Run tests on a schedule and integrate with Datadog's test optimization product #342
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| name: Datadog Test Optimization | ||
|
|
||
| permissions: | ||
| checks: write | ||
| contents: read | ||
|
|
||
| on: | ||
| schedule: | ||
| # every hour, 9-5 eastern, M-F | ||
| - cron: '15 12-21 * * 1-5' | ||
|
|
||
| push: | ||
| branches: | ||
| - 'main' | ||
| - 'michael.richey/dd-test-opt' | ||
|
|
||
| env: | ||
| DD_API_KEY: ${{ secrets.DD_API_KEY }} | ||
| DD_DESTINATION_API_KEY: ${{ secrets.DD_DESTINATION_API_KEY }} | ||
| DD_DESTINATION_APP_KEY: ${{ secrets.DD_DESTINATION_APP_KEY }} | ||
| DD_DESTINATION_API_URL: ${{ secrets.DD_DESTINATION_API_URL }} | ||
| DD_SOURCE_API_KEY: ${{ secrets.DD_SOURCE_API_KEY }} | ||
| DD_SOURCE_APP_KEY: ${{ secrets.DD_SOURCE_APP_KEY }} | ||
| DD_SOURCE_API_URL: ${{ secrets.DD_SOURCE_API_URL }} | ||
| RECORD: false | ||
| DD_ENV: ci | ||
| DD_SERVICE: datadog-sync-cli | ||
| DD_TAGS: "team:hamr" | ||
| DD_TRACE_ANALYTICS_ENABLED: "true" | ||
|
|
||
| jobs: | ||
| test-optimization: | ||
| strategy: | ||
| matrix: | ||
| os: [ubuntu-latest, windows-latest, macos-latest] | ||
| runs-on: ${{ matrix.os }} | ||
| steps: | ||
| - name: Install Python | ||
| uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c | ||
| with: | ||
| python-version: 3.12 | ||
| - name: Checkout code | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| - name: Configure Datadog Test Optimization | ||
| uses: datadog/test-visibility-github-action@v2 | ||
|
There was a problem hiding this comment. 🔴 High: Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||
| with: | ||
| languages: python | ||
| api_key: ${{ secrets.DD_API_KEY }} | ||
| site: datadoghq.com | ||
| - name: Install requirements | ||
| run: | | ||
| python -m pip install . | ||
| python -m pip install tox | ||
| - name: Run unit tests | ||
| run: tox -e py312 -- --ddtrace | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| boto3==1.35.91 | ||
| click==8.1.7 | ||
| configobj==5.0.8 | ||
|
There was a problem hiding this comment. 🟡 Low: Library Vulnerabilityconfigobj → 5.0.8 configobj ReDoS exploitable by developer using values in a server-side configuration file
|
||
| deepdiff==6.7.1 | ||
| aiohttp==3.9.5 | ||
|
There was a problem hiding this comment. 🟠 Medium: Library Vulnerabilityaiohttp → 3.9.5 In aiohttp, compressed files as symlinks are not protected from path traversal
|
||
| tqdm==4.66.2 | ||
|
There was a problem hiding this comment. 🟡 Low: Library Vulnerabilitytqdm → 4.66.2 tqdm CLI arguments injection attack
|
||
| certifi>=2022.12.7 | ||
|
There was a problem hiding this comment. 🔴 High: Library Vulnerabilitycertifi → 2022.12.7 Removal of e-Tugra root certificate
|
||
| python-dateutil | ||
| setuptools>=67.6.0 | ||
|
There was a problem hiding this comment. 🔴 High: Library Vulnerabilitysetuptools → 67.6.0 setuptools vulnerable to Command Injection via package URL
|
||
| setuptools_scm | ||
| ddtrace==2.21.1 | ||
| black==24.3.0 | ||
| pytest==8.1.1 | ||
| pytest-black | ||
| pytest-console-scripts | ||
| pytest-recording | ||
| vcrpy@git+https://github.com/skarimo/vcrpy.git | ||
| freezegun==1.5.0 | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (
@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity: