Use dd-sts OIDC for Datadog creds instead of static secrets #2
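name: Analyze CI failure with Datadog Workflow

on:
  workflow_dispatch:
    inputs:
      ci_url:
        description: "GitHub Actions run or job URL to analyze (e.g. .../actions/runs/123 or .../runs/123/job/456)"
        required: true
        type: string
      prompt:
        description: "Optional custom prompt (defaults to a root-cause prompt built from ci_url)"
        required: false
        default: ""
        type: string
      workflow_id:
        # Keep this default in sync with the push-event fallback WORKFLOW_ID in
        # the job env below: `default:` cannot reference an expression, so the
        # UUID has to be written out in both places.
        description: "Datadog Workflow Automation ID (UUID) to trigger"
        required: false
        default: "feb92c49-f433-48b0-954c-7ccde4a80338"
        type: string
  # ─── TEMPORARY: delete this whole `push:` block before merging ───
  # Lets you test THIS branch's version of the workflow without it first
  # being on the default branch. Push to the branch named below and the job
  # runs using the fallback CI_URL / WORKFLOW_ID in the job env (push events
  # carry no inputs). Rename the branch here to match the one you push.
  #
  # Security note: while this trigger exists, every push to that branch that
  # touches this file runs a job with `id-token: write` and mints Datadog
  # credentials through dd-sts. Keep the branch name specific to you and
  # remove the block before merge so the only entry point is a manual
  # dispatch by someone allowed to run workflows in this repo.
  push:
    branches:
      - danielcarmo/ci-root-cause-analysis
    paths:
      - .github/workflows/analyze-ci-failure.yml
  # ─── END TEMPORARY ───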
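jobs:
  trigger-datadog-workflow:
    name: Trigger Datadog workflow
    runs-on: ubuntu-latest
    # Bound the job so a hung Datadog API call cannot hold the runner (and the
    # freshly minted credentials) for GitHub's default multi-hour job limit.
    timeout-minutes: 10
    permissions:
      id-token: write # required for dd-sts OIDC token exchange
      contents: read
    steps:
      # This repo has no static DD_API_KEY/DD_APPLICATION_KEY secrets; Datadog
      # credentials are minted at runtime via OIDC, same as push_to_test_optim.
      # The `system-tests` dd-sts policy must grant an app_key with permission
      # to create workflow instances for the call below to succeed.
      # The action is pinned to a commit SHA; bump the SHA and the version
      # comment together.
      - name: Get Datadog credentials
        id: dd-sts
        uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
        with:
          policy: system-tests
      - name: Trigger Datadog workflow instance
        # Every workflow input reaches the shell through `env:` only; nothing
        # is interpolated into `run:` with ${{ }}, so a crafted input cannot
        # inject shell syntax into the script below.
        env:
          DD_API_KEY: ${{ steps.dd-sts.outputs.api_key }}
          DD_APP_KEY: ${{ steps.dd-sts.outputs.app_key }}
          # On push events there are no inputs, so fall back to test defaults.
          # An empty dispatch value also falls through to the default because
          # `'' || default` yields default.
          CI_URL: ${{ (github.event_name == 'workflow_dispatch' && inputs.ci_url) || 'https://github.com/DataDog/system-tests/actions/runs/26634388026' }}
          INPUT_PROMPT: ${{ (github.event_name == 'workflow_dispatch' && inputs.prompt) || '' }}
          WORKFLOW_ID: ${{ (github.event_name == 'workflow_dispatch' && inputs.workflow_id) || 'feb92c49-f433-48b0-954c-7ccde4a80338' }}
        run: |
          set -euo pipefail
          if [[ -z "${DD_API_KEY}" || -z "${DD_APP_KEY}" ]]; then
            echo "::error::dd-sts did not return an api_key and/or app_key. The 'system-tests' dd-sts policy must grant an application key with workflow-instance permissions."
            exit 1
          fi
          # Defense in depth: make sure the minted keys are redacted from the
          # job log even if the issuing action did not register them itself
          # (NOTE(review): dd-sts-action is assumed to mask its outputs — confirm).
          echo "::add-mask::${DD_API_KEY}"
          echo "::add-mask::${DD_APP_KEY}"
          # WORKFLOW_ID is spliced into the request path; restrict it to a UUID
          # so a malformed or crafted value cannot address a different endpoint.
          # The value is deliberately not echoed back into an annotation.
          UUID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
          if [[ ! "${WORKFLOW_ID}" =~ ${UUID_RE} ]]; then
            echo "::error::workflow_id is not a UUID; refusing to build the Datadog API URL from it."
            exit 1
          fi
          PROMPT="${INPUT_PROMPT:-}"
          if [[ -z "${PROMPT}" ]]; then
            PROMPT="Why did this job fail? ${CI_URL}"
          fi
          # Build the JSON body with jq so the prompt is safely escaped.
          PAYLOAD="$(jq -n --arg p "${PROMPT}" '{meta: {payload: {prompt: $p}}}')"
          echo "Triggering Datadog workflow ${WORKFLOW_ID} with prompt:"
          echo " ${PROMPT}"
          # --max-time keeps a stalled request from eating the whole job;
          # `set -e` aborts here if curl itself fails (timeout, DNS, TLS).
          HTTP_CODE="$(curl -sS --max-time 60 -o response.json -w '%{http_code}' -X POST \
            -H "Content-Type: application/json" \
            -H "Accept: application/json" \
            -H "DD-API-KEY: ${DD_API_KEY}" \
            -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
            -d "${PAYLOAD}" \
            "https://api.datadoghq.com/api/v2/workflows/${WORKFLOW_ID}/instances")"
          echo "HTTP ${HTTP_CODE}"
          cat response.json
          echo
          if [[ "${HTTP_CODE}" -lt 200 || "${HTTP_CODE}" -ge 300 ]]; then
            echo "::error::Datadog workflow trigger failed (HTTP ${HTTP_CODE})"
            exit 1
          fi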