From e17bd820bff82648288f572c4660cf28ec968b5b Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Thu, 23 Oct 2025 10:17:38 -0400
Subject: [PATCH 1/5] Rename trust policy

---
 ...h.sts.yaml => self.update-system-tests.create-pr.sts.yaml} | 0
 .github/workflows/create-release-branch.yaml | 4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename .github/chainguard/{self.update-system-tests.push.sts.yaml => self.update-system-tests.create-pr.sts.yaml} (100%)

diff --git a/.github/chainguard/self.update-system-tests.push.sts.yaml b/.github/chainguard/self.update-system-tests.create-pr.sts.yaml
similarity index 100%
rename from .github/chainguard/self.update-system-tests.push.sts.yaml
rename to .github/chainguard/self.update-system-tests.create-pr.sts.yaml
diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
index 10ec3cd0a95..bf34bcb667f 100644
--- a/.github/workflows/create-release-branch.yaml
+++ b/.github/workflows/create-release-branch.yaml
@@ -22,7 +22,7 @@ jobs:
 id: octo-sts
 with:
 scope: DataDog/dd-trace-java
- policy: self.update-system-tests.push
+ policy: self.update-system-tests.create-pr
 
 - name: Determine tag
 id: determine-tag
@@ -85,7 +85,7 @@ jobs:
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
 echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
-
+
 - name: Push changes to temp branch
 if: steps.check-branch.outputs.creating_new_branch == 'true'
 uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1

From c536f26bbf445eaf75d0131df44c6b6b2509e7e3 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Thu, 23 Oct 2025 10:48:24 -0400
Subject: [PATCH 2/5] Clean BRANCH variable definition

---
 .github/workflows/create-release-branch.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
index bf34bcb667f..7313b36c918 100644
--- a/.github/workflows/create-release-branch.yaml
+++ b/.github/workflows/create-release-branch.yaml
@@ -42,8 +42,7 @@ jobs:
 id: define-branch
 run: |
 TAG=${{ steps.determine-tag.outputs.tag }}
- BRANCH="release/${TAG%.0}.x"
- echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+ echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"
 
 - name: Checkout dd-trace-java at tag
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0

From 79dba6c4df43040ba64416b1c3b8e42195af4ee1 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Thu, 23 Oct 2025 10:54:06 -0400
Subject: [PATCH 3/5] Comment out logic that creates the initial release branch

---
 .github/workflows/create-release-branch.yaml | 48 ++++++++++----------
 1 file changed, 25 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
index 7313b36c918..76c64b98204 100644
--- a/.github/workflows/create-release-branch.yaml
+++ b/.github/workflows/create-release-branch.yaml
@@ -15,7 +15,8 @@ jobs:
 create-release-branch:
 runs-on: ubuntu-latest
 permissions:
- contents: write # Allow pushing the empty release branch
+ # contents: write # Allow pushing the empty release branch
+ contents: read
 id-token: write # Required for OIDC token federation
 steps:
 - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
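Review bot: `TAG=${{ steps.determine-tag.outputs.tag }}` splices a step output into the shell script at template-expansion time, so bash parses the value as part of the script before the assignment runs; the conventional pattern is to hand the value over through the step's `env:` and read it as a variable. Concretely, add `env:` / `TAG: ${{ steps.determine-tag.outputs.tag }}` to the step and drop the `TAG=` line, keeping `echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"` unchanged. How determine-tag derives the tag is outside this hunk, so the practical exposure depends on that step; the same pattern applies to the `${{ steps.define-branch.outputs.branch }}` interpolations inside the `gh pr create` command in the last patch of the series. The define-branch step's `name:` line sits above the hunk.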
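Review bot: The old `# contents: write # Allow pushing the empty release branch` line is retained as a comment, so the only rationale left under `permissions:` describes a capability the job no longer has. Dropping to `contents: read` is the right least-privilege change given that the later push step authenticates with the octo-sts token rather than `GITHUB_TOKEN`; record that instead, e.g. `contents: read # pushes go through the octo-sts token, not GITHUB_TOKEN`, and delete the commented-out line since git history keeps the old value.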
@@ -42,42 +43,43 @@ jobs:
 id: define-branch
 run: |
 TAG=${{ steps.determine-tag.outputs.tag }}
- echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"
+ # echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"
+ echo "branch=release/v0.0.x" >> "$GITHUB_OUTPUT"
 
 - name: Checkout dd-trace-java at tag
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
 with:
 ref: ${{ github.sha }}
 
- - name: Check if branch already exists
- id: check-branch
- run: |
- BRANCH=${{ steps.define-branch.outputs.branch }}
- if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
- echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
- echo "Branch $BRANCH already exists - skipping following steps"
- else
- echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
- echo "Branch $BRANCH does not exist - proceeding with following steps"
- fi
+ # - name: Check if branch already exists
+ # id: check-branch
+ # run: |
+ # BRANCH=${{ steps.define-branch.outputs.branch }}
+ # if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+ # echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
+ # echo "Branch $BRANCH already exists - skipping following steps"
+ # else
+ # echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
+ # echo "Branch $BRANCH does not exist - proceeding with following steps"
+ # fi
 
- - name: Create and push empty release branch
- if: steps.check-branch.outputs.creating_new_branch == 'true'
- run: |
- git checkout -b "${{ steps.define-branch.outputs.branch }}"
- git push -u origin "${{ steps.define-branch.outputs.branch }}"
+ # - name: Create and push empty release branch
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # run: |
+ # git checkout -b "${{ steps.define-branch.outputs.branch }}"
+ # git push -u origin "${{ steps.define-branch.outputs.branch }}"
 
 - name: Define temp branch name
- if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
 id: define-temp-branch
 run: echo "branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
 
 - name: Update system-tests references to latest commit SHA on main
- if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
 run: BRANCH=main ./tooling/update_system_test_reference.sh
 
 - name: Commit changes
- if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
 id: create-commit
 run: |
 git config user.name "github-actions[bot]"
@@ -86,7 +88,7 @@ jobs:
 echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
 
 - name: Push changes to temp branch
- if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
 uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
 with:
 token: "${{ steps.octo-sts.outputs.token }}"
@@ -97,7 +99,7 @@ jobs:
 commits: "${{ steps.create-commit.outputs.commit }}"
 
 - name: Create pull request from temp branch to release branch
- if: steps.check-branch.outputs.creating_new_branch == 'true'
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
 env:
 GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
 run: |

From f36e518fa6dd2099d8f103019aba18875d38cddb Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Thu, 23 Oct 2025 11:06:11 -0400
Subject: [PATCH 4/5] Remove ref param when checking out

---
 .github/workflows/create-release-branch.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
index 76c64b98204..40170d18127 100644
--- a/.github/workflows/create-release-branch.yaml
+++ b/.github/workflows/create-release-branch.yaml
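Review bot: Commenting out every `if: steps.check-branch.outputs.creating_new_branch == 'true'` guard (here and in the two following hunks at `@@ -86,7` and `@@ -97,7`) makes the temp-branch push and `gh pr create` run unconditionally, while the step that used to create the release branch is also commented out; the PR step's `--base` therefore names a branch this workflow no longer creates, so the run will fail at `gh pr create` unless that branch already exists out of band. If that is the intended new contract, state it where the old check used to be, e.g. `# The release branch must already exist; this workflow only opens the system-tests pin PR against it.`, and delete the commented-out steps rather than carrying them as dead YAML. The hard-coded `echo "branch=release/v0.0.x"` in the define-branch step also overrides the tag-derived name, so this commit on its own ships a workflow that targets a placeholder branch.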
@@ -48,8 +48,6 @@ jobs:
 
 - name: Checkout dd-trace-java at tag
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
- with:
- ref: ${{ github.sha }}
 
 # - name: Check if branch already exists
 # id: check-branch

From 66a71971cf6ab88728009e80b83492d8f498a76f Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Thu, 23 Oct 2025 13:40:51 -0400
Subject: [PATCH 5/5] Reorder to match other workflows

---
 .github/workflows/create-release-branch.yaml | 25 ++++++++++----------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
index 40170d18127..0fadc2d4996 100644
--- a/.github/workflows/create-release-branch.yaml
+++ b/.github/workflows/create-release-branch.yaml
@@ -25,6 +25,9 @@ jobs:
 scope: DataDog/dd-trace-java
 policy: self.update-system-tests.create-pr
 
+ - name: Checkout dd-trace-java at tag
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
 - name: Determine tag
 id: determine-tag
 run: |
@@ -43,11 +46,7 @@ jobs:
 id: define-branch
 run: |
 TAG=${{ steps.determine-tag.outputs.tag }}
- # echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"
- echo "branch=release/v0.0.x" >> "$GITHUB_OUTPUT"
-
- - name: Checkout dd-trace-java at tag
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+ echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"
 
 # - name: Check if branch already exists
 # id: check-branch
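Review bot: The step moved here is still named `Checkout dd-trace-java at tag`, but it now runs before `Determine tag` and carries no `ref:`, so it checks out the ref that triggered the run rather than a tag; rename it to `- name: Checkout dd-trace-java` or add a comment stating that the default ref is intended. Since `contents` is `read` and the later push is performed by commit-headless with the octo-sts token, the credentials that `actions/checkout` persists in the clone by default are not needed; adding `with:` / `persist-credentials: false` is the usual hardening so no later step can pick up `GITHUB_TOKEN` from `.git/config`. Whether commit-headless relies on git credentials in the clone is not visible in this series, so confirm that before adding it.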
@@ -67,15 +66,15 @@ jobs:
 # git checkout -b "${{ steps.define-branch.outputs.branch }}"
 # git push -u origin "${{ steps.define-branch.outputs.branch }}"
 
- - name: Define temp branch name
- # if: steps.check-branch.outputs.creating_new_branch == 'true'
- id: define-temp-branch
- run: echo "branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
-
 - name: Update system-tests references to latest commit SHA on main
 # if: steps.check-branch.outputs.creating_new_branch == 'true'
 run: BRANCH=main ./tooling/update_system_test_reference.sh
 
+ - name: Define temp branch name
+ # if: steps.check-branch.outputs.creating_new_branch == 'true'
+ id: define-temp-branch
+ run: echo "temp-branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+
 - name: Commit changes
 # if: steps.check-branch.outputs.creating_new_branch == 'true'
 id: create-commit
@@ -90,7 +89,7 @@ jobs:
 uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
 with:
 token: "${{ steps.octo-sts.outputs.token }}"
- branch: "${{ steps.define-temp-branch.outputs.branch }}"
+ branch: "${{ steps.define-temp-branch.outputs.temp-branch }}"
 head-sha: "${{ github.sha }}"
 create-branch: true
 command: push
@@ -101,9 +100,9 @@ jobs:
 env:
 GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
 run: |
- gh pr create --title "Pin system-tests for ${{ steps.define-branch.outputs.branch }}" \
+ gh pr create --title "Pin system-tests for ${{ steps.define-branch.outputs.branch }}" \
 --base "${{ steps.define-branch.outputs.branch }}" \
- --head "${{ steps.define-temp-branch.outputs.branch }}" \
+ --head "${{ steps.define-temp-branch.outputs.temp-branch }}" \
 --label "tag: dependencies" \
 --label "tag: no release notes" \
 --body "This PR pins the system-tests reference for the release branch."
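Review bot: The relocated `define-temp-branch` step redirects with an unquoted `>> $GITHUB_OUTPUT`, whereas the `define-branch` step in the same file quotes `"$GITHUB_OUTPUT"`; quote it here too, `run: echo "temp-branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> "$GITHUB_OUTPUT"`, and do the same for the `echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT` line in the commit step, which sits outside this hunk. The `# if: steps.check-branch.outputs.creating_new_branch == 'true'` comment is moved along with the step; if the guard is not coming back, removing it rather than relocating a dead condition keeps the step list readable.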