Skip to content

Use dd-octo-sts to retrieve github release token #9187

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 23 commits into from
Jul 22, 2025
Merged

Use dd-octo-sts to retrieve github release token #9187

merged 23 commits into from
Jul 22, 2025

Conversation

sarahchen6
Copy link
Contributor

@sarahchen6 sarahchen6 commented Jul 16, 2025
edited
Loading

What Does This Do

Use dd-octo-sts to retrieve the github release token. Fall back to our existing method that uses aws ssm to retrieve a fine-grained PAT if the dd-octo-sts process fails.

Motivation

Leverage dd-octo-sts security: https://datadoghq.atlassian.net/wiki/spaces/SECENG/pages/4705912130/DD+Octo+STS

Additional Notes

The trust policy logic is in #9198 . Since policies can only be read from master, that PR will need to be merged first.

This workflow is based on the dd-octo-sts User Guide example.

Contributor Checklist

Jira ticket: https://datadoghq.atlassian.net/browse/LANGPLAT-696

@sarahchen6 sarahchen6 added type: enhancement Enhancements and improvements tag: do not merge Do not merge changes tag: no release notes Changes to exclude from release notes comp: tooling Build & Tooling labels Jul 16, 2025
@pr-commenter
Copy link

pr-commenter bot commented Jul 16, 2025
edited
Loading

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sarahchen6/use-octo-sts
git_commit_date 1753187273 1753198727
git_commit_sha 766af68 4cc35a7
release_version 1.51.1-SNAPSHOT~766af685ed 1.52.0-SNAPSHOT~4cc35a712b
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1753200627 1753200627
ci_job_id 1041452688 1041452688
ci_pipeline_id 71332477 71332477
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-2i8wn2et 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-2i8wn2et 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 49 metrics, 10 unstable metrics.

Startup time reports for petclinic 
gantt
    title petclinic - global startup overhead: candidate=1.52.0-SNAPSHOT~4cc35a712b, baseline=1.51.1-SNAPSHOT~766af685ed

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.037 s) : 0, 1037456
Total [baseline] (10.633 s) : 0, 10633191
Agent [candidate] (1.042 s) : 0, 1042492
Total [candidate] (10.59 s) : 0, 10589915
section appsec
Agent [baseline] (1.22 s) : 0, 1219698
Total [baseline] (10.789 s) : 0, 10789201
Agent [candidate] (1.219 s) : 0, 1218941
Total [candidate] (10.844 s) : 0, 10844445
section iast
Agent [baseline] (1.179 s) : 0, 1179168
Total [baseline] (10.937 s) : 0, 10937490
Agent [candidate] (1.173 s) : 0, 1173023
Total [candidate] (10.886 s) : 0, 10886007
section profiling
Agent [baseline] (1.191 s) : 0, 1190878
Total [baseline] (11.01 s) : 0, 11010166
Agent [candidate] (1.191 s) : 0, 1190835
Total [candidate] (10.927 s) : 0, 10926540
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.037 s -
Agent appsec 1.22 s 182.242 ms (17.6%)
Agent iast 1.179 s 141.713 ms (13.7%)
Agent profiling 1.191 s 153.422 ms (14.8%)
Total tracing 10.633 s -
Total appsec 10.789 s 156.011 ms (1.5%)
Total iast 10.937 s 304.299 ms (2.9%)
Total profiling 11.01 s 376.975 ms (3.5%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.042 s -
Agent appsec 1.219 s 176.449 ms (16.9%)
Agent iast 1.173 s 130.531 ms (12.5%)
Agent profiling 1.191 s 148.344 ms (14.2%)
Total tracing 10.59 s -
Total appsec 10.844 s 254.529 ms (2.4%)
Total iast 10.886 s 296.091 ms (2.8%)
Total profiling 10.927 s 336.625 ms (3.2%) 
gantt
    title petclinic - break down per module: candidate=1.52.0-SNAPSHOT~4cc35a712b, baseline=1.51.1-SNAPSHOT~766af685ed

