From 24b6fd42d47fd41f1f12781a1bce04346ddbbb86 Mon Sep 17 00:00:00 2001
From: Jamie Tanna <jamie.tanna@mend.io>
Date: Mon, 1 Dec 2025 11:55:57 +0000
Subject: [PATCH] fix(instrumentation): instrument command execution

As part of ongoing work to improve OpenTelemetry instrumentation of
Renovate in #38609, we can introduce an instrumented call for each
external command execution.

This makes sure we cover the two key functions used for command
execution - `exec` and `rawExec`.

Because commands could include sensitive arguments (such as repo or
global secrets) we need to make sure we sanitize the span name.
---
 lib/util/exec/common.ts | 5 ++++-
 tools/utils/exec.ts     | 6 +++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/util/exec/common.ts b/lib/util/exec/common.ts
index 6e1b7b4c369..c21b210eff2 100644
--- a/lib/util/exec/common.ts
+++ b/lib/util/exec/common.ts
@@ -2,7 +2,9 @@ import type { ChildProcess } from 'node:child_process';
 import { spawn } from 'node:child_process';
 import type { Readable } from 'node:stream';
 import { isNullOrUndefined } from '@sindresorhus/is';
+import { instrument } from '../../instrumentation';
 import { getEnv } from '../env';
+import { sanitize } from '../sanitize';
 import type { ExecErrorData } from './exec-error';
 import { ExecError } from './exec-error';
 import type { DataListener, ExecResult, RawExecOptions } from './types';
@@ -169,4 +171,5 @@ function kill(cp: ChildProcess, signal: NodeJS.Signals): boolean {
 export const rawExec: (
   cmd: string,
   opts: RawExecOptions,
-) => Promise<ExecResult> = exec;
+) => Promise<ExecResult> = (cmd: string, opts: RawExecOptions) =>
+  instrument(`rawExec: ${sanitize(cmd)}`, () => exec(cmd, opts));
diff --git a/tools/utils/exec.ts b/tools/utils/exec.ts
index c14a9edc33f..d0a707466d3 100644
--- a/tools/utils/exec.ts
+++ b/tools/utils/exec.ts
@@ -3,6 +3,8 @@ import {
   type SpawnSyncReturns,
   spawnSync,
 } from 'node:child_process';
+import { instrument } from '../../lib/instrumentation';
+import { sanitize } from '../../lib/util/sanitize';
 
 const maxBuffer = 20 * 1024 * 1024;
 
@@ -17,5 +19,7 @@ export function exec(
   opts: SpawnSyncOptions = {},
 ): SpawnSyncReturns<string> {
   // args from shelljs
-  return spawnSync(cmd, args, { ...opts, maxBuffer, encoding: 'utf8' });
+  return instrument(`exec: ${sanitize(cmd)} ${sanitize(args.join(' '))}`, () =>
+    spawnSync(cmd, args, { ...opts, maxBuffer, encoding: 'utf8' }),
+  );
 }