfiles)).
-    # Ideally, we should also include the https://github.com/DataDog/datadog-agent/blob/main/.custom-gcl.yml file to
-    # avoid issues if a plugin is added in one PR and enabled in another. However, we decided to accept this limitation
-    # because the probability for this to happen is very low and go mod files are modified frequently so the risk of
-    # failing a job because of a network issue when building the custom binary is very low, but still exists.
     # We should also include the file this job is defined in to invalicate the cache when this job is modified.
     - key:
         files:

.gitlab/.pre/deps_fetch/deps_fetch.yml

@@ -2,7 +2,7 @@
 
 set -eo pipefail
 
-if [ "$SIGN" = true ]; then
+if [ "${SIGN:-false}" = true ]; then
     echo "Signing enabled"
 else
     echo "Signing disabled"
@@ -24,7 +24,7 @@ if [ -n "$INTEGRATIONS_CORE_REF" ]; then
 fi
 
 # --- Setup signing ---
-if [ "$SIGN" = true ]; then
+if [ "${SIGN:-false}" = true ]; then
     # Add certificates to temporary keychain
     echo "Setting up signing secrets"
 
@@ -84,7 +84,7 @@ echo Launching omnibus build
 rm -rf "$INSTALL_DIR" "$CONFIG_DIR"
 mkdir -p "$INSTALL_DIR" "$CONFIG_DIR"
 rm -rf "$OMNIBUS_DIR" && mkdir -p "$OMNIBUS_DIR"
-if [ "$SIGN" = "true" ]; then
+if [ "${SIGN:-false}" = true ]; then
     # Unlock the keychain to get access to the signing certificates
     security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_NAME"
     dda inv -- -e omnibus.build --hardened-runtime --config-directory "$CONFIG_DIR" --install-directory "$INSTALL_DIR" --base-dir "$OMNIBUS_DIR" || exit 1
@@ -123,7 +123,7 @@ fi
 echo Built packages using omnibus
 
 # --- Notarization ---
-if [ "$SIGN" = true ]; then
+if [ "${SIGN:-false}" = true ]; then
     printf "\033[0Ksection_start:%s:notarization\r\033[0KDoing notarization\n" "$(date +%s)"
     unset LATEST_DMG
 
@@ -176,7 +176,7 @@ if [ "$SIGN" = true ]; then
     printf "\033[0Ksection_end:%s:notarization\r\033[0K\n" "$(date +%s)"
 fi
 
-if [ "$SIGN" = true ]; then
+if [ "${SIGN:-false}" = true ]; then
     echo Built signed package
 else
     echo Built unsigned package

.gitlab/build/package_build/build_agent_dmg.sh

@@ -26,9 +26,14 @@
   stage: package_build
   needs: ["go_mod_tidy_check"]
   rules:
+     - if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH =~ /^[0-9]+\.[0-9]+\.x$/
+       variables:
+         SIGN: true  # for `main` and release branches
+     - if: $CI_COMMIT_BRANCH =~ /notarization/
+       variables:
+         SIGN: true  # for branches with "notarization" in their name - should we need to tune it
      - !reference [.on_macos_files_change]
      - !reference [.on_packaging_change]
-     - !reference [.on_main_or_release_branch]
      - !reference [.on_all_builds]
      - !reference [.manual]
   artifacts:
@@ -40,7 +45,6 @@
     CI_IDENTITIES_GITLAB_ID_TOKEN:
       aud: ci-identities
   variables:
-    SIGN: true
     KEYCHAIN_NAME: "build.keychain"
     INTEGRATION_WHEELS_CACHE_BUCKET: dd-agent-omnibus
     INTEGRATION_WHEELS_SKIP_CACHE_UPLOAD: true
@@ -59,7 +63,7 @@
   after_script:
     # Destroy the keychain used to sign packages
     - |
-      if [ "$SIGN" = true ]; then
+      if [ "${SIGN:-false}" = true ]; then
         security delete-keychain "build.keychain" || true
       fi
     - sudo umount /Volumes/Agent || true

.gitlab/build/package_build/dmg.yml

@@ -8,6 +8,7 @@
   rules: !reference [.on_deploy_internal_or_internal_image_change_or_manual]
   image: registry.ddbuild.io/ci/datadog-agent-buildimages/linux$CI_IMAGE_LINUX_SUFFIX:$CI_IMAGE_LINUX
   tags: ["arch:amd64", "specific:true"]
+  timeout: 1h 30m
   script:
     # Constant variables
     - export RELEASE_STAGING="true"
@@ -36,18 +37,18 @@
 
 # -- binary specific variables --
 .agent_variables: &agent_variables
-  IMAGE_VERSION: tmpl-v20
+  IMAGE_VERSION: tmpl-v21
   IMAGE_NAME: datadog-agent
   TMPL_SRC_REPO: ci/datadog-agent/agent
 
 .cluster_agent_variables: &cluster_agent_variables
-  IMAGE_VERSION: tmpl-v10
+  IMAGE_VERSION: tmpl-v11
   IMAGE_NAME: datadog-cluster-agent
   TMPL_SRC_REPO: ci/datadog-agent/cluster-agent
   RELEASE_PROD: "true"
 
 .ot_standalone_variables: &ot_standalone_variables
-  IMAGE_VERSION: tmpl-v5
+  IMAGE_VERSION: tmpl-v6
   IMAGE_NAME: otel-agent
   TMPL_SRC_REPO: ci/datadog-agent/otel-agent