apply security format refs to template configuration YAMLs

[san-jos]

Summary

• Replaces secret: true with formats: ["secret"] in template YAMLs (http, jmx, tls, pdh_legacy, perf_counters) — the fleet-sync-worker converter now infers secret semantics from the format ref
• Fixes pre-existing broken jmx java_options format key: formats: ["java_jvm_options"] → formats: ["jvm"] (the converter's exception map maps jvm → java_jvm_options.json)
• Adds formats: ["path"] to TLS cert/CA cert fields in http and tls templates
• Adds formats: ["tag"] to tags items in the tags template and kubernetes_state_core spec
• Adds formats: ["url"] to prometheus_url in openmetrics_legacy_base

Test plan

• Run ddev validate config to verify no template regressions
• Verified upstream that all affected fields produce correct schema output with the companion dd-source PR

Sequencing

Depends on [dd-source PR B] merging first.
This PR removes secret: true from template YAMLs; the x-display.secret: true and writeOnly: true in generated schemas are restored by the converter inference added in the dd-source PR.

[dd-octo-sts]

Validation Report

Validation	Description	Status
config	Validate default configuration files against spec.yaml	❌
models	Validate configuration data models match spec.yaml	❌

Run ddev validate all changed --fix to attempt to auto-fix supported validations.

Passed validations (18)

Validation	Description	Status
agent-reqs	Verify check versions match the Agent requirements file	✅
ci	Validate CI configuration and Codecov settings	✅
codeowners	Validate every integration has a CODEOWNERS entry	✅
dep	Verify dependency pins are consistent and Agent-compatible	✅
http	Validate integrations use the HTTP wrapper correctly	✅
imports	Validate check imports do not use deprecated modules	✅
integration-style	Validate check code style conventions	✅
jmx-metrics	Validate JMX metrics definition files and config	✅
labeler	Validate PR labeler config matches integration directories	✅
legacy-signature	Validate no integration uses the legacy Agent check signature	✅
license-headers	Validate Python files have proper license headers	✅
licenses	Validate third-party license attribution list	✅
metadata	Validate metadata.csv metric definitions	✅
openmetrics	Validate OpenMetrics integrations disable the metric limit	✅
package	Validate Python package metadata and naming	✅
readmes	Validate README files have required sections	✅
saved-views	Validate saved view JSON file structure and fields	✅
version	Validate version consistency between package and changelog	✅

View full run

[datadog-datadog-prod-us1-2]

✨ Fix all issues with BitsAI or with Cursor

⚠️ Warnings

🧪 8 Tests failed

    test from test_duplicate_hidden.py     (Fix with Cursor)

    test from test_duplicate_hidden.py     (Fix with Cursor)

test_template_array from test_load.py     (Fix with Cursor)

assert not ['test, test.yaml, instances, password: Attribute \`formats\` contains unknown value(s): secret, valid values are java_jvm_options | path | port | url', 'test, test.yaml, instances, tls_private_key: Attribute \`formats\` contains unknown value(s): secret, valid values are java_jvm_options | path | port | url']
 +  where ['test, test.yaml, instances, password: Attribute \`formats\` contains unknown value(s): secret, valid values are java_jvm_options | path | port | url', 'test, test.yaml, instances, tls_private_key: Attribute \`formats\` contains unknown value(s): secret, valid values are java_jvm_options | path | port | url'] = <datadog_checks.dev.tooling.configuration.core.ConfigSpec object at 0x7efdf5f56850>.errors

View all

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: ce9c886 | Docs | Datadog PR Page | Give us feedback!}