
ci: use github action that installs datadog-ci binary #52

Merged
calvinbayer merged 6 commits into main from calvin.bayer/pin-datadog-ci-version-by-downloading-binary
Apr 2, 2026

Conversation

@calvinbayer (Contributor) commented Apr 2, 2026

This PR eliminates the supply chain vulnerability caused by runtime npx installation by switching to pre-built datadog-ci binaries. This change resolves the security issues described in #49 and #31.

Changes Made

  • Removed runtime npm dependency resolution: Replaced npx @datadog/datadog-ci@latest with pre-built binary installation via DataDog/install-datadog-ci-github-action
  • Eliminated Node.js dependency: Removed actions/setup-node entirely since the binary is self-contained
  • Cleaned up unused parameters: Removed node-version input and updated datadog-ci-version to use GitHub release tags
  • Updated documentation: Reflected the architectural change in README.md

Issues Resolved

Fixes #49: Supply chain risk with runtime npm installs

The previous implementation used npx @datadog/datadog-ci@latest, which resolved transitive dependencies fresh from npm on every workflow run with no lockfile protection. This exposed users to supply chain attacks like the malicious axios@1.14.1 incident.

How this PR fixes it:

  • ✅ No more runtime npm dependency resolution
  • ✅ Pre-built binaries have all dependencies bundled at build time
  • ✅ Eliminates the attack vector for transitive dependency compromises

Fixes #31: Pin actions/setup-node to SHA

The issue requested pinning actions/setup-node to a specific SHA for security.

How this PR fixes it:

  • ✅ Goes beyond the request by completely removing the actions/setup-node dependency
  • ✅ Eliminates the security concern entirely rather than just mitigating it

Security Improvements

Before: Dependencies resolved at runtime via npm semver ranges

npx @datadog/datadog-ci@latest
  → @datadog/datadog-ci@5.10.0
    → axios@^1.13.5 → could resolve to malicious versions
      → transitive dependencies with no integrity verification

After: Self-contained binary with no runtime dependency resolution

DataDog/install-datadog-ci-github-action downloads pre-built binary
  → All dependencies bundled and verified at build time
  → No npm install or dependency resolution at workflow runtime

calvinbayer and others added 6 commits April 2, 2026 14:16
…alling it via npx to prevent supply-chain attacks
- Remove unused node-version input parameter
- Pass datadog-ci-version to install action's version parameter
- Update datadog-ci-version default from "latest" to "v5"
- Update README to reflect binary installation instead of npx
- Remove node setup references from documentation

This completes the transition from npx-based installation to using
pre-built binaries, addressing the supply chain vulnerability in #49.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- Extract version translation logic to scripts/translate-version.sh
- Support legacy npm semver syntax (^, ~, >=, latest, .x) with deprecation warnings
- Update test.yaml to remove node-version parameter
- Add test-legacy-version-syntax job to verify backwards compatibility
- Update documentation to note legacy syntax is supported but deprecated

The translation layer will be removed in v3.0.0. Users should migrate to:
- Major versions: v5 or 5
- Exact versions: v5.10.0 or 5.10.0

Fixes #49 - Eliminates supply chain vulnerability from runtime npm installs
Fixes #31 - Removes setup-node dependency entirely

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Tags with special characters (>=, <, etc.) were being interpreted as
operators by the Datadog API query, causing test validation to fail.
Removed the version-specific tag since it's not needed for validation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Add a sanitization step that replaces special characters with safe
equivalents before using them in tags:
- ^ → caret-
- ~ → tilde-
- >= → gte-
- > → gt-
- <= → lte-
- < → lt-

This prevents the Datadog API from interpreting these characters as
comparison operators in queries, while still allowing us to track which
version syntax was used in each test run.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
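The version translation and tag sanitization described in the commit messages above, as an added example that is not the project's own scripts/translate-version.sh: translate_version maps legacy npm range syntax to a release tag with a deprecation warning, and sanitize_tag rewrites the operator characters before they are used in Datadog tags. The DEFAULT_MAJOR pin for "latest" and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's scripts/translate-version.sh.
# Assumption: "latest" has no release tag to pin to, so it is mapped to a
# fixed default major instead of being resolved at workflow runtime.
DEFAULT_MAJOR="v5"

warn() { echo "warning: $*" >&2; }

# Map a datadog-ci-version input to the release-tag form (v5 or v5.10.0).
# Legacy npm syntax (^, ~, >=, latest, .x) is accepted with a warning;
# anything that is not a numeric version is rejected.
translate_version() {
  in="$1" mode=exact
  case "$in" in
    latest)
      warn "'latest' is deprecated; pinning to $DEFAULT_MAJOR"
      echo "$DEFAULT_MAJOR"; return 0 ;;
    "^"*|"~"*|">="*)
      warn "npm range syntax '$in' is deprecated; use v<major> or an exact version"
      ver=$(printf '%s' "$in" | sed 's/^[^0-9v]*//; s/^v//'); mode=major ;;
    *.x)
      warn "'.x' syntax '$in' is deprecated; use v<major>"
      ver=${in#v}; ver=${ver%%.x*}; mode=major ;;
    *) ver=${in#v} ;;
  esac
  case "$ver" in
    ""|*[!0-9.]*) echo "error: unsupported version '$in'" >&2; return 1 ;;
  esac
  if [ "$mode" = major ]; then echo "v${ver%%.*}"; else echo "v$ver"; fi
}

# Replace characters the Datadog query language reads as comparison
# operators; two-character operators go first so ">=" becomes "gte-",
# not "gt-=".
sanitize_tag() {
  printf '%s' "$1" | sed -e 's/>=/gte-/g' -e 's/<=/lte-/g' \
    -e 's/>/gt-/g' -e 's/</lt-/g' -e 's/\^/caret-/g' -e 's/~/tilde-/g'
}

# Demo over the input forms named in the commit messages.
for v in latest '^5.10.0' '>=5' '5.x' v5 5.10.0; do
  printf '%-8s -> %-8s tag: %s\n' "$v" \
    "$(translate_version "$v" 2>/dev/null)" "$(sanitize_tag "$v")"
done
```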
@calvinbayer calvinbayer marked this pull request as ready for review April 2, 2026 12:56
@calvinbayer calvinbayer requested review from a team as code owners April 2, 2026 12:56
@calvinbayer calvinbayer merged commit 24449d0 into main Apr 2, 2026
9 checks passed
@calvinbayer calvinbayer deleted the calvin.bayer/pin-datadog-ci-version-by-downloading-binary branch April 2, 2026 13:30

Development

Successfully merging this pull request may close these issues.

Supply chain risk: runtime npx install exposes users to transitive dependency attacks
Pin actions/setup-node to a specific SHA