[CI] Remove template injection vulnerable bits from Serverless GHA Workflows

[amenasria]

What does this PR do?

This PR removes the template injection vulnerable bits from Serverless GHA Workflows.

Motivation

TL; DR: From this remediation security post from Gitlab:
The best practice to avoid code and command injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable:

- name: print title
  env:
    TITLE: ${{ github.event.issue.title }}
  run: echo "$TITLE"

This way, the value of the ${{ github.event.issue.title }} expression is stored in memory and used as variable instead of influencing the generation of script. As a side note, it is a good idea to double quote shell variables to avoid word splitting, but this is one of many general recommendations for writing shell scripts, not specific to GitHub Actions.

Describe how to test/QA your changes

Possible Drawbacks / Trade-offs

Additional Notes

[github-actions]

Serverless Benchmark Results

BenchmarkStartEndInvocation comparison between a0e73e3 and e924240.

tl;dr

Use these benchmarks as an insight tool during development.

1. Skim down the vs base column in each chart. If there is a ~, then there was no statistically significant change to the benchmark. Otherwise, ensure the estimated percent change is either negative or very small.

2. The last row of each chart is the geomean. Ensure this percentage is either negative or very small.

What is this benchmarking?

The BenchmarkStartEndInvocation compares the amount of time it takes to call the start-invocation and end-invocation endpoints. For universal instrumentation languages (Dotnet, Golang, Java, Ruby), this represents the majority of the duration overhead added by our tracing layer.

The benchmark is run using a large variety of lambda request payloads. In the charts below, there is one row for each event payload type.

How do I interpret these charts?

The charts below comes from benchstat. They represent the statistical change in duration (sec/op), memory overhead (B/op), and allocations (allocs/op).

The benchstat docs explain how to interpret these charts.

Before the comparison table, we see common file-level configuration. If there are benchmarks with different configuration (for example, from different packages), benchstat will print separate tables for each configuration.

The table then compares the two input files for each benchmark. It shows the median and 95% confidence interval summaries for each benchmark before and after the change, and an A/B comparison under "vs base". ... The p-value measures how likely it is that any differences were due to random chance (i.e., noise). The "~" means benchstat did not detect a statistically significant difference between the two inputs. ...

Note that "statistically significant" is not the same as "large": with enough low-noise data, even very small changes can be distinguished from noise and considered statistically significant. It is, of course, generally easier to distinguish large changes from noise.

Finally, the last row of the table shows the geometric mean of each column, giving an overall picture of how the benchmarks changed. Proportional changes in the geomean reflect proportional changes in the benchmarks. For example, given n benchmarks, if sec/op for one of them increases by a factor of 2, then the sec/op geomean will increase by a factor of ⁿ√2.

I need more help

First off, do not worry if the benchmarks are failing. They are not tests. The intention is for them to be a tool for you to use during development.

If you would like a hand interpreting the results come chat with us in #serverless-agent in the internal DataDog slack or in #serverless in the public DataDog slack. We're happy to help!

