Add workflow and debugging

(cherry picked from commit 3feedd7)

Author: sarahchen6

.gitlab-ci.yml

@@ -797,6 +797,35 @@ deploy_to_sonatype:
       - 'workspace/dd-trace-api/build/libs/*.jar'
       - 'workspace/dd-trace-ot/build/libs/*.jar'
 
+get_github_token:
+  stage: publish
+  image: registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1
+  tags: [ "arch:amd64" ]
+  
+  id_tokens:
+    DDOCTOSTS_ID_TOKEN:
+      aud: dd-octo-sts
+
+  rules:
+    - if: '$POPULATE_CACHE'
+      when: never
+    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/'
+      when: on_success
+
+  script:
+    - dd-octo-sts version
+    - dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release
+    - dd-octo-sts token --scope DataDog/dd-trace-java --policy dd-trace-java.release > github-token.txt
+    # DEBUG
+    - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO")
+    - echo "Token file size:" $(wc -c < github-token.txt) "bytes"
+    - echo "Token preview:" $(head -c 10 github-token.txt)...
+
+  artifacts:
+    paths:
+      - github-token.txt
+    expire_in: 1 hour # tokens generated by dd-octo-sts only last for 1 hour
+
 deploy_artifacts_to_github:
   stage: publish
   image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0
@@ -811,16 +840,21 @@ deploy_artifacts_to_github:
     - job: deploy_to_sonatype
       # The deploy_to_sonatype job is not run for release candidate versions
       optional: true
+    - job: get_github_token
+
   script:
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt
+    # - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt
+    # Debug token reception
+    - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO")
+    - echo "Token file size:" $(wc -c < github-token.txt) "bytes"
     - gh auth login --with-token < github-token.txt
     - gh auth status  # Maybe helpful to have this output in logs?
-    - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version
-    - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames
-    - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar
-    - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar
-    - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar
-    - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar
+    # - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version
+    # - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames
+    # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar
+    # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar
+    # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar
+    # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar
   retry:
     max: 2
     when: always