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.43 ms) : 0, 1430
crashtracking [candidate] (1.439 ms) : 0, 1439
BytebuddyAgent [baseline] (728.271 ms) : 0, 728271
BytebuddyAgent [candidate] (731.798 ms) : 0, 731798
GlobalTracer [baseline] (241.213 ms) : 0, 241213
GlobalTracer [candidate] (243.024 ms) : 0, 243024
AppSec [baseline] (30.641 ms) : 0, 30641
AppSec [candidate] (30.36 ms) : 0, 30360
Debugger [baseline] (6.025 ms) : 0, 6025
Debugger [candidate] (5.998 ms) : 0, 5998
Remote Config [baseline] (650.947 µs) : 0, 651
Remote Config [candidate] (645.474 µs) : 0, 645
Telemetry [baseline] (8.261 ms) : 0, 8261
Telemetry [candidate] (8.18 ms) : 0, 8180
section appsec
crashtracking [baseline] (1.434 ms) : 0, 1434
crashtracking [candidate] (1.442 ms) : 0, 1442
BytebuddyAgent [baseline] (753.108 ms) : 0, 753108
BytebuddyAgent [candidate] (751.003 ms) : 0, 751003
GlobalTracer [baseline] (234.649 ms) : 0, 234649
GlobalTracer [candidate] (235.582 ms) : 0, 235582
AppSec [baseline] (170.534 ms) : 0, 170534
AppSec [candidate] (169.21 ms) : 0, 169210
Debugger [baseline] (6.377 ms) : 0, 6377
Debugger [candidate] (7.962 ms) : 0, 7962
Remote Config [baseline] (598.362 µs) : 0, 598
Remote Config [candidate] (616.933 µs) : 0, 617
Telemetry [baseline] (8.154 ms) : 0, 8154
Telemetry [candidate] (8.124 ms) : 0, 8124
IAST [baseline] (23.515 ms) : 0, 23515
IAST [candidate] (23.745 ms) : 0, 23745
section iast
crashtracking [baseline] (1.44 ms) : 0, 1440
crashtracking [candidate] (1.445 ms) : 0, 1445
BytebuddyAgent [baseline] (851.67 ms) : 0, 851670
BytebuddyAgent [candidate] (846.011 ms) : 0, 846011
GlobalTracer [baseline] (231.922 ms) : 0, 231922
GlobalTracer [candidate] (231.659 ms) : 0, 231659
AppSec [baseline] (28.387 ms) : 0, 28387
AppSec [candidate] (26.8 ms) : 0, 26800
Debugger [baseline] (8.502 ms) : 0, 8502
Debugger [candidate] (6.702 ms) : 0, 6702
Remote Config [baseline] (598.765 µs) : 0, 599
Remote Config [candidate] (601.494 µs) : 0, 601
Telemetry [baseline] (7.951 ms) : 0, 7951
Telemetry [candidate] (7.948 ms) : 0, 7948
IAST [baseline] (27.609 ms) : 0, 27609
IAST [candidate] (30.854 ms) : 0, 30854
section profiling
ProfilingAgent [baseline] (104.6 ms) : 0, 104600
ProfilingAgent [candidate] (105.248 ms) : 0, 105248
crashtracking [baseline] (1.431 ms) : 0, 1431
crashtracking [candidate] (1.41 ms) : 0, 1410
BytebuddyAgent [baseline] (763.073 ms) : 0, 763073
BytebuddyAgent [candidate] (762.386 ms) : 0, 762386
GlobalTracer [baseline] (221.529 ms) : 0, 221529
GlobalTracer [candidate] (221.232 ms) : 0, 221232
AppSec [baseline] (30.473 ms) : 0, 30473
AppSec [candidate] (30.57 ms) : 0, 30570
Debugger [baseline] (6.34 ms) : 0, 6340
Debugger [candidate] (6.36 ms) : 0, 6360
Remote Config [baseline] (679.364 µs) : 0, 679
Remote Config [candidate] (671.793 µs) : 0, 672
Telemetry [baseline] (14.039 ms) : 0, 14039
Telemetry [candidate] (14.239 ms) : 0, 14239
Profiling [baseline] (104.623 ms) : 0, 104623
Profiling [candidate] (105.273 ms) : 0, 105273
Loading
Startup time reports for insecure-bank 
gantt
    title insecure-bank - global startup overhead: candidate=1.52.0-SNAPSHOT~4cc35a712b, baseline=1.51.1-SNAPSHOT~766af685ed