Benchmark stats

goos: linux
goarch: amd64
pkg: github.com/DataDog/datadog-agent/pkg/serverless/daemon
cpu: AMD EPYC 7763 64-Core Processor                
                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │         sec/op         │    sec/op     vs base               │
api-gateway-appsec.json                            87.52µ ± 4%    85.44µ ± 4%       ~ (p=0.353 n=10)
api-gateway-kong-appsec.json                       67.65µ ± 2%    67.01µ ± 1%       ~ (p=0.075 n=10)
api-gateway-kong.json                              66.70µ ± 4%    65.85µ ± 1%       ~ (p=0.315 n=10)
api-gateway-non-proxy-async.json                   105.4µ ± 2%    105.0µ ± 7%       ~ (p=0.912 n=10)
api-gateway-non-proxy.json                         105.9µ ± 2%    112.2µ ± 2%  +6.00% (p=0.000 n=10)
api-gateway-websocket-connect.json                 70.63µ ± 1%    74.63µ ± 2%  +5.67% (p=0.000 n=10)
api-gateway-websocket-default.json                 63.30µ ± 1%    65.36µ ± 2%  +3.24% (p=0.000 n=10)
api-gateway-websocket-disconnect.json              63.41µ ± 2%    65.64µ ± 1%  +3.51% (p=0.000 n=10)
api-gateway.json                                   116.0µ ± 1%    116.2µ ± 1%       ~ (p=0.315 n=10)
application-load-balancer.json                     64.43µ ± 1%    64.98µ ± 1%  +0.86% (p=0.002 n=10)
cloudfront.json                                    48.00µ ± 1%    49.10µ ± 3%  +2.29% (p=0.008 n=10)
cloudwatch-events.json                             38.83µ ± 1%    40.64µ ± 3%  +4.68% (p=0.001 n=10)
cloudwatch-logs.json                               65.37µ ± 1%    68.44µ ± 3%  +4.69% (p=0.000 n=10)
custom.json                                        31.35µ ± 2%    31.61µ ± 1%       ~ (p=0.143 n=10)
dynamodb.json                                      93.60µ ± 1%    94.45µ ± 2%  +0.91% (p=0.035 n=10)
empty.json                                         29.31µ ± 1%    29.54µ ± 4%       ~ (p=0.739 n=10)
eventbridge-custom.json                            48.58µ ± 4%    48.30µ ± 1%       ~ (p=0.393 n=10)
eventbridge-no-bus.json                            47.25µ ± 1%    47.24µ ± 3%       ~ (p=0.481 n=10)
eventbridge-no-timestamp.json                      47.11µ ± 2%    46.98µ ± 1%       ~ (p=1.000 n=10)
eventbridgesns.json                                63.78µ ± 1%    63.84µ ± 2%       ~ (p=0.971 n=10)
eventbridgesqs.json                                71.64µ ± 1%    72.21µ ± 2%       ~ (p=0.699 n=10)
http-api.json                                      73.37µ ± 1%    71.99µ ± 3%  -1.89% (p=0.023 n=10)
kinesis-batch.json                                 72.26µ ± 1%    72.38µ ± 1%       ~ (p=0.739 n=10)
kinesis.json                                       55.38µ ± 2%    55.16µ ± 1%       ~ (p=0.853 n=10)
s3.json                                            61.25µ ± 2%    61.08µ ± 2%       ~ (p=0.592 n=10)
sns-batch.json                                     94.04µ ± 1%    94.26µ ± 1%       ~ (p=0.684 n=10)
sns.json                                           68.60µ ± 1%    70.64µ ± 3%  +2.97% (p=0.011 n=10)
snssqs.json                                        117.9µ ± 2%    123.8µ ± 3%  +5.01% (p=0.000 n=10)
snssqs_no_dd_context.json                          107.7µ ± 2%    108.9µ ± 2%       ~ (p=0.481 n=10)
sqs-aws-header.json                                60.30µ ± 2%    60.72µ ± 2%       ~ (p=0.342 n=10)
sqs-batch.json                                     97.44µ ± 2%   100.02µ ± 2%  +2.65% (p=0.005 n=10)
sqs.json                                           74.33µ ± 3%    74.19µ ± 2%       ~ (p=0.684 n=10)
sqs_no_dd_context.json                             69.75µ ± 3%    69.79µ ± 2%       ~ (p=0.971 n=10)
stepfunction.json                                  47.01µ ± 3%    48.57µ ± 5%  +3.33% (p=0.002 n=10)
geomean                                            66.64µ         67.46µ       +1.22%

