Merge remote-tracking branch 'origin/master' into feature/metrics_exp…

…iration_per_set

.github/actions/spelling/allow.txt

@@ -441,6 +441,7 @@ scriptblock
 servlet
 Sinjo
 sublocation
+shannon
 sundar
 svcb
 snyk
@@ -523,3 +524,6 @@ requestline
 jetbrains
 JetBrains
 gifs
+meme
+simdutf
+vhosts

.github/actions/spelling/expect.txt

@@ -78,7 +78,7 @@ bytesize
 califrag
 califragilistic
 CAROOT
-CBOR
+cbor
 cddl
 cdylib
 cef

.github/audit.yml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   security_audit:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v1
       - uses: actions-rs/audit-check@v1

.github/workflows/changes.yml

@@ -129,7 +129,7 @@ on:
 jobs:
   # Detects changes that are not specific to integration tests
   source:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 5
     if: ${{ inputs.source }}
     outputs:

.github/workflows/ci-integration-review.yml

@@ -55,7 +55,7 @@ jobs:
     name: (PR review) Signal pending to PR
     runs-on: ubuntu-24.04
     timeout-minutes: 5
-    if: startsWith(github.event.review.body, '/ci-run-integration') || contains(github.event.review.body, '/ci-run-all')
+    if: startsWith(github.event.review.body, '/ci-run-integration') || startsWith(github.event.review.body, '/ci-run-e2e') || contains(github.event.review.body, '/ci-run-all')
     steps:
       - name: Generate authentication token
         id: generate_token
@@ -84,7 +84,7 @@ jobs:
 
   integration-tests:
     needs: prep-pr
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 90
     strategy:
       matrix:
@@ -117,7 +117,7 @@ jobs:
 
   e2e-tests:
     needs: prep-pr
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4
@@ -138,16 +138,15 @@ jobs:
           max_attempts: 3
           command: bash scripts/ci-int-e2e-test.sh e2e datadog-logs
 
-  # TODO: Uncomment once https://github.com/vectordotdev/vector/issues/22379 is fixed.
-  #      - name: datadog-e2e-metrics
-  #        if: ${{ startsWith(github.event.review.body, '/ci-run-e2e-datadog-metrics')
-  #          || startsWith(github.event.review.body, '/ci-run-integration-all')
-  #          || startsWith(github.event.review.body, '/ci-run-all') }}
-  #        uses: nick-fields/retry@v3
-  #        with:
-  #          timeout_minutes: 35
-  #          max_attempts: 3
-  #          command: bash scripts/ci-int-e2e-test.sh e2e datadog-metrics
+      - name: datadog-e2e-metrics
+        if: ${{ startsWith(github.event.review.body, '/ci-run-e2e-datadog-metrics')
+          || startsWith(github.event.review.body, '/ci-run-e2e-all')
+          || startsWith(github.event.review.body, '/ci-run-all') }}
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 35
+          max_attempts: 3
+          command: bash scripts/ci-int-e2e-test.sh e2e datadog-metrics
 
   update-pr-status:
     name: Signal result to PR

.github/workflows/cli.yml

@@ -8,7 +8,7 @@ permissions:
 
 jobs:
   test-cli:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     env:
       CARGO_INCREMENTAL: 0
@@ -44,7 +44,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-cargo-
 
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: echo "::add-matcher::.github/matchers/rust.json"
       - run: make test-cli

.github/workflows/compilation-timings.yml

@@ -13,18 +13,18 @@ env:
 jobs:
   release-build-optimized:
     name: "Release Build (optimized)"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo build --release
 
   release-build-normal:
     name: "Release Build (normal)"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     env:
       # We're not actually doing a debug build, we're just turning off the logic
       # in release-flags.sh so that we don't override the Cargo "release" profile
@@ -33,29 +33,29 @@ jobs:
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo build --release
 
   debug-build:
     name: "Debug Build"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo build
 
   debug-rebuild:
     name: "Debug Rebuild"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo build
@@ -64,11 +64,11 @@ jobs:
 
   check:
     name: "Cargo Check"
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     steps:
       - uses: colpal/actions-clean@v1
       - uses: actions/checkout@v4
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: cargo clean
       - run: cargo check

