Merge branch 'main' into jose/disk_feature_parity

Author: jose-manuel-almaza

.ddqa/config.toml

@@ -2,14 +2,6 @@ global_config_source = "aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL0RhdGFEb2cv
 qa_statuses = ["To Do", "In Progress", "Done"]
 ignored_labels = ["qa/done", "qa/no-code-change"]
 
-[teams."Agent Metrics Logs"]
-jira_project = "AMLII"
-jira_issue_type = "Task"
-jira_statuses = ["To Do", "In Progress", "Done"]
-github_team = "agent-metrics-logs"
-github_labels = ["team/agent-metrics-logs"]
-exclude_members = ["olivielpeau"]
-
 [teams."Agent Log Pipelines"]
 jira_project = "AGNTLOG"
 jira_issue_type = "Task"
@@ -26,14 +18,6 @@ github_team = "agent-metric-pipelines"
 github_labels = ["team/agent-metric-pipelines"]
 exclude_members = [""]
 
-[teams."Agent Processing and Routing"]
-jira_project = "APR"
-jira_issue_type = "Task"
-jira_statuses = ["To Do", "In Progress", "Done"]
-github_team = "agent-processing-and-routing"
-github_labels = ["team/agent-processing-and-routing"]
-exclude_members = []
-
 [teams."Agent Runtimes"]
 jira_project = "AGENTRUN"
 jira_issue_type = "QA"

.github/CODEOWNERS

@@ -42,6 +42,7 @@
 /repository.datadog.yml                 @DataDog/agent-devx
 /generate_tools.go                      @DataDog/agent-devx
 /service.datadog.yaml                   @DataDog/agent-delivery
+/static-analysis.datadog.yml            @DataDog/agent-devx
 
 /modules.yml                            @DataDog/agent-runtimes
 # if go.work changes then either .go-version or modules.yml changed too, so ASC might as well own it
@@ -120,6 +121,8 @@
 /.gitlab/binary_build/system_probe.yml               @DataDog/ebpf-platform @DataDog/agent-delivery
 /.gitlab/binary_build/windows.yml                    @DataDog/agent-delivery @DataDog/windows-agent
 
+/.gitlab/source_test/codeql_scan.yml                 @DataDog/sdlc-security
+
 /.gitlab/benchmarks/                                 @DataDog/agent-devx @DataDog/apm-ecosystems-performance @DataDog/agent-apm
 
 /.gitlab/deploy_containers/                          @DataDog/container-integrations @DataDog/agent-delivery
@@ -584,8 +587,18 @@
 /pkg/snmp/                              @DataDog/ndm-core
 /pkg/tagger/                            @DataDog/container-platform
 /pkg/windowsdriver/                     @DataDog/windows-kernel-integrations
-/comp/core/workloadmeta/collectors/internal/cloudfoundry @DataDog/agent-integrations
-/comp/core/workloadmeta/collectors/internal/nvml @DataDog/ebpf-platform
+/comp/core/workloadmeta/collectors/internal/cloudfoundry  @DataDog/agent-integrations
+/comp/core/workloadmeta/collectors/internal/containerd    @DataDog/container-platform @DataDog/container-integrations
+/comp/core/workloadmeta/collectors/internal/crio          @DataDog/container-platform @DataDog/container-integrations
+/comp/core/workloadmeta/collectors/internal/docker        @DataDog/container-platform @DataDog/container-integrations
+/comp/core/workloadmeta/collectors/internal/ecs           @DataDog/container-platform @DataDog/container-integrations
+/comp/core/workloadmeta/collectors/internal/ecsfargate    @DataDog/container-platform @DataDog/container-integrations
+/comp/core/workloadmeta/collectors/internal/kubeapiserver @DataDog/container-platform @DataDog/container-integrations
+/comp/core/workloadmeta/collectors/internal/kubelet       @DataDog/container-platform @DataDog/container-integrations
+/comp/core/workloadmeta/collectors/internal/kubemetadata  @DataDog/container-platform @DataDog/container-integrations
+/comp/core/workloadmeta/collectors/internal/nvml          @DataDog/ebpf-platform
+/comp/core/workloadmeta/collectors/internal/podman        @DataDog/container-platform @DataDog/container-integrations
+/comp/core/tagger/collectors            @DataDog/container-platform @DataDog/container-integrations
 /pkg/sbom/                              @DataDog/agent-security @DataDog/container-integrations
 /pkg/networkpath/                       @DataDog/Networks
 /pkg/collector/corechecks/networkpath/  @DataDog/Networks
@@ -693,6 +706,7 @@
 /test/system/dogstatsd/                       @DataDog/agent-metric-pipelines
 /test/benchmarks/apm_scripts/                 @DataDog/agent-apm
 /test/regression/                             @DataDog/single-machine-performance
+/test/regression/cases/docker_containers*     @DataDog/single-machine-performance @DataDog/container-integrations
 
