bazel: migrate curl & openssl to dd_cc_packaged & dd_collect_dependencies

[chouquette]

What does this PR do?

Continue the migration toward installing dependencies with dd_collect_dependencies
This PR mostly migrates OpenSSL, Python & rtloader.

It also contains some changes to our rules:

• foreign_cc_shared_wrapper:
  • stop re-exporting the wrapped target's providers
  • add lib_filter to allow producing multiple wrappers objects for multiple libraries from a single configure_make target
  • return DefaultInfo so the wrapper can be used as a data dependency
• dd_cc_packaged: add installed_executables attribute to rpath-patch and
  install executables/shared modules (engines, ossl-modules, …) alongside the library
• rewrite_rpath: extract patchelf_file_action / otool_file_action & introduce patchelf_dir_action / otool_dir_action as reusable helpers. We now can rpath-patch entire output directories (useful for python modules & openssl engines)

Motivation

Migrating away from omnibus.

Describe how you validated your changes

Local bazel test //... and CI

Additional Notes

Based on top of #49386 (merged)
Based on top of #49500 (merged)
The rules_pkg change is opened upstream at bazelbuild/rules_pkg#1053 (change merged & rules_pkg commit bumped in main)

The preliminary changes to our tooling (foreign_cc_shared_wrapper, dd_cc_packaged's installed_executable & rewrite_rpath refactoring can each be split out in their own PR if it simplifies the review)

The heroku size increase is coming from license files that weren't shipped in the package before:

 - LICENSES/krb5-NOTICE — 64 KB 
  - LICENSES/rpm-COPYING — 44 KB 
  - LICENSES/gstatus-LICENSE — 35 KB 
  - LICENSES/acl-COPYING.LGPL — 26 KB
  - LICENSES/attr-COPYING.LGPL — 26 KB
  - LICENSES/gcrypt-COPYING.LIB — 26 KB
  - LICENSES/systemd-LICENSE.LGPL2.1 — 26 KB
  - LICENSES/libsepol-LICENSE — 26 KB 
  - LICENSES/freetds-COPYING.LIB — 25 KB
  - LICENSES/unixodbc-COPYING — 24 KB 
  - LICENSES/cacerts-MPL-2.0.txt — 16 KB 
  - LICENSES/msodbcsql18-LICENSE.txt — 12 KB
  - LICENSES/xmlsec-Copyright — 7 KB 
  - LICENSES/jmxfetch-LICENSE — 2 KB
  - LICENSES/dbus-COPYING — 1 KB
  - LICENSES/popt-COPYING — 1 KB
  - LICENSES/attr-LICENSE — 1 KB
  - sources/acl/offer.txt — 128 B
  - sources/attr/offer.txt — 129 B
  - sources/freetds/offer.txt — 133 B
  - sources/libsepol/offer.txt — 131 B
  - sources/systemd/offer.txt — 130 B

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor 0f36ad4c:

Results for datadog-agent_7.80.0~devel.git.532.6f21cc3.pipeline.111668039-1_amd64.deb:

Detected file changes:

4 Removed files:

• opt/datadog-agent/LICENSES/gpg-error-COPYING.LIB (25.91 KiB)
• opt/datadog-agent/LICENSES/openscap-COPYING (25.82 KiB)
• opt/datadog-agent/LICENSES/lua-license_file (1.04 KiB)
• opt/datadog-agent/sources/openscap/offer.txt (133.0 B)

1 Changed files:

• opt/datadog-agent/embedded/lib/libpython3.13.so.1.0:
  • Permission changed: 0o755 -> 0o644

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 1042440c-7ba4-4321-8e35-1d45b5b3ca48