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.043 s) : 0, 1042547
Total [baseline] (8.634 s) : 0, 8634429
Agent [candidate] (1.045 s) : 0, 1044705
Total [candidate] (8.639 s) : 0, 8639445
section iast
Agent [baseline] (1.17 s) : 0, 1169692
Total [baseline] (9.267 s) : 0, 9266569
Agent [candidate] (1.17 s) : 0, 1170004
Total [candidate] (9.25 s) : 0, 9250106
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.043 s -
Agent iast 1.17 s 127.145 ms (12.2%)
Total tracing 8.634 s -
Total iast 9.267 s 632.141 ms (7.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.045 s -
Agent iast 1.17 s 125.299 ms (12.0%)
Total tracing 8.639 s -
Total iast 9.25 s 610.661 ms (7.1%) 
gantt
    title insecure-bank - break down per module: candidate=1.52.0-SNAPSHOT~4cc35a712b, baseline=1.51.1-SNAPSHOT~766af685ed

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.439 ms) : 0, 1439
crashtracking [candidate] (1.441 ms) : 0, 1441
BytebuddyAgent [baseline] (733.331 ms) : 0, 733331
BytebuddyAgent [candidate] (733.938 ms) : 0, 733938
GlobalTracer [baseline] (241.457 ms) : 0, 241457
GlobalTracer [candidate] (242.784 ms) : 0, 242784
AppSec [baseline] (30.391 ms) : 0, 30391
AppSec [candidate] (30.525 ms) : 0, 30525
Debugger [baseline] (6.013 ms) : 0, 6013
Debugger [candidate] (6.085 ms) : 0, 6085
Remote Config [baseline] (650.879 µs) : 0, 651
Remote Config [candidate] (648.148 µs) : 0, 648
Telemetry [baseline] (8.206 ms) : 0, 8206
Telemetry [candidate] (8.264 ms) : 0, 8264
section iast
crashtracking [baseline] (1.425 ms) : 0, 1425
crashtracking [candidate] (1.436 ms) : 0, 1436
BytebuddyAgent [baseline] (844.993 ms) : 0, 844993
BytebuddyAgent [candidate] (844.167 ms) : 0, 844167
GlobalTracer [baseline] (231.6 ms) : 0, 231600
GlobalTracer [candidate] (230.827 ms) : 0, 230827
IAST [baseline] (30.425 ms) : 0, 30425
IAST [candidate] (28.328 ms) : 0, 28328
AppSec [baseline] (26.325 ms) : 0, 26325
AppSec [candidate] (28.323 ms) : 0, 28322
Debugger [baseline] (5.77 ms) : 0, 5770
Debugger [candidate] (7.482 ms) : 0, 7482
Remote Config [baseline] (576.685 µs) : 0, 577
Remote Config [candidate] (585.598 µs) : 0, 586
Telemetry [baseline] (7.854 ms) : 0, 7854
Telemetry [candidate] (7.986 ms) : 0, 7986
Loading

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sarahchen6/use-octo-sts
git_commit_date 1753187273 1753198727
git_commit_sha 766af68 4cc35a7
release_version 1.51.1-SNAPSHOT~766af685ed 1.52.0-SNAPSHOT~4cc35a712b
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1753200306 1753200306
ci_job_id 1041452690 1041452690
ci_pipeline_id 71332477 71332477
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-f72dq273 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-f72dq273 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 3 performance improvements and 1 performance regressions! Performance is the same for 8 metrics, 12 unstable metrics.