                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │          B/op          │     B/op      vs base               │
api-gateway-appsec.json                           37.34Ki ± 0%   37.33Ki ± 0%       ~ (p=0.853 n=10)
api-gateway-kong-appsec.json                      26.93Ki ± 0%   26.94Ki ± 0%       ~ (p=0.382 n=10)
api-gateway-kong.json                             24.43Ki ± 0%   24.44Ki ± 0%       ~ (p=0.725 n=10)
api-gateway-non-proxy-async.json                  48.14Ki ± 0%   48.14Ki ± 0%       ~ (p=0.869 n=10)
api-gateway-non-proxy.json                        47.35Ki ± 0%   47.37Ki ± 0%  +0.05% (p=0.000 n=10)
api-gateway-websocket-connect.json                25.53Ki ± 0%   25.54Ki ± 0%       ~ (p=0.158 n=10)
api-gateway-websocket-default.json                21.44Ki ± 0%   21.44Ki ± 0%       ~ (p=0.254 n=10)
api-gateway-websocket-disconnect.json             21.22Ki ± 0%   21.22Ki ± 0%       ~ (p=0.254 n=10)
api-gateway.json                                  49.59Ki ± 0%   49.59Ki ± 0%       ~ (p=0.896 n=10)
application-load-balancer.json                    23.31Ki ± 0%   23.32Ki ± 0%       ~ (p=0.170 n=10)
cloudfront.json                                   17.67Ki ± 0%   17.68Ki ± 0%  +0.06% (p=0.022 n=10)
cloudwatch-events.json                            11.73Ki ± 0%   11.74Ki ± 0%  +0.10% (p=0.033 n=10)
cloudwatch-logs.json                              53.38Ki ± 0%   53.39Ki ± 0%       ~ (p=0.224 n=10)
custom.json                                       9.753Ki ± 0%   9.739Ki ± 0%       ~ (p=0.060 n=10)
dynamodb.json                                     40.81Ki ± 0%   40.83Ki ± 0%       ~ (p=0.100 n=10)
empty.json                                        9.310Ki ± 0%   9.312Ki ± 0%       ~ (p=0.362 n=10)
eventbridge-custom.json                           15.02Ki ± 0%   15.02Ki ± 0%       ~ (p=0.469 n=10)
eventbridge-no-bus.json                           14.00Ki ± 0%   14.02Ki ± 0%       ~ (p=0.065 n=10)
eventbridge-no-timestamp.json                     14.02Ki ± 0%   14.03Ki ± 0%       ~ (p=0.684 n=10)
eventbridgesns.json                               20.96Ki ± 0%   20.98Ki ± 1%       ~ (p=0.739 n=10)
eventbridgesqs.json                               25.16Ki ± 0%   25.14Ki ± 0%       ~ (p=0.363 n=10)
http-api.json                                     23.93Ki ± 0%   23.93Ki ± 0%       ~ (p=0.670 n=10)
kinesis-batch.json                                27.16Ki ± 0%   27.12Ki ± 0%       ~ (p=0.123 n=10)
kinesis.json                                      17.92Ki ± 0%   17.90Ki ± 0%       ~ (p=0.971 n=10)
s3.json                                           20.42Ki ± 1%   20.46Ki ± 0%       ~ (p=0.753 n=10)
sns-batch.json                                    39.93Ki ± 0%   39.94Ki ± 0%       ~ (p=0.986 n=10)
sns.json                                          25.13Ki ± 0%   25.20Ki ± 0%  +0.26% (p=0.002 n=10)
snssqs.json                                       53.87Ki ± 0%   53.96Ki ± 0%       ~ (p=0.123 n=10)
snssqs_no_dd_context.json                         47.57Ki ± 0%   47.70Ki ± 0%  +0.28% (p=0.037 n=10)
sqs-aws-header.json                               19.47Ki ± 0%   19.48Ki ± 1%       ~ (p=0.912 n=10)
sqs-batch.json                                    42.38Ki ± 0%   42.37Ki ± 0%       ~ (p=0.971 n=10)
sqs.json                                          26.23Ki ± 0%   26.23Ki ± 0%       ~ (p=1.000 n=10)
sqs_no_dd_context.json                            21.88Ki ± 1%   21.93Ki ± 1%       ~ (p=0.753 n=10)
stepfunction.json                                 14.27Ki ± 2%   14.38Ki ± 1%       ~ (p=0.247 n=10)
geomean                                           24.61Ki        24.62Ki       +0.06%

