From df84fee06cc099c325476f33d7293a10b7dc64b4 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Thu, 11 Dec 2025 11:50:54 -0500
Subject: [PATCH 01/10] Add pin system tests workflow
---
 .github/workflows/pin-system-tests.yaml | 96 +++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 .github/workflows/pin-system-tests.yaml
diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml
new file mode 100644
index 00000000000..36421d87c20
--- /dev/null
+++ b/.github/workflows/pin-system-tests.yaml
@@ -0,0 +1,96 @@
+name: Pin system tests
+on:
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: 'The minor release tag (e.g. v1.54.0)'
+ required: true
+ type: string
+
+jobs:
+ pin-system-tests:
+ name: "Pin system tests"
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # may not be needed
+ id-token: write # Required for OIDC token federation
+ steps:
+ - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+ id: octo-sts
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.pin-system-tests.create-pr
+
+ - name: Checkout the repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+ - name: Define branch name
+ id: define-branch
+ run: echo "branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+
+ - name: Check if branch already exists
+ id: check-branch
+ run: |
+ BRANCH=${{ steps.define-branch.outputs.branch }}
+ if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+ echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
+ echo "Branch $BRANCH already exists - skipping creation"
+ else
+ echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
+ echo "Branch $BRANCH does not exist - creating it now"
+ fi
+
+ - name: Create and push branch
+ if: steps.check-branch.outputs.creating_new_branch == 'true'
+ id: create-branch
+ run: |
+ git checkout -b "${{ steps.define-branch.outputs.branch }}"
+ git push -u origin "${{ steps.define-branch.outputs.branch }}"
+
+ - name: Update system-tests references to latest commit SHA on main
+ run: ./tooling/update_system_test_reference.sh
+
+ - name: Check if changes should be committed
+ id: check-changes
+ run: |
+ if [[ -z "$(git status -s)" ]]; then
+ echo "No changes to commit, exiting."
+ echo "commit_changes=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ else
+ echo "commit_changes=true" >> "$GITHUB_OUTPUT"
+ echo "Changes to commit:"
+ git status -s
+ fi
+
+ - name: Commit changes
+ if: steps.check-changes.outputs.commit_changes == 'true'
+ id: create-commit
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
+ echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+
+ - name: Push changes
+ uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
+ if: steps.check-changes.outputs.commit_changes == 'true'
+ with:
+ token: "${{ steps.octo-sts.outputs.token }}"
+ branch: "${{ steps.define-branch.outputs.branch }}"
+ command: push
+ commits: "${{ steps.create-commit.outputs.commit }}"
+
+ - name: Create pull request
+ if: steps.check-changes.outputs.commit_changes == 'true'
+ env:
+ GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+ # base may need to be `release/v*`
+ run: |
+ gh pr create --title "Pin system tests for release branch" \
+ --base master \
+ --head ${{ steps.define-branch.outputs.branch }} \
+ --label "tag: dependencies" \
+ --label "tag: no release notes" \
+ --body "This PR pins the system-tests reference for the release branch."
From f2cb0ddedbc61ca6b664ab88cd2eac617f5ae9da Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Thu, 11 Dec 2025 11:59:22 -0500
Subject: [PATCH 02/10] Add testing trigger
---
 .github/workflows/pin-system-tests.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml
index 36421d87c20..e881abb0035 100644
--- a/.github/workflows/pin-system-tests.yaml
+++ b/.github/workflows/pin-system-tests.yaml
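Review bot: `contents: write # may not be needed` is needed in this version of the job: the `Create and push branch` step runs `git push -u origin` with the credentials that actions/checkout persists (GITHUB_TOKEN), so a read-only token would make that push fail; replace the uncertain comment with `contents: write # GITHUB_TOKEN pushes the branch in "Create and push branch"`. The change detection and the commit also disagree on scope: `git status -s` looks at the whole tree while `git commit` only takes `.github/workflows/run-system-tests.yaml`, so narrowing the check to `git status -s -- .github/workflows/run-system-tests.yaml` keeps `commit_changes` aligned with what is actually committed. `BRANCH=${{ steps.define-branch.outputs.branch }}` and `--head ${{ steps.define-branch.outputs.branch }}` are expanded unquoted into the scripts, which is harmless here because the value is built from `date`, but quoting them costs nothing and avoids a surprise if the naming scheme ever changes.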
@@ -7,6 +7,10 @@ on: description: 'The minor release tag (e.g. v1.54.0)' required: true type: string + # for testing + push: + branches: + - sarahchen6/pin-system-tests-workflow jobs: pin-system-tests: From 2a2a8ea3dcd717e43e033f89fdee8dc460a10287 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 11 Dec 2025 15:36:30 -0500 Subject: [PATCH 03/10] Try peter-evans/create-pull-request --- .github/workflows/pin-system-tests.yaml | 77 ++++++++++++++----------- 1 file changed, 44 insertions(+), 33 deletions(-) diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml index e881abb0035..d757e5b1731 100644 --- a/.github/workflows/pin-system-tests.yaml +++ b/.github/workflows/pin-system-tests.yaml @@ -45,12 +45,12 @@ jobs: echo "Branch $BRANCH does not exist - creating it now" fi - - name: Create and push branch - if: steps.check-branch.outputs.creating_new_branch == 'true' - id: create-branch - run: | - git checkout -b "${{ steps.define-branch.outputs.branch }}" - git push -u origin "${{ steps.define-branch.outputs.branch }}" + # - name: Create and push branch + # if: steps.check-branch.outputs.creating_new_branch == 'true' + # id: create-branch + # run: | + # git checkout -b "${{ steps.define-branch.outputs.branch }}" + # git push -u origin "${{ steps.define-branch.outputs.branch }}" - name: Update system-tests references to latest commit SHA on main run: ./tooling/update_system_test_reference.sh 
@@ -68,33 +68,44 @@ jobs: git status -s fi - - name: Commit changes - if: steps.check-changes.outputs.commit_changes == 'true' - id: create-commit - run: | - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml - echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - - name: Push changes - uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1 + - name: Create pull request if: steps.check-changes.outputs.commit_changes == 'true' + uses: peter-evans/create-pull-request@v8 with: - token: "${{ steps.octo-sts.outputs.token }}" - branch: "${{ steps.define-branch.outputs.branch }}" - command: push - commits: "${{ steps.create-commit.outputs.commit }}" + token: ${{ steps.octo-sts.outputs.token }} + commit-message: "chore: Pin system-tests for release branch" + title: "Pin system-tests for release branch" + branch: ${{ steps.define-branch.outputs.branch }} + base: "master" + body: "This PR pins the system-tests reference for the release branch." 
+ + # - name: Commit changes + # if: steps.check-changes.outputs.commit_changes == 'true' + # id: create-commit + # run: | + # git config user.name "github-actions[bot]" + # git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + # git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml + # echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + + # - name: Push changes + # uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1 + # if: steps.check-changes.outputs.commit_changes == 'true' + # with: + # token: "${{ steps.octo-sts.outputs.token }}" + # branch: "${{ steps.define-branch.outputs.branch }}" + # command: push + # commits: "${{ steps.create-commit.outputs.commit }}" - - name: Create pull request - if: steps.check-changes.outputs.commit_changes == 'true' - env: - GH_TOKEN: ${{ steps.octo-sts.outputs.token }} - # base may need to be `release/v*` - run: | - gh pr create --title "Pin system tests for release branch" \ - --base master \ - --head ${{ steps.define-branch.outputs.branch }} \ - --label "tag: dependencies" \ - --label "tag: no release notes" \ - --body "This PR pins the system-tests reference for the release branch." + # - name: Create pull request + # if: steps.check-changes.outputs.commit_changes == 'true' + # env: + # GH_TOKEN: ${{ steps.octo-sts.outputs.token }} + # # base may need to be `release/v*` + # run: | + # gh pr create --title "Pin system tests for release branch" \ + # --base master \ + # --head ${{ steps.define-branch.outputs.branch }} \ + # --label "tag: dependencies" \ + # --label "tag: no release notes" \ + # --body "This PR pins the system-tests reference for the release branch." From 032688d16418e9c869caa325c6b75aa34034c85d Mon Sep 17 00:00:00 2001 
From: Sarah Chen Date: Fri, 12 Dec 2025 08:47:04 -0600 Subject: [PATCH 04/10] Revert "Try peter-evans/create-pull-request" This reverts commit 2a2a8ea3dcd717e43e033f89fdee8dc460a10287. --- .github/workflows/pin-system-tests.yaml | 77 +++++++++++-------------- 1 file changed, 33 insertions(+), 44 deletions(-) diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml index d757e5b1731..e881abb0035 100644 --- a/.github/workflows/pin-system-tests.yaml +++ b/.github/workflows/pin-system-tests.yaml @@ -45,12 +45,12 @@ jobs: echo "Branch $BRANCH does not exist - creating it now" fi - # - name: Create and push branch - # if: steps.check-branch.outputs.creating_new_branch == 'true' - # id: create-branch - # run: | - # git checkout -b "${{ steps.define-branch.outputs.branch }}" - # git push -u origin "${{ steps.define-branch.outputs.branch }}" + - name: Create and push branch + if: steps.check-branch.outputs.creating_new_branch == 'true' + id: create-branch + run: | + git checkout -b "${{ steps.define-branch.outputs.branch }}" + git push -u origin "${{ steps.define-branch.outputs.branch }}" - name: Update system-tests references to latest commit SHA on main run: ./tooling/update_system_test_reference.sh 
@@ -68,44 +68,33 @@ jobs: git status -s fi - - name: Create pull request + - name: Commit changes if: steps.check-changes.outputs.commit_changes == 'true' - uses: peter-evans/create-pull-request@v8 - with: - token: ${{ steps.octo-sts.outputs.token }} - commit-message: "chore: Pin system-tests for release branch" - title: "Pin system-tests for release branch" - branch: ${{ steps.define-branch.outputs.branch }} - base: "master" - body: "This PR pins the system-tests reference for the release branch." - - # - name: Commit changes - # if: steps.check-changes.outputs.commit_changes == 'true' - # id: create-commit - # run: | - # git config user.name "github-actions[bot]" - # git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - # git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml - # echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + id: create-commit + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - # - name: Push changes - # uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1 - # if: steps.check-changes.outputs.commit_changes == 'true' - # with: - # token: "${{ steps.octo-sts.outputs.token }}" - # branch: "${{ steps.define-branch.outputs.branch }}" - # command: push - # commits: "${{ steps.create-commit.outputs.commit }}" + - name: Push changes + uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1 + if: steps.check-changes.outputs.commit_changes == 'true' + with: + token: "${{ steps.octo-sts.outputs.token }}" + branch: "${{ steps.define-branch.outputs.branch }}" + command: push + commits: "${{ steps.create-commit.outputs.commit }}" - # - name: Create pull request - # if: 
steps.check-changes.outputs.commit_changes == 'true' - # env: - # GH_TOKEN: ${{ steps.octo-sts.outputs.token }} - # # base may need to be `release/v*` - # run: | - # gh pr create --title "Pin system tests for release branch" \ - # --base master \ - # --head ${{ steps.define-branch.outputs.branch }} \ - # --label "tag: dependencies" \ - # --label "tag: no release notes" \ - # --body "This PR pins the system-tests reference for the release branch." + - name: Create pull request + if: steps.check-changes.outputs.commit_changes == 'true' + env: + GH_TOKEN: ${{ steps.octo-sts.outputs.token }} + # base may need to be `release/v*` + run: | + gh pr create --title "Pin system tests for release branch" \ + --base master \ + --head ${{ steps.define-branch.outputs.branch }} \ + --label "tag: dependencies" \ + --label "tag: no release notes" \ + --body "This PR pins the system-tests reference for the release branch." From 1cd0e1a7f5de327521cd22ebbab2bfe5a063fd31 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 12 Dec 2025 08:50:28 -0600 Subject: [PATCH 05/10] Hard code release base branch --- .github/workflows/pin-system-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml index e881abb0035..945f9b53658 100644 --- a/.github/workflows/pin-system-tests.yaml +++ b/.github/workflows/pin-system-tests.yaml @@ -93,7 +93,7 @@ jobs: # base may need to be `release/v*` run: | gh pr create --title "Pin system tests for release branch" \ - --base master \ + --base release/v1.56.x \ --head ${{ steps.define-branch.outputs.branch }} \ --label "tag: dependencies" \ --label "tag: no release notes" \ From 7ed86ca220a1d63423973a9492c71bfd56e71928 Mon Sep 17 00:00:00 2001 
From: Sarah Chen Date: Fri, 12 Dec 2025 08:57:33 -0600 Subject: [PATCH 06/10] Create and push branch in one step --- .github/workflows/pin-system-tests.yaml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml index 945f9b53658..30aae299acb 100644 --- a/.github/workflows/pin-system-tests.yaml +++ b/.github/workflows/pin-system-tests.yaml @@ -39,18 +39,12 @@ jobs: BRANCH=${{ steps.define-branch.outputs.branch }} if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then echo "creating_new_branch=false" >> "$GITHUB_OUTPUT" - echo "Branch $BRANCH already exists - skipping creation" + echo "Branch $BRANCH already exists - please delete it and re-run the workflow." + exit 0 else echo "creating_new_branch=true" >> "$GITHUB_OUTPUT" echo "Branch $BRANCH does not exist - creating it now" fi - - - name: Create and push branch - if: steps.check-branch.outputs.creating_new_branch == 'true' - id: create-branch - run: | - git checkout -b "${{ steps.define-branch.outputs.branch }}" - git push -u origin "${{ steps.define-branch.outputs.branch }}" - name: Update system-tests references to latest commit SHA on main run: ./tooling/update_system_test_reference.sh 
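Review bot: With `exit 0` after `Branch $BRANCH already exists - please delete it and re-run the workflow.`, the run finishes green although nothing is pinned: the following steps still execute (`update_system_test_reference.sh` and the local `Commit changes` step, which is gated only on `commit_changes`), and only the push and PR are skipped. If the message is right that the operator must act, fail the step instead, `exit 1`, so the branch collision shows up as a failed run rather than a quiet no-op; otherwise gate the update and commit steps on `steps.check-branch.outputs.creating_new_branch == 'true'` as well, as the push step now is.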
@@ -79,15 +73,17 @@ jobs: - name: Push changes uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1 - if: steps.check-changes.outputs.commit_changes == 'true' + if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true' with: token: "${{ steps.octo-sts.outputs.token }}" branch: "${{ steps.define-branch.outputs.branch }}" + head-sha: "${{ github.sha }}" + create-branch: true command: push commits: "${{ steps.create-commit.outputs.commit }}" - name: Create pull request - if: steps.check-changes.outputs.commit_changes == 'true' + if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true' env: GH_TOKEN: ${{ steps.octo-sts.outputs.token }} # base may need to be `release/v*` From d60e55c2524b7297e15d4b29d02c7aa0f6e2f7f1 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 12 Dec 2025 09:02:13 -0600 Subject: [PATCH 07/10] Make draft --- .github/workflows/pin-system-tests.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml index 30aae299acb..dfbd6a161f4 100644 --- a/.github/workflows/pin-system-tests.yaml +++ b/.github/workflows/pin-system-tests.yaml @@ -94,3 +94,4 @@ jobs: --label "tag: dependencies" \ --label "tag: no release notes" \ --body "This PR pins the system-tests reference for the release branch." + --draft From 50aa6d5c08752959264979ddf15ef455cf29e292 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 12 Dec 2025 09:28:16 -0600 Subject: [PATCH 08/10] Missing slash --- .github/workflows/pin-system-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml index dfbd6a161f4..4f506284d04 100644 --- a/.github/workflows/pin-system-tests.yaml +++ b/.github/workflows/pin-system-tests.yaml 
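Review bot: After this change nothing visible in the job pushes with GITHUB_TOKEN any more: the `Create and push branch` step is removed, `Push changes` goes through commit-headless with the octo-sts token and `create-branch: true`, and `gh pr create` uses that token too, so the job-level `contents: write # may not be needed` (outside this hunk) can presumably drop to `contents: read`, which is all actions/checkout and `git ls-remote` need; that keeps the workflow's own token at least privilege and leaves write access to the STS-scoped one. The `if:` condition `steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true'` is now duplicated verbatim on `Push changes` and `Create pull request`; computing it once into a single output, or adding a one-line comment on each explaining why both conditions must hold, would stop the two from drifting apart.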
@@ -93,5 +93,5 @@ jobs: --head ${{ steps.define-branch.outputs.branch }} \ --label "tag: dependencies" \ --label "tag: no release notes" \ - --body "This PR pins the system-tests reference for the release branch." + --body "This PR pins the system-tests reference for the release branch." \ --draft From 4f539e2f5c692ce050899bfc61ea96f750c47255 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 12 Dec 2025 10:13:03 -0600 Subject: [PATCH 09/10] Change workflow trigger to release branch creation --- .github/workflows/pin-system-tests.yaml | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml index 4f506284d04..a527bbf3f64 100644 --- a/.github/workflows/pin-system-tests.yaml +++ b/.github/workflows/pin-system-tests.yaml @@ -4,17 +4,16 @@ on: workflow_dispatch: inputs: tag: - description: 'The minor release tag (e.g. v1.54.0)' + description: 'The minor release branch name (e.g. release/v1.54.x)' required: true type: string - # for testing - push: - branches: - - sarahchen6/pin-system-tests-workflow + # run workflow when a release branch is created + create: jobs: pin-system-tests: name: "Pin system tests" + if: github.event_name != 'create' || startsWith(github.ref, 'refs/heads/test/v') runs-on: ubuntu-latest permissions: contents: write # may not be needed @@ -81,6 +80,16 @@ jobs: create-branch: true command: push commits: "${{ steps.create-commit.outputs.commit }}" + + - name: Define base branch + id: define-base-branch + run: | + if [[ -n "${{ github.event.inputs.tag }}" ]]; then + BASE_BRANCH=${{ github.event.inputs.tag }} + else + BASE_BRANCH=${GITHUB_REF#refs/heads/} + fi + echo "base_branch=${BASE_BRANCH}" >> $GITHUB_OUTPUT - name: Create pull request if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true' 
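Review bot: The `create:` event fires for every branch and tag created in the repository, and the only narrowing is the job-level `if: github.event_name != 'create' || startsWith(github.ref, 'refs/heads/test/v')`, where `test/v` reads as a temporary stand-in for the release-branch prefix; that same prefix is what the STS trust policy has to match, so the two must be changed together. A comment next to the `if:` naming the counterpart would make that coupling visible, e.g. `# branch prefix must match subject_pattern in .github/chainguard/self.pin-system-tests.create-pr.sts.yaml`. The `tag` input now holds a branch name per its new description; the input name is part of the dispatch interface, so renaming it is a separate decision, but the description could state plainly that the value is used as the PR base branch.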
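Review bot: `${{ github.event.inputs.tag }}` is expanded into the `run:` script text twice in the new `Define base branch` step (`[[ -n "${{ ... }}" ]]` and `BASE_BRANCH=${{ ... }}`), so the free-text dispatch input is spliced into the bash source before the shell sees it; a value containing quotes or shell metacharacters breaks the script, and this is the pattern GitHub's own workflow-hardening guidance says to avoid. Pass it through the environment and quote the expansions instead, as below; the same applies to `--base ${{ steps.define-base-branch.outputs.base_branch }}` in the next hunk, which is derived from this input and should likewise be read from an `env:` entry and quoted. The step also runs unconditionally, which is harmless, but it could carry the same `if:` as the PR step so that a skipped run does not compute an unused value.
```yaml
      - name: Define base branch
        id: define-base-branch
        env:
          TAG_INPUT: ${{ github.event.inputs.tag }}
        run: |
          if [[ -n "$TAG_INPUT" ]]; then
            BASE_BRANCH="$TAG_INPUT"
          else
            BASE_BRANCH="${GITHUB_REF#refs/heads/}"
          fi
          echo "base_branch=${BASE_BRANCH}" >> "$GITHUB_OUTPUT"
```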
@@ -89,7 +98,7 @@ jobs: # base may need to be `release/v*` run: | gh pr create --title "Pin system tests for release branch" \ - --base release/v1.56.x \ + --base ${{ steps.define-base-branch.outputs.base_branch }} \ --head ${{ steps.define-branch.outputs.branch }} \ --label "tag: dependencies" \ --label "tag: no release notes" \ From 3c43b8ea9be574da69d379f713516348b25cd2d4 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Fri, 12 Dec 2025 10:18:08 -0600 Subject: [PATCH 10/10] Refine trust policy --- .../chainguard/self.pin-system-tests.create-pr.sts.yaml | 8 ++++---- .github/workflows/pin-system-tests.yaml | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml b/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml index 85e1f7aa343..c2b192475a7 100644 --- a/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml +++ b/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml @@ -1,11 +1,11 @@ issuer: https://token.actions.githubusercontent.com -subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/.+ +subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/(master|test/v.+) claim_pattern: - event_name: (push|workflow_dispatch) - ref: refs/heads/.+ - job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/.+ + event_name: (create|workflow_dispatch) + ref: refs/heads/(master|test/v.+) + job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/(master|test/v.+) permissions: contents: write diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml index a527bbf3f64..725eedf3178 100644 --- a/.github/workflows/pin-system-tests.yaml +++ b/.github/workflows/pin-system-tests.yaml 
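Review bot: The tightened `subject_pattern` and `ref` value `refs/heads/(master|test/v.+)` encodes the same temporary `test/v` prefix as the workflow's job-level `if:`, but this policy file carries no marker saying so, while the workflow gets a `# CHANGE BACK TO release/v*` note; if the prefix is later flipped in the workflow only, `create`-triggered runs will pass the `if:` and then be refused at token exchange, which is the safer failure mode but a confusing one to debug. Add a matching comment above `subject_pattern`, e.g. `# temporary test prefix; switch test/v to release/v together with the job-level if: in .github/workflows/pin-system-tests.yaml`, so the two stay in lockstep. Narrowing `event_name` to `(create|workflow_dispatch)` and dropping `push` is the right direction for this policy; note that for `workflow_dispatch` the `ref` claim is the branch the run is started from, so with this pattern a manual run must be dispatched from `master` or a `test/v` branch, which is worth stating in the workflow's input description.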
@@ -13,6 +13,7 @@ on: jobs: pin-system-tests: name: "Pin system tests" + # CHANGE BACK TO release/v* if: github.event_name != 'create' || startsWith(github.ref, 'refs/heads/test/v') runs-on: ubuntu-latest permissions: @@ -95,7 +96,7 @@ jobs: if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true' env: GH_TOKEN: ${{ steps.octo-sts.outputs.token }} - # base may need to be `release/v*` + # REMOVE DRAFT run: | gh pr create --title "Pin system tests for release branch" \ --base ${{ steps.define-base-branch.outputs.base_branch }} \
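Review bot: `# CHANGE BACK TO release/v*` is a pre-merge reminder placed where a reader expects an explanation of the guard below it, and the same style is used for `# REMOVE DRAFT` further down, where it replaces the earlier note about the base branch. Make these explicit TODOs that carry the final value and the coupled file, e.g. `# TODO(before merge): use startsWith(github.ref, 'refs/heads/release/v') here and in .github/chainguard/self.pin-system-tests.create-pr.sts.yaml`, so neither placeholder survives the merge unnoticed and the reason for the guard is still documented once they are resolved.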