From 805a42e72e9f65f67e2bfd361f8b986362dd5cd1 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Thu, 16 Oct 2025 14:09:44 -0400
Subject: [PATCH 1/3] Add GHA workflow to create a release branch and pin system tests commit sha after minor release
---
.../self.update-system-tests.push.sts.yaml | 12 ++
.../scripts/update_system_test_reference.sh | 52 ++++++++
.github/workflows/create-release-branch.yaml | 115 ++++++++++++++++++
.github/workflows/run-system-tests.yaml | 3 +-
4 files changed, 181 insertions(+), 1 deletion(-)
create mode 100644 .github/chainguard/self.update-system-tests.push.sts.yaml
create mode 100644 .github/scripts/update_system_test_reference.sh
create mode 100644 .github/workflows/create-release-branch.yaml
diff --git a/.github/chainguard/self.update-system-tests.push.sts.yaml b/.github/chainguard/self.update-system-tests.push.sts.yaml
new file mode 100644
index 00000000000..0127556df84
--- /dev/null
+++ b/.github/chainguard/self.update-system-tests.push.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/(heads/master|tags/v[0-9]+.[0-9]+.0)
+
+claim_pattern:
+ event_name: (push|workflow_dispatch)
+ ref: refs/(heads/master|tags/v[0-9]+\.[0-9]+\.0)
+ ref_protected: "true"
+ job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/create-release-branch\.yaml@refs/heads/master
+
+permissions:
+ contents: write
diff --git a/.github/scripts/update_system_test_reference.sh b/.github/scripts/update_system_test_reference.sh
new file mode 100644
index 00000000000..e71c70783d7
--- /dev/null
+++ b/.github/scripts/update_system_test_reference.sh
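Review bot: The `job_workflow_ref` claim pattern only admits `create-release-branch.yaml@refs/heads/master`, but as far as I know a run triggered by a `vX.Y.0` tag push carries the tag ref in that claim (`…create-release-branch.yaml@refs/tags/vX.Y.0`), so the tag-triggered path that the `subject` and `ref` patterns deliberately allow would be refused at token exchange and only `workflow_dispatch` from master would work; if octo-sts does not normalize this claim, mirror the `ref` pattern there, e.g. `job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/create-release-branch\.yaml@refs/(heads/master|tags/v[0-9]+\.[0-9]+\.0)`. Separately, the `subject` pattern leaves the dots unescaped (`v[0-9]+.[0-9]+.0`) while `claim_pattern.ref` escapes them; use `\.` in both so the subject line is not looser than the per-claim check. `ref_protected: "true"` together with `contents: write` scoped to a single repository is the right shape for a policy whose only job is to push a release branch.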
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# This script updates the reference in a YAML file.
+
+# Check if required environment variables are set
+if [ -z "$TARGET" ]; then
+ echo "Error: TARGET environment variable is not set"
+ exit 1
+fi
+
+if [ -z "$REF" ]; then
+ echo "Error: REF environment variable is not set"
+ exit 1
+fi
+
+if [ -z "$PATTERN" ]; then
+ echo "Error: PATTERN environment variable is not set"
+ exit 1
+fi
+
+echo "Target: $TARGET"
+echo "Ref: $REF"
+
+# Remove leading and trailing forward slashes from pattern
+CLEAN_PATTERN=$(echo "$PATTERN" | sed 's/^\///;s/\/$//')
+echo "Pattern: $CLEAN_PATTERN"
+
+# Create a temporary file
+TEMP_FILE=$(mktemp)
+
+# Read the file and perform the substitution
+if [ -f "$TARGET" ]; then
+ # Perform the substitution and save to temporary file
+ # We use perl here because sed's regex support varies across platforms
+ perl -pe "s/$CLEAN_PATTERN/\${1}$REF\${3}/g" "$TARGET" > "$TEMP_FILE"
+
+ # Compare files to check if any changes were made
+ if cmp -s "$TARGET" "$TEMP_FILE"; then
+ echo "No references found in $TARGET"
+ else
+ # Copy the temp file back to the target
+ cp "$TEMP_FILE" "$TARGET"
+ echo "✓ Updated references in $TARGET"
+ fi
+else
+ echo "Error: Target file $TARGET does not exist"
+ rm -f "$TEMP_FILE"
+ exit 1
+fi
+
+# Clean up temporary file
+rm -f "$TEMP_FILE"
diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
new file mode 100644
index 00000000000..9e9bfb4a545
--- /dev/null
+++ b/.github/workflows/create-release-branch.yaml
@@ -0,0 +1,115 @@
+name: Create Release Branch and Pin System-Tests
+
+on:
+ push:
+ tags:
+ - 'v[0-9]+.[0-9]+.0' # Trigger on minor release tags (e.g. v1.54.0)
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: 'The minor release tag (e.g. v1.54.0)'
+ required: true
+ type: string
+
+jobs:
+ create-release-branch:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write # Required for OIDC token federation
+ steps:
+ - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+ id: octo-sts
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.create-release-branch.push
+
+ - name: Determine tag
+ id: determine-tag
+ run: |
+ if [ -n "${{ github.event.inputs.tag }}" ]; then
+ TAG=${{ github.event.inputs.tag }}
+ else
+ TAG=${GITHUB_REF#refs/tags/}
+ fi
+ echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+ echo "Processing release tag: ${TAG}"
+
+ - name: Validate tag format
+ run: |
+ TAG=${{ steps.determine-tag.outputs.tag }}
+ if ! [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.0$ ]]; then
+ echo "Error: Tag $TAG is not a valid minor release tag (expected format: vX.Y.0)"
+ exit 1
+ fi
+ echo "Tag format is valid"
+
+ - name: Define branch name from tag
+ id: define-branch
+ run: |
+ TAG=${{ steps.determine-tag.outputs.tag }}
+ BRANCH=$(echo "$TAG" | sed -E 's/^(v[0-9]+\.[0-9]+)\.0$/release\/\1.x/')
+ echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+ echo "Target branch: ${BRANCH}"
+
+ - name: Checkout dd-trace-java
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+ - name: Check if branch already exists
+ id: check-branch
+ run: |
+ BRANCH=${{ steps.define-branch.outputs.branch }}
+ if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+ echo "exists=true" >> "$GITHUB_OUTPUT"
+ echo "Branch $BRANCH already exists, skipping following steps"
+ else
+ echo "exists=false" >> "$GITHUB_OUTPUT"
+ echo "Branch $BRANCH does not exist, proceeding with following steps"
+ fi
+
+ - name: Checkout system-tests to get 
latest SHA
+ if: steps.check-branch.outputs.exists == 'false'
+ id: system-test-ref
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+ with:
+ repository: "DataDog/system-tests"
+ path: system-tests
+ ref: main
+
+ - name: Update reference 1/2 in run-system-tests.yaml
+ if: steps.check-branch.outputs.exists == 'false'
+ run: .github/scripts/update_system_test_reference.sh
+ env:
+ TARGET: ".github/workflows/run-system-tests.yaml"
+ PATTERN: '(\s*system-tests\.yml@)(\S+)(\s+# system tests.*)'
+ REF: ${{ steps.system-test-ref.outputs.commit }}
+
+ - name: Update reference 2/2 in run-system-tests.yaml
+ if: steps.check-branch.outputs.exists == 'false'
+ run: .github/scripts/update_system_test_reference.sh
+ env:
+ TARGET: ".github/workflows/run-system-tests.yaml"
+ PATTERN: '(\s*ref: )(\S+)(\s+# system tests.*)'
+ REF: ${{ steps.system-test-ref.outputs.commit }}
+
+ - name: Commit changes
+ if: steps.check-branch.outputs.exists == 'false'
+ id: create-commit
+ run: |
+ BRANCH=${{ steps.define-branch.outputs.branch }}
+ SHA=${{ steps.system-test-ref.outputs.commit }}
+
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
+ echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+
+ - name: Push changes
+ if: steps.check-branch.outputs.exists == 'false'
+ uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
+ with:
+ token: "${{ steps.octo-sts.outputs.token }}"
+ branch: "${{ steps.define-branch.outputs.branch }}"
+ branch-from: "${{ github.sha }}"
+ command: push
+ commits: "${{ steps.create-commit.outputs.commit }}"
diff --git a/.github/workflows/run-system-tests.yaml b/.github/workflows/run-system-tests.yaml
index 01bf54dfa98..16b869b9090 100644
--- a/.github/workflows/run-system-tests.yaml
+++ b/.github/workflows/run-system-tests.yaml
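Review bot: In the `Determine tag` step, `TAG=${{ github.event.inputs.tag }}` (and the `[ -n "${{ github.event.inputs.tag }}" ]` test above it) splices the `workflow_dispatch` input into the script text before the regex check in `Validate tag format` runs, so an input that is not a plain tag string is interpreted by bash rather than rejected; pass it through the environment instead — add `env:` with `INPUT_TAG: ${{ github.event.inputs.tag }}` to that step and write `if [ -n "$INPUT_TAG" ]; then TAG=$INPUT_TAG; else TAG=${GITHUB_REF#refs/tags/}; fi` — and the same applies to the merged determine/validate step that patch 3 keeps in the create-release-branch.yaml hunk. The later `${{ steps.determine-tag.outputs.tag }}` and `${{ steps.define-branch.outputs.branch }}` interpolations are fed from the validated value, so they are lower risk, but reading them from `env:` too would remove the need for that reasoning. In the `Commit changes` step, `>> $GITHUB_OUTPUT` is the one unquoted use of that variable in the file; quote it as the other steps do.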
@@ -60,7 +60,7 @@ jobs: main: needs: - build - uses: DataDog/system-tests/.github/workflows/system-tests.yml@main + uses: DataDog/system-tests/.github/workflows/system-tests.yml@main # system tests are pinned for releases only: the create-release-branch workflow depends on this comment to update the reference secrets: inherit permissions: contents: read @@ -68,6 +68,7 @@ jobs: packages: write with: library: java + ref: main # system tests are pinned for releases only: the create-release-branch workflow depends on this comment to update the reference binaries_artifact: binaries desired_execution_time: 900 # 15 minutes scenarios_groups: tracer-release From c0a94e8802374755e21fee2082f8f0196ae1abc8 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 16 Oct 2025 14:34:51 -0400 Subject: [PATCH 2/3] Update policy name in workflow --- .github/workflows/create-release-branch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml index 9e9bfb4a545..11eb28bc572 100644 --- a/.github/workflows/create-release-branch.yaml +++ b/.github/workflows/create-release-branch.yaml @@ -22,7 +22,7 @@ jobs: id: octo-sts with: scope: DataDog/dd-trace-java - policy: self.create-release-branch.push + policy: self.update-system-tests.push - name: Determine tag id: determine-tag From dae2904690e522805d4e6105024619faad5ecd6e Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 17 Oct 2025 11:27:58 -0400 Subject: [PATCH 3/3] Clean workflow and script --- .../scripts/update_system_test_reference.sh | 52 ------------------ .github/workflows/create-release-branch.yaml | 55 ++++--------------- .github/workflows/run-system-tests.yaml | 6 +- tooling/update_system_test_reference.sh | 47 ++++++++++++++++ 4 files changed, 63 insertions(+), 97 deletions(-) delete mode 100644 .github/scripts/update_system_test_reference.sh create mode 100644 tooling/update_system_test_reference.sh 
diff --git a/.github/scripts/update_system_test_reference.sh b/.github/scripts/update_system_test_reference.sh
deleted file mode 100644
index e71c70783d7..00000000000
--- a/.github/scripts/update_system_test_reference.sh
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/bash
-
-# This script updates the reference in a YAML file.
-
-# Check if required environment variables are set
-if [ -z "$TARGET" ]; then
- echo "Error: TARGET environment variable is not set"
- exit 1
-fi
-
-if [ -z "$REF" ]; then
- echo "Error: REF environment variable is not set"
- exit 1
-fi
-
-if [ -z "$PATTERN" ]; then
- echo "Error: PATTERN environment variable is not set"
- exit 1
-fi
-
-echo "Target: $TARGET"
-echo "Ref: $REF"
-
-# Remove leading and trailing forward slashes from pattern
-CLEAN_PATTERN=$(echo "$PATTERN" | sed 's/^\///;s/\/$//')
-echo "Pattern: $CLEAN_PATTERN"
-
-# Create a temporary file
-TEMP_FILE=$(mktemp)
-
-# Read the file and perform the substitution
-if [ -f "$TARGET" ]; then
- # Perform the substitution and save to temporary file
- # We use perl here because sed's regex support varies across platforms
- perl -pe "s/$CLEAN_PATTERN/\${1}$REF\${3}/g" "$TARGET" > "$TEMP_FILE"
-
- # Compare files to check if any changes were made
- if cmp -s "$TARGET" "$TEMP_FILE"; then
- echo "No references found in $TARGET"
- else
- # Copy the temp file back to the target
- cp "$TEMP_FILE" "$TARGET"
- echo "✓ Updated references in $TARGET"
- fi
-else
- echo "Error: Target file $TARGET does not exist"
- rm -f "$TEMP_FILE"
- exit 1
-fi
-
-# Clean up temporary file
-rm -f "$TEMP_FILE"
diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
index 11eb28bc572..bcd3bc4aa77 100644
--- a/.github/workflows/create-release-branch.yaml
+++ b/.github/workflows/create-release-branch.yaml
@@ -32,25 +32,18 @@ jobs: else TAG=${GITHUB_REF#refs/tags/} fi - echo "tag=${TAG}" >> "$GITHUB_OUTPUT" - echo "Processing release tag: ${TAG}" - - - name: Validate tag format - run: | - TAG=${{ steps.determine-tag.outputs.tag }} if ! [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.0$ ]]; then - echo "Error: Tag $TAG is not a valid minor release tag (expected format: vX.Y.0)" + echo "Error: Tag $TAG is not in the expected format: vX.Y.0" exit 1 fi - echo "Tag format is valid" + echo "tag=${TAG}" >> "$GITHUB_OUTPUT" - name: Define branch name from tag id: define-branch run: | TAG=${{ steps.determine-tag.outputs.tag }} - BRANCH=$(echo "$TAG" | sed -E 's/^(v[0-9]+\.[0-9]+)\.0$/release\/\1.x/') + BRANCH="release/${TAG%.0}.x" echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT" - echo "Target branch: ${BRANCH}" - name: Checkout dd-trace-java uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0 
@@ -60,52 +53,28 @@ jobs: run: | BRANCH=${{ steps.define-branch.outputs.branch }} if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then - echo "exists=true" >> "$GITHUB_OUTPUT" - echo "Branch $BRANCH already exists, skipping following steps" + echo "creating_new_branch=false" >> "$GITHUB_OUTPUT" + echo "Branch $BRANCH already exists - skipping following steps" else - echo "exists=false" >> "$GITHUB_OUTPUT" - echo "Branch $BRANCH does not exist, proceeding with following steps" + echo "creating_new_branch=true" >> "$GITHUB_OUTPUT" + echo "Branch $BRANCH does not exist - proceeding with following steps" fi - - name: Checkout system-tests to get latest SHA - if: steps.check-branch.outputs.exists == 'false' - id: system-test-ref - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0 - with: - repository: "DataDog/system-tests" - path: system-tests - ref: main - - - name: Update reference 1/2 in run-system-tests.yaml - if: steps.check-branch.outputs.exists == 'false' - run: .github/scripts/update_system_test_reference.sh - env: - TARGET: ".github/workflows/run-system-tests.yaml" - PATTERN: '(\s*system-tests\.yml@)(\S+)(\s+# system tests.*)' - REF: ${{ steps.system-test-ref.outputs.commit }} - - - name: Update reference 2/2 in run-system-tests.yaml - if: steps.check-branch.outputs.exists == 'false' - run: .github/scripts/update_system_test_reference.sh - env: - TARGET: ".github/workflows/run-system-tests.yaml" - PATTERN: '(\s*ref: )(\S+)(\s+# system tests.*)' - REF: ${{ steps.system-test-ref.outputs.commit }} + - name: Update system-tests references to latest commit SHA on main + if: steps.check-branch.outputs.creating_new_branch == 'true' + run: BRANCH=main ./tooling/update_system_test_reference.sh - name: Commit changes - if: steps.check-branch.outputs.exists == 'false' + if: steps.check-branch.outputs.creating_new_branch == 'true' id: create-commit run: | - BRANCH=${{ steps.define-branch.outputs.branch }} - SHA=${{ 
steps.system-test-ref.outputs.commit }} - git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - name: Push changes - if: steps.check-branch.outputs.exists == 'false' + if: steps.check-branch.outputs.creating_new_branch == 'true' uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1 with: token: "${{ steps.octo-sts.outputs.token }}" diff --git a/.github/workflows/run-system-tests.yaml b/.github/workflows/run-system-tests.yaml index 16b869b9090..694f3e02829 100644 --- a/.github/workflows/run-system-tests.yaml +++ b/.github/workflows/run-system-tests.yaml @@ -60,7 +60,8 @@ jobs: main: needs: - build - uses: DataDog/system-tests/.github/workflows/system-tests.yml@main # system tests are pinned for releases only: the create-release-branch workflow depends on this comment to update the reference + # If you change the following comment, update the pattern in the update_system_test_reference.sh script to match. + uses: DataDog/system-tests/.github/workflows/system-tests.yml@main # system tests are pinned for releases only secrets: inherit permissions: contents: read @@ -68,7 +69,8 @@ jobs: packages: write with: library: java - ref: main # system tests are pinned for releases only: the create-release-branch workflow depends on this comment to update the reference + # If you change the following comment, update the pattern in the update_system_test_reference.sh script to match. + ref: main # system tests are pinned for releases only binaries_artifact: binaries desired_execution_time: 900 # 15 minutes scenarios_groups: tracer-release diff --git a/tooling/update_system_test_reference.sh b/tooling/update_system_test_reference.sh new file mode 100644 index 00000000000..951fe8e4b1d --- /dev/null 
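Review bot: The new `run: BRANCH=main ./tooling/update_system_test_reference.sh` line executes the script directly, but this patch's header records it as `create mode 100644 tooling/update_system_test_reference.sh`, so unless the mode is fixed before merge the step should fail with a permission-denied error before any reference is touched; either commit it executable (`git update-index --chmod=+x tooling/update_system_test_reference.sh`) or invoke it as `run: BRANCH=main bash ./tooling/update_system_test_reference.sh`. Patch 1 had the same mismatch with `.github/scripts/update_system_test_reference.sh`, which was also added as 100644 and run directly. The `Commit changes` step still writes with `>> $GITHUB_OUTPUT` unquoted (context here, unchanged by this patch); quoting it as the `check-branch` step does would be consistent.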
+++ b/tooling/update_system_test_reference.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script updates the system-tests reference in run-system-tests.yaml.
+# The reference will be updated with the latest commit SHA of the given branch (or `main` if not set) of https://github.com/DataDog/system-tests.
+# Usage: BRANCH= tooling/update_system_test_reference.sh
+
+# Set BRANCH to main if not set
+if [ -z "${BRANCH:-}" ]; then
+ BRANCH="main"
+ echo "BRANCH is not set. Defaulting to 'main'."
+fi
+
+TARGET=".github/workflows/run-system-tests.yaml" # target file to update
+PATTERN_1='(\s*system-tests\.yml@)(\S+)(\s+# system tests.*)' # pattern to update the "system-tests.yml@" reference
+PATTERN_2='(\s*ref: )(\S+)(\s+# system tests.*)' # pattern to update the "ref:" reference
+
+echo "Fetching latest commit SHA for system-tests branch: $BRANCH"
+REF=$(git ls-remote https://github.com/DataDog/system-tests "refs/heads/$BRANCH" | cut -f 1)
+if [ -z "$REF" ]; then
+ echo "Error: Failed to fetch commit SHA for branch $BRANCH"
+ exit 1
+fi
+echo "Fetched SHA: $REF"
+
+if [ ! -f "$TARGET" ]; then
+ echo "Error: Target file $TARGET does not exist"
+ exit 1
+fi
+
+# Save the substitution results to a temporary file first
+TEMP_FILE=$(mktemp)
+
+# Update the "system-tests.yml@" reference
+echo "Updating 'system-tests.yml@' reference..."
+perl -pe "s/$PATTERN_1/\${1}$REF\${3}/g" "$TARGET" > "$TEMP_FILE"
+cp "$TEMP_FILE" "$TARGET"
+
+# Update the "ref:" reference
+echo "Updating 'ref:' reference..."
+perl -pe "s/$PATTERN_2/\${1}$REF\${3}/g" "$TARGET" > "$TEMP_FILE"
+cp "$TEMP_FILE" "$TARGET"
+
+# Clean up temporary file
+rm -f "$TEMP_FILE"
+
+echo "Done updating system-tests references to $REF"
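Review bot: `REF` is only checked for being non-empty before it is spliced into the two `perl -pe "s/…/\${1}$REF\${3}/g"` expressions, and the value it writes is the pin of a cross-repository reusable workflow (`system-tests.yml@<sha>`), so the script should insist on a full 40-hex SHA rather than accept whatever `git ls-remote | cut` produced. The patch-1 script's `cmp -s` check was dropped in this rewrite, so a drifted `# system tests` marker comment now makes both substitutions no-ops and the script still prints `Done updating …`, with the failure only surfacing later as an empty `git commit`; re-add a no-change check (note that it also rejects a file already pinned to the same SHA, which is fine for the create-branch use but worth stating in the usage comment). A failure after `mktemp` — for instance perl exiting non-zero under `set -e` — leaves the temporary file behind; a `trap … EXIT` covers every exit path. The rewrite below folds the two copies of the substitute-then-copy sequence into one helper.

```shell
REF=$(git ls-remote https://github.com/DataDog/system-tests "refs/heads/$BRANCH" | cut -f 1)
# The only value spliced into the perl expressions below: require a full commit SHA
if ! [[ "$REF" =~ ^[0-9a-f]{40}$ ]]; then
  echo "Error: Failed to fetch a commit SHA for branch $BRANCH (got '$REF')"
  exit 1
fi
echo "Fetched SHA: $REF"
# … unchanged: target file existence check …
TEMP_FILE=$(mktemp)
trap 'rm -f -- "$TEMP_FILE"' EXIT   # also cleans up on the exit-1 paths and on set -e failures

# Apply one substitution to $TARGET and fail if it changed nothing, so a
# drifted marker comment is reported here instead of as an empty commit later.
apply_substitution() {
  local pattern=$1
  perl -pe "s/$pattern/\${1}$REF\${3}/g" "$TARGET" > "$TEMP_FILE"
  if cmp -s "$TARGET" "$TEMP_FILE"; then
    echo "Error: pattern '$pattern' did not change $TARGET"
    exit 1
  fi
  cp "$TEMP_FILE" "$TARGET"
}

echo "Updating 'system-tests.yml@' reference..."
apply_substitution "$PATTERN_1"
echo "Updating 'ref:' reference..."
apply_substitution "$PATTERN_2"
# … unchanged: final "Done updating" echo …
```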