Merged with master.

Author: AlexeyKuznetsov-DD

.editorconfig

@@ -7,17 +7,54 @@ end_of_line=lf
 insert_final_newline=true
 indent_style=space
 indent_size=2
-
-[*.json]
-indent_style=space
-indent_size=2
+ij_continuation_indent_size=4
 
 [*.java]
-indent_style=space
-indent_size=2
-continuation_indent_size=4
+ij_java_class_count_to_use_import_on_demand = 99
+ij_java_insert_inner_class_imports = false
+ij_java_imports_layout = |,$*,|,*,|
+ij_java_layout_on_demand_import_from_same_package_first = true
+ij_java_layout_static_imports_separately = true
+ij_java_names_count_to_use_import_on_demand = 99
+ij_java_packages_to_use_import_on_demand = java.awt.*,javax.swing.*
+
+
+ij_java_block_comment_add_space = false
+ij_java_block_comment_at_first_column = false
+ij_java_line_comment_add_space = true
+ij_java_line_comment_add_space_on_reformat = false
+ij_java_line_comment_at_first_column = false
+
+
+[{*.groovy,*.gradle}]
+ij_groovy_class_count_to_use_import_on_demand = 99
+ij_groovy_imports_layout = $*,|,*,|
+ij_groovy_names_count_to_use_import_on_demand = 99
+ij_groovy_packages_to_use_import_on_demand = java.awt.*,javax.swing.*
+
+ij_groovy_block_comment_add_space = false
+ij_groovy_block_comment_at_first_column = false
+ij_groovy_line_comment_add_space = true
+ij_groovy_line_comment_add_space_on_reformat = false
+ij_groovy_line_comment_at_first_column = false
+
+[{*.kt,*.kts}]
+ij_kotlin_import_nested_classes = false
+ij_kotlin_imports_layout = *,java.**,javax.**,kotlin.**,^
+
+ij_kotlin_name_count_to_use_star_import = 99
+ij_kotlin_name_count_to_use_star_import_for_members = 99
+ij_kotlin_packages_to_use_import_on_demand = kotlinx.android.synthetic.**,io.ktor.**
+
+ij_kotlin_block_comment_add_space = false
+ij_kotlin_block_comment_at_first_column = false
+ij_kotlin_line_comment_add_space = true
+ij_kotlin_line_comment_add_space_on_reformat = false
+ij_kotlin_line_comment_at_first_column = false
+
 
 [{*.yml,*.yaml}]
-indent_style=space
-indent_size=2
+ij_yaml_line_comment_add_space = true
+ij_yaml_line_comment_add_space_on_reformat = false
+ij_yaml_line_comment_at_first_column = false
 

.github/chainguard/self.add-release-to-cloudfoundry.sts.yaml

@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: repo:DataDog/dd-trace-java:ref:refs/(heads/master|tags/v[0-9]+.[0-9]+.0)
+
+claim_pattern:
+  event_name: (push|workflow_dispatch)
+  ref: refs/(heads/master|tags/v[0-9]+\.[0-9]+\.0)
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/create-release-branch\.yaml@refs/heads/master
+
+permissions:
+  contents: write
+  pull_requests: write

.github/chainguard/self.update-system-tests.push.sts.yaml

@@ -107,11 +107,11 @@ _Recovery:_ Manually trigger the action again.
 
 ### analyze-changes [🔗](analyze-changes.yaml)
 
-_Trigger:_ When pushing commits to `master`.
+_Trigger:_ Every day or manually.
 
 _Action:_
 
-* Run [GitHub CodeQL](https://codeql.github.com/) action, upload result to GitHub security tab -- do not apply to pull request, only when pushing to `master`,
+* Run [GitHub CodeQL](https://codeql.github.com/) action, upload result to GitHub security tab -- do not apply to pull request, only to `master`,
 * Run [Trivy security scanner](https://github.com/aquasecurity/trivy) on built artifacts and upload result to GitHub security tab and Datadog Code Analysis.
 
 _Notes:_ Results are sent on both production and staging environments.

.github/workflows/README.md

@@ -56,7 +56,7 @@ jobs:
           git commit -a -m "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry"
           echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
       - name: Push changes
-        uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0
+        uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
         if: ${{ steps.create-commit.outputs.commit != '' }}
         with:
           branch: cloudfoundry

.github/workflows/add-release-to-cloudfoundry.yaml

@@ -1,13 +1,9 @@
 name: Analyze changes
 
 on:
-  push:
-    branches: [ master ]
-
-# Cancel long-running jobs when a new commit is pushed
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  schedule:
+    - cron: "0 20 * * *"
+  workflow_dispatch:
 
 jobs:
   codeql:
@@ -34,7 +30,7 @@ jobs:
             ${{ runner.os }}-gradle-
         
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.29.5
+        uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
         with:
           languages: 'java'
           build-mode: 'manual'
@@ -53,7 +49,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.29.5
+        uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
 
   trivy:
     name: Analyze changes with Trivy
@@ -118,7 +114,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.29.5
+        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/analyze-changes.yaml

