feat(ci): integrate Datadog CI products for enhanced visibility

.datadog-ci.json

@@ -0,0 +1,17 @@
+{
+  "apiKey": "${DATADOG_API_KEY}",
+  "appKey": "${DD_APP_KEY}",
+  "site": "${DD_SITE}",
+  "files": [
+    "coverage.out"
+  ],
+  "coverage": {
+    "format": "go-cover",
+    "basePath": "."
+  },
+  "sast": {
+    "enabled": true,
+    "languages": ["go"],
+    "rules": "recommended"
+  }
+}

.github/workflows/ci.yml

@@ -4,36 +4,92 @@ on:
   pull_request:
     branches:
       - '**'
+  push:
+    branches:
+      - main
 
 permissions:
   contents: write  # Needed to commit coverage badge on main branch
   pull-requests: write
+  security-events: write  # Needed for Datadog SAST results
+  id-token: write # Needed to federate STS token to upload coverage
+
+env:
+  DD_ENV: ci
+  DD_SERVICE: pup
 
 jobs:
   test:
     name: Test and Coverage
     runs-on: ubuntu-latest
+    env:
+      DD_API_KEY: ${{ secrets.DD_API_KEY }}
+      DD_SITE: ${{ secrets.DD_SITE || 'datadoghq.com' }}
+      DD_CIVISIBILITY_AGENTLESS_ENABLED: true
+      DD_CIVISIBILITY_GIT_UPLOAD_ENABLED: true
+      DD_CIVISIBILITY_ENABLED: true
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          fetch-depth: 0  # Fetch full git history for Datadog CI Visibility
 
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
           go-version: '1.25'
           cache: true
 
+      - name: Get Datadog credentials
+        id: dd-sts # Needed to be able to reference this step's output later
+        uses: DataDog/dd-sts-action@main # Pin to the main branch to get auto updates for free, or to a specific commit hash if you want stability
+        with:
+          policy: public-datadog-pup-sts
+
+      - name: Configure Datadog Test Optimization
+        uses: datadog/test-visibility-github-action@v2
+        with:
+          languages: go
+          api_key: ${{ steps.dd-sts.outputs.api_key }}
+          site: datadoghq.com
+
+      - name: Install Datadog CI tools
+        run: |
+          # Install orchestrion for Go test instrumentation
+          go install github.com/DataDog/orchestrion@latest
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+          # Install datadog-ci CLI for coverage upload
+          npm install -g @datadog/datadog-ci
+
       - name: Install bc for floating-point math
         run: sudo apt-get update && sudo apt-get install -y bc
 
       - name: Run tests with coverage
+        env:
+          DD_CIVISIBILITY_ENABLED: true
+          DD_ENV: ci
         run: |
-          # Run tests on all packages with race detection and parallel execution
-          go test -v -race -parallel 8 ./...
-          # Calculate coverage only for pkg/ (cmd/ is CLI code with lower test coverage)
-          # Use -count=1 to disable test caching and get accurate coverage
-          # Use -parallel 8 for faster execution (4.7x faster than sequential)
-          go test -count=1 -parallel 8 -coverprofile=coverage.out -covermode=atomic ./pkg/...
+          # Run tests on all packages with race detection
+          # Use orchestrion to instrument tests for Datadog CI Visibility
+          # IMPORTANT: Use -parallel 256 with orchestrion. The test-visibility-github-action
+          # sets GOFLAGS='-toolexec=orchestrion toolexec' which auto-injects t.Parallel()
+          # into ALL subtests. With the default parallel limit (GOMAXPROCS=2 on runners),
+          # this deadlocks table-driven tests where parent tests wait for subtests that are
+          # blocked waiting for parallel slots. A high limit avoids the deadlock.
+          if [ -n "$DD_API_KEY" ]; then
+            echo "Running tests with Datadog CI Visibility enabled"
+            orchestrion go test -v -race -parallel 256 ./...
+            # Calculate coverage with orchestrion instrumentation
+            # Use -count=1 to disable test caching and get accurate coverage
+            orchestrion go test -count=1 -parallel 256 -coverprofile=coverage.out -covermode=atomic ./pkg/...
+          else
+            echo "Running tests without Datadog CI Visibility (DD_API_KEY not set)"
+            go test -v -race ./...
+            go test -count=1 -coverprofile=coverage.out -covermode=atomic ./pkg/...
+          fi
+
+          # Generate HTML coverage report
           go tool cover -html=coverage.out -o coverage.html
 
       - name: Calculate coverage
@@ -57,6 +113,15 @@ jobs:
           echo "" >> coverage_report.txt
           go tool cover -func=coverage.out | tail -1 >> coverage_report.txt
 
+      - name: Upload coverage to Datadog
+        if: env.DD_API_KEY != ''
+        env:
+          DATADOG_API_KEY: ${{ steps.dd-sts.outputs.api_key }}
+          DD_SITE: datadoghq.com
+        run: |
+          # Upload coverage reports to Datadog
+          datadog-ci coverage upload --format=go-coverprofile coverage.out
+
       - name: Check coverage threshold
         run: |
           COVERAGE=${{ steps.coverage.outputs.coverage }}
@@ -75,107 +140,6 @@ jobs:
             echo "✅ Coverage $COVERAGE% meets threshold $THRESHOLD%"
           fi
 
