chore: retrieve tokens from vault (#112)

Author: korniltsev

.github/workflows/tag_linux.yml

@@ -6,11 +6,11 @@ on:
       - 'v*'
       - '!v*opentelemetry'
       - '!v*opentracing'
-
 jobs:
   release-linux-profiler-x86_64:
     permissions:
       contents: write
+      id-token: write
     runs-on: ubuntu-latest
     env:
       DOCKER_BUILDKIT: 1
@@ -26,11 +26,16 @@ jobs:
         with:
           submodules: 'true'
           persist-credentials: false
+      - uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760
+        with:
+          repo_secrets: |
+            DOCKERHUB_USERNAME=dockerhub:user
+            DOCKERHUB_PASSWORD=dockerhub:token
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
         name: Login to Docker Hub
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_PASSWORD }}
       - run: make bump_version && git diff --exit-code
       - run: make docker/build
       - run: make docker/push
@@ -42,6 +47,7 @@ jobs:
   release-linux-profiler-aarch64:
     permissions:
       contents: write
+      id-token: write
     runs-on: github-hosted-ubuntu-arm64-large
     env:
       DOCKER_BUILDKIT: 1
@@ -57,11 +63,16 @@ jobs:
         with:
           submodules: 'true'
           persist-credentials: false
+      - uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760
+        with:
+          repo_secrets: |
+            DOCKERHUB_USERNAME=dockerhub:user
+            DOCKERHUB_PASSWORD=dockerhub:token
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
         name: Login to Docker Hub
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_PASSWORD }}
       - run: make bump_version && git diff --exit-code
       - run: make docker/build
       - run: make docker/push
@@ -73,6 +84,7 @@ jobs:
   release-linux-profiler:
     permissions:
       contents: read
+      id-token: write
     needs: ['release-linux-profiler-x86_64', 'release-linux-profiler-aarch64']
     runs-on: ubuntu-latest
     env:
@@ -88,9 +100,14 @@ jobs:
         with:
           submodules: 'true'
           persist-credentials: false
+      - uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760
+        with:
+          repo_secrets: |
+            DOCKERHUB_USERNAME=dockerhub:user
+            DOCKERHUB_PASSWORD=dockerhub:token
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
         name: Login to Docker Hub
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_PASSWORD }}
       - run: make docker/manifest

.github/workflows/tag_managed_helper.yml

@@ -9,6 +9,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release-managed-helper:
@@ -27,11 +28,15 @@ jobs:
       - run: make bump_version && git diff --exit-code
       - run: dotnet build -c Release
         working-directory: Pyroscope
+      - uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760
+        with:
+          repo_secrets: |
+            NUGET_API_KEY=nuget:api_key
       - name: Publish the package to nuget.org
-        run: dotnet nuget push Pyroscope/bin/Release/*.nupkg -k $NUGET_AUTH_TOKEN -s https://api.nuget.org/v3/index.json
+        run: dotnet nuget push Pyroscope/bin/Release/*.nupkg -k "${NUGET_API_KEY}" -s https://api.nuget.org/v3/index.json
         working-directory: Pyroscope
         env:
-          NUGET_AUTH_TOKEN: ${{ secrets.NUGET_API_KEY }}
+          NUGET_API_KEY: ${{ env.NUGET_API_KEY }}
       - name: Release
         uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         if: startsWith(github.ref, 'refs/tags/')

.github/workflows/tag_tracing_opentelemetry_helper.yml

@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release-opentelemetry-lib:
@@ -22,11 +23,15 @@ jobs:
           dotnet-version: '6.0'
       - run: dotnet build -c Release
         working-directory: Pyroscope/Pyroscope.OpenTelemetry
+      - uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760
+        with:
+          repo_secrets: |
+            NUGET_API_KEY=nuget:api_key
       - name: Publish the package to nuget.org
-        run: dotnet nuget push bin/Release/*.nupkg -k $NUGET_AUTH_TOKEN -s https://api.nuget.org/v3/index.json
+        run: dotnet nuget push bin/Release/*.nupkg -k "${NUGET_API_KEY}" -s https://api.nuget.org/v3/index.json
         working-directory: Pyroscope/Pyroscope.OpenTelemetry
         env:
-          NUGET_AUTH_TOKEN: ${{ secrets.NUGET_API_KEY }}
+          NUGET_API_KEY: ${{ env.NUGET_API_KEY }}
       - name: Release
         uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         if: startsWith(github.ref, 'refs/tags/')

.github/workflows/tag_tracing_opentracing_helper.yml

@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release-opentracing-lib:
@@ -22,11 +23,15 @@ jobs:
           dotnet-version: '6.0'
       - run: dotnet build -c Release
         working-directory: Pyroscope/Pyroscope.OpenTracing
+      - uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760
+        with:
+          repo_secrets: |
+            NUGET_API_KEY=nuget:api_key
       - name: Publish the package to nuget.org
-        run: dotnet nuget push bin/Release/*.nupkg -k $NUGET_AUTH_TOKEN -s https://api.nuget.org/v3/index.json
+        run: dotnet nuget push bin/Release/*.nupkg -k "${NUGET_API_KEY}" -s https://api.nuget.org/v3/index.json
         working-directory: Pyroscope/Pyroscope.OpenTracing
         env:
-          NUGET_AUTH_TOKEN: ${{ secrets.NUGET_API_KEY }}
+          NUGET_API_KEY: ${{ env.NUGET_API_KEY }}
       - name: Release
         uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         if: startsWith(github.ref, 'refs/tags/')

Pyroscope/Pyroscope/Pyroscope.csproj

@@ -5,9 +5,9 @@
         <ImplicitUsings>enable</ImplicitUsings>
         <Nullable>enable</Nullable>
         <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
-        <PackageVersion>0.10.0</PackageVersion>
-        <AssemblyVersion>0.10.0</AssemblyVersion>
-        <FileVersion>0.10.0</FileVersion>
+        <PackageVersion>0.12.0</PackageVersion>
+        <AssemblyVersion>0.12.0</AssemblyVersion>
+        <FileVersion>0.12.0</FileVersion>
         <LangVersion>10</LangVersion>
     </PropertyGroup>
 

profiler/src/ProfilerEngine/Datadog.Profiler.Native/PyroscopePprofSink.h

@@ -10,7 +10,7 @@
 #include "httplib.h"
 #include "url.hpp"
 
-#define PYROSCOPE_SPY_VERSION "0.10.0"
+#define PYROSCOPE_SPY_VERSION "0.12.0"
 
 class PyroscopePprofSink : public PProfExportSink
 {