 /tools/                                 @DataDog/agent-devx
 /tools/ci                               @DataDog/agent-devx

.gitlab-ci.yml

@@ -169,45 +169,45 @@ variables:
   # To use images from datadog-agent-buildimages dev branches, set the corresponding
   # SUFFIX variable to _test_only
   DATADOG_AGENT_BUILDIMAGES_SUFFIX: ""
-  DATADOG_AGENT_BUILDIMAGES: v62029117-1ba50f31
+  DATADOG_AGENT_BUILDIMAGES: v62994096-9c8f38f2
   DATADOG_AGENT_WINBUILDIMAGES_SUFFIX: ""
-  DATADOG_AGENT_WINBUILDIMAGES: v62029117-1ba50f31
+  DATADOG_AGENT_WINBUILDIMAGES: v62994096-9c8f38f2
   DATADOG_AGENT_ARMBUILDIMAGES_SUFFIX: ""
-  DATADOG_AGENT_ARMBUILDIMAGES: v62029117-1ba50f31
+  DATADOG_AGENT_ARMBUILDIMAGES: v62994096-9c8f38f2
   DATADOG_AGENT_BTF_GEN_BUILDIMAGES_SUFFIX: ""
-  DATADOG_AGENT_BTF_GEN_BUILDIMAGES: v62029117-1ba50f31
+  DATADOG_AGENT_BTF_GEN_BUILDIMAGES: v62994096-9c8f38f2
   # New images to enable different version per image - not used yet
-  CI_IMAGE_BTF_GEN: v62029117-1ba50f31
+  CI_IMAGE_BTF_GEN: v62994096-9c8f38f2
   CI_IMAGE_BTF_GEN_SUFFIX: ""
-  CI_IMAGE_DEB_X64: v62029117-1ba50f31
+  CI_IMAGE_DEB_X64: v62994096-9c8f38f2
   CI_IMAGE_DEB_X64_SUFFIX: ""
-  CI_IMAGE_DEB_ARM64: v62029117-1ba50f31
+  CI_IMAGE_DEB_ARM64: v62994096-9c8f38f2
   CI_IMAGE_DEB_ARM64_SUFFIX: ""
-  CI_IMAGE_DEB_ARMHF: v62029117-1ba50f31
+  CI_IMAGE_DEB_ARMHF: v62994096-9c8f38f2
   CI_IMAGE_DEB_ARMHF_SUFFIX: ""
-  CI_IMAGE_DD_AGENT_TESTING: v62029117-1ba50f31
+  CI_IMAGE_DD_AGENT_TESTING: v62994096-9c8f38f2
   CI_IMAGE_DD_AGENT_TESTING_SUFFIX: ""
-  CI_IMAGE_DOCKER_X64: v62029117-1ba50f31
+  CI_IMAGE_DOCKER_X64: v62994096-9c8f38f2
   CI_IMAGE_DOCKER_X64_SUFFIX: ""
-  CI_IMAGE_DOCKER_ARM64: v62029117-1ba50f31
+  CI_IMAGE_DOCKER_ARM64: v62994096-9c8f38f2
   CI_IMAGE_DOCKER_ARM64_SUFFIX: ""
-  CI_IMAGE_GITLAB_AGENT_DEPLOY: v62029117-1ba50f31
+  CI_IMAGE_GITLAB_AGENT_DEPLOY: v62994096-9c8f38f2
   CI_IMAGE_GITLAB_AGENT_DEPLOY_SUFFIX: ""
-  CI_IMAGE_LINUX_GLIBC_2_17_X64: v62029117-1ba50f31
+  CI_IMAGE_LINUX_GLIBC_2_17_X64: v62994096-9c8f38f2
   CI_IMAGE_LINUX_GLIBC_2_17_X64_SUFFIX: ""
-  CI_IMAGE_LINUX_GLIBC_2_23_ARM64: v62029117-1ba50f31
+  CI_IMAGE_LINUX_GLIBC_2_23_ARM64: v62994096-9c8f38f2
   CI_IMAGE_LINUX_GLIBC_2_23_ARM64_SUFFIX: ""
-  CI_IMAGE_SYSTEM_PROBE_X64: v62029117-1ba50f31
+  CI_IMAGE_SYSTEM_PROBE_X64: v62994096-9c8f38f2
   CI_IMAGE_SYSTEM_PROBE_X64_SUFFIX: ""
-  CI_IMAGE_SYSTEM_PROBE_ARM64: v62029117-1ba50f31
+  CI_IMAGE_SYSTEM_PROBE_ARM64: v62994096-9c8f38f2
   CI_IMAGE_SYSTEM_PROBE_ARM64_SUFFIX: ""
-  CI_IMAGE_RPM_X64: v62029117-1ba50f31
+  CI_IMAGE_RPM_X64: v62994096-9c8f38f2
   CI_IMAGE_RPM_X64_SUFFIX: ""
-  CI_IMAGE_RPM_ARM64: v62029117-1ba50f31
+  CI_IMAGE_RPM_ARM64: v62994096-9c8f38f2
   CI_IMAGE_RPM_ARM64_SUFFIX: ""
-  CI_IMAGE_RPM_ARMHF: v62029117-1ba50f31
+  CI_IMAGE_RPM_ARMHF: v62994096-9c8f38f2
   CI_IMAGE_RPM_ARMHF_SUFFIX: ""
-  CI_IMAGE_WIN_LTSC2022_X64: v62029117-1ba50f31
+  CI_IMAGE_WIN_LTSC2022_X64: v62994096-9c8f38f2
   CI_IMAGE_WIN_LTSC2022_X64_SUFFIX: ""
 