.github/workflows/component_features.yml

@@ -22,7 +22,7 @@ permissions:
 jobs:
   check-component-features:
     # use free tier on schedule and 8 core to expedite results on demand invocation
-    runs-on: ${{ github.event_name == 'schedule' && 'ubuntu-20.04' || 'ubuntu-20.04-8core' }}
+    runs-on: ${{ github.event_name == 'schedule' && 'ubuntu-24.04' || 'ubuntu-24.04-8core' }}
     if: github.event_name == 'pull_request_review' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
     steps:
       - name: (PR review) Set latest commit status as pending
@@ -44,7 +44,7 @@ jobs:
         if: github.event_name != 'pull_request_review'
         uses: actions/checkout@v4
 
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: echo "::add-matcher::.github/matchers/rust.json"
       - run: make check-component-features

.github/workflows/create_preview_sites.yml

@@ -42,7 +42,7 @@ jobs:
           const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
-             run_id: ${{ github.event.workflow_run.id }},
+             run_id: context.runId,
           });
           const matchArtifact = artifacts.data.artifacts.filter(artifact => artifact.name == "pr")[0];
           const download = await github.rest.actions.downloadArtifact({
@@ -55,36 +55,86 @@ jobs:
 
     # Extract the info from the artifact and set variables
     - name: Extract PR info from artifact
-      run: |
-        unzip pr.zip -d pr
-        BRANCH_NAME=$(cat ./pr/branch)
-        SANITIZED_BRANCH_NAME=$(echo "$BRANCH_NAME" | sed 's/[\/\.]/-/g')
-        echo "SANITIZED_BRANCH_NAME=$SANITIZED_BRANCH_NAME" >> $GITHUB_ENV
-        echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+      uses: actions/github-script@v7.0.1
+      with:
+        script: |
+          const fs = require('fs');
+          const { execSync } = require('child_process');
+          const path = require('path');
+          const core = require('@actions/core');
+
+          execSync('unzip pr.zip -d pr');
+          const branchName = fs.readFileSync(path.join('pr', 'branch'), 'utf8').trim();
+          const prNumber = fs.readFileSync(path.join('pr', 'number'), 'utf8').trim();
+          const integrity = fs.readFileSync(path.join('pr', 'integrity'), 'utf8').trim();
+
+          // Validate branch name again (only allow alphanumeric, dash, and underscore)
+          const branchNameRegex = /^[a-zA-Z0-9_\-]+$/;
+          if (!branchNameRegex.test(branchName)) {
+            core.setFailed(`Invalid branch name detected: ${branchName}`);
+            return;
+          }
+
+          const sanitizedBranchName = branchName.replace(/[\/\.]/g, '-');
+          core.exportVariable('SANITIZED_BRANCH_NAME', sanitizedBranchName);
+          core.exportVariable('BRANCH_NAME', branchName);
+          core.exportVariable('PR_NUMBER', prNumber);
+          core.exportVariable('INTEGRITY', integrity);
+
+    # Validate the integrity of the artifact
+    - name: Validate Artifact Integrity
+      uses: actions/github-script@v7.0.1
+      with:
+        script: |
+          const crypto = require('crypto');
+          const core = require('@actions/core');
+
+          const prNumber = process.env.PR_NUMBER;
+          const branchName = process.env.BRANCH_NAME;
+          const integrity = process.env.INTEGRITY;
+
+          const numberHash = crypto.createHash('sha256').update(prNumber).digest('hex');
+          const branchHash = crypto.createHash('sha256').update(branchName).digest('hex');
+          const expectedIntegrity = `${numberHash}:${branchHash}`;
+
+          if (expectedIntegrity !== integrity) {
+            core.setFailed('Artifact integrity validation failed');
+          }
 
