From ff73b6cbecad48b89b18ccb984afe5e7c81f73ca Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Mon, 23 Mar 2026 13:44:22 -0400 Subject: [PATCH 1/4] Use ossrh-staging-api releases for Maven Central credential check --- .gitlab-ci.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 49cbfcd3ff9..0754d80de4f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -229,11 +229,14 @@ maven-central-pre-release-check: - | MAVEN_CENTRAL_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_username --with-decryption --query "Parameter.Value" --out text) MAVEN_CENTRAL_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_password --with-decryption --query "Parameter.Value" --out text) - # See https://central.sonatype.org/publish/publish-portal-api/ - # 15e0cbbb-deff-421e-9e02-296a24d0cada is deployment, any deployment id listed in central work, the idea is to check whether the token can authenticate - curl --request POST --include --fail https://central.sonatype.com/api/v1/publisher/status?id=15e0cbbb-deff-421e-9e02-296a24d0cada --header "Authorization: Bearer $(printf "$MAVEN_CENTRAL_USERNAME:$MAVEN_CENTRAL_PASSWORD" | base64)" - if [ $? -ne 0 ]; then - echo "Failed to authenticate against central. Check credentials, see https://datadoghq.atlassian.net/wiki/x/Oog5OgE" + # See https://central.sonatype.org/publish/publish-portal-ossrh-staging-api/ + # Use the staging API search endpoint to validate the tokens without relying on a specific deployment + AUTHORIZATION_HEADER="Authorization: Bearer $(printf '%s:%s' "$MAVEN_CENTRAL_USERNAME" "$MAVEN_CENTRAL_PASSWORD" | base64)" + if ! curl --silent --show-error --fail \ + "https://ossrh-staging-api.central.sonatype.com/manual/search/repositories?ip=any" \ + --header "$AUTHORIZATION_HEADER" \ + > /dev/null; then + echo "Failed to authenticate tokens against maven central staging API. Check credentials and see https://datadoghq.atlassian.net/wiki/x/Oog5OgE" exit 1 fi From 62773f94db32814ac262891e75cddf80609c8b27 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Mon, 23 Mar 2026 13:47:05 -0400 Subject: [PATCH 2/4] Temporarily comment out job rules for testing --- .gitlab-ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0754d80de4f..9ddc421fe81 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -221,10 +221,10 @@ default: maven-central-pre-release-check: image: ${BUILDER_IMAGE_REPO}:${BUILDER_IMAGE_VERSION_PREFIX}base stage: .pre - rules: - - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' - when: on_success - allow_failure: false + # rules: + # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' + # when: on_success + # allow_failure: false script: - | MAVEN_CENTRAL_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_username --with-decryption --query "Parameter.Value" --out text) From eaaab346669832f7fac05d0c7fdf301b74e8b398 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Mon, 23 Mar 2026 13:54:49 -0400 Subject: [PATCH 3/4] Use bad credentials and except failure --- .gitlab-ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9ddc421fe81..bdcbb72e6cc 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -227,7 +227,8 @@ maven-central-pre-release-check: # allow_failure: false script: - | - MAVEN_CENTRAL_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_username --with-decryption --query "Parameter.Value" --out text) + MAVEN_CENTRAL_USERNAME="invalid" + # MAVEN_CENTRAL_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_username --with-decryption --query "Parameter.Value" --out text) MAVEN_CENTRAL_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_password --with-decryption --query "Parameter.Value" --out text) # See https://central.sonatype.org/publish/publish-portal-ossrh-staging-api/ # Use the staging API search endpoint to validate the tokens without relying on a specific deployment From 42972f00ee620236ec140f75514c67f8ff66ee2f Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Mon, 23 Mar 2026 13:58:16 -0400 Subject: [PATCH 4/4] Revert testing changes --- .gitlab-ci.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index bdcbb72e6cc..fe7ddfda3aa 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -221,14 +221,16 @@ default: maven-central-pre-release-check: image: ${BUILDER_IMAGE_REPO}:${BUILDER_IMAGE_VERSION_PREFIX}base stage: .pre - # rules: - # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' - # when: on_success - # allow_failure: false + rules: + - if: '$CI_COMMIT_BRANCH == "master"' + when: on_success + allow_failure: false + - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' + when: on_success + allow_failure: false script: - | - MAVEN_CENTRAL_USERNAME="invalid" - # MAVEN_CENTRAL_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_username --with-decryption --query "Parameter.Value" --out text) + MAVEN_CENTRAL_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_username --with-decryption --query "Parameter.Value" --out text) MAVEN_CENTRAL_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_password --with-decryption --query "Parameter.Value" --out text) # See https://central.sonatype.org/publish/publish-portal-ossrh-staging-api/ # Use the staging API search endpoint to validate the tokens without relying on a specific deployment