   DATADOG_AGENT_EMBEDDED_PATH: /opt/datadog-agent/embedded
@@ -264,9 +264,6 @@ variables:
   DD_PKG_VERSION: "latest"
   PIPELINE_KEY_ALIAS: "alias/ci_datadog-agent_pipeline-key"
 
-  # Job cloning strategy
-  OVERRIDE_GIT_STRATEGY: "s3"
-
   # Job stage attempts (see https://docs.gitlab.com/ee/ci/runners/configure_runners.html#job-stages-attempts)
   ARTIFACT_DOWNLOAD_ATTEMPTS: 2
   EXECUTOR_JOB_SECTION_ATTEMPTS: 2
@@ -276,7 +273,6 @@ variables:
   FF_SCRIPT_SECTIONS: 1 # Prevent multiline scripts log collapsing, see https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3392
   FF_KUBERNETES_HONOR_ENTRYPOINT: true # Honor the entrypoint in the Docker image when running Kubernetes jobs
   FF_TIMESTAMPS: true
-  FF_USE_FASTZIP: true
 
 #
 # Condition mixins for simplification of rules

.gitlab/.ci-linters.yml

@@ -65,7 +65,6 @@ job-owners:
     - build_otel_agent_binary_arm64
     - build_otel_agent_binary_x64
     - cancel-prev-pipelines
-    - clone
     - close_failing_tests_stale_issues
     - compute_gitlab_ci_config
     - deploy_cluster_agent_cloudfoundry

.gitlab/.pre/clone.yml

@@ -2,6 +2,5 @@
 # Define preliminary jobs, which can start as soon as possible
 
 include:
-  - .gitlab/.pre/clone.yml
   - .gitlab/.pre/cancel-prev-pipelines.yml
   - .gitlab/.pre/ci_configuration.yml

.gitlab/.pre/include.yml

@@ -170,5 +170,8 @@ single_machine_performance*       @DataDog/single-machine-performance
 # Dependency Security
 software_composition_analysis*    @DataDog/sdlc-security
 
