ci: automate SHA-pinned GitHub Actions updates via Dependabot

[kakkoyun]

What does this PR do?

Completes the supply-chain hardening started in #4542 by automating ongoing
maintenance of SHA-pinned GitHub Actions:

1. Switches Dependabot to a weekly schedule so SHA pins stay current.
2. Pins the three remaining @v tag refs in test-apps.cue to full commit SHAs.
3. Adds an auto-sync workflow that patches test-apps.cue whenever
   Dependabot bumps SHAs in test-apps.yml.

Motivation

After #4542, Dependabot can update YAML workflow files but not the CUE source
template (test-apps.cue). Without automation, every Dependabot PR creates
drift: test-apps.yml gets updated SHAs while test-apps.cue stays stale.
A developer running make test-apps.yml would silently revert all pinned SHAs
back to @v tags, undoing the security fix.

A naive CI drift check (cue export && git diff --exit-code) doesn't work
because cue export cannot produce YAML comments — Dependabot adds version
comments (# vX.Y.Z) that the CUE exporter can't reproduce, so the diff
would always be non-empty regardless of SHA correctness.

The auto-sync workflow triggers on Dependabot branch pushes, extracts updated
SHAs from test-apps.yml via grep/sed, patches test-apps.cue, and
commits back to the branch. Uses push trigger (not pull_request_target)
for simplicity and full write access without untrusted-code risks. The
GITHUB_TOKEN push safety prevents infinite workflow loops.

Reviewer's Checklist

• Changed code has unit tests for its functionality at or near 100% coverage.
• System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
• There is a benchmark for any new code, or changes to existing code.
• If this interacts with the agent in a new way, a system test has been added.
• New code is free of linting errors. You can check this by running make lint locally.
• New code doesn't break existing tests. You can check this by running make test locally.
• Add an appropriate team label so this PR gets put in the right place for the release notes.
• All generated files are up to date. You can check this by running make generate locally.
• Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild. Make sure all nested modules are up to date by running make fix-modules locally.

Unsure? Have a question? Request a review!

[datadog-datadog-prod-us1]

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 59.32% (+3.53%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: ca48055 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[pr-commenter]

Benchmarks

Benchmark execution time: 2026-03-17 14:28:04

Comparing candidate commit ca48055 in PR branch kakkoyun/pin_dependabot with baseline commit e9cc077 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 155 metrics, 9 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

• 🟩 = significantly better candidate vs. baseline
• 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.20%. Comparing base (e9cc077) to head (ca48055).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

see 434 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.