Revert "chore: vendor on npm prepare instead of committing to git (#7423)" (#7638)

This reverts commit 2608ddb.

Author: watson

.github/workflows/dependabot-automation.yml

@@ -12,10 +12,28 @@ env:
   GROUPS: '["dev-minor-and-patch-dependencies", "gh-actions-packages", "test-versions"]'
 
 jobs:
+  dependabot:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    # Keep this job as a stable, always-green check on Dependabot PRs, even when the workflow is
+    # re-triggered by an automation commit (e.g., vendoring). Sensitive operations (OIDC token mint,
+    # approving, enabling auto-merge) are delegated to `dependabot-automation` below.
+    permissions:
+      contents: read
+    steps:
+      - name: Status
+        run: |
+          echo "Dependabot PR detected."
+          if [ "${{ github.actor }}" = "dependabot[bot]" ]; then
+            echo "Automation steps will run in the 'dependabot-automation' job."
+          else
+            echo "Skipping automation: workflow actor is '${{ github.actor }}'."
+          fi
+
   dependabot-automation:
     # Only run automation on the initial Dependabot-triggered run. If an automation commit is pushed
-    # GitHub re-triggers this workflow with `github.actor == 'dd-octo-sts[bot]'`. We intentionally
-    # avoid minting tokens / approving / enabling auto-merge on that follow-up run.
+    # (e.g. vendor output), GitHub re-triggers this workflow with `github.actor == 'dd-octo-sts[bot]'`.
+    # We intentionally avoid minting tokens / approving / enabling auto-merge on that follow-up run.
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
     permissions:
@@ -43,3 +61,283 @@ jobs:
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+
+  vendor-build:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    # Security: this job checks out and runs code from the PR (vendoring build),
+    # so it is intentionally restricted to read-only permissions and produces a
+    # patch artifact instead of pushing directly.
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      has_changes: ${{ steps.diff.outputs.has_changes }}
+      is_vendor_group: ${{ steps.ctx.outputs.is_vendor_group }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # 2.5.0
+      - name: Compute vendor context
+        id: ctx
+        run: |
+          set -euo pipefail
+
+          echo "is_vendor_group=${{ steps.metadata.outputs.directory == '/vendor' }}" >> $GITHUB_OUTPUT
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        if: steps.ctx.outputs.is_vendor_group == 'true'
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 1
+          persist-credentials: false
+      - name: Restore trusted Node setup actions
+        if: steps.ctx.outputs.is_vendor_group == 'true'
+        run: |
+          git fetch --no-tags --depth=1 origin "${{ github.event.pull_request.base.sha }}"
+          git checkout "${{ github.event.pull_request.base.sha }}" -- .github/actions/node
+      - name: Restore trusted vendoring scripts
+        if: steps.ctx.outputs.is_vendor_group == 'true'
+        run: |
+          git fetch --no-tags --depth=1 origin "${{ github.event.pull_request.base.sha }}"
+          git checkout "${{ github.event.pull_request.base.sha }}" -- vendor/rspack.js vendor/rspack.config.js
+      - uses: ./.github/actions/node/active-lts
+        if: steps.ctx.outputs.is_vendor_group == 'true'
+      - name: Install vendoring deps (no lifecycle scripts)
+        if: steps.ctx.outputs.is_vendor_group == 'true'
+        run: yarn --ignore-scripts --frozen-lockfile --non-interactive
+        working-directory: ./vendor
+      - name: Build vendored bundles (trusted script)
+        if: steps.ctx.outputs.is_vendor_group == 'true'
+        run: node ./rspack.js
+        working-directory: ./vendor
+      - name: Create patch (restricted paths only)
+        id: diff
+        run: |
+          set -euo pipefail
+
+          if [ "${{ steps.ctx.outputs.is_vendor_group }}" != "true" ]; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          if git diff --quiet; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          allowed_prefix_1="vendor/dist/"