@@ -0,0 +1,110 @@
+name: Create Release Branch and Pin System-Tests
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.0'  # Trigger on minor release tags (e.g. v1.54.0)
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'The minor release tag (e.g. v1.54.0)'
+        required: true
+        type: string
+
+jobs:
+  create-release-branch:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Allow pushing the empty release branch
+      id-token: write # Required for OIDC token federation
+    steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.update-system-tests.push
+
+      - name: Determine tag
+        id: determine-tag
+        run: |
+          if [ -n "${{ github.event.inputs.tag }}" ]; then
+            TAG=${{ github.event.inputs.tag }}
+          else
+            TAG=${GITHUB_REF#refs/tags/}
+          fi
+          if ! [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.0$ ]]; then
+            echo "Error: Tag $TAG is not in the expected format: vX.Y.0"
+            exit 1
+          fi
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+
+      - name: Define branch name from tag
+        id: define-branch
+        run: |
+          TAG=${{ steps.determine-tag.outputs.tag }}
+          BRANCH="release/${TAG%.0}.x"
+          echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout dd-trace-java at tag
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+        with:
+          ref: ${{ github.sha }}
+
+      - name: Check if branch already exists
+        id: check-branch
+        run: |
+          BRANCH=${{ steps.define-branch.outputs.branch }}
+          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+            echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
+            echo "Branch $BRANCH already exists - skipping following steps"
+          else
+            echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
+            echo "Branch $BRANCH does not exist - proceeding with following steps"
+          fi
+
+      - name: Create and push empty release branch
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        run: |
+          git checkout -b "${{ steps.define-branch.outputs.branch }}"
+          git push -u origin "${{ steps.define-branch.outputs.branch }}"
+
+      - name: Define temp branch name
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        id: define-temp-branch
+        run: echo "branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+
+      - name: Update system-tests references to latest commit SHA on main
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        run: BRANCH=main ./tooling/update_system_test_reference.sh
+
+      - name: Commit changes
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        id: create-commit
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+      
+      - name: Push changes to temp branch
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
+        with:
+          token: "${{ steps.octo-sts.outputs.token }}"
+          branch: "${{ steps.define-temp-branch.outputs.branch }}"
+          head-sha: "${{ github.sha }}"
+          create-branch: true
+          command: push
+          commits: "${{ steps.create-commit.outputs.commit }}"
+
+      - name: Create pull request from temp branch to release branch
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        env:
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+        run: |
+          gh pr create  --title "Pin system-tests for ${{ steps.define-branch.outputs.branch }}" \
+            --base "${{ steps.define-branch.outputs.branch }}" \
+            --head "${{ steps.define-temp-branch.outputs.branch }}" \
+            --label "tag: dependencies" \
+            --label "tag: no release notes" \
+            --body "This PR pins the system-tests reference for the release branch."

.github/workflows/create-release-branch.yaml

@@ -60,14 +60,17 @@ jobs:
   main:
     needs:
     - build
-    uses:  DataDog/system-tests/.github/workflows/system-tests.yml@main
+    # If you change the following comment, update the pattern in the update_system_test_reference.sh script to match.
+    uses: DataDog/system-tests/.github/workflows/system-tests.yml@main # system tests are pinned for releases only
     secrets: inherit
     permissions:
       contents: read
       id-token: write
       packages: write
     with:
       library: java
+       # If you change the following comment, update the pattern in the update_system_test_reference.sh script to match.
+      ref: main # system tests are pinned for releases only
       binaries_artifact: binaries
       desired_execution_time: 900  # 15 minutes
       scenarios_groups: tracer-release

.github/workflows/run-system-tests.yaml

@@ -71,14 +71,15 @@ jobs:
           git commit -m "feat(ci): Update Docker build image" .gitlab-ci.yml
           echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
       - name: Push changes
-        uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0
+        uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
         if: steps.check-changes.outputs.commit_changes == 'true'
         with:
           token: "${{ steps.octo-sts.outputs.token }}"
           branch: "${{ steps.define-branch.outputs.branch }}"
           # for scheduled runs, sha is the tip of the default branch
           # for dispatched runs, sha is the tip of the branch it was dispatched on
-          branch-from: "${{ github.sha }}"
+          head-sha: "${{ github.sha }}"
+          create-branch: true
           command: push
           commits: "${{ steps.create-commit.outputs.commit }}"
       - name: Create pull request

.github/workflows/update-docker-build-image.yaml

@@ -26,6 +26,7 @@ jobs:
         env:
           ORG_GRADLE_PROJECT_akkaRepositoryToken: ${{ secrets.AKKA_REPO_TOKEN }}
         run: |
+          find . -name 'gradle.lockfile' -delete
           GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx3G -Xms2G'" \
           JAVA_HOME=$JAVA_HOME_8_X64 \
           JAVA_8_HOME=$JAVA_HOME_8_X64 \
@@ -57,14 +58,15 @@ jobs:
           git commit -a -m "chore: Update Gradle dependencies"
           echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
       - name: Push changes
-        uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0
+        uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
         if: steps.check-changes.outputs.commit_changes == 'true'
         with:
           token: "${{ steps.octo-sts.outputs.token }}"
           branch: "${{ steps.define-branch.outputs.branch }}"
           # for scheduled runs, sha is the tip of the default branch
           # for dispatched runs, sha is the tip of the branch it was dispatched on
-          branch-from: "${{ github.sha }}"
+          head-sha: "${{ github.sha }}"
+          create-branch: true
           command: push
           commits: "${{ steps.create-commit.outputs.commit }}"
       - name: Create pull request