scenario Δ mean http_req_duration Δ mean throughput candidate mean http_req_duration candidate mean throughput baseline mean http_req_duration baseline mean throughput
scenario:load:insecure-bank:iast_FULL:high_load better
[-898.617µs; -305.857µs] or [-6.325%; -2.153%]		 unstable
[-24.327op/s; +52.827op/s] or [-7.414%; +16.100%]		 13.606ms 342.375op/s 14.208ms 328.125op/s
scenario:load:petclinic:profiling:high_load worse
[+3.073ms; +4.048ms] or [+6.836%; +9.005%]		 unstable
[-15.076op/s; -0.099op/s] or [-14.486%; -0.095%]		 48.517ms 96.487op/s 44.956ms 104.075op/s
scenario:load:petclinic:tracing:high_load better
[-2.040ms; -1.221ms] or [-4.534%; -2.713%]		 unstable
[-3.483op/s; +11.233op/s] or [-3.350%; +10.803%]		 43.362ms 107.850op/s 44.992ms 103.975op/s
scenario:load:petclinic:appsec:high_load better
[-3.109ms; -2.220ms] or [-6.435%; -4.594%]		 unstable
[-1.139op/s; +12.489op/s] or [-1.175%; +12.893%]		 45.645ms 102.537op/s 48.309ms 96.862op/s
Request duration reports for petclinic 
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.52.0-SNAPSHOT~4cc35a712b, baseline=1.51.1-SNAPSHOT~766af685ed
    dateFormat X
    axisFormat %s
section baseline
no_agent (37.471 ms) : 37166, 37775
.   : milestone, 37471,
appsec (48.309 ms) : 47885, 48733
.   : milestone, 48309,
code_origins (44.814 ms) : 44431, 45197
.   : milestone, 44814,
iast (45.226 ms) : 44832, 45621
.   : milestone, 45226,
profiling (44.956 ms) : 44517, 45395
.   : milestone, 44956,
tracing (44.992 ms) : 44607, 45377
.   : milestone, 44992,
section candidate
no_agent (37.271 ms) : 36968, 37575
.   : milestone, 37271,
appsec (45.645 ms) : 45243, 46047
.   : milestone, 45645,
code_origins (45.182 ms) : 44799, 45566
.   : milestone, 45182,
iast (45.025 ms) : 44631, 45418
.   : milestone, 45025,
profiling (48.517 ms) : 48050, 48984
.   : milestone, 48517,
tracing (43.362 ms) : 42986, 43738
.   : milestone, 43362,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 37.471 ms [37.166 ms, 37.775 ms] -
appsec 48.309 ms [47.885 ms, 48.733 ms] 10.838 ms (28.9%)
code_origins 44.814 ms [44.431 ms, 45.197 ms] 7.343 ms (19.6%)
iast 45.226 ms [44.832 ms, 45.621 ms] 7.755 ms (20.7%)
profiling 44.956 ms [44.517 ms, 45.395 ms] 7.485 ms (20.0%)
tracing 44.992 ms [44.607 ms, 45.377 ms] 7.521 ms (20.1%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 37.271 ms [36.968 ms, 37.575 ms] -
appsec 45.645 ms [45.243 ms, 46.047 ms] 8.373 ms (22.5%)
code_origins 45.182 ms [44.799 ms, 45.566 ms] 7.911 ms (21.2%)
iast 45.025 ms [44.631 ms, 45.418 ms] 7.753 ms (20.8%)
profiling 48.517 ms [48.05 ms, 48.984 ms] 11.246 ms (30.2%)
tracing 43.362 ms [42.986 ms, 43.738 ms] 6.09 ms (16.3%)
Request duration reports for insecure-bank 
