[ABLD-387] Use hermetic Bazel-managed protobuf toolchain

[rdesgroppes]

What does this PR do?

Replace all host-dependent protobuf tool invocations in tasks/protobuf.py and tasks/security_agent.py with hermetic Bazel-managed equivalents (protoc, protoc-gen-go, protoc-gen-go-grpc, protoc-gen-go-vtproto,
protoc-go-inject-tag, mockgen, msgp).

Introduce a BazelTools class that lazily resolves binary paths via bazel cquery on first use, caching results for the duration of the invoke session.

Remove the install_protoc task, .protoc-version pin file, check_tools gating, the go install step from generate_cws_proto, and the associated Renovate rule.

Motivation

This is a prerequisite to migrating the generation of proto language bindings to BUILD.bazel files: by establishing a homogeneous, pinned toolchain now, subsequent PRs won't be encumbered with changes in generated files.

Hermetic tools guarantee identical output across all developer environments and CI, eliminating version drift and the manual setup steps (esp. dda inv install-protoc).

Describe how you validated your changes

Locally, on Linux and Windows (hence a few tweaked path constructions):

• dda inv protobuf.generate produces output identical to the committed generated files,
• dda inv security-agent.generate-cws-proto also regenerates the CWS API proto files successfully.

In CI, this is covered by existing jobs (now fetching Bazel's "progressive" cache):

• protobuf_test,
• security_go_generate_check.

Additional Notes

Reviewers will notice two categories of changes in the generated files:

• version strings in headers, for instance protoc now reads // protoc v7.34.1; this is intentional: the hermetic toolchain guarantees consistency everywhere,
• descriptor representation (api.pb.go shrinks from 171 KB to 129 KB): protoc-gen-go v1.36.6 indeed switched the raw file descriptor from var []byte{0x0a, ...} to const string = "\x0a..." + unsafe.Slice(unsafe.StringData(...)), a source-level compaction with identical runtime semantics, see: https://go-review.googlesource.com/c/protobuf/+/657895.

[agent-platform-auto-pr]

Files inventory check summary

File checks results against ancestor 3a4e6cd5:

Results for datadog-agent_7.79.0~devel.git.556.660a508.pipeline.106871821-1_amd64.deb:

No change detected

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 3a4e6cd
📊 Static Quality Gates Dashboard
🔗 SQG Job

