chore: Add linters/formatters for GH actions (#726)

- **chore(Makefile): Add/Configure yaml and action linters/formatters**
- **chore(*.yml): Format yaml files**
- **chore(.github/workflows): Add Ratchet to make sure everything is
pinned**
- **chore(.github/workflows): Add actionlint and fix the discovered
issues** `(AI Assisted)`

**Tools that are used:**
https://github.com/sethvargo/ratchet
https://github.com/rhysd/actionlint
https://github.com/google/yamlfmt

---------

Signed-off-by: Kemal Akkoyun <kemal.akkoyun@datadoghq.com>

Author: kakkoyun

.github/actionlint.yaml

@@ -0,0 +1,7 @@
+# actionlint configuration
+# https://github.com/rhysd/actionlint/blob/main/docs/config.md
+
+# Custom self-hosted runner labels
+self-hosted-runner:
+  labels:
+    - arm-8core-linux

.github/actions/codecov-cli/action.yml

@@ -4,7 +4,6 @@ outputs:
   codecov:
     description: Path to the codecov CLI
     value: ${{ steps.install.outputs.codecov }}
-
 runs:
   using: composite
   steps:
@@ -13,10 +12,8 @@ runs:
       with:
         python-version: '3.12'
         cache-dependency-path: ${{ github.action_path }}/requirements-dev.txt
-
     - name: Setup Rust
-      uses: actions-rust-lang/setup-rust-toolchain@v1
-
+      uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # ratchet:actions-rust-lang/setup-rust-toolchain@v1
     - name: Install codecov-cli
       id: install
       shell: bash

.github/actions/codecov-upload/action.yml

@@ -13,7 +13,6 @@ inputs:
   token:
     description: CodeCov token to use
     required: true
-
 runs:
   using: composite
   steps:

.github/dependabot.yml

@@ -1,5 +1,4 @@
 version: 2
-
 updates:
   - package-ecosystem: github-actions
     directory: /
@@ -12,7 +11,6 @@ updates:
         dependency-type: production
     labels:
       - dependencies
-
   - package-ecosystem: pip
     directory: /.github/actions/codecov-cli
     schedule:

.github/workflows/deps-update.yml

@@ -1,12 +1,9 @@
 name: Dependency Updates
-
 on:
   schedule:
     - cron: '42 5 * * 1' # Mondays at 5:42 AM
   workflow_dispatch: {} # Manual runs
-
 permissions: read-all
-
 jobs:
   update-go:
     name: Update Go Dependencies
@@ -16,7 +13,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
-
       - name: Set up Go
         id: setup-go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
@@ -25,58 +21,51 @@ jobs:
           # will bail out if it encounters a "candidate" that requires a newer release.
           go-version: stable
           cache-dependency-path: '**/go.mod'
-
       - name: Determine latest github.com/DataDog/dd-trace-go/v2 version
         id: dd-trace-go
         run: |-
           set -euo pipefail
           version=$(go list -f '{{range .Versions}}{{.}}{{"\n"}}{{end}}' -m -versions github.com/DataDog/dd-trace-go/v2 | grep -v '-' | tail -n 1)
           echo "version=${version}" >> "${GITHUB_OUTPUT}"
-
       # Passing "go@<version>" to "go get -u" ensures no dependencies get upgraded to a release that
       # does not support that specific go release. We do `go get -u` everywhere first, and then
       # `go mod tidy`, so that the later accounts for the complete updated module graph (otherwise
       # we'd need to run these in dependency order to ensure stable output).
       - name: Update dependencies
         run: |-
-          for gomod in $(find . -iname go.mod -not -path './_docs/themes/**'); do
+          find . -iname go.mod -not -path './_docs/themes/**' -print0 | while IFS= read -r -d '' gomod; do
             dir="$(dirname "${gomod}")"
             go -C="${dir}" get -t -u "go@$(go -C="${dir}" mod edit -json | jq -r .Go)" "github.com/DataDog/dd-trace-go/v2@${{ steps.dd-trace-go.outputs.version }}" ./...
           done
       - name: Run go mod tidy
         run: |-
-          for gomod in $(find . -iname go.mod -not -path './_docs/themes/**'); do
+          find . -iname go.mod -not -path './_docs/themes/**' -print0 | while IFS= read -r -d '' gomod; do
             dir="$(dirname "${gomod}")"
             go -C="${dir}" mod tidy -go="$(go -C="${dir}" mod edit -json | jq -r .Go)"
             go -C="${dir}" mod edit -toolchain=none
           done
-
       - id: is-tree-dirty
         name: Check for updates
         run: |-
           git add .
           git diff --staged --patch --exit-code || echo "result=true" >> "${GITHUB_OUTPUT}"
-
       - name: Update LICENSE-3rdparty.csv
         if: steps.is-tree-dirty.outputs.result == 'true'
         run: ./_tools/make-licenses.sh
         env:
           TMPDIR: ${{ runner.temp }}
-
       - name: Build diff
         if: steps.is-tree-dirty.outputs.result == 'true'
         run: |-
           git add .
           git diff --staged --patch > "${{ runner.temp }}/go.diff.patch"
-
       - name: Upload Artifact
         if: steps.is-tree-dirty.outputs.result == 'true'
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: Patches
           path: ${{ runner.temp }}/go.diff.patch
           if-no-files-found: error
-
   create-pr:
     name: Create Pull Request
     runs-on: ubuntu-latest
@@ -88,16 +77,13 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
-
       - name: Download patches
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v4
         with:
           name: Patches
           path: ${{ runner.temp }}/patches
-
       - name: Apply patches
         run: find "${{ runner.temp }}/patches" -type f -name '*.patch' -exec git apply {} \;
-
       # We use ghcommit to create signed commits directly using the GitHub API
       - name: Create branch # The branch needs to exist before we can add commits to it
         id: create-branch
@@ -106,14 +92,12 @@ jobs:
           git push origin "${{ github.sha }}":"refs/heads/${branch}"
           echo "branch=${branch}" >> "${GITHUB_OUTPUT}"
           git fetch origin "${branch}"
-
       - name: Generate a GitHub token
         id: generate-token
         uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ vars.DD_K9_LIBRARY_GO_APP_ID }}
           private-key: ${{ secrets.DD_K9_LIBRARY_GO_APP_PRIVATE_KEY }}
-
       - name: Create Commit # Adds a commit to the branch we created above
         uses: planetscale/ghcommit-action@322be9669498a4be9ce66efc1169f8f43f6bd883 # v0.2.17
         with:
@@ -122,7 +106,6 @@ jobs:
           branch: ${{ steps.create-branch.outputs.branch }}
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-
       - name: Create PR
         run: |-
           git fetch origin "${{ steps.create-branch.outputs.branch }}"