+          allowed_file_1="vendor/package.json"
+          allowed_file_2="vendor/yarn.lock"
+
+          bad=0
+          while IFS= read -r file; do
+            case "$file" in
+              "$allowed_file_1" | "$allowed_file_2" | "$allowed_prefix_1"*)
+                ;;
+              *)
+                echo "Unexpected changed path: $file"
+                bad=1
+                ;;
+            esac
+          done < <(git diff --name-only)
+
+          if [ "$bad" -ne 0 ]; then
+            echo "Refusing to proceed: unexpected paths changed during vendoring."
+            exit 1
+          fi
+
+          git diff --binary --no-color > "${RUNNER_TEMP}/vendor.patch"
+          echo "has_changes=true" >> $GITHUB_OUTPUT
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: steps.diff.outputs.has_changes == 'true'
+        with:
+          name: vendor-patch
+          path: ${{ runner.temp }}/vendor.patch
+          if-no-files-found: error
+
+  vendor-push:
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && needs.vendor-build.outputs.is_vendor_group == 'true' && needs.vendor-build.outputs.has_changes == 'true'
+    runs-on: ubuntu-latest
+    needs: vendor-build
+    # Security: this job never runs installs/builds.
+    # It only applies the vetted patch artifact and writes the update via the GitHub API.
+    permissions:
+      id-token: write
+    steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-js
+          policy: dependabot-automation
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # 2.5.0
+        with:
+          github-token: "${{ steps.octo-sts.outputs.token }}"
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          token: ${{ steps.octo-sts.outputs.token }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: vendor-patch
+          path: ${{ runner.temp }}/vendor-artifact
+      - name: Apply patch
+        run: git apply --whitespace=nowarn "${{ runner.temp }}/vendor-artifact/vendor.patch"
+      - name: Validate changed paths
+        run: |
+          set -euo pipefail
+
+          allowed_prefix_1="vendor/dist/"
+          allowed_file_1="vendor/package.json"
+          allowed_file_2="vendor/yarn.lock"
+
+          bad=0
+          while IFS= read -r file; do
+            case "$file" in
+              "$allowed_file_1" | "$allowed_file_2" | "$allowed_prefix_1"*)
+                ;;
+              *)
+                echo "Unexpected changed path after applying patch: $file"
+                bad=1
+                ;;
+            esac
+          done < <(git diff --name-only)
+
+          if [ "$bad" -ne 0 ]; then
+            echo "Refusing to proceed: unexpected paths changed."
+            exit 1
+          fi
+      - name: Create verified commit via GitHub API (server-side)
+        env:
+          TARGET_BRANCH: ${{ github.event.pull_request.head.ref }}
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+        run: |
+          set -euo pipefail
+
+          repo="${GITHUB_REPOSITORY}"
+          expected_head_oid="$(git rev-parse HEAD)"
+
+          max_files=200
+          max_total_bytes=$((10 * 1024 * 1024)) # 10 MiB
+
+          mapfile -t changes < <(git diff --name-status)
+          change_count="${#changes[@]}"
+          if [ "$change_count" -eq 0 ]; then
+            echo "No changed files detected."
+            exit 1
+          fi
+          if [ "$change_count" -gt "$max_files" ]; then
+            echo "Too many changed files ($change_count > $max_files)."
+            exit 1
+          fi
+
+          additions='[]'
+          deletions='[]'
+          total_bytes=0
+          for change in "${changes[@]}"; do
+            read -r status path path2 <<<"$change"
+
+            if [[ "$status" == D ]]; then
+              deletions="$(jq -c --arg path "$path" '. + [{path: $path}]' <<<"$deletions")"
+              continue
+            fi
+
+            # Treat renames as delete+add to keep the server-side tree in sync.