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.52.0-SNAPSHOT~4cc35a712b, baseline=1.51.1-SNAPSHOT~766af685ed
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.477 ms) : 4427, 4526
.   : milestone, 4477,
iast (9.276 ms) : 9127, 9426
.   : milestone, 9276,
iast_FULL (14.208 ms) : 13924, 14492
.   : milestone, 14208,
iast_GLOBAL (10.399 ms) : 10204, 10595
.   : milestone, 10399,
profiling (8.658 ms) : 8525, 8791
.   : milestone, 8658,
tracing (7.341 ms) : 7239, 7444
.   : milestone, 7341,
section candidate
no_agent (4.451 ms) : 4401, 4501
.   : milestone, 4451,
iast (9.288 ms) : 9137, 9440
.   : milestone, 9288,
iast_FULL (13.606 ms) : 13339, 13872
.   : milestone, 13606,
iast_GLOBAL (10.159 ms) : 9983, 10336
.   : milestone, 10159,
profiling (8.7 ms) : 8565, 8836
.   : milestone, 8700,
tracing (7.473 ms) : 7372, 7575
.   : milestone, 7473,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 4.477 ms [4.427 ms, 4.526 ms] -
iast 9.276 ms [9.127 ms, 9.426 ms] 4.8 ms (107.2%)
iast_FULL 14.208 ms [13.924 ms, 14.492 ms] 9.731 ms (217.4%)
iast_GLOBAL 10.399 ms [10.204 ms, 10.595 ms] 5.923 ms (132.3%)
profiling 8.658 ms [8.525 ms, 8.791 ms] 4.182 ms (93.4%)
tracing 7.341 ms [7.239 ms, 7.444 ms] 2.865 ms (64.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 4.451 ms [4.401 ms, 4.501 ms] -
iast 9.288 ms [9.137 ms, 9.44 ms] 4.838 ms (108.7%)
iast_FULL 13.606 ms [13.339 ms, 13.872 ms] 9.155 ms (205.7%)
iast_GLOBAL 10.159 ms [9.983 ms, 10.336 ms] 5.709 ms (128.3%)
profiling 8.7 ms [8.565 ms, 8.836 ms] 4.25 ms (95.5%)
tracing 7.473 ms [7.372 ms, 7.575 ms] 3.023 ms (67.9%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sarahchen6/use-octo-sts
git_commit_date 1753187273 1753198727
git_commit_sha 766af68 4cc35a7
release_version 1.51.1-SNAPSHOT~766af685ed 1.52.0-SNAPSHOT~4cc35a712b
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1753200853 1753200853
ci_job_id 1041452693 1041452693
ci_pipeline_id 71332477 71332477
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-7vkpn09k 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-7vkpn09k 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat 
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.52.0-SNAPSHOT~4cc35a712b, baseline=1.51.1-SNAPSHOT~766af685ed
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.471 ms) : 1460, 1483
.   : milestone, 1471,
appsec (3.624 ms) : 3407, 3840
.   : milestone, 3624,
iast (2.179 ms) : 2117, 2241
.   : milestone, 2179,
iast_GLOBAL (2.233 ms) : 2170, 2295
.   : milestone, 2233,
profiling (2.028 ms) : 1978, 2078
.   : milestone, 2028,
tracing (2.005 ms) : 1957, 2053
.   : milestone, 2005,
section candidate
no_agent (1.473 ms) : 1461, 1485
.   : milestone, 1473,
appsec (3.618 ms) : 3402, 3833