                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │       allocs/op        │ allocs/op   vs base                 │
api-gateway-appsec.json                             629.5 ± 0%   629.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-kong-appsec.json                        488.0 ± 0%   488.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-kong.json                               466.0 ± 0%   466.0 ± 0%       ~ (p=1.000 n=10) ¹
api-gateway-non-proxy-async.json                    726.0 ± 0%   725.5 ± 0%       ~ (p=1.000 n=10)
api-gateway-non-proxy.json                          716.0 ± 0%   716.0 ± 0%       ~ (p=0.474 n=10)
api-gateway-websocket-connect.json                  453.0 ± 0%   453.0 ± 0%       ~ (p=0.474 n=10)
api-gateway-websocket-default.json                  379.0 ± 0%   379.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-websocket-disconnect.json               370.0 ± 0%   370.0 ± 0%       ~ (p=1.000 n=10)
api-gateway.json                                    791.0 ± 0%   791.0 ± 0%       ~ (p=1.000 n=10)
application-load-balancer.json                      353.0 ± 0%   353.0 ± 0%       ~ (p=1.000 n=10) ¹
cloudfront.json                                     284.0 ± 0%   284.0 ± 0%       ~ (p=1.000 n=10)
cloudwatch-events.json                              220.0 ± 0%   220.0 ± 0%       ~ (p=1.000 n=10)
cloudwatch-logs.json                                215.0 ± 0%   216.0 ± 0%       ~ (p=0.370 n=10)
custom.json                                         168.0 ± 0%   168.0 ± 0%       ~ (p=1.000 n=10)
dynamodb.json                                       589.0 ± 0%   589.0 ± 0%       ~ (p=1.000 n=10)
empty.json                                          160.0 ± 1%   160.0 ± 1%       ~ (p=1.000 n=10)
eventbridge-custom.json                             266.0 ± 0%   266.0 ± 0%       ~ (p=0.548 n=10)
eventbridge-no-bus.json                             257.5 ± 0%   258.0 ± 0%       ~ (p=0.350 n=10)
eventbridge-no-timestamp.json                       258.0 ± 0%   258.0 ± 0%       ~ (p=1.000 n=10)
eventbridgesns.json                                 326.0 ± 0%   326.0 ± 1%       ~ (p=1.000 n=10)
eventbridgesqs.json                                 367.0 ± 0%   366.5 ± 0%       ~ (p=0.318 n=10)
http-api.json                                       434.0 ± 0%   434.0 ± 0%       ~ (p=0.690 n=10)
kinesis-batch.json                                  392.0 ± 0%   391.5 ± 0%       ~ (p=0.515 n=10)
kinesis.json                                        286.0 ± 0%   286.0 ± 0%       ~ (p=0.577 n=10)
s3.json                                             358.0 ± 1%   359.0 ± 0%       ~ (p=0.855 n=10)
sns-batch.json                                      479.0 ± 0%   479.0 ± 0%       ~ (p=0.924 n=10)
sns.json                                            346.0 ± 1%   347.0 ± 1%  +0.29% (p=0.010 n=10)
snssqs.json                                         478.0 ± 1%   479.5 ± 0%       ~ (p=0.107 n=10)
snssqs_no_dd_context.json                           436.5 ± 0%   438.0 ± 0%       ~ (p=0.051 n=10)
sqs-aws-header.json                                 287.0 ± 1%   287.0 ± 1%       ~ (p=0.755 n=10)
sqs-batch.json                                      517.5 ± 0%   517.5 ± 0%       ~ (p=0.962 n=10)
sqs.json                                            364.0 ± 1%   364.0 ± 1%       ~ (p=0.944 n=10)
sqs_no_dd_context.json                              349.0 ± 1%   350.0 ± 1%       ~ (p=0.562 n=10)
stepfunction.json                                   237.0 ± 2%   238.5 ± 1%       ~ (p=0.253 n=10)
geomean                                             367.1        367.4       +0.07%
¹ all samples are equal

[agent-platform-auto-pr]

[Fast Unit Tests Report]

On pipeline 47884641 (CI Visibility). The following jobs did not run any unit tests:

Jobs:

• tests_deb-arm64-py3
• tests_deb-x64-py3
• tests_flavor_dogstatsd_deb-x64
• tests_flavor_heroku_deb-x64
• tests_flavor_iot_deb-x64
• tests_rpm-arm64-py3
• tests_rpm-x64-py3
• tests_windows-x64

If you modified Go files and expected unit tests to run in these jobs, please double check the job logs. If you think tests should have been executed reach out to #agent-devx-help

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Run ID: 316d203e-0d12-4232-b983-6a41ab074c08 Metrics dashboard Target profiles

Baseline: a0e73e3
Comparison: 4dfcff6

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	otel_to_otel_logs	ingress throughput	+1.17	[+0.36, +1.98]	1	Logs
➖	basic_py_check	% cpu utilization	+0.98	[-1.76, +3.73]	1	Logs
➖	quality_gate_idle	memory utilization	+0.36	[+0.32, +0.41]	1	Logs bounds checks dashboard
➖	pycheck_lots_of_tags	% cpu utilization	+0.29	[-2.24, +2.81]	1	Logs
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	+0.27	[-0.45, +1.00]	1	Logs
➖	idle	memory utilization	+0.20	[+0.15, +0.24]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	+0.10	[+0.05, +0.15]	1	Logs
➖	file_to_blackhole_300ms_latency	egress throughput	+0.06	[-0.12, +0.24]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.01, +0.01]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.00	[-0.23, +0.22]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.00	[-0.10, +0.09]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.01	[-0.35, +0.32]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.02	[-0.26, +0.23]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.31	[-0.42, -0.20]	1	Logs bounds checks dashboard
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.41	[-0.89, +0.08]	1	Logs
➖	idle_all_features	memory utilization	-0.68	[-0.82, -0.54]	1	Logs bounds checks dashboard
➖	file_tree	memory utilization	-1.18	[-1.31, -1.04]	1	Logs

Bounds Checks

perf	experiment	bounds_check_name	replicates_passed
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_300ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	idle	memory_usage	10/10
✅	idle_all_features	memory_usage	10/10
✅	quality_gate_idle	memory_usage	10/10
✅	quality_gate_idle_all_features	memory_usage	10/10

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

[amenasria]

/merge

[dd-devflow]

🚂 MergeQueue: pull request added to the queue

The median merge time in main is 22m.

Use /merge -c to cancel this operation!