DataDog
diff --git a/‎.github/workflows/README.md‎
Lines changed: 22 additions & 28 deletions b/‎.github/workflows/README.md‎
Lines changed: 22 additions & 28 deletions
diff --git a/‎.github/workflows/add-milestone-to-pull-requests.yaml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/add-milestone-to-pull-requests.yaml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/workflows/add-release-to-cloudfoundry.yaml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/add-release-to-cloudfoundry.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/analyze-changes.yaml‎
Lines changed: 133 additions & 0 deletions b/‎.github/workflows/analyze-changes.yaml‎
Lines changed: 133 additions & 0 deletions
diff --git a/‎.github/workflows/ci-static-analysis.yml‎
Lines changed: 0 additions & 25 deletions b/‎.github/workflows/ci-static-analysis.yml‎
Lines changed: 0 additions & 25 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 0 additions & 54 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 0 additions & 54 deletions
diff --git a/‎.github/workflows/comment-on-submodule-update.yaml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/comment-on-submodule-update.yaml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/create-next-milestone.yaml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/create-next-milestone.yaml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎.github/workflows/draft-release-notes-on-tag.yaml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/draft-release-notes-on-tag.yaml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/gradle-wrapper-validation.yaml.disabled‎
Lines changed: 0 additions & 11 deletions b/‎.github/workflows/gradle-wrapper-validation.yaml.disabled‎
Lines changed: 0 additions & 11 deletions
@@ -74,52 +74,46 @@ _Action:_
 
 _Recovery:_ Check at the milestone for the related issues and update them manually.
 
+### prune-github-container-registry [🔗](prune-github-container-registry.yaml)
+
+_Trigger:_ Every week or manually.
+
+_Action:_ Clean up old lib-injection OCI images from GitHub Container Registry.
+
+_Recovery:_ Manually trigger the action again.
+
 ## Code Quality and Security
 
-### ci-static-analysis [🔗](ci-static-analysis.yml)
+### analyze-changes [🔗](analyze-changes-with-github-codeql.yaml)
 
-_Trigger:_ When pushing commits to `master` or any pull request to `master`.
+_Trigger:_ When pushing commits to `master` or any pull request targeting `master`.
 
-_Actions:_ Run [DataDog Static Analysis](https://docs.datadoghq.com/static_analysis/) and upload result to DataDog Code Analysis.
+_Action:_ 
+* Run [DataDog Static Analysis](https://docs.datadoghq.com/static_analysis/) and upload result to DataDog Code Analysis,
+* Run [GitHub CodeQL](https://codeql.github.com/) action, upload result to GitHub security tab and DataDog Code Analysis -- do not apply to pull request, only when pushing to `master`,
+* Run [Trivy security scanner](https://github.com/aquasecurity/trivy) on built artifacts and upload result to GitHub security tab.
 
 ### comment-on-submodule-update [🔗](comment-on-submodule-update.yaml)
 
 _Trigger:_ When creating a PR commits to `master` or a `release/*` branch with a Git Submodule update.
 
 _Action:_ Notify the PR author through comments that about the Git Submodule update.
 
-### codeql-analysis [🔗](codeql-analysis.yml)
-
-_Trigger:_ When pushing commits to `master`.
-
-_Action:_ Run GitHub CodeQL action, upload result to GitHub security tab and DataDog Code Analysis.
-
-### update-gradle-dependencies [🔗](trivy-analysis.yml)
+### update-gradle-dependencies [🔗](update-gradle-dependencies.yml)
 
 _Trigger:_ Every week or manually.
 
 _Action:_ Create a PR updating the Grade dependencies and their locking files.
 
 _Recovery:_ Manually trigger the action again.
 
-### trivy-analysis [🔗](trivy-analysis.yml)
 
-_Trigger:_ When pushing commits to `master` or any pull request to `master`.
+## Maintenance
 
-_Action:_ Run Trivy security scanner on built artifacts and upload result to GitHub security tab.
+GitHub actions should be part of the [repository allowed actions to run](https://github.com/DataDog/dd-trace-java/settings/actions).
+While GitHub owned actions are allowed by default, the other ones must be declared.
 
-### gradle-wrapper-validation [🔗](gradle-wrapper-validation.yaml.disabled)
-
-**DISABLED** - GitHub provides a way to disable actions rather than changing their extensions.
-
-_Comment:_ To delete?
-
-## Lib Injection
-
-### lib-injection-prune-registry [🔗](lib-injection-prune-registry.yaml)
-
-_Trigger:_ Every week or manually.
-
-_Action:_ Clean up old lib-injection Docker images from GHCR.
-
-_Recovery:_ Manually trigger the action again.
+Run the following script to get the list of actions to declare according the state of your working copy:
+```bash
+find .github/workflows -name "*.yaml" -exec  awk '/uses:/{print $2 ","}' {} \; | grep -vE '^(actions|github)/' | sort | uniq
+```
@@ -5,11 +5,12 @@ on:
     branches:
       - master
       - release/v*
-
 jobs:
   add_milestone_to_merged:
-    if: github.event.pull_request.merged && github.event.pull_request.milestone == null
     name: Add milestone to merged pull requests
+    permissions:
+      issues: write # Required to update the milestone of a pull request
+    if: github.event.pull_request.merged && github.event.pull_request.milestone == null
     runs-on: ubuntu-latest
     steps:
       - name: Add milestone to merged pull requests
 
@@ -5,6 +5,8 @@ on:
       - released
 jobs:
   update-releases:
+    permissions:
+      contents: write # Required to commit and push changes to the repository
     runs-on: ubuntu-latest
     steps:
       - name: Checkout "cloudfoundry" branch
 