+# CodeQL
+run_codeql_scan                   @DataDog/sdlc-security
+
 # Experiment systemd units
 validate_experiment_systemd_units @DataDog/fleet

.gitlab/JOBOWNERS

@@ -19,20 +19,39 @@
 
 .select_python_env_commands:
   # Select the virtualenv using the current Python version. Create it if it doesn't exist.
-  - PYTHON_VERSION=$(python3 --version | awk '{print $2}')
+  - |
+    export PATH="$(pyenv root)/shims:$PATH"
+    eval "$(pyenv init -)"
+    eval "$(pyenv virtualenv-init -)"
+  - PYTHON_VERSION=3.12.6
   - VENV_NAME="datadog-agent-python-$PYTHON_VERSION"
   - VENV_PATH="$(pyenv root)/versions/$VENV_NAME"
   - echo "Using Python $PYTHON_VERSION..."
   - |
     # Check if the virtual environment directory exists
     if [ ! -d "$VENV_PATH" ]; then
+      # Install target python if necessary
+      if [ ! -d "$(pyenv root)/versions/$PYTHON_VERSION" ]; then
+        echo "Installing Python $PYTHON_VERSION..."
+        pyenv install "$PYTHON_VERSION"
+      fi
+
       echo "Creating virtual environment '$VENV_NAME'..."
       pyenv virtualenv "$PYTHON_VERSION" "$VENV_NAME"
     else
       echo "Virtual environment '$VENV_NAME' already exists. Skipping creation."
     fi
   - pyenv activate $VENV_NAME
 
+.install_python_dependencies:
+  # Python 3.12 changes default behavior how packages are installed.
+  # In particular, --break-system-packages command line option is
+  # required to use the old behavior or use a virtual env. https://github.com/actions/runner-images/issues/8615
+  - python3 -m pip install "git+https://github.com/DataDog/datadog-agent-dev.git@v$(cat .dda/version)" --break-system-packages
+  - pyenv rehash
+  - python3 -m dda self dep sync -f legacy-tasks
+  - pyenv rehash
+
 .vault_login:
   # Point the CLI to our internal vault
   - export VAULT_ADDR=https://vault.us1.ddbuild.io
@@ -51,16 +70,10 @@
       export GOPATH=$GOROOT
     # Selecting the current Python version
     - !reference [.select_python_env_commands]
+    - !reference [.install_python_dependencies]
     # List Python and Go existing environments and their disk space
     - !reference [.list_go_versions_commands]
     - !reference [.list_python_versions_commands]
-    # Installing the job dependencies
-    # Python 3.12 changes default behavior how packages are installed.
-    # In particular, --break-system-packages command line option is
-    # required to use the old behavior or use a virtual env. https://github.com/actions/runner-images/issues/8615
-    - python3 -m pip install "git+https://github.com/DataDog/datadog-agent-dev.git@v$(cat .dda/version)" --break-system-packages
-    - python3 -m dda self dep sync -f legacy-tasks
-    - pyenv rehash
     - dda inv -- -e rtloader.make
     - dda inv -- -e rtloader.install
     - dda inv -- -e install-tools

