From 7ae2a667a0b968e16367fee4123a3796f9fa911d Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 16 Jul 2025 16:03:47 -0400 Subject: [PATCH 01/22] Add octo-sts policy
--- .github/chainguard/dd-trace-java.release.sts.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/chainguard/dd-trace-java.release.sts.yaml
diff --git a/.github/chainguard/dd-trace-java.release.sts.yaml b/.github/chainguard/dd-trace-java.release.sts.yaml new file mode 100644
index 00000000000..a0f33f91054
--- /dev/null
+++ b/.github/chainguard/dd-trace-java.release.sts.yaml
@@ -0,0 +1,14 @@
+issuer: https://gitlab.ddbuild.io
+
+subject: repo:DataDog/dd-trace-java:ref:refs/heads/* ?????
+
+claim_pattern:
+ project_path: "DataDog/dd-trace-rb"
+ ref: "master"
+ ref_type: "branch"
+ ref_path: "refs/heads/master"
+
+permissions:
+ contents:
+ - read
+ - write
From 3feedd7254031b0c82602572543770dbb1196a6f Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 16 Jul 2025 16:08:45 -0400 Subject: [PATCH 02/22] Add workflow and debugging
--- .gitlab-ci.yml | 48 +++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 41 insertions(+), 7 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7368f16e3ac..e24b5f19232 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -800,6 +800,35 @@ deploy_to_maven_central: - 'workspace/dd-trace-api/build/libs/*.jar' - 'workspace/dd-trace-ot/build/libs/*.jar' +get_github_token: + stage: publish + image: registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1 + tags: [ "arch:amd64" ] + + id_tokens: + DDOCTOSTS_ID_TOKEN: + aud: dd-octo-sts + + rules: + - if: '$POPULATE_CACHE' + when: never + - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' + when: on_success + + script: + - dd-octo-sts version + - dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release + - dd-octo-sts token --scope DataDog/dd-trace-java --policy dd-trace-java.release > github-token.txt + # DEBUG + - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") + - echo "Token file size:" $(wc -c < github-token.txt) "bytes" + - echo "Token preview:" $(head -c 10 github-token.txt)... + + artifacts: + paths: + - github-token.txt + expire_in: 1 hour # tokens generated by dd-octo-sts only last for 1 hour + deploy_artifacts_to_github: stage: publish image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0 
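Review bot: The token minted by `get_github_token` is written to `github-token.txt` and published as a job artifact, and `echo "Token preview:" $(head -c 10 github-token.txt)...` prints its first ten bytes into the job log; both expose a `contents` write credential to anyone who can download this project's artifacts or read its logs, and the artifact is retained for the full `expire_in: 1 hour` rather than the seconds `gh auth login` needs it. Minting the token in the same job that runs `gh`, as the later "Rework gitlab-ci workflow" hunk on this page does, removes the artifact; the size/preview echoes should go too (the preview is re-added there and only dropped in "Edit gitlab-ci.yml file"). If a sanity check is wanted, `test -s github-token.txt` fails the job without printing any of the token. `deploy_artifacts_to_github` continues past the end of this hunk.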
@@ -814,16 +843,21 @@ deploy_artifacts_to_github: - job: deploy_to_maven_central # The deploy_to_maven_central job is not run for release candidate versions optional: true + - job: get_github_token + script: - - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt + # - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt + # Debug token reception + - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") + - echo "Token file size:" $(wc -c < github-token.txt) "bytes" - gh auth login --with-token < github-token.txt - gh auth status # Maybe helpful to have this output in logs? - - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version - - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames - - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar - - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar - - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar - - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar + # - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version + # - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames + # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar + # - gh release upload --clobber 
--repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar + # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar + # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar retry: max: 2 when: always From 59d79267bad02d06c421cb5400bae3341c03fb97 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 16 Jul 2025 16:11:18 -0400 Subject: [PATCH 03/22] Fix policy --- .github/chainguard/dd-trace-java.release.sts.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/chainguard/dd-trace-java.release.sts.yaml b/.github/chainguard/dd-trace-java.release.sts.yaml index a0f33f91054..eba7c24fed9 100644 --- a/.github/chainguard/dd-trace-java.release.sts.yaml +++ b/.github/chainguard/dd-trace-java.release.sts.yaml @@ -1,14 +1,12 @@ issuer: https://gitlab.ddbuild.io -subject: repo:DataDog/dd-trace-java:ref:refs/heads/* ????? +subject: repo:DataDog/dd-trace-java:ref:refs/heads/master claim_pattern: - project_path: "DataDog/dd-trace-rb" + project_path: "DataDog/dd-trace-java" ref: "master" ref_type: "branch" ref_path: "refs/heads/master" permissions: - contents: - - read - - write + contents: "read,write" From 1bb367d772873854416fba80d9b0ec8f166142fa Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 16 Jul 2025 16:24:02 -0400 Subject: [PATCH 04/22] Run jobs in CI for now --- .gitlab-ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e24b5f19232..397e96662c1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -812,8 +812,8 @@ get_github_token: rules: - if: '$POPULATE_CACHE' when: never - - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' - when: on_success + # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' + # when: on_success script: - dd-octo-sts version 
@@ -835,8 +835,8 @@ deploy_artifacts_to_github: rules: - if: '$POPULATE_CACHE' when: never - - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' - when: on_success + # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' + # when: on_success # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) # This will deploy the artifacts built from the publishToSonatype task to the GitHub release needs: From cbb15f93d644fd2eebd42e6ac69463103f66a510 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 16 Jul 2025 16:26:35 -0400 Subject: [PATCH 05/22] Allow manual trigger for job --- .gitlab-ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 397e96662c1..88e80080c7f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -814,6 +814,8 @@ get_github_token: when: never # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' # when: on_success + - when: manual + allow_failure: true script: - dd-octo-sts version @@ -837,6 +839,8 @@ deploy_artifacts_to_github: when: never # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' # when: on_success + - when: manual + allow_failure: true # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) # This will deploy the artifacts built from the publishToSonatype task to the GitHub release needs: From 060246b5b240fdd6d1e15ea430a91582589a5572 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 16 Jul 2025 16:43:45 -0400 Subject: [PATCH 06/22] No dependencies for github token retrieval --- .gitlab-ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 88e80080c7f..b09ee68f8dd 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -804,6 +804,7 @@ get_github_token: stage: publish image: registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1 tags: [ "arch:amd64" ] + needs: [] # DEBUG: No dependencies - can run immediately id_tokens: DDOCTOSTS_ID_TOKEN: @@ -814,7 +815,7 @@ get_github_token: when: never # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' # when: on_success - - when: manual + - when: manual # DEBUG: Allow manual trigger allow_failure: true script: @@ -839,7 +840,7 @@ deploy_artifacts_to_github: when: never # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' # when: on_success - - when: manual + - when: manual # DEBUG: Allow manual trigger allow_failure: true # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) # This will deploy the artifacts built from the publishToSonatype task to the GitHub release From f075b0f2fa4e18cc79b7e796e81704549b63fd75 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 16 Jul 2025 18:52:44 -0400 Subject: [PATCH 07/22] Allow policy for all branches for now --- .github/chainguard/dd-trace-java.release.sts.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/chainguard/dd-trace-java.release.sts.yaml b/.github/chainguard/dd-trace-java.release.sts.yaml index eba7c24fed9..46f6459e518 100644 --- a/.github/chainguard/dd-trace-java.release.sts.yaml +++ b/.github/chainguard/dd-trace-java.release.sts.yaml @@ -1,12 +1,12 @@ issuer: https://gitlab.ddbuild.io -subject: repo:DataDog/dd-trace-java:ref:refs/heads/master +subject: repo:DataDog/dd-trace-java:ref:refs/heads/* claim_pattern: project_path: "DataDog/dd-trace-java" - ref: "master" - ref_type: "branch" - ref_path: "refs/heads/master" + # ref: "master" + # ref_type: "branch" + # ref_path: "refs/heads/master" permissions: contents: "read,write" From 3070e931d7fecb649b14bae9f280d7f516baf9ec Mon Sep 17 00:00:00 2001 
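Review bot: Widening `subject` to `repo:DataDog/dd-trace-java:ref:refs/heads/*` and commenting out the `ref`/`ref_type`/`ref_path` claim constraints lets a pipeline on any branch of the project mint a token with `contents: "read,write"` on the GitHub repo, which is far broader than the single release job that consumes it needs. If this is a temporary debugging state it should not be merged as-is; I believe octo-sts evaluates the policy from the repository's default branch, so the widening would only take effect on merge and would then apply to every branch. The tag-scoped form restored in "Update policy to work on tags" is the one to keep, and splitting the policy into its own PR ("Move trust policy to a separate PR") is the right place to review it in isolation.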
From: Sarah Chen Date: Wed, 16 Jul 2025 18:57:05 -0400 Subject: [PATCH 08/22] Comment out debug call --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b09ee68f8dd..80f661a5ac4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -820,7 +820,7 @@ get_github_token: script: - dd-octo-sts version - - dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release + # - dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release - dd-octo-sts token --scope DataDog/dd-trace-java --policy dd-trace-java.release > github-token.txt # DEBUG - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") From 05e4c8e4b4be2fd7e2d5d0b21cfd6a0cca348ff5 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 16 Jul 2025 19:03:31 -0400 Subject: [PATCH 09/22] Clean --- .gitlab-ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 80f661a5ac4..ae37db58de9 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -804,7 +804,7 @@ get_github_token: stage: publish image: registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1 tags: [ "arch:amd64" ] - needs: [] # DEBUG: No dependencies - can run immediately + needs: [] # DEBUG: Enforce no dependencies to run immediately id_tokens: DDOCTOSTS_ID_TOKEN: @@ -820,9 +820,9 @@ get_github_token: script: - dd-octo-sts version - # - dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release + - dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release - dd-octo-sts token --scope DataDog/dd-trace-java --policy dd-trace-java.release > github-token.txt - # DEBUG + # DEBUG: Check token file - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") - echo "Token file size:" $(wc -c < github-token.txt) "bytes" - echo "Token preview:" $(head -c 10 github-token.txt)... 
@@ -851,10 +851,10 @@ deploy_artifacts_to_github: - job: get_github_token script: - # - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt - # Debug token reception + # DEBUG: Check token file - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") - echo "Token file size:" $(wc -c < github-token.txt) "bytes" + - gh auth login --with-token < github-token.txt - gh auth status # Maybe helpful to have this output in logs? # - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version From fa8f21c2870e9d6fbe77c54601ecce971b42181f Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Wed, 16 Jul 2025 19:34:32 -0400 Subject: [PATCH 10/22] Adjust policy --- .github/chainguard/dd-trace-java.release.sts.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/chainguard/dd-trace-java.release.sts.yaml b/.github/chainguard/dd-trace-java.release.sts.yaml index 46f6459e518..fb95b062b2b 100644 --- a/.github/chainguard/dd-trace-java.release.sts.yaml +++ b/.github/chainguard/dd-trace-java.release.sts.yaml @@ -1,12 +1,12 @@ issuer: https://gitlab.ddbuild.io -subject: repo:DataDog/dd-trace-java:ref:refs/heads/* +# DEBUG: ref should be "master" +subject: "project_path:DataDog/apm-reliability/dd-trace-java:ref_type:branch:ref:sarahchen6/use-octo-sts" claim_pattern: - project_path: "DataDog/dd-trace-java" + project_path: "DataDog/apm-reliability/dd-trace-java" + ref_type: "branch" # ref: "master" - # ref_type: "branch" - # ref_path: "refs/heads/master" permissions: contents: "read,write" From 79cce5af3dd89605d21206926fa783ef877bf849 Mon Sep 17 00:00:00 2001 
From: Sarah Chen Date: Thu, 17 Jul 2025 09:26:31 -0400 Subject: [PATCH 11/22] Update policy contents Co-authored-by: Christoph Hamsen <37963496+xopham@users.noreply.github.com>
--- .github/chainguard/dd-trace-java.release.sts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/chainguard/dd-trace-java.release.sts.yaml b/.github/chainguard/dd-trace-java.release.sts.yaml
index fb95b062b2b..1ba967b9389 100644
--- a/.github/chainguard/dd-trace-java.release.sts.yaml
+++ b/.github/chainguard/dd-trace-java.release.sts.yaml
@@ -9,4 +9,4 @@ claim_pattern:
 # ref: "master"
 permissions:
- contents: "read,write"
+ contents: "write"
From 61872d89b1d1a21aec503c9017c9a49211266882 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 17 Jul 2025 09:26:47 -0400 Subject: [PATCH 12/22] Update policy to work on tags Co-authored-by: Christoph Hamsen <37963496+xopham@users.noreply.github.com>
--- .github/chainguard/dd-trace-java.release.sts.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/chainguard/dd-trace-java.release.sts.yaml b/.github/chainguard/dd-trace-java.release.sts.yaml
index 1ba967b9389..74ee1b28899 100644
--- a/.github/chainguard/dd-trace-java.release.sts.yaml
+++ b/.github/chainguard/dd-trace-java.release.sts.yaml
@@ -1,12 +1,11 @@
 issuer: https://gitlab.ddbuild.io
-# DEBUG: ref should be "master"
-subject: "project_path:DataDog/apm-reliability/dd-trace-java:ref_type:branch:ref:sarahchen6/use-octo-sts"
+subject_pattern: "project_path:DataDog/apm-reliability/dd-trace-java:ref_type:tag:ref:v.*"
 claim_pattern:
 project_path: "DataDog/apm-reliability/dd-trace-java"
- ref_type: "branch"
- # ref: "master"
+ ref_type: "tag"
+ ref: "v.*"
 permissions:
 contents: "write"
From cd8653a087c9000142e7a9184327b4f4494aca6e Mon Sep 17 00:00:00 2001
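Review bot: `ref: "v.*"` and the matching `ref:v.*` suffix in `subject_pattern` accept any tag that starts with `v` — `v1.2.3-rc1`, `v2`, `vtest` — whereas the `deploy_artifacts_to_github` rule elsewhere on this page only fires on `^v[0-9]+\.[0-9]+\.[0-9]+$`, so anyone able to push a `v`-prefixed tag to the GitLab project can obtain a `contents: "write"` token for the GitHub repo without any release being produced. Aligning the policy with the job rule, e.g. `ref: 'v[0-9]+\.[0-9]+\.[0-9]+'` and the same expression in `subject_pattern`, keeps the grant as narrow as the workflow that uses it. Whether octo-sts anchors `subject_pattern` at both ends should be confirmed in its documentation before relying on the pattern to exclude anything.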
From: Sarah Chen Date: Thu, 17 Jul 2025 10:23:00 -0400 Subject: [PATCH 13/22] Rework gitlab-ci workflow --- .gitlab-ci.yml | 57 +++++++++++++++++++++----------------------------- 1 file changed, 24 insertions(+), 33 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ae37db58de9..affcfccbcac 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -800,12 +800,14 @@ deploy_to_maven_central: - 'workspace/dd-trace-api/build/libs/*.jar' - 'workspace/dd-trace-ot/build/libs/*.jar' -get_github_token: +deploy_artifacts_to_github: stage: publish - image: registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1 - tags: [ "arch:amd64" ] + image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0 + tags: [ "docker-in-docker:amd64" ] needs: [] # DEBUG: Enforce no dependencies to run immediately - + services: + - docker:dind + id_tokens: DDOCTOSTS_ID_TOKEN: aud: dd-octo-sts 
@@ -817,43 +819,28 @@ get_github_token: # when: on_success - when: manual # DEBUG: Allow manual trigger allow_failure: true - - script: - - dd-octo-sts version - - dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release - - dd-octo-sts token --scope DataDog/dd-trace-java --policy dd-trace-java.release > github-token.txt - # DEBUG: Check token file - - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") - - echo "Token file size:" $(wc -c < github-token.txt) "bytes" - - echo "Token preview:" $(head -c 10 github-token.txt)... - - artifacts: - paths: - - github-token.txt - expire_in: 1 hour # tokens generated by dd-octo-sts only last for 1 hour - -deploy_artifacts_to_github: - stage: publish - image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0 - rules: - - if: '$POPULATE_CACHE' - when: never - # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' - # when: on_success - - when: manual # DEBUG: Allow manual trigger - allow_failure: true - # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) - # This will deploy the artifacts built from the publishToSonatype task to the GitHub release + needs: - job: deploy_to_maven_central # The deploy_to_maven_central job is not run for release candidate versions optional: true - - job: get_github_token script: - # DEBUG: Check token file + # Get GitHub token using dd-octo-sts in a container + - docker run --rm + -e DDOCTOSTS_ID_TOKEN + -v $(pwd):/workspace + registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1 + sh -c " + dd-octo-sts version && + dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release && + dd-octo-sts token --scope DataDog/dd-trace-java --policy dd-trace-java.release > /workspace/github-token.txt + " + + # Verify token was generated - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") - echo "Token file size:" $(wc -c < 
github-token.txt) "bytes" + - echo "Token preview:" $(head -c 10 github-token.txt)... - gh auth login --with-token < github-token.txt - gh auth status # Maybe helpful to have this output in logs? @@ -863,6 +850,10 @@ deploy_artifacts_to_github: # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar + + # Clean up token file + - rm -f github-token.txt + retry: max: 2 when: always From 83e2792a184a7147e7b54cdf1869f3f0caa98119 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 17 Jul 2025 14:18:30 -0400 Subject: [PATCH 14/22] Name change and fix needs block --- ...elease.sts.yaml => self.gitlab.release.sts.yaml} | 0 .gitlab-ci.yml | 13 ++++++------- 2 files changed, 6 insertions(+), 7 deletions(-) rename .github/chainguard/{dd-trace-java.release.sts.yaml => self.gitlab.release.sts.yaml} (100%) diff --git a/.github/chainguard/dd-trace-java.release.sts.yaml b/.github/chainguard/self.gitlab.release.sts.yaml similarity index 100% rename from .github/chainguard/dd-trace-java.release.sts.yaml rename to .github/chainguard/self.gitlab.release.sts.yaml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index affcfccbcac..1bd64c0d10e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -804,7 +804,6 @@ deploy_artifacts_to_github: stage: publish image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0 tags: [ "docker-in-docker:amd64" ] - needs: [] # DEBUG: Enforce no dependencies to run immediately services: - docker:dind 
@@ -820,10 +819,10 @@ deploy_artifacts_to_github: - when: manual # DEBUG: Allow manual trigger allow_failure: true - needs: - - job: deploy_to_maven_central - # The deploy_to_maven_central job is not run for release candidate versions - optional: true + needs: [] # DEBUG: Enforce no dependencies to run immediately +# - job: deploy_to_maven_central +# # The deploy_to_maven_central job is not run for release candidate versions +# optional: true script: # Get GitHub token using dd-octo-sts in a container @@ -833,8 +832,8 @@ deploy_artifacts_to_github: registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1 sh -c " dd-octo-sts version && - dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release && - dd-octo-sts token --scope DataDog/dd-trace-java --policy dd-trace-java.release > /workspace/github-token.txt + dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release && + dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > /workspace/github-token.txt " # Verify token was generated From 6c8d6869394c4918e1feb1cd297d712056692446 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 17 Jul 2025 14:51:06 -0400 Subject: [PATCH 15/22] Rework workflow again --- .gitlab-ci.yml | 28 +++++++++++----------------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1bd64c0d10e..47a2a5a4150 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -802,10 +802,8 @@ deploy_to_maven_central: deploy_artifacts_to_github: stage: publish - image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0 - tags: [ "docker-in-docker:amd64" ] - services: - - docker:dind + image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1 + tags: [ "arch:amd64" ] id_tokens: DDOCTOSTS_ID_TOKEN: 
@@ -824,18 +822,13 @@ deploy_artifacts_to_github: # # The deploy_to_maven_central job is not run for release candidate versions # optional: true - script: - # Get GitHub token using dd-octo-sts in a container - - docker run --rm - -e DDOCTOSTS_ID_TOKEN - -v $(pwd):/workspace - registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1 - sh -c " - dd-octo-sts version && - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release && - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > /workspace/github-token.txt - " + before_script: + # Get a token + - dd-octo-sts version + - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release + - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > github-token.txt + script: # Verify token was generated - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") - echo "Token file size:" $(wc -c < github-token.txt) "bytes" @@ -850,8 +843,9 @@ deploy_artifacts_to_github: # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar - # Clean up token file - - rm -f github-token.txt + after_script: + # Revoke the token after usage + - dd-octo-sts revoke -t $(cat github-token.txt) retry: max: 2 From e726ef02742f0a2b8495d2a2a07a113c893040cd Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 17 Jul 2025 15:00:11 -0400 Subject: [PATCH 16/22] Try original retrieval --- .gitlab-ci.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 47a2a5a4150..e361cf35597 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
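Review bot: `dd-octo-sts revoke -t $(cat github-token.txt)` in the new `after_script` runs unconditionally, but GitLab runs `after_script` regardless of job status — including when `before_script` fails before `github-token.txt` is written, or on a `retry: when: always` re-run — so `cat` errors and `revoke` is invoked with an empty argument; `test -f github-token.txt && dd-octo-sts revoke -t "$(cat github-token.txt)"; rm -f github-token.txt` makes the cleanup deterministic and restores the file removal this hunk drops together with `rm -f github-token.txt`. The same `after_script` is re-enabled in "Edit gitlab-ci.yml file" and kept in "Clean", where the token file is still left in the workspace. Separately, the first hunk of this file moves the job from the build-pinned `dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1` to the looser `dd-octo-sts-ci-base:2025.06-1` and drops the `github-cli` image, which loosens the pin on the image that handles both the OIDC and the GitHub token and assumes `gh` is shipped in dd-octo-sts-ci-base — worth confirming, since `gh auth login` is used later in the job outside this hunk.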
@@ -826,9 +826,10 @@ deploy_artifacts_to_github: # Get a token - dd-octo-sts version - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release - - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > github-token.txt +# - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > github-token.txt script: + - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt # Verify token was generated - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") - echo "Token file size:" $(wc -c < github-token.txt) "bytes" @@ -843,9 +844,9 @@ deploy_artifacts_to_github: # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar - after_script: - # Revoke the token after usage - - dd-octo-sts revoke -t $(cat github-token.txt) +# after_script: +# # Revoke the token after usage +# - dd-octo-sts revoke -t $(cat github-token.txt) retry: max: 2 From 4c17c509216f1fd0a6559aa7482696f103b4c496 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 17 Jul 2025 15:44:22 -0400 Subject: [PATCH 17/22] Edit gitlab-ci.yml file --- .gitlab-ci.yml | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e361cf35597..d266a8c435f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -812,12 +812,14 @@ deploy_artifacts_to_github: rules: - if: '$POPULATE_CACHE' when: never - # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' - # when: on_success +# - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' +# when: on_success - when: manual # DEBUG: Allow manual trigger allow_failure: true - - needs: [] # DEBUG: Enforce no dependencies to run immediately + + # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) + # This will deploy the artifacts built from the publishToSonatype task to the GitHub release + needs: [] # DEBUG: Enforce no dependencies for now to run immediately # - job: deploy_to_maven_central # # The deploy_to_maven_central job is not run for release candidate versions # optional: true @@ -825,16 +827,10 @@ deploy_artifacts_to_github: before_script: # Get a token - dd-octo-sts version - - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release -# - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > github-token.txt + - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release # Uncomment to debug the token + - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > github-token.txt script: - - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt - # Verify token was generated - - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO") - - echo "Token file size:" $(wc -c < github-token.txt) "bytes" - - echo "Token preview:" $(head -c 10 github-token.txt)... - - gh auth login --with-token < github-token.txt - gh auth status # Maybe helpful to have this output in logs? # - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version 
@@ -844,9 +840,9 @@ deploy_artifacts_to_github: # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar -# after_script: -# # Revoke the token after usage -# - dd-octo-sts revoke -t $(cat github-token.txt) + after_script: + # Revoke the token after usage + - dd-octo-sts revoke -t $(cat github-token.txt) retry: max: 2 From da7cace50f591d96ac57d446dd289409377602aa Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 17 Jul 2025 17:05:46 -0400 Subject: [PATCH 18/22] Clean --- .gitlab-ci.yml | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d266a8c435f..a8cd6e73d23 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -812,17 +812,15 @@ deploy_artifacts_to_github: rules: - if: '$POPULATE_CACHE' when: never -# - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' -# when: on_success - - when: manual # DEBUG: Allow manual trigger - allow_failure: true + - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' + when: on_success # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) # This will deploy the artifacts built from the publishToSonatype task to the GitHub release - needs: [] # DEBUG: Enforce no dependencies for now to run immediately -# - job: deploy_to_maven_central -# # The deploy_to_maven_central job is not run for release candidate versions -# optional: true + needs: + - job: deploy_to_maven_central + # The deploy_to_maven_central job is not run for release candidate versions + optional: true before_script: # Get a token 
@@ -833,12 +831,12 @@ deploy_artifacts_to_github: script: - gh auth login --with-token < github-token.txt - gh auth status # Maybe helpful to have this output in logs? - # - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version - # - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames - # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar - # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar - # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar - # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar + - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version + - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar after_script: # Revoke the token after usage From 8bb3b8ad54b422311265ce11ac9604e035d6bcf0 Mon Sep 17 00:00:00 2001 
From: Sarah Chen Date: Thu, 17 Jul 2025 17:14:19 -0400 Subject: [PATCH 19/22] Remove comment
--- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a8cd6e73d23..3076987a9de 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -825,7 +825,7 @@ deploy_artifacts_to_github:
 before_script:
 # Get a token
 - dd-octo-sts version
- - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release # Uncomment to debug the token
+ - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release
 - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > github-token.txt
 script:
From 3fb4ab97fe688b1dc661dece3b7587449a76911d Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Mon, 21 Jul 2025 13:13:26 -0400 Subject: [PATCH 20/22] Move trust policy to a separate PR
--- .github/chainguard/self.gitlab.release.sts.yaml | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 .github/chainguard/self.gitlab.release.sts.yaml
diff --git a/.github/chainguard/self.gitlab.release.sts.yaml b/.github/chainguard/self.gitlab.release.sts.yaml deleted file mode 100644
index 74ee1b28899..00000000000
--- a/.github/chainguard/self.gitlab.release.sts.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-issuer: https://gitlab.ddbuild.io
-
-subject_pattern: "project_path:DataDog/apm-reliability/dd-trace-java:ref_type:tag:ref:v.*"
-
-claim_pattern:
- project_path: "DataDog/apm-reliability/dd-trace-java"
- ref_type: "tag"
- ref: "v.*"
-
-permissions:
- contents: "write"
From 7a9e08af9fb03913d46bf19f43901e81a0512407 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Mon, 21 Jul 2025 13:40:14 -0400 Subject: [PATCH 21/22] Add aws ssm fallback
--- .gitlab-ci.yml | 41 +++++++++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 10 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3076987a9de..0860d55ca79 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -191,6 +191,7 @@ default: after_script: - *cgroup_info +# TODO: Add a pre-release check to see if the dd-octo-sts token is working. # Checks and fail early if central credentials are incorrect, indeed, when a new token is generated # on the central publisher protal, it invalidates the old one. This checks prevents going further. # See https://datadoghq.atlassian.net/wiki/x/Oog5OgE 
@@ -828,19 +829,39 @@ deploy_artifacts_to_github: - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > github-token.txt +# TODO: This is a temporary solution to test the dd-octo-sts token during the release process. We should remove the AWS SSM token retrieval method once the dd-octo-sts token is provably working. script: - - gh auth login --with-token < github-token.txt - - gh auth status # Maybe helpful to have this output in logs? - - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version - - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames - - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar - - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar - - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar - - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar + - | + deploy_to_github() { + gh auth login --with-token < github-token.txt + gh auth status + export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get the version + cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # upload two filenames + gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar + gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar + gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG 
workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar + gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar + } + + # Try using the dd-octo-sts token first. If it fails, then fall back to the AWS SSM token. + # Also track which token was used successfully. + if ! deploy_to_github; then + echo "Using dd-octo-sts token failed. Now proceeding with the original AWS SSM token retrieval method..." + echo "USED_DD_OCTO_STS_TOKEN=false" > github_token_source.env + aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt + deploy_to_github + else + echo "Using dd-octo-sts token succeeded. Github release artifacts were uploaded successfully." + echo "USED_DD_OCTO_STS_TOKEN=true" > github_token_source.env + fi after_script: - # Revoke the token after usage - - dd-octo-sts revoke -t $(cat github-token.txt) + # Only revoke the dd-octo-sts token if it was successfully used + - source github_token_source.env + - | + if [ "$USED_DD_OCTO_STS_TOKEN" = "true" ]; then + dd-octo-sts revoke -t $(cat github-token.txt) + fi retry: max: 2 From 6d7ceddd30c3cba2c756ca87a42f0859340690b3 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 22 Jul 2025 11:33:59 -0400 Subject: [PATCH 22/22] Split deployment to two jobs: new dd-octo-sts method and old aws method that is manually triggered --- .gitlab-ci.yml | 76 ++++++++++++++++++++++++++------------------------ 1 file changed, 39 insertions(+), 37 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0860d55ca79..beb8cf875e6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
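Review bot: The `if ! deploy_to_github; then` fallback decides on the exit status of the function's last command only: GitLab runs the `- |` block with errexit semantics, but those are suspended inside an `if` condition, so a failed `gh auth login` or `cp` does not stop the function and the credential choice rests on the final `gh release upload` of dd-trace-ot. Conversely, any transient upload error unrelated to the token silently switches the release to the long-lived SSM PAT, records `USED_DD_OCTO_STS_TOKEN=false`, and re-uploads every asset with `--clobber` under a different identity, which defeats the measurement the TODO describes. Decide on the credential by authenticating explicitly (`gh auth login ... && gh auth status`), then run the uploads once, outside the `if`, so an upload failure fails the job instead of triggering a credential swap; the fallback branch should also remove `github-token.txt` in `after_script`, since it then holds the PAT rather than a revocable token. A later patch in this series replaces this block with two separate jobs, and the same concern about the PAT path applies there.
```yaml
    - |
      upload_release_assets() {
        export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get the version
        cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # upload two filenames
        # … unchanged: the four gh release upload lines …
      }

      # Choose the credential by whether the dd-octo-sts token authenticates,
      # not by whether the asset uploads happened to succeed.
      if gh auth login --with-token < github-token.txt && gh auth status; then
        echo "USED_DD_OCTO_STS_TOKEN=true" > github_token_source.env
      else
        echo "Using dd-octo-sts token failed. Falling back to the AWS SSM token..."
        echo "USED_DD_OCTO_STS_TOKEN=false" > github_token_source.env
        aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt
        gh auth login --with-token < github-token.txt
      fi
      upload_release_assets
```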
@@ -805,64 +805,66 @@ deploy_artifacts_to_github: stage: publish image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1 tags: [ "arch:amd64" ] - id_tokens: DDOCTOSTS_ID_TOKEN: aud: dd-octo-sts - rules: - if: '$POPULATE_CACHE' when: never - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' when: on_success - # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) # This will deploy the artifacts built from the publishToSonatype task to the GitHub release needs: - job: deploy_to_maven_central # The deploy_to_maven_central job is not run for release candidate versions optional: true - before_script: - # Get a token + # Get token - dd-octo-sts version - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > github-token.txt - -# TODO: This is a temporary solution to test the dd-octo-sts token during the release process. We should remove the AWS SSM token retrieval method once the dd-octo-sts token is provably working. 
script: - - | - deploy_to_github() { - gh auth login --with-token < github-token.txt - gh auth status - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get the version - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # upload two filenames - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar - } - - # Try using the dd-octo-sts token first. If it fails, then fall back to the AWS SSM token. - # Also track which token was used successfully. - if ! deploy_to_github; then - echo "Using dd-octo-sts token failed. Now proceeding with the original AWS SSM token retrieval method..." - echo "USED_DD_OCTO_STS_TOKEN=false" > github_token_source.env - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt - deploy_to_github - else - echo "Using dd-octo-sts token succeeded. Github release artifacts were uploaded successfully." - echo "USED_DD_OCTO_STS_TOKEN=true" > github_token_source.env - fi - + - gh auth login --with-token < github-token.txt + - gh auth status # Maybe helpful to have this output in logs? 
+ - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version + - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar after_script: - # Only revoke the dd-octo-sts token if it was successfully used - - source github_token_source.env - - | - if [ "$USED_DD_OCTO_STS_TOKEN" = "true" ]; then - dd-octo-sts revoke -t $(cat github-token.txt) - fi + - dd-octo-sts revoke -t $(cat github-token.txt) + retry: + max: 2 + when: always +# This is the original job that uses the AWS SSM token retrieval method. Allow manual triggering in case the dd-octo-sts token is not working. +# TODO: Remove this job once the dd-octo-sts token is provably working. 
+deploy_artifacts_to_github_old: + stage: publish + image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0 + rules: + - if: '$POPULATE_CACHE' + when: never + - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' + when: manual + # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) + # This will deploy the artifacts built from the publishToSonatype task to the GitHub release + needs: + - job: deploy_to_maven_central + # The deploy_to_maven_central job is not run for release candidate versions + optional: true + script: + - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt + - gh auth login --with-token < github-token.txt + - gh auth status # Maybe helpful to have this output in logs? + - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version + - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar retry: max: 2 when: always
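Review bot: `deploy_artifacts_to_github_old` keeps the long-lived PAT path alive as a manual job that, presumably, anyone able to run a release pipeline can start, and it writes that PAT to `github-token.txt` and into gh's credential store with no cleanup, whereas the new job above at least revokes its short-lived token in `after_script`. Until the TODO to remove the job is done, give it an `after_script:` with `- gh auth logout --hostname github.com || true` and `- rm -f github-token.txt`, and consider gating who may trigger it (a protected environment or an explicit pipeline variable) so the STS trust policy cannot be bypassed casually. In the new job, `dd-octo-sts debug` now runs on every release with no comment saying why; confirm it prints only decoded claims and never the ID token or the issued token, or drop it, and note that `dd-octo-sts revoke -t $(cat github-token.txt)` passes the token as a process argument where a shorter-lived file or stdin option would be preferable if the tool offers one. The copied `needs` comment about release-candidate versions is stale for both jobs, since the tag rule `^v[0-9]+\.[0-9]+\.[0-9]+$` never matches an RC tag.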