-      - name: Generate coverage badge data
-        if: github.event_name == 'pull_request'
-        id: badge
-        run: |
-          COVERAGE=${{ steps.coverage.outputs.coverage }}
-
-          # Determine badge color based on coverage
-          if [ $(echo "$COVERAGE >= 90" | bc -l) -eq 1 ]; then
-            COLOR="brightgreen"
-          elif [ $(echo "$COVERAGE >= 80" | bc -l) -eq 1 ]; then
-            COLOR="green"
-          elif [ $(echo "$COVERAGE >= 70" | bc -l) -eq 1 ]; then
-            COLOR="yellow"
-          elif [ $(echo "$COVERAGE >= 60" | bc -l) -eq 1 ]; then
-            COLOR="orange"
-          else
-            COLOR="red"
-          fi
-
-          echo "color=$COLOR" >> $GITHUB_OUTPUT
-
-      - name: Generate PR comment body
-        if: github.event_name == 'pull_request'
-        id: comment
-        env:
-          COVERAGE: ${{ steps.coverage.outputs.coverage }}
-          BADGE_COLOR: ${{ steps.badge.outputs.color }}
-          COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
-        run: |
-          # Determine status
-          if [ $(echo "$COVERAGE >= 80" | bc -l) -eq 1 ]; then
-            STATUS="✅ PASSED - Coverage meets minimum threshold"
-            STATUS_EMOJI="✅"
-          else
-            STATUS="❌ FAILED - Coverage below minimum threshold"
-            STATUS_EMOJI="❌"
-          fi
-
-          # Create comment body using heredoc
-          cat > comment_final.txt << EOF
-          ## 📊 Test Coverage Report
-
-          **Overall Coverage:** ${COVERAGE}% ![Coverage](https://img.shields.io/badge/coverage-${COVERAGE}%25-${BADGE_COLOR})
-
-          **Threshold:** 80% ${STATUS_EMOJI}
-
-          <details>
-          <summary>Coverage by Package</summary>
-
-          \`\`\`
-          $(cat coverage_report.txt)
-          \`\`\`
-
-          </details>
-
-          ---
-          📈 **Coverage Status:** ${STATUS}
-
-          <sub>Updated for commit ${COMMIT_SHA}</sub>
-          EOF
-
-      - name: Comment on PR
-        if: github.event_name == 'pull_request'
-        continue-on-error: true  # Don't fail CI if comment posting fails
-        uses: actions/github-script@v8
-        env:
-          COMMENT_BODY: ${{ steps.comment.outputs.comment_body }}
-        with:
-          script: |
-            const fs = require('fs');
-            const commentBody = fs.readFileSync('comment_final.txt', 'utf8');
-
-            // Find existing comment
-            const { data: comments } = await github.rest.issues.listComments({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-            });
-
-            const botComment = comments.find(comment =>
-              comment.user.type === 'Bot' && comment.body.includes('📊 Test Coverage Report')
-            );
-
-            if (botComment) {
-              // Update existing comment
-              await github.rest.issues.updateComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: botComment.id,
-                body: commentBody
-              });
-            } else {
-              // Create new comment
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                body: commentBody
-              });
-            }
-
       - name: Generate coverage badge for main branch
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'
         env:
@@ -262,3 +226,33 @@ jobs:
 
       - name: Verify binary
         run: ./pup --version
+
+  sast:
+    name: Datadog Static Analysis
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    env:
+      DD_API_KEY: ${{ secrets.DD_API_KEY }}
+      DD_APP_KEY: ${{ secrets.DD_APP_KEY }}
+      DD_SITE: ${{ secrets.DD_SITE || 'datadoghq.com' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0  # Full history for better SAST analysis
+
+      - name: Run Datadog Static Analysis
+        if: env.DD_API_KEY != ''
+        run: |
+          # Install datadog-ci if not already installed
+          npm install -g @datadog/datadog-ci
+
+          # Run static analysis
+          # This will analyze the code for security vulnerabilities, code quality issues, etc.
+          datadog-ci sast scan --service=${{ env.DD_SERVICE }} --env=${{ env.DD_ENV }}
+
+      - name: SAST disabled notice
+        if: env.DD_API_KEY == ''
+        run: |
+          echo "⚠️  Datadog Static Analysis skipped: DD_API_KEY not configured"
+          echo "To enable SAST, add DD_API_KEY and DD_APP_KEY as repository secrets"

CLAUDE.md

@@ -7,6 +7,7 @@ Go-based CLI wrapper for Datadog APIs. Provides OAuth2 + API key authentication
 - **[COMMANDS.md](docs/COMMANDS.md)** - Complete command reference with all 33 domains
 - **[CONTRIBUTING.md](docs/CONTRIBUTING.md)** - Git workflow, PR process, commit format
 - **[TESTING.md](docs/TESTING.md)** - Test strategy, coverage requirements, CI/CD
+- **[DATADOG_CI.md](docs/DATADOG_CI.md)** - Datadog CI products integration (Test Visibility, Code Coverage, SAST)
 - **[OAUTH2.md](docs/OAUTH2.md)** - OAuth2 implementation details (DCR, PKCE, token storage)
 - **[EXAMPLES.md](docs/EXAMPLES.md)** - Usage examples and common workflows
 - **[ARCHITECTURE.md](docs/ARCHITECTURE.md)** - Design decisions and technical details