+            if [[ "$status" == R* ]]; then
+              deletions="$(jq -c --arg path "$path" '. + [{path: $path}]' <<<"$deletions")"
+              path="$path2"
+            fi
+
+            test -f "$path"
+            file_bytes="$(stat -c '%s' "$path")"
+            total_bytes=$((total_bytes + file_bytes))
+            if [ "$total_bytes" -gt "$max_total_bytes" ]; then
+              echo "Total changes too large (${total_bytes} bytes)."
+              exit 1
+            fi
+            contents="$(base64 -w 0 "$path")"
+            additions="$(jq -c --arg path "$path" --arg contents "$contents" '. + [{path: $path, contents: $contents}]' <<<"$additions")"
+          done
+
+          variables="$(jq -c \
+            --arg repo "$repo" \
+            --arg branch "$TARGET_BRANCH" \
+            --arg msg "update vendored dependencies with new versions" \
+            --arg expected "$expected_head_oid" \
+            --argjson additions "$additions" \
+            --argjson deletions "$deletions" \
+            '{
+              input: {
+                branch: { repositoryNameWithOwner: $repo, branchName: $branch },
+                message: { headline: $msg },
+                expectedHeadOid: $expected,
+                fileChanges: { additions: $additions, deletions: $deletions }
+              }
+            }'
+          )"
+
+          query='mutation($input: CreateCommitOnBranchInput!) { createCommitOnBranch(input: $input) { commit { oid url } } }'
+          gh api graphql -f query="$query" -f variables="$variables" -q '.data.createCommitOnBranch.commit.oid' >/dev/null
+
+      # If branch protection is configured to dismiss stale approvals when new commits are pushed,
+      # the vendoring commit will invalidate the earlier approval. Re-approve and (re-)enable
+      # auto-merge after pushing so Dependabot PRs can still merge automatically.
+      - name: Approve a PR (after vendoring commit)
+        if: contains(fromJSON(env.GROUPS), steps.metadata.outputs.dependency-group)
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+      - name: Enable auto-merge for Dependabot PRs (after vendoring commit)
+        if: contains(fromJSON(env.GROUPS), steps.metadata.outputs.dependency-group)
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+
+  vendor-validate:
+    # Run validation after the generated vendor patch has been pushed, to ensure the PR contains
+    # the committed `vendor/dist/*` outputs. This runs inside the same workflow as the push, so it
+    # doesn't rely on additional workflows being triggered by that push.
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && needs.vendor-build.outputs.is_vendor_group == 'true' && needs.vendor-build.outputs.has_changes == 'true'
+    runs-on: ubuntu-latest
+    needs:
+      - vendor-build
+      - vendor-push
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 1
+          persist-credentials: false
+      - name: Restore trusted Node setup actions
+        run: |
+          git fetch --no-tags --depth=1 origin "${{ github.event.pull_request.base.sha }}"
+          git checkout "${{ github.event.pull_request.base.sha }}" -- .github/actions/node
+      - name: Restore trusted vendoring scripts
+        run: |
+          git fetch --no-tags --depth=1 origin "${{ github.event.pull_request.base.sha }}"
+          git checkout "${{ github.event.pull_request.base.sha }}" -- vendor/rspack.js vendor/rspack.config.js
+      - uses: ./.github/actions/node/active-lts
+      # Running `yarn` also automatically runs Rspack as a postinstall script.
+      - run: yarn --frozen-lockfile
+        working-directory: vendor
+      - name: Ensure no untracked outputs
+        run: |
+          set -euo pipefail
+
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Working tree is dirty after vendoring:"
+            git status --porcelain
+            exit 1
+          fi
+      - name: Diff only expected paths
+        run: git diff --exit-code -- vendor/dist vendor/package.json vendor/yarn.lock