31 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64	751.314 MiB
✅	agent_deb_amd64_fips	708.218 MiB
✅	agent_heroku_amd64	311.746 MiB
✅	agent_msi	605.281 MiB
✅	agent_rpm_amd64	751.297 MiB
✅	agent_rpm_amd64_fips	708.202 MiB
✅	agent_rpm_arm64	729.701 MiB
✅	agent_rpm_arm64_fips	689.657 MiB
✅	agent_suse_amd64	751.297 MiB
✅	agent_suse_amd64_fips	708.202 MiB
✅	agent_suse_arm64	729.701 MiB
✅	agent_suse_arm64_fips	689.657 MiB
✅	docker_agent_amd64	811.584 MiB
✅	docker_agent_arm64	814.793 MiB
✅	docker_agent_jmx_amd64	1002.500 MiB
✅	docker_agent_jmx_arm64	994.487 MiB
✅	docker_cluster_agent_amd64	204.112 MiB
✅	docker_cluster_agent_arm64	218.547 MiB
✅	docker_cws_instrumentation_amd64	7.142 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	39.274 MiB
✅	docker_dogstatsd_arm64	37.508 MiB
✅	dogstatsd_deb_amd64	29.921 MiB
✅	dogstatsd_deb_arm64	28.070 MiB
✅	dogstatsd_rpm_amd64	29.921 MiB
✅	dogstatsd_suse_amd64	29.921 MiB
✅	iot_agent_deb_amd64	43.445 MiB
✅	iot_agent_deb_arm64	40.480 MiB
✅	iot_agent_deb_armhf	41.228 MiB
✅	iot_agent_rpm_amd64	43.446 MiB
✅	iot_agent_suse_amd64	43.446 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	+33.67 KiB (0.02% increase)	174.615 → 174.648 → 178.360
✅	agent_deb_amd64_fips	-32.56 KiB (0.02% reduction)	165.222 → 165.190 → 172.790
✅	agent_heroku_amd64	neutral	74.840 MiB → 79.970
✅	agent_msi	+44.0 KiB (0.03% increase)	138.496 → 138.539 → 146.220
✅	agent_rpm_amd64	-18.12 KiB (0.01% reduction)	177.466 → 177.448 → 181.830
✅	agent_rpm_amd64_fips	+21.75 KiB (0.01% increase)	167.271 → 167.292 → 173.370
✅	agent_rpm_arm64	-27.94 KiB (0.02% reduction)	159.410 → 159.383 → 163.060
✅	agent_rpm_arm64_fips	neutral	151.206 MiB → 156.170
✅	agent_suse_amd64	-18.12 KiB (0.01% reduction)	177.466 → 177.448 → 181.830
✅	agent_suse_amd64_fips	+21.75 KiB (0.01% increase)	167.271 → 167.292 → 173.370
✅	agent_suse_arm64	-27.94 KiB (0.02% reduction)	159.410 → 159.383 → 163.060
✅	agent_suse_arm64_fips	neutral	151.206 MiB → 156.170
✅	docker_agent_amd64	-3.63 KiB (0.00% reduction)	267.984 → 267.980 → 272.480
✅	docker_agent_arm64	+3.43 KiB (0.00% increase)	255.131 → 255.134 → 261.060
✅	docker_agent_jmx_amd64	+4.3 KiB (0.00% increase)	336.626 → 336.630 → 341.100
✅	docker_agent_jmx_arm64	-18.0 KiB (0.01% reduction)	319.778 → 319.761 → 325.620
✅	docker_cluster_agent_amd64	neutral	71.430 MiB → 72.920
✅	docker_cluster_agent_arm64	neutral	67.052 MiB → 68.220
✅	docker_cws_instrumentation_amd64	neutral	2.999 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.729 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	15.182 MiB → 15.820
✅	docker_dogstatsd_arm64	neutral	14.497 MiB → 14.830
✅	dogstatsd_deb_amd64	neutral	7.900 MiB → 8.790
✅	dogstatsd_deb_arm64	neutral	6.785 MiB → 7.710
✅	dogstatsd_rpm_amd64	neutral	7.912 MiB → 8.800
✅	dogstatsd_suse_amd64	neutral	7.912 MiB → 8.800
✅	iot_agent_deb_amd64	neutral	11.443 MiB → 13.040
✅	iot_agent_deb_arm64	neutral	9.761 MiB → 11.450
✅	iot_agent_deb_armhf	neutral	9.977 MiB → 11.620
✅	iot_agent_rpm_amd64	neutral	11.461 MiB → 13.060
✅	iot_agent_suse_amd64	neutral	11.461 MiB → 13.060

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: c8584e3c-6f47-441f-8029-86a86711eb16

Baseline: b255ecc
Comparison: 9f5b744
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+2.23	[-0.79, +5.24]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+2.23	[-0.79, +5.24]	1	Logs
➖	quality_gate_logs	% cpu utilization	+2.05	[+0.38, +3.73]	1	Logs bounds checks dashboard
➖	quality_gate_idle_all_features	memory utilization	+0.40	[+0.37, +0.44]	1	Logs bounds checks dashboard
➖	ddot_metrics	memory utilization	+0.33	[+0.15, +0.51]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	+0.26	[+0.11, +0.40]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	+0.19	[+0.01, +0.37]	1	Logs
➖	ddot_logs	memory utilization	+0.17	[+0.10, +0.24]	1	Logs
➖	otlp_ingest_metrics	memory utilization	+0.09	[-0.07, +0.25]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.06	[-0.33, +0.44]	1	Logs
➖	file_tree	memory utilization	+0.06	[-0.00, +0.12]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	+0.05	[-0.37, +0.48]	1	Logs
➖	docker_containers_memory	memory utilization	+0.03	[-0.05, +0.11]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	+0.02	[-0.19, +0.22]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.01	[-0.12, +0.14]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.10, +0.10]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.01	[-0.22, +0.19]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.09	[-0.59, +0.42]	1	Logs
➖	otlp_ingest_logs	memory utilization	-0.09	[-0.20, +0.02]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	-0.16	[-0.22, -0.10]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	-0.25	[-0.47, -0.02]	1	Logs
➖	quality_gate_idle	memory utilization	-0.29	[-0.34, -0.23]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	-0.43	[-0.62, -0.23]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	-0.47	[-0.70, -0.23]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	579 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	274.77MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	684 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.19GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.23GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.21GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 = 3	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	175.24MiB ≤ 181MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 = 3	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	487.66MiB ≤ 550MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	202.14MiB ≤ 220MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	345.91 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	403.05MiB ≤ 475MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.