.github/workflows/docsite.yml

@@ -7,13 +7,10 @@ on:
     branches: [main]
   push:
     branches: [main]
-
 permissions: read-all
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
-
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -40,7 +37,6 @@ jobs:
           name: site
           path: _docs/public/
           if-no-files-found: error
-
   publish:
     runs-on: ubuntu-latest
     needs: [build]

.github/workflows/ossf-scorecard.yml

@@ -6,10 +6,8 @@ on:
   schedule:
     - cron: '27 23 * * 2'
   push:
-    branches: [ "main" ]
-
+    branches: ["main"]
 permissions: read-all
-
 jobs:
   analysis:
     name: Scorecard analysis
@@ -19,28 +17,24 @@ jobs:
       security-events: write
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
-
     steps:
       - name: "Checkout code"
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
         with:
           persist-credentials: false
-
       - name: "Run analysis"
         uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
-
       # Upload the results as artifacts.
       - name: "Upload artifact"
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
-
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
         uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3

.github/workflows/pr-labeler.yml

@@ -2,9 +2,7 @@ name: PR Labeler
 on:
   pull_request:
     types: [opened, edited, reopened]
-
 permissions: read-all
-
 jobs:
   update-labels:
     name: Update PR labels
@@ -19,9 +17,7 @@ jobs:
         with:
           go-version: oldstable
           cache-dependency-path: '**/go.mod'
-
       - name: Assign Labels
         run: go -C _tools run ./conventionalcommit
         env:
           GITHUB_TOKEN: ${{ github.token }}
-

.github/workflows/release.yml

@@ -7,9 +7,7 @@ on:
     paths: [internal/version/version.go]
   release:
     types: [published]
-
 permissions: read-all
-
 jobs:
   validate:
     if: github.event_name != 'release'
@@ -25,7 +23,6 @@ jobs:
         with:
           go-version: stable
           cache-dependency-path: '**/go.mod'
-
       # Obtains the current configured version tag from source, and verifies it is a valid tag name.
       # Also checks whether the tag already exists.
       - name: Determine version
@@ -43,7 +40,6 @@ jobs:
           fi
         env:
           GH_TOKEN: ${{ github.token }}
-
       # If this is a pull request, and the release does not yet exist, the PR title must be "release: <tag>"
       - name: 'Pull Request title must be "release: ${{ steps.version.outputs.tag }}"'
         if: "github.event_name == 'pull_request' && !fromJSON(steps.version.outputs.exists) && format('release: {0}', steps.version.outputs.tag) != github.event.pull_request.title"
@@ -52,14 +48,12 @@ jobs:
           exit 1
         env:
           EVENT_PR_TITLE: ${{ toJSON(github.event.pull_request.title) }}
-
       # Release must not already exist (if the PR title suggests this is intended to be a release)
       - name: Release ${{ steps.version.outputs.tag }} already exists
         if: github.event_name == 'pull_request' && fromJSON(steps.version.outputs.exists) && startsWith(github.event.pull_request.title, 'release:')
         run: |-
           echo 'A release already exists for tag ${{ steps.version.outputs.tag }}. Please update to another version.'
           exit 1
-
       # If the release does not yet exist, create a draft release targeting this commit.
       - name: Create draft release
         if: github.event_name == 'push' && steps.version.outputs.exists == 'false'
@@ -84,7 +78,6 @@ jobs:
             ${{ contains(steps.version.outputs.tag, '-') && '--prerelease' || '' }}
         env:
           GH_TOKEN: ${{ github.token }}
-
   release:
     if: github.event_name == 'release'
     name: Tag Release
@@ -112,7 +105,7 @@ jobs:
         env:
           EVENT_TAG: ${{ github.event.release.tag_name }}
         run: |-
-          for gomod in $(find . -iname go.mod -not -path '*/_*'); do
+          find . -iname go.mod -not -path '*/_*' -print0 | while IFS= read -r -d '' gomod; do
             dir=$(dirname "${gomod}")
             mod=$(go -C "${dir}" list -m)
             case "${mod}" in

.github/workflows/sast.yml

@@ -1,5 +1,4 @@
 name: CodeQL
-
 on:
   push:
     branches: [main]
@@ -9,9 +8,7 @@ on:
     branches: [main]
   schedule:
     - cron: '45 23 * * 6'
-
 permissions: read-all
-
 jobs:
   analyze:
     name: Analyze (go)
@@ -27,18 +24,15 @@ jobs:
       security-events: write
       # required to fetch internal or private CodeQL packs
       packages: read
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
-
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3
         with:
           languages: go
           build-mode: autobuild
-
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3
         with: