chore: switch from hectane/go-acl to DataDog/go-acl fork

[chouetz]

Summary

Replaces the direct dependency on github.com/hectane/go-acl (v0.0.0-20230225031251-cdfc9e3acf94, which is the head of upstream's unmerged PR #19) with github.com/DataDog/go-acl v1.0.0, a tagged release of a DataDog-owned fork containing the same code.

Why

Upstream hectane/go-acl is effectively inactive (last commit early 2023) and has no semver tags. The commit we currently pin lives on an unmerged PR branch, which made it fragile in two ways:

1. Renovate digest updates produced malformed go.mod entries and time-regressing "updates" — see Update github.com/hectane/go-acl digest to ca0b05c - autoclosed #49574, where Renovate proposed bumping the dep from a Feb 2023 commit to a Jan 2023 one (older).
2. The pinned commit could vanish if upstream force-pushed or deleted the PR branch.

Owning a tagged fork lets Renovate resolve real semver versions and guarantees the source we depend on is immutable.

The companion guardrail PR #49861 disables digest updates for the gomod Renovate manager — together they prevent this class of issue across all tag-less Go deps.

What's in the fork

DataDog/go-acl@v1.0.0 is upstream master HEAD (ca0b05c) plus the golang.org/x/sys 0.1.0 bump from upstream PR #19 (cherry-picked, dependabot authorship preserved), with the module directive set to github.com/DataDog/go-acl.

Scope

• 2 Go imports rewritten:
  • pkg/util/filesystem/permission_windows.go
  • pkg/security/probe/probe_auditing_windows_test.go
• go.mod and go.sum updates across the workspace via dda inv tidy.
• Bazel manifest updates (deps/go.MODULE.bazel, pkg/util/filesystem/BUILD.bazel).
• LICENSE-3rdparty.csv regenerated.

About the remaining hectane/go-acl // indirect entries

After this PR, hectane/go-acl still appears as // indirect in some submodule go.mod files. Those come from opentelemetry-collector-contrib packages that pin older datadog-agent submodule versions which still required hectane. They will disappear automatically once OTel bumps its datadog-agent pin past this PR — no action needed on our side.

The pseudo-version on those indirect entries (v0.0.0-20230122075934-ca0b05cb1adb) is the upstream master HEAD as resolved by Go's MVS — the previous Feb 2023 pin (cdfc9e3) was a manual reference to the unmerged PR branch and was never present in the published versions of our submodules.

Test plan

• CI builds pass (Linux + Windows).
• Go imports + build tags resolve correctly.
• dda inv tidy is idempotent.
• Bazel build of pkg/util/filesystem succeeds on Windows.
• dda inv lint-licenses passes.

[dd-octo-sts]

Go Package Import Differences

Baseline: baebb27
Comparison: 782d4d6

binary	os	arch	change
agent	windows	amd64	+2, -2 +github.com/DataDog/go-acl +github.com/DataDog/go-acl/api -github.com/hectane/go-acl -github.com/hectane/go-acl/api
process-agent	windows	amd64	+2, -2 +github.com/DataDog/go-acl +github.com/DataDog/go-acl/api -github.com/hectane/go-acl -github.com/hectane/go-acl/api
security-agent	windows	amd64	+2, -2 +github.com/DataDog/go-acl +github.com/DataDog/go-acl/api -github.com/hectane/go-acl -github.com/hectane/go-acl/api
system-probe	windows	amd64	+2, -2 +github.com/DataDog/go-acl +github.com/DataDog/go-acl/api -github.com/hectane/go-acl -github.com/hectane/go-acl/api
trace-agent	windows	amd64	+2, -2 +github.com/DataDog/go-acl +github.com/DataDog/go-acl/api -github.com/hectane/go-acl -github.com/hectane/go-acl/api
installer	windows	amd64	+2, -2 +github.com/DataDog/go-acl +github.com/DataDog/go-acl/api -github.com/hectane/go-acl -github.com/hectane/go-acl/api
privateactionrunner	windows	amd64	+2, -2 +github.com/DataDog/go-acl +github.com/DataDog/go-acl/api -github.com/hectane/go-acl -github.com/hectane/go-acl/api

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor 9cdd8c6e:

Results for datadog-agent_7.80.0~devel.git.354.9b25671.pipeline.110522586-1_amd64.deb:

No change detected

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 9cdd8c6
📊 Static Quality Gates Dashboard
🔗 SQG Job

31 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64	740.336 MiB
✅	agent_deb_amd64_fips	698.742 MiB
✅	agent_heroku_amd64	309.138 MiB
✅	agent_msi	607.026 MiB
✅	agent_rpm_amd64	740.319 MiB
✅	agent_rpm_amd64_fips	698.726 MiB
✅	agent_rpm_arm64	718.373 MiB
✅	agent_rpm_arm64_fips	679.813 MiB
✅	agent_suse_amd64	740.319 MiB
✅	agent_suse_amd64_fips	698.726 MiB
✅	agent_suse_arm64	718.373 MiB
✅	agent_suse_arm64_fips	679.813 MiB
✅	docker_agent_amd64	800.794 MiB
✅	docker_agent_arm64	803.657 MiB
✅	docker_agent_jmx_amd64	991.714 MiB
✅	docker_agent_jmx_arm64	983.356 MiB
✅	docker_cluster_agent_amd64	206.402 MiB
✅	docker_cluster_agent_arm64	220.508 MiB
✅	docker_cws_instrumentation_amd64	7.142 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	39.351 MiB
✅	docker_dogstatsd_arm64	37.565 MiB
✅	dogstatsd_deb_amd64	30.005 MiB
✅	dogstatsd_deb_arm64	28.146 MiB
✅	dogstatsd_rpm_amd64	30.005 MiB
✅	dogstatsd_suse_amd64	30.005 MiB
✅	iot_agent_deb_amd64	44.404 MiB
✅	iot_agent_deb_arm64	41.392 MiB
✅	iot_agent_deb_armhf	42.124 MiB
✅	iot_agent_rpm_amd64	44.404 MiB
✅	iot_agent_suse_amd64	44.404 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	+9.71 KiB (0.01% increase)	175.040 → 175.049 → 179.160
✅	agent_deb_amd64_fips	-15.76 KiB (0.01% reduction)	166.812 → 166.797 → 174.440
✅	agent_heroku_amd64	-2.3 KiB (0.00% reduction)	74.927 → 74.925 → 80.310
✅	agent_msi	+20.0 KiB (0.01% increase)	140.402 → 140.422 → 148.730
✅	agent_rpm_amd64	+30.93 KiB (0.02% increase)	177.049 → 177.079 → 182.080
✅	agent_rpm_amd64_fips	-14.35 KiB (0.01% reduction)	168.198 → 168.184 → 174.140
✅	agent_rpm_arm64	neutral	159.262 MiB → 163.610
✅	agent_rpm_arm64_fips	-10.61 KiB (0.01% reduction)	151.530 → 151.519 → 156.850
✅	agent_suse_amd64	+30.93 KiB (0.02% increase)	177.049 → 177.079 → 182.080
✅	agent_suse_amd64_fips	-14.35 KiB (0.01% reduction)	168.198 → 168.184 → 174.140
✅	agent_suse_arm64	neutral	159.262 MiB → 163.610
✅	agent_suse_arm64_fips	-10.61 KiB (0.01% reduction)	151.530 → 151.519 → 156.850
✅	docker_agent_amd64	+10.98 KiB (0.00% increase)	267.411 → 267.422 → 272.990
✅	docker_agent_arm64	neutral	254.415 MiB → 261.470
✅	docker_agent_jmx_amd64	-15.43 KiB (0.00% reduction)	336.060 → 336.045 → 341.610
✅	docker_agent_jmx_arm64	+6.06 KiB (0.00% increase)	319.053 → 319.059 → 326.050
✅	docker_cluster_agent_amd64	neutral	72.334 MiB → 73.460
✅	docker_cluster_agent_arm64	neutral	67.812 MiB → 68.680
✅	docker_cws_instrumentation_amd64	neutral	2.999 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.729 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	15.231 MiB → 15.870
✅	docker_dogstatsd_arm64	neutral	14.546 MiB → 14.890
✅	dogstatsd_deb_amd64	neutral	7.937 MiB → 8.830
✅	dogstatsd_deb_arm64	neutral	6.818 MiB → 7.750
✅	dogstatsd_rpm_amd64	neutral	7.948 MiB → 8.840
✅	dogstatsd_suse_amd64	neutral	7.948 MiB → 8.840
✅	iot_agent_deb_amd64	neutral	11.688 MiB → 13.210
✅	iot_agent_deb_arm64	neutral	9.991 MiB → 11.620
✅	iot_agent_deb_armhf	neutral	10.191 MiB → 11.780
✅	iot_agent_rpm_amd64	neutral	11.707 MiB → 13.230
✅	iot_agent_suse_amd64	neutral	11.707 MiB → 13.230

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c91e5390e2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Retarget the fork's internal ACL API import

This leaf module has no OTel collector dependencies, yet tidy still adds github.com/hectane/go-acl immediately after switching its only ACL import to github.com/DataDog/go-acl. That means the new fork is still pulling upstream's github.com/hectane/go-acl/api internally, so Windows builds of this package continue to depend on the untagged upstream module rather than only the tagged DataDog fork; the fork should rewrite its internal api import and be retagged before this dependency swap achieves its stated supply-chain goal.

Useful? React with 👍 / 👎.

[chouetz]

Thanks for catching this — I verified the chain and confirmed the issue. The fork's source files (apply.go and util.go) still imported github.com/hectane/go-acl/api, so consumers of the fork were transitively pulling upstream regardless of the module-path rename.

Fixed in the fork via DataDog/go-acl#3 — internal api imports rewritten to github.com/DataDog/go-acl/api. v1.0.0 retagged at the new merge commit, and go.sum refreshed here in commit 3adc641 to pick up the new zip hash (h1:FL7NsVyHOfZl2b1jTrmJCVhMatG/0zYKgWS+5FbUiSA=).

Confirmed self-contained on the fork side: go list -deps github.com/DataDog/go-acl after a build cache flush no longer references github.com/hectane/go-acl/api.

The hectane/go-acl // indirect entries that remain in some workspace go.mod files are no longer caused by the fork's internals — they come solely from opentelemetry-collector-contrib packages pinning older datadog-agent submodule versions that still required hectane. Those will clear automatically once OTel bumps its datadog-agent pin past this PR.

[chouquette]

LGTM for the only agent-build owned file

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 7e4b939d-ff1b-4339-a1af-39f811b84812

Baseline: 3698031
Comparison: 9b25671
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	-0.68	[-3.57, +2.21]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_logs	% cpu utilization	+1.53	[+0.55, +2.51]	1	Logs bounds checks dashboard
➖	otlp_ingest_logs	memory utilization	+0.55	[+0.44, +0.67]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	+0.49	[+0.45, +0.53]	1	Logs bounds checks dashboard
➖	quality_gate_metrics_logs	memory utilization	+0.37	[+0.12, +0.62]	1	Logs bounds checks dashboard
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.15	[+0.10, +0.20]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	+0.09	[-0.35, +0.53]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.06	[-0.45, +0.57]	1	Logs
➖	docker_containers_memory	memory utilization	+0.05	[-0.05, +0.15]	1	Logs
➖	ddot_metrics	memory utilization	+0.04	[-0.16, +0.24]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	+0.04	[-0.15, +0.22]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.03	[-0.06, +0.12]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.02	[-0.37, +0.42]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.01	[-0.19, +0.20]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.00	[-0.20, +0.20]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.01	[-0.13, +0.11]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	-0.03	[-0.27, +0.21]	1	Logs
➖	file_tree	memory utilization	-0.08	[-0.12, -0.03]	1	Logs
➖	quality_gate_idle	memory utilization	-0.27	[-0.32, -0.22]	1	Logs bounds checks dashboard
➖	ddot_metrics_sum_cumulative	memory utilization	-0.42	[-0.57, -0.26]	1	Logs
➖	otlp_ingest_metrics	memory utilization	-0.56	[-0.72, -0.40]	1	Logs
➖	ddot_logs	memory utilization	-0.67	[-0.74, -0.59]	1	Logs
➖	docker_containers_cpu	% cpu utilization	-0.68	[-3.57, +2.21]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	-1.79	[-1.98, -1.60]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	740 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	241.98MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	681 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.16GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.17GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.18GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	141.58MiB ≤ 147MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	468.27MiB ≤ 495MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	173.44MiB ≤ 195MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	347.34 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	394.04MiB ≤ 430MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.