Baseline: 2733cb8
Comparison: ca6ff35
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+0.61	[-2.26, +3.48]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+0.61	[-2.26, +3.48]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.55	[+0.32, +0.79]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	+0.46	[+0.30, +0.61]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	+0.43	[+0.18, +0.67]	1	Logs bounds checks dashboard
➖	ddot_logs	memory utilization	+0.35	[+0.28, +0.42]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	+0.34	[+0.15, +0.53]	1	Logs
➖	otlp_ingest_metrics	memory utilization	+0.33	[+0.17, +0.48]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.22	[+0.17, +0.26]	1	Logs
➖	file_tree	memory utilization	+0.16	[+0.10, +0.21]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.07	[-0.34, +0.48]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.05	[-0.48, +0.59]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.01	[-0.19, +0.21]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.01	[-0.13, +0.15]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.00	[-0.45, +0.44]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.01	[-0.10, +0.09]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.03	[-0.23, +0.16]	1	Logs
➖	docker_containers_memory	memory utilization	-0.10	[-0.20, +0.00]	1	Logs
➖	otlp_ingest_logs	memory utilization	-0.15	[-0.25, -0.05]	1	Logs
➖	quality_gate_idle	memory utilization	-0.15	[-0.20, -0.10]	1	Logs bounds checks dashboard
➖	ddot_metrics	memory utilization	-0.18	[-0.38, +0.03]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.29	[-0.33, -0.25]	1	Logs bounds checks dashboard
➖	quality_gate_logs	% cpu utilization	-1.12	[-2.10, -0.15]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	-1.20	[-1.40, -0.99]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	709 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	244.49MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	694 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.16GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.17GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.19GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	143.47MiB ≤ 147MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	470.64MiB ≤ 495MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	174.45MiB ≤ 195MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	356.39 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	376.92MiB ≤ 430MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.

[datadog-datadog-prod-us1-2]

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 50.26% (-0.00%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 6f21cc3 | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 0f36ad4
📊 Static Quality Gates Dashboard
🔗 SQG Job
SOME SIZE DELTAS ARE N/A (ANCESTOR METRICS NOT YET AVAILABLE). RETRY JOB

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	N/A	N/A → 742.147 → 750.310
✅	agent_deb_amd64_fips	N/A	N/A → 700.222 → 702.690
✅	agent_heroku_amd64	N/A	N/A → 309.464 → 313.960
✅	agent_msi	N/A	N/A → 607.970 → 623.540
✅	agent_rpm_amd64	N/A	N/A → 742.131 → 750.280
✅	agent_rpm_amd64_fips	N/A	N/A → 700.205 → 702.670
✅	agent_rpm_arm64	N/A	N/A → 720.065 → 724.050
✅	agent_rpm_arm64_fips	N/A	N/A → 681.234 → 684.460
✅	agent_suse_amd64	N/A	N/A → 742.131 → 750.280
✅	agent_suse_amd64_fips	N/A	N/A → 700.205 → 702.670
✅	agent_suse_arm64	N/A	N/A → 720.065 → 724.050
✅	agent_suse_arm64_fips	N/A	N/A → 681.234 → 684.460
✅	docker_agent_amd64	N/A	N/A → 802.389 → 805.870
✅	docker_agent_arm64	N/A	N/A → 805.164 → 809.730
✅	docker_agent_jmx_amd64	N/A	N/A → 993.309 → 996.590
✅	docker_agent_jmx_arm64	N/A	N/A → 984.863 → 989.410
✅	docker_cluster_agent_amd64	N/A	N/A → 206.607 → 207.600
✅	docker_cluster_agent_arm64	N/A	N/A → 220.634 → 221.150
✅	docker_cws_instrumentation_amd64	N/A	N/A → 7.142 → 7.180
✅	docker_cws_instrumentation_arm64	N/A	N/A → 6.689 → 6.920
✅	docker_host_profiler_amd64	N/A	N/A → 301.106 → 315.800
✅	docker_host_profiler_arm64	N/A	N/A → 312.624 → 327.400
✅	docker_dogstatsd_amd64	N/A	N/A → 39.492 → 39.540
✅	docker_dogstatsd_arm64	N/A	N/A → 37.690 → 38.080
✅	dogstatsd_deb_amd64	N/A	N/A → 30.149 → 30.770
✅	dogstatsd_deb_arm64	N/A	N/A → 28.279 → 29.270
✅	dogstatsd_rpm_amd64	N/A	N/A → 30.149 → 30.770
✅	dogstatsd_suse_amd64	N/A	N/A → 30.149 → 30.770
✅	iot_agent_deb_amd64	N/A	N/A → 44.462 → 44.970
✅	iot_agent_deb_arm64	N/A	N/A → 41.442 → 42.560
✅	iot_agent_deb_armhf	N/A	N/A → 42.183 → 42.740
✅	iot_agent_rpm_amd64	N/A	N/A → 44.462 → 44.970
✅	iot_agent_suse_amd64	N/A	N/A → 44.462 → 44.970