     # Kick off the job in amplify
     - name: Deploy Site
-      env:
-        APP_ID: ${{ inputs.APP_ID }}
-        APP_NAME: ${{ inputs.APP_NAME }}
-        REQUEST_TOKEN: ${{ secrets.REQUEST_TOKEN }}
-        REQUEST_MESSAGE: ${{ secrets.REQUEST_MESSAGE }}
-        ENDPOINT: ${{ secrets.ENDPOINT }}
-      run: |
-        sleep 20
-        HMAC_KEY=$(echo -n $REQUEST_MESSAGE | openssl dgst -sha256 -hmac "$REQUEST_TOKEN" | cut -d" " -f2)
-        SIGNATURE="sha256=$HMAC_KEY"
-        RESPONSE_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
-             -H "Content-Type: application/json" \
-             -H "X-Hub-Signature: $SIGNATURE" \
-             -d "{\"app_id\": \"$APP_ID\", \"branch_name\": \"$BRANCH_NAME\"}" \
-          "$ENDPOINT")
-
-        # check the response code and fail if not 200
-        if [ "$RESPONSE_CODE" != "200" ]; then
-          echo "Request failed with response code $RESPONSE_CODE"
-          exit 1
-        fi
+      uses: actions/github-script@v7.0.1
+      with:
+        script: |
+          const crypto = require('crypto');
+          const fetch = require('node-fetch');
+          const core = require('@actions/core');
+
+          const appId = core.getInput('APP_ID');
+          const appName = core.getInput('APP_NAME');
+          const requestToken = core.getSecret('REQUEST_TOKEN');
+          const requestMessage = core.getSecret('REQUEST_MESSAGE');
+          const endpoint = core.getSecret('ENDPOINT');
+          const sanitizedBranchName = process.env.SANITIZED_BRANCH_NAME;
+
+          const hmacKey = crypto.createHmac('sha256', requestToken).update(requestMessage).digest('hex');
+          const signature = `sha256=${hmacKey}`;
+
+          const response = await fetch(endpoint, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'X-Hub-Signature': signature,
+            },
+            body: JSON.stringify({
+              app_id: appId,
+              branch_name: sanitizedBranchName,
+            }),
+          });
+
+          if (!response.ok) {
+            core.setFailed(`Request failed with response code ${response.status}`);
+          }
 
     # Add preview link to comment if all 3 sites successfully start
     - name: Comment Preview Link
@@ -99,7 +149,7 @@ jobs:
           const fs = require('fs');
           const prNumber = fs.readFileSync('./pr/number', 'utf8');
           const issueNumber = parseInt(prNumber);
-          const { APP_ID, APP_NAME, SANITIZED_BRANCH_NAME } = process.env
+          const { APP_ID, APP_NAME, SANITIZED_BRANCH_NAME } = process.env;
 
           await github.rest.issues.createComment({
             owner: context.repo.owner,

.github/workflows/cross.yml

@@ -9,7 +9,7 @@ permissions:
 jobs:
   cross-linux:
     name: Cross - ${{ matrix.target }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 45
     env:
       CARGO_INCREMENTAL: 0
@@ -78,7 +78,7 @@ jobs:
 
   update-pr-status:
     name: (PR review) Signal result to PR
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 5
     needs: cross-linux
     if: needs.cross-linux.result == 'success' && github.event_name == 'pull_request_review'

.github/workflows/deny.yml

@@ -21,7 +21,7 @@ permissions:
 
 jobs:
   test-deny:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     env:
       CARGO_INCREMENTAL: 0
@@ -57,7 +57,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-cargo-
 
-      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+      - run: sudo -E bash scripts/environment/bootstrap-ubuntu-24.04.sh
       - run: bash scripts/environment/prepare.sh
       - run: echo "::add-matcher::.github/matchers/rust.json"
       - name: Check cargo deny advisories/licenses

.github/workflows/e2e.yml

@@ -52,7 +52,7 @@ jobs:
 
   e2e-tests:
     name: E2E Tests
-    runs-on: ubuntu-20.04-8core
+    runs-on: ubuntu-24.04-8core
     timeout-minutes: 45
     needs: changes
     if: always() && (