.   : milestone, 3618,
iast (2.181 ms) : 2119, 2243
.   : milestone, 2181,
iast_GLOBAL (2.224 ms) : 2162, 2287
.   : milestone, 2224,
profiling (2.026 ms) : 1976, 2076
.   : milestone, 2026,
tracing (2.006 ms) : 1957, 2054
.   : milestone, 2006,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.471 ms [1.46 ms, 1.483 ms] -
appsec 3.624 ms [3.407 ms, 3.84 ms] 2.152 ms (146.3%)
iast 2.179 ms [2.117 ms, 2.241 ms] 707.793 µs (48.1%)
iast_GLOBAL 2.233 ms [2.17 ms, 2.295 ms] 761.414 µs (51.7%)
profiling 2.028 ms [1.978 ms, 2.078 ms] 556.636 µs (37.8%)
tracing 2.005 ms [1.957 ms, 2.053 ms] 533.667 µs (36.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.473 ms [1.461 ms, 1.485 ms] -
appsec 3.618 ms [3.402 ms, 3.833 ms] 2.145 ms (145.6%)
iast 2.181 ms [2.119 ms, 2.243 ms] 708.316 µs (48.1%)
iast_GLOBAL 2.224 ms [2.162 ms, 2.287 ms] 751.17 µs (51.0%)
profiling 2.026 ms [1.976 ms, 2.076 ms] 553.096 µs (37.5%)
tracing 2.006 ms [1.957 ms, 2.054 ms] 532.705 µs (36.2%)
Execution time for biojava 
gantt
    title biojava - execution time [CI 0.99] : candidate=1.52.0-SNAPSHOT~4cc35a712b, baseline=1.51.1-SNAPSHOT~766af685ed
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.568 s) : 15568000, 15568000
.   : milestone, 15568000,
appsec (14.856 s) : 14856000, 14856000
.   : milestone, 14856000,
iast (18.782 s) : 18782000, 18782000
.   : milestone, 18782000,
iast_GLOBAL (18.085 s) : 18085000, 18085000
.   : milestone, 18085000,
profiling (15.299 s) : 15299000, 15299000
.   : milestone, 15299000,
tracing (14.664 s) : 14664000, 14664000
.   : milestone, 14664000,
section candidate
no_agent (14.97 s) : 14970000, 14970000
.   : milestone, 14970000,
appsec (14.834 s) : 14834000, 14834000
.   : milestone, 14834000,
iast (18.517 s) : 18517000, 18517000
.   : milestone, 18517000,
iast_GLOBAL (17.979 s) : 17979000, 17979000
.   : milestone, 17979000,
profiling (15.239 s) : 15239000, 15239000
.   : milestone, 15239000,
tracing (14.82 s) : 14820000, 14820000
.   : milestone, 14820000,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.568 s [15.568 s, 15.568 s] -
appsec 14.856 s [14.856 s, 14.856 s] -712.0 ms (-4.6%)
iast 18.782 s [18.782 s, 18.782 s] 3.214 s (20.6%)
iast_GLOBAL 18.085 s [18.085 s, 18.085 s] 2.517 s (16.2%)
profiling 15.299 s [15.299 s, 15.299 s] -269.0 ms (-1.7%)
tracing 14.664 s [14.664 s, 14.664 s] -904.0 ms (-5.8%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.97 s [14.97 s, 14.97 s] -
appsec 14.834 s [14.834 s, 14.834 s] -136.0 ms (-0.9%)
iast 18.517 s [18.517 s, 18.517 s] 3.547 s (23.7%)
iast_GLOBAL 17.979 s [17.979 s, 17.979 s] 3.009 s (20.1%)
profiling 15.239 s [15.239 s, 15.239 s] 269.0 ms (1.8%)
tracing 14.82 s [14.82 s, 14.82 s] -150.0 ms (-1.0%)

