From 9ec8cf269d337476e3f36607f8fa4d65134a753e Mon Sep 17 00:00:00 2001
From: Manuel Palenzuela Merino
Date: Thu, 12 Mar 2026 14:30:30 +0100
Subject: [PATCH 1/3] Add Datadog code coverage upload alongside Codecov
Add datadog-ci coverage upload steps to the "appsec code coverage" CI job to run side-by-side with existing Codecov uploads. Both LCOV reports (extension and helper) are uploaded to Datadog for coverage parity validation. Also adds code-coverage.datadog.yml mirroring codecov.yml ignore paths and PR gate thresholds.
Co-Authored-By: Claude Opus 4.6
---
 .gitlab/generate-appsec.php | 18 ++++++++++++++++++
 code-coverage.datadog.yml | 12 ++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 code-coverage.datadog.yml
diff --git a/.gitlab/generate-appsec.php b/.gitlab/generate-appsec.php
index 8fecd224df7..aca25183952 100644
--- a/.gitlab/generate-appsec.php
+++ b/.gitlab/generate-appsec.php
@@ -230,6 +230,24 @@
 echo "Uploading helper coverage to codecov"
 cd "$CI_PROJECT_DIR"
 codecov -t "$CODECOV_TOKEN" -n appsec-helper -v -f appsec/build/coverage-helper.lcov
+ - |
+ echo "Uploading coverage to Datadog"
+ cd "$CI_PROJECT_DIR"
+
+ DATADOG_API_KEY=$(vault kv get --format=json kv/k8s/gitlab-runner/dd-trace-php/datadoghq-api-key | jq -r .data.data.key)
+ export DATADOG_API_KEY
+ export DD_SITE="datadoghq.com"
+
+ # Install datadog-ci
+ DATADOG_CI_VERSION="v2.48.0"
+ curl -L --fail "https://github.com/DataDog/datadog-ci/releases/download/${DATADOG_CI_VERSION}/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
+ chmod +x /usr/local/bin/datadog-ci
+
+ echo "Uploading extension coverage to Datadog"
+ datadog-ci coverage upload --format=lcov appsec/build/coverage-ext.lcov || true
+
+ echo "Uploading helper coverage to Datadog"
+ datadog-ci coverage upload --format=lcov appsec/build/coverage-helper.lcov || true
 "push appsec images":
diff --git a/code-coverage.datadog.yml b/code-coverage.datadog.yml
new file mode 100644
index 00000000000..20f4001ff36
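Review bot: The install step fetches `datadog-ci_linux-x64` and makes it executable with no integrity check, and the binary then runs in a job that has `DATADOG_API_KEY` exported; `DATADOG_CI_VERSION` pins a tag name, not the bytes served for it. Record the expected digest next to the version and verify it before `chmod +x`, for example `DATADOG_CI_SHA256="<sha256 of the pinned release asset>"` followed by `echo "${DATADOG_CI_SHA256}  /usr/local/bin/datadog-ci" | sha256sum -c -` (assuming `sha256sum` is available in the job image). The later hunks in this series that move the binary to `/tmp` and bump the version keep the same unverified download, so the check has to follow the path and be refreshed with each version bump. In the same block, `jq -r .data.data.key` prints the literal `null` when the field is missing, and because both uploads end in `|| true` a bad key would go unnoticed, so an explicit check that the key is non-empty and not `null` before exporting it would surface that. The script block this hunk extends starts before the hunk.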
--- /dev/null
+++ b/code-coverage.datadog.yml
@@ -0,0 +1,12 @@
+schema-version: v1
+ignore:
+ - "appsec/build/"
+ - "appsec/tests/"
+ - "appsec/third_party/"
+gates:
+ - type: total_coverage_percentage
+ config:
+ threshold: auto
+ - type: patch_coverage_percentage
+ config:
+ threshold: 90
From 8c15b293f46ab3229263a8e77a5fee3ec28382f9 Mon Sep 17 00:00:00 2001
From: Manuel Palenzuela Merino
Date: Mon, 16 Mar 2026 17:52:41 +0100
Subject: [PATCH 2/3] Fix datadog-ci install path: use /tmp instead of /usr/local/bin
The CI runner doesn't have write permissions to /usr/local/bin. Write the binary to /tmp instead.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitlab/generate-appsec.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.gitlab/generate-appsec.php b/.gitlab/generate-appsec.php
index aca25183952..a86a33eb07b 100644
--- a/.gitlab/generate-appsec.php
+++ b/.gitlab/generate-appsec.php
@@ -240,14 +240,14 @@
 # Install datadog-ci
 DATADOG_CI_VERSION="v2.48.0"
- curl -L --fail "https://github.com/DataDog/datadog-ci/releases/download/${DATADOG_CI_VERSION}/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
- chmod +x /usr/local/bin/datadog-ci
+ curl -L --fail "https://github.com/DataDog/datadog-ci/releases/download/${DATADOG_CI_VERSION}/datadog-ci_linux-x64" --output "/tmp/datadog-ci"
+ chmod +x /tmp/datadog-ci
 echo "Uploading extension coverage to Datadog"
- datadog-ci coverage upload --format=lcov appsec/build/coverage-ext.lcov || true
+ /tmp/datadog-ci coverage upload --format=lcov appsec/build/coverage-ext.lcov || true
 echo "Uploading helper coverage to Datadog"
- datadog-ci coverage upload --format=lcov appsec/build/coverage-helper.lcov || true
+ /tmp/datadog-ci coverage upload --format=lcov appsec/build/coverage-helper.lcov || true
 "push appsec images":
From 1c6333d97594f5671e9974af75939c8fd3bf0cb4 Mon Sep 17 00:00:00 2001
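Review bot: `/tmp/datadog-ci` is a fixed name in a world-writable directory, and the job both writes to it with `curl --output` and executes it twice while `DATADOG_API_KEY` is exported; whether /tmp is private to this job depends on the runner's executor, which is not visible from this hunk. A per-job private directory avoids relying on that: `DATADOG_CI_BIN="$(mktemp -d)/datadog-ci"`, then use `"$DATADOG_CI_BIN"` for `--output`, `chmod +x` and the two `coverage upload` lines. That also keeps the path in one variable instead of four literals. The enclosing script block starts before the hunk.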
From: Manuel Palenzuela Merino
Date: Tue, 17 Mar 2026 17:33:57 +0100
Subject: [PATCH 3/3] =?UTF-8?q?Fix=20datadog-ci=20version:=20v2.48.0=20?= =?UTF-8?q?=E2=86=92=20v5.9.1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The coverage upload command is not available in v2.48.0. Updating to v5.9.1 which includes the coverage plugin.
Co-Authored-By: Claude Opus 4.6
---
 .gitlab/generate-appsec.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab/generate-appsec.php b/.gitlab/generate-appsec.php
index a86a33eb07b..e44d9fa6232 100644
--- a/.gitlab/generate-appsec.php
+++ b/.gitlab/generate-appsec.php
@@ -239,7 +239,7 @@
 export DD_SITE="datadoghq.com"
 # Install datadog-ci
- DATADOG_CI_VERSION="v2.48.0"
+ DATADOG_CI_VERSION="v5.9.1"
 curl -L --fail "https://github.com/DataDog/datadog-ci/releases/download/${DATADOG_CI_VERSION}/datadog-ci_linux-x64" --output "/tmp/datadog-ci"
 chmod +x /tmp/datadog-ci