.github/workflows/platform.yml

@@ -43,8 +43,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.github/actions/node/active-lts
-      - uses: ./.github/actions/install
-      - run: FILENAME=$(npm pack --silent --pack-destination /tmp) && mv /tmp/$FILENAME /tmp/dd-trace.tgz
+      - run: FILENAME=$(npm pack --pack-destination /tmp) && mv /tmp/$FILENAME /tmp/dd-trace.tgz
       - run: mkdir -p /tmp/app
       - run: npm i -g pnpm
         if: matrix.manager.name == 'pnpm'
@@ -59,7 +58,7 @@ jobs:
       - uses: ./.github/actions/node/active-lts
       - uses: ./.github/actions/install
       - run: mkdir npm bun
-      - run: FILENAME=$(npm pack --silent) && tar -zxf $FILENAME -C npm
+      - run: FILENAME=$(npm pack) && tar -zxf $FILENAME -C npm
       - run: ./node_modules/.bin/bun pm pack --gzip-level 0 --filename bun.tgz && tar -zxf bun.tgz -C bun
       - run: diff -r npm bun
 
@@ -447,13 +446,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: ./.github/actions/node/active-lts
-      - uses: ./.github/actions/install
-      - run: bun add --ignore-scripts mocha@10 # Use older mocha to support old Node.js versions
-      - run: bun add --ignore-scripts express@4 # Use older express to support old Node.js versions
       - uses: ./.github/actions/node
         with:
           version: ${{ matrix.version }}
+      - uses: ./.github/actions/install
+      - run: bun add --ignore-scripts mocha@10 # Use older mocha to support old Node.js versions
+      - run: bun add --ignore-scripts express@4 # Use older express to support old Node.js versions
       - run: node node_modules/.bin/mocha --colors --timeout 30000 integration-tests/init.spec.js
       - uses: DataDog/junit-upload-github-action@055560f63c405095e9228ba443eee7987e22bb94 # v2.1.1
         if: always() && github.actor != 'dependabot[bot]'

.github/workflows/project.yml

@@ -76,7 +76,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.github/actions/node/latest
-      - run: FILENAME=$(npm pack --silent --pack-destination /tmp) && mv /tmp/$FILENAME /tmp/dd-trace.tgz
+      - run: FILENAME=$(npm pack --pack-destination /tmp) && mv /tmp/$FILENAME /tmp/dd-trace.tgz
       - run: rm -rf *
       - run: tar -zxf /tmp/dd-trace.tgz -C $(pwd) --strip-components=1
       - run: yarn --prod --ignore-optional

.github/workflows/system-tests.yml

@@ -24,7 +24,7 @@ jobs:
         with:
           path: dd-trace-js
       - name: Pack dd-trace-js
-        run: mkdir -p ./binaries && echo /binaries/$(npm pack --silent --pack-destination ./binaries ./dd-trace-js) > ./binaries/nodejs-load-from-npm
+        run: mkdir -p ./binaries && echo /binaries/$(npm pack --pack-destination ./binaries ./dd-trace-js) > ./binaries/nodejs-load-from-npm
       - name: Upload artifact
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:

.github/workflows/update-3rdparty-licenses.yml

@@ -3,8 +3,6 @@ name: Update 3rd-party licenses
 on:
   pull_request:
     paths:
-      - ".github/vendored-dependencies.csv"
-      - "vendor/package-lock.json"
       - "yarn.lock"
 
 jobs:
@@ -35,8 +33,8 @@ jobs:
       - name: Check out dd-license-attribution
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          repository: watson/dd-license-attribution
-          ref: 8ea483b9f735bf8da632c89796789cc2a050a9a6
+          repository: DataDog/dd-license-attribution
+          ref: 224a89cb69d3143e8aa4640405037cf9c233ddf5
           path: dd-license-attribution
 
       - name: Install dd-license-attribution
@@ -69,7 +67,7 @@ jobs:
             --use-mirrors=mirrors.json \
             --no-scancode-strategy \
             --no-github-sbom-strategy \
-            --lockfile-subdir vendor \
+            --yarn-subdir vendor \
             "${REPOSITORY_URL}" > LICENSE-3rdparty.csv
 
       - name: Append vendored dependencies from PR