xopham
xopham reviewed Jul 17, 2025
View reviewed changes
xopham
xopham reviewed Jul 17, 2025
View reviewed changes
xopham
xopham reviewed Jul 17, 2025
View reviewed changes
@sarahchen6 sarahchen6 removed the tag: do not merge Do not merge changes label Jul 17, 2025
@sarahchen6 sarahchen6 changed the title Use octo-sts for github release token Use dd-octo-sts to retrieve github release token Jul 21, 2025
@sarahchen6 sarahchen6 marked this pull request as ready for review July 21, 2025 19:51
@sarahchen6 sarahchen6 requested a review from a team as a code owner July 21, 2025 19:51
@sarahchen6 sarahchen6 requested review from erikayasuda and removed request for a team July 21, 2025 19:51
PerfectSlayer
PerfectSlayer reviewed Jul 22, 2025
View reviewed changes
Copy link
Contributor

@PerfectSlayer PerfectSlayer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left few comments. Another review from the R&P is welcome :)

@sarahchen6 sarahchen6 merged commit f21ceea into master Jul 22, 2025
503 checks passed
@sarahchen6 sarahchen6 deleted the sarahchen6/use-octo-sts branch July 22, 2025 17:34
@github-actions github-actions bot added this to the 1.52.0 milestone Jul 22, 2025
@mtoffl01 mtoffl01 mentioned this pull request Jul 22, 2025
Closed
mtoffl01 pushed a commit that referenced this pull request Jul 22, 2025
@sarahchen6 @xopham @mtoffl01
Use dd-octo-sts to retrieve github release token (#9187)
cc9825b 
* Add octo-sts policy

* Add workflow and debugging

* Fix policy

* Run jobs in CI for now

* Allow manual trigger for job

* No dependencies for github token retrieval

* Allow policy for all branches for now

* Comment out debug call

* Clean

* Adjust policy

* Update policy contents

Co-authored-by: Christoph Hamsen <[email protected]>

* Update policy to work on tags

Co-authored-by: Christoph Hamsen <[email protected]>

* Rework gitlab-ci workflow

* Name change and fix needs block

* Rework workflow again

* Try original retrieval

* Edit gitlab-ci.yml file

* Clean

* Remove comment

* Move trust policy to a separate PR

* Add aws ssm fallback

* Split deployment to two jobs: new dd-octo-sts method and old aws method that is manually triggered

---------

Co-authored-by: Christoph Hamsen <[email protected]>
@mtoffl01 mtoffl01 mentioned this pull request Jul 22, 2025
Merged
bm1549 pushed a commit that referenced this pull request Jul 22, 2025
@mtoffl01 @sarahchen6 @xopham
🍒 9187 - Use dd-octo-sts to retrieve github release token (#9222)
d5ad1fe 
* Use dd-octo-sts to retrieve github release token (#9187)

* Add octo-sts policy

* Add workflow and debugging

* Fix policy

* Run jobs in CI for now

* Allow manual trigger for job

* No dependencies for github token retrieval

* Allow policy for all branches for now

* Comment out debug call

* Clean

* Adjust policy

* Update policy contents

Co-authored-by: Christoph Hamsen <[email protected]>

* Update policy to work on tags

Co-authored-by: Christoph Hamsen <[email protected]>

* Rework gitlab-ci workflow

* Name change and fix needs block

* Rework workflow again

* Try original retrieval

* Edit gitlab-ci.yml file

* Clean

* Remove comment

* Move trust policy to a separate PR

* Add aws ssm fallback

* Split deployment to two jobs: new dd-octo-sts method and old aws method that is manually triggered

---------

Co-authored-by: Christoph Hamsen <[email protected]>

* Change deploy_to_maven_central name back to deploy_to_sonatype

---------

Co-authored-by: Sarah Chen <[email protected]>
Co-authored-by: Christoph Hamsen <[email protected]>
@sarahchen6 sarahchen6 mentioned this pull request Jul 23, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PerfectSlayer PerfectSlayer PerfectSlayer left review comments

@xopham xopham xopham left review comments

@nayeem-kamal nayeem-kamal nayeem-kamal approved these changes

@erikayasuda erikayasuda Awaiting requested review from erikayasuda erikayasuda is a code owner automatically assigned from DataDog/apm-release-platform

Assignees
No one assigned
Labels
comp: tooling Build & Tooling tag: no release notes Changes to exclude from release notes type: enhancement Enhancements and improvements
Projects
None yet
Milestone
1.52.0
Development

Successfully merging this pull request may close these issues.
4 participants
@sarahchen6 @PerfectSlayer @nayeem-kamal @xopham