@@ -0,0 +1,133 @@
+name: Analyze changes
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+
+jobs:
+  datadog-static-analyzer:
+    name: Analyze changes with DataDog Static Analyzer
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # 4.1.6
+        with:
+          submodules: 'recursive'
+      - name: Check code meets quality standards
+        id: datadog-static-analysis
+        uses: DataDog/datadog-static-analyzer-github-action@c74aff158c8cc1c3e285660713bcaa5f9c6d696e # v1
+        with:
+          dd_app_key: ${{ secrets.DD_APP_KEY }}
+          dd_api_key: ${{ secrets.DD_API_KEY }}
+          dd_site: datad0g.com
+          dd_service: "dd-trace-java"
+          dd_env: "ci"
+          cpu_count: 2
+          enable_performance_statistics: false
+
+  codeql:
+    name: Analyze changes with GitHub CodeQL
+    # Don’t run on PR, only when pushing to master
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write # Required to upload the results to the Security tab
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # 4.1.6
+        with:
+          submodules: 'recursive'
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        with:
+          languages: 'java'
+          build-mode: 'manual'
+      - name: Build dd-trace-java for creating the CodeQL database
+        run: |
+          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G'" \
+          JAVA_HOME=$JAVA_HOME_8_X64 \
+          JAVA_8_HOME=$JAVA_HOME_8_X64 \
+          JAVA_11_HOME=$JAVA_HOME_11_X64 \
+          JAVA_17_HOME=$JAVA_HOME_17_X64 \
+          JAVA_21_HOME=$JAVA_HOME_21_X64 \
+          ./gradlew clean :dd-java-agent:shadowJar \
+            --build-cache --parallel --stacktrace --no-daemon --max-workers=4
+      - name: Perform CodeQL Analysis and upload results to GitHub Security tab
+        uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+
+      - name: Upload results to Datadog CI Static Analysis
+        run: |
+          wget --no-verbose https://github.com/DataDog/datadog-ci/releases/download/v2.42.0/datadog-ci_linux-x64 -O datadog-ci
+          chmod +x datadog-ci
+          ./datadog-ci sarif upload /home/runner/work/dd-trace-java/results/java.sarif --service dd-trace-java --env ci
+        env:
+          DD_API_KEY: ${{ secrets.DD_API_KEY }}
+          DD_SITE: datad0g.com
+
+  trivy:
+    name: Analyze changes with Trivy
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write # Required to upload the results to the Security tab
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # 4.1.6
+        with:
+          submodules: 'recursive'
+
+      - name: Remove old artifacts
+        run: |
+          MVN_LOCAL_REPO=$(./mvnw help:evaluate -Dexpression=settings.localRepository -q -DforceStdout)
+          echo "MVN_LOCAL_REPO=${MVN_LOCAL_REPO}" >> "$GITHUB_ENV"
+          rm -rf "${MVN_LOCAL_REPO}/com/datadoghq"
+
+      - name: Build and publish artifacts locally
+        run: |
+          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G'" \
+          JAVA_HOME=$JAVA_HOME_8_X64 \
+          JAVA_8_HOME=$JAVA_HOME_8_X64 \
+          JAVA_11_HOME=$JAVA_HOME_11_X64 \
+          JAVA_17_HOME=$JAVA_HOME_17_X64 \
+          JAVA_21_HOME=$JAVA_HOME_21_X64 \
+          ./gradlew clean publishToMavenLocal \
+            --build-cache --parallel --stacktrace --no-daemon --max-workers=4
+
+      - name: Copy published artifacts
+        run: |
+          mkdir -p ./workspace/.trivy
+          cp -RP "${MVN_LOCAL_REPO}/com/datadoghq" ./workspace/.trivy/
+          ls -laR "./workspace/.trivy"
+
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+        with:
+          scan-type: rootfs
+          scan-ref: './workspace/.trivy/'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Upload results to Datadog CI Static Analysis
+        run: |
+          wget --no-verbose https://github.com/DataDog/datadog-ci/releases/download/v2.42.0/datadog-ci_linux-x64 -O datadog-ci
+          chmod +x datadog-ci
+          ./datadog-ci sarif upload trivy-results.sarif --service dd-trace-java --env ci
+        env:
+          DD_API_KEY: ${{ secrets.DD_API_KEY }}
+          DD_SITE: datad0g.com
@@ -10,11 +10,13 @@ on:
 
 jobs:
   comment_on_submodule_update:
+    permissions:
+      issues: write # Required to create a comment on the pull request
     runs-on: ubuntu-latest
 
     steps:
       - name: Post comment on submodule update
-        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # 6.3.3
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # 7.0.1
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
 
@@ -5,15 +5,17 @@ on:
 
 jobs:
   create_next_milestone:
+    permissions:
+      issues: write # Required to create a milestone
     runs-on: ubuntu-latest
     steps:
       - name: Get next minor version
         id: semvers
-        uses: WyriHaximus/github-action-next-semvers@33d116a4c239252582a60a1ba8dbba63ad493ffd # 1.1.0
+        uses: WyriHaximus/github-action-next-semvers@18aa9ed4152808ab99b88d71f5481e41f8d89930 # 1.2.1
         with:
           version: ${{ github.event.milestone.title }}
       - name: Create next milestone
-        uses: WyriHaximus/github-action-create-milestone@b86699ba7511fa3b61154ac8675d86b01938fc16 # 1.0.0
+        uses: WyriHaximus/github-action-create-milestone@bb0276ee386c630b476fa3ca788457bf3daa7c2e # 1.1.1
         with:
           title: ${{ steps.semvers.outputs.minor }}
         env:
 
@@ -6,12 +6,14 @@ on:
 jobs:
   draft_release_notes:
     name: Draft release notes
+    permissions:
+      contents: write # Required to create a release
     if: (github.event.ref_type == 'tag' && github.event.master_branch == 'master') || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     steps:
       - name: Get milestone title
         id: milestoneTitle
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # 6.4.1
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # 7.0.1
         with:
           result-encoding: string
           script: |