.gitlab/common/macos.yml

@@ -30,11 +30,6 @@ include:
     - datadog-package replicate-s3 registry.ddbuild.io/ci/remote-updates/${OCI_PRODUCT}:pipeline-${CI_PIPELINE_ID} us-east-1 ${INSTALLER_TESTING_S3_BUCKET} ${S3_PACKAGE} ${VERSION_NO_PIPELINE}
     - datadog-package replicate-s3 registry.ddbuild.io/ci/remote-updates/${OCI_PRODUCT}:pipeline-${CI_PIPELINE_ID} us-east-1 ${INSTALLER_TESTING_S3_BUCKET} ${S3_PACKAGE} ${CI_COMMIT_SHA}
     - datadog-package replicate-s3 registry.ddbuild.io/ci/remote-updates/${OCI_PRODUCT}:pipeline-${CI_PIPELINE_ID} us-east-1 ${INSTALLER_TESTING_S3_BUCKET} ${S3_PACKAGE} pipeline-${CI_PIPELINE_ID}
-    # necessary for ddstaging until we deprecate `-dev` packaging
-    - datadog-package replicate-s3 registry.ddbuild.io/ci/remote-updates/${OCI_PRODUCT}:pipeline-${CI_PIPELINE_ID} us-east-1 ${INSTALLER_TESTING_S3_BUCKET} ${S3_STAGING_PACKAGE} ${VERSION}
-    - datadog-package replicate-s3 registry.ddbuild.io/ci/remote-updates/${OCI_PRODUCT}:pipeline-${CI_PIPELINE_ID} us-east-1 ${INSTALLER_TESTING_S3_BUCKET} ${S3_PACKAGE} ${VERSION_NO_PIPELINE}
-    - datadog-package replicate-s3 registry.ddbuild.io/ci/remote-updates/${OCI_PRODUCT}:pipeline-${CI_PIPELINE_ID} us-east-1 ${INSTALLER_TESTING_S3_BUCKET} ${S3_STAGING_PACKAGE} ${CI_COMMIT_SHA}
-    - datadog-package replicate-s3 registry.ddbuild.io/ci/remote-updates/${OCI_PRODUCT}:pipeline-${CI_PIPELINE_ID} us-east-1 ${INSTALLER_TESTING_S3_BUCKET} ${S3_STAGING_PACKAGE} pipeline-${CI_PIPELINE_ID}
   variables:
     MAJOR_VERSION: 7
 
@@ -44,12 +39,10 @@ deploy_agent_oci:
   variables:
     OCI_PRODUCT: "datadog-agent"
     S3_PACKAGE: "agent-package"
-    S3_STAGING_PACKAGE: "agent-package-dev"
 
 deploy_installer_oci:
   extends: ".deploy_packages_oci"
   needs: [ "installer_oci", "go_tools_deps" ]
   variables:
     OCI_PRODUCT: "datadog-installer"
     S3_PACKAGE: "installer-package"
-    S3_STAGING_PACKAGE: "installer-package-dev"

.gitlab/deploy_packages/oci.yml

@@ -205,7 +205,7 @@ dev_nightly-a7-full:
   variables:
     IMG_REGISTRIES: dev
     IMG_SOURCES: ${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-full-amd64,${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-full-arm64
-    IMG_DESTINATIONS: agent-dev:nightly-full-${CI_COMMIT_REF_SLUG}-jmx
+    IMG_DESTINATIONS: agent-dev:nightly-full-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}-jmx,agent-dev:nightly-full-${CI_COMMIT_REF_SLUG}-jmx
 
 # deploys nightlies to agent-dev
 dev_nightly-dogstatsd:

.gitlab/dev_container_deploy/docker_linux.yml

@@ -601,6 +601,7 @@ new-e2e-installer-windows:
       - EXTRA_PARAMS: --run "TestInstallScript$/TestInstallFromOldInstaller$"
       - EXTRA_PARAMS: --run "TestInstallScript$/TestFailedUnsupportedVersion$"
       - EXTRA_PARAMS: --run "TestInstallScriptWithAgentUser$"
+      - EXTRA_PARAMS: --run "TestInstallScriptWithAgentUserOnDC$"
       # installer-package
       - EXTRA_PARAMS: --run "TestInstaller$"
       # TODO: disabling tests during MSI merge, should be covered by regular Agent MSI tests

.gitlab/e2e/e2e.yml

@@ -43,4 +43,24 @@ docker_image_build_otel:
     - !reference [.except_mergequeue]
     - when: on_success
 
-# TODO(songy23): restore datadog_otel_components_ocb_build in next version upgrade
+datadog_otel_components_ocb_build:
+  stage: integration_test
+  image: registry.ddbuild.io/ci/datadog-agent-buildimages/deb_x64$DATADOG_AGENT_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_BUILDIMAGES
+  tags: ["arch:amd64"]
+  needs: ["go_deps"]
+  artifacts:
+    paths:
+      - ocb-output.log
+      - otelcol-custom.log
+      - flare-info.log
+    when: always
+  before_script:
+    - !reference [.retrieve_linux_go_deps]
+  script:
+    - echo "Building custom collector with datadog components"
+    - test/otel/testdata/ocb_build_script.sh
+    - echo "see artifacts for job logs"
+  rules:
+    - !reference [.except_mergequeue]
+    - when: on_success
+  timeout: 15 minutes