[agent-platform-auto-pr]

Gitlab CI Configuration Changes

Modified Jobs

protobuf_test

  protobuf_test:
    before_script:
    - mkdir -p $GOPATH/bin $GOPATH/pkg/mod/cache && zstd -dc modcache_tools.tar.zst
      | tar xf - -C $GOPATH
    - rm -f modcache_tools.tar.zst
    - export PATH=$PATH:$GOPATH/bin
+   cache:
+   - key:
+       files:
+       - .bazelversion
+       prefix: bazelversion-$CI_RUNNER_DESCRIPTION
+     paths:
+     - .cache/bazelisk
+     - .cache/bazel/*/install
+     policy: pull$BAZEL_CACHE_POLICY_SUFFIX
+     when: on_success
+   - key:
+       files:
+       - .go-version
+       - .python-version
+       prefix: bazel-$CI_JOB_NAME
+     paths:
+     - .cache/bazel/*/cache
+     - .cache/bazel/disk-cache
+     - .cache/go
+     - .cache/ms-go
+     - .cache/pip
+     policy: pull$BAZEL_CACHE_POLICY_SUFFIX
+     when: on_success
    image: registry.ddbuild.io/ci/datadog-agent-buildimages/linux$CI_IMAGE_LINUX_SUFFIX:$CI_IMAGE_LINUX
    needs:
    - go_tools_deps
    script:
    - dda inv -- -e protobuf.generate --pre-commit
    stage: source_test
    tags:
    - arch:amd64
    - specific:true
+   variables:
+     BAZELISK_HOME: $XDG_CACHE_HOME/bazelisk
+     XDG_CACHE_HOME: $CI_PROJECT_DIR/.cache

security_go_generate_check

  security_go_generate_check:
    before_script:
    - mkdir -p $GOPATH/pkg/mod/cache && zstd -dc modcache.tar.zst | tar xf - -C $GOPATH/pkg/mod/cache
    - rm -f modcache.tar.zst
    - mkdir -p $GOPATH/bin $GOPATH/pkg/mod/cache && zstd -dc modcache_tools.tar.zst
      | tar xf - -C $GOPATH
    - rm -f modcache_tools.tar.zst
    - export PATH=$PATH:$GOPATH/bin
+   cache:
+   - key:
+       files:
+       - .bazelversion
+       prefix: bazelversion-$CI_RUNNER_DESCRIPTION
+     paths:
+     - .cache/bazelisk
+     - .cache/bazel/*/install
+     policy: pull$BAZEL_CACHE_POLICY_SUFFIX
+     when: on_success
+   - key:
+       files:
+       - .go-version
+       - .python-version
+       prefix: bazel-$CI_JOB_NAME
+     paths:
+     - .cache/bazel/*/cache
+     - .cache/bazel/disk-cache
+     - .cache/go
+     - .cache/ms-go
+     - .cache/pip
+     policy: pull$BAZEL_CACHE_POLICY_SUFFIX
+     when: on_success
    image: registry.ddbuild.io/ci/datadog-agent-buildimages/linux$CI_IMAGE_LINUX_SUFFIX:$CI_IMAGE_LINUX
    needs:
    - go_deps
    - go_tools_deps
    script:
    - dda inv -- -e security-agent.go-generate-check
    stage: source_test
    tags:
    - arch:amd64
    - specific:true
    variables:
+     BAZELISK_HOME: $XDG_CACHE_HOME/bazelisk
      KUBERNETES_CPU_REQUEST: 4
+     XDG_CACHE_HOME: $CI_PROJECT_DIR/.cache

Changes Summary

Removed	Modified	Added	Renamed
0	2	0	0

ℹ️ Diff available in the job log.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a2d578ca44

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[davidor]

👍 for container-platform files

[JSGette]

Cool stuff!

[dd-gplassard]

For actionplatform files 👍

[YoannGh]

Good for agent-security owned files!

[KevinFairise2]

Looks good for the files owned by Agent DevX