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	N/A	N/A → 175.725 → 179.160
✅	agent_deb_amd64_fips	N/A	N/A → 167.419 → 174.440
✅	agent_heroku_amd64	N/A	N/A → 74.986 → 80.310
✅	agent_msi	N/A	N/A → 140.695 → 148.730
✅	agent_rpm_amd64	N/A	N/A → 177.805 → 182.080
✅	agent_rpm_amd64_fips	N/A	N/A → 168.729 → 174.140
✅	agent_rpm_arm64	N/A	N/A → 159.797 → 163.610
✅	agent_rpm_arm64_fips	N/A	N/A → 152.082 → 156.850
✅	agent_suse_amd64	N/A	N/A → 177.805 → 182.080
✅	agent_suse_amd64_fips	N/A	N/A → 168.729 → 174.140
✅	agent_suse_arm64	N/A	N/A → 159.797 → 163.610
✅	agent_suse_arm64_fips	N/A	N/A → 152.082 → 156.850
✅	docker_agent_amd64	N/A	N/A → 268.248 → 272.990
✅	docker_agent_arm64	N/A	N/A → 255.252 → 261.470
✅	docker_agent_jmx_amd64	N/A	N/A → 336.887 → 341.610
✅	docker_agent_jmx_arm64	N/A	N/A → 319.896 → 326.050
✅	docker_cluster_agent_amd64	N/A	N/A → 72.427 → 73.460
✅	docker_cluster_agent_arm64	N/A	N/A → 67.892 → 68.680
✅	docker_cws_instrumentation_amd64	N/A	N/A → 2.999 → 3.330
✅	docker_cws_instrumentation_arm64	N/A	N/A → 2.729 → 3.090
✅	docker_host_profiler_amd64	N/A	N/A → 110.738 → 125.600
✅	docker_host_profiler_arm64	N/A	N/A → 105.080 → 120.000
✅	docker_dogstatsd_amd64	N/A	N/A → 15.287 → 15.870
✅	docker_dogstatsd_arm64	N/A	N/A → 14.598 → 14.890
✅	dogstatsd_deb_amd64	N/A	N/A → 7.976 → 8.830
✅	dogstatsd_deb_arm64	N/A	N/A → 6.858 → 7.750
✅	dogstatsd_rpm_amd64	N/A	N/A → 7.988 → 8.840
✅	dogstatsd_suse_amd64	N/A	N/A → 7.988 → 8.840
✅	iot_agent_deb_amd64	N/A	N/A → 11.703 → 13.210
✅	iot_agent_deb_arm64	N/A	N/A → 9.998 → 11.620
✅	iot_agent_deb_armhf	N/A	N/A → 10.209 → 11.780
✅	iot_agent_rpm_amd64	N/A	N/A → 11.717 → 13.230
✅	iot_agent_suse_amd64	N/A	N/A → 11.717 → 13.230

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7aead3faa3

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Keep Heroku license deps aligned with shipped curl stack

Removing curl/nghttp2 from //packages/install_dir:all_deps breaks license collection for Heroku builds: omnibus/config/software/datadog-agent-finalize.rb uses //packages/install_dir:install plus //packages/agent/heroku:license_files_install, and packages/agent/heroku/BUILD.bazel currently defines all_deps as empty, so there is no alternate path that re-adds those licenses. At the same time, Heroku still ships curl transitively via //packages/agent/dependencies:_collected_libs, so this creates a package-content vs license-manifest mismatch.

Useful? React with 👍 / 👎.

[aiuto]

This seems a real problem. -1.15 MiB drop in size.

[chouquette]

This is now fixed (partly by fixing the installed packages from bazel, partly by fixing a stale cache issue - #50161)

[chouquette]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-05-11 14:33:48 UTC ℹ️ Start processing command /merge

---

2026-05-11 14:33:54 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 1h (p90).

---

2026-05-11 15:37:40 UTC ℹ️ MergeQueue: The merge request ahead of this one was cancelled, retrying soon

---

2026-05-11 16:31:09 UTC ℹ️ MergeQueue: This merge request was merged