.gitlab/integration_test/otel.yml

@@ -0,0 +1,46 @@
+---
+# codeql_scan stage
+# Contains CodeQL scan job to perform security static analysis
+
+run_codeql_scan:
+  image: registry.ddbuild.io/code-scanning:v62112110-4faa53b-datadog-agent 
+  tags: ["arch:amd64"]
+  stage: source_test
+  rules:
+  - !reference [.on_scheduled_main]
+  needs: ["go_deps", "go_tools_deps"]
+  allow_failure: true # This job should not impact the overall status of the pipeline
+  variables:
+    ARCH: arm64
+    BASE_REF: main
+    GOMAXPROCS: 10
+    KUBERNETES_CPU_REQUEST: 10
+    KUBERNETES_CPU_LIMIT: 10
+    KUBERNETES_MEMORY_REQUEST: 64Gi
+    KUBERNETES_MEMORY_LIMIT: 64Gi
+    GITHUB_APP_PRIVATE_KEY_NAME: csec.codescanning.githubapp.privatekey
+    CODEQL: /usr/local/codeql/codeql
+    CODEQL_DB: /tmp/datadog-agent.codeql
+    DB_CONFIGS: --threads 8 --ram 96000 --db-cluster --language=go,python,javascript,cpp
+    SCAN_CONFIGS: --format sarifv2.1.0 --threads 8 --ram 96000 --no-tuple-counting
+    UPLOAD_CONFIGS: -upload_sarif=true
+    GITHUB_APP_PRIVATE_KEY_NAME: csec.codescanning.githubapp.privatekey
+    GITHUB_APP_ID: 209967
+    GITHUB_INSTALLATION_ID: 26442897
+  script:
+    - !reference [.retrieve_linux_go_deps]
+    - !reference [.retrieve_linux_go_tools_deps]
+    - git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf "https://github.com/DataDog/"
+    - git clone https://github.com/DataDog/codescanning.git --depth 1 --single-branch --branch=main /tmp/codescanning
+    - invoke install-tools
+    - $CODEQL database create datadog-agent.codeql $DB_CONFIGS --command="inv -e agent.build --build-exclude=systemd"
+    - $CODEQL database analyze datadog-agent.codeql/javascript codeql/javascript-queries $SCAN_CONFIGS --sarif-category="javascript" --output="/tmp/javascript.sarif" --verbosity=progress+++
+    - $CODEQL database analyze datadog-agent.codeql/go codeql/go-queries $SCAN_CONFIGS --sarif-category="go" --output="/tmp/go.sarif" --verbosity=progress+++
+    - $CODEQL database analyze datadog-agent.codeql/python codeql/python-queries $SCAN_CONFIGS --sarif-category="python" --output="/tmp/python.sarif" --verbosity=progress+++
+    - $CODEQL database analyze datadog-agent.codeql/cpp codeql/cpp-queries $SCAN_CONFIGS --sarif-category="cpp" --output="/tmp/cpp.sarif" --verbosity=progress+++
+    - GOPRIVATE=github.com/DataDog GOBIN=/usr/local/go/bin go install github.com/DataDog/codescanning@main
+    - CODEQL_SARIF="/tmp/go.sarif" codescanning $UPLOAD_CONFIGS -scan_started_time="$CI_JOB_STARTED_AT"
+    - CODEQL_SARIF="/tmp/javascript.sarif" codescanning $UPLOAD_CONFIGS -scan_started_time="$CI_JOB_STARTED_AT"
+    - CODEQL_SARIF="/tmp/python.sarif" codescanning $UPLOAD_CONFIGS -scan_started_time="$CI_JOB_STARTED_AT"
+    - CODEQL_SARIF="/tmp/cpp.sarif" codescanning $UPLOAD_CONFIGS -scan_started_time="$CI_JOB_STARTED_AT"
+

.gitlab/source_test/codeql_scan.yml

@@ -15,3 +15,4 @@ include:
   - .gitlab/source_test/notify.yml
   - .gitlab/source_test/protobuf.yml
   - .gitlab/source_test/tooling_unit_tests.yml
+  - .gitlab/source_test/codeql_scan.yml