Add GHA workflow to create a release branch and pin system tests commit sha after minor release

sarahchen6 · sarahchen6 · commit 805a42e72e9f · 2025-10-16T14:21:01.000-04:00
diff --git a/.github/chainguard/self.update-system-tests.push.sts.yaml b/.github/chainguard/self.update-system-tests.push.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/(heads/master|tags/v[0-9]+.[0-9]+.0)
+
+claim_pattern:
+  event_name: (push|workflow_dispatch)
+  ref: refs/(heads/master|tags/v[0-9]+\.[0-9]+\.0)
+  ref_protected: "true"
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/create-release-branch\.yaml@refs/heads/master
+
+permissions:
+  contents: write
diff --git a/.github/scripts/update_system_test_reference.sh b/.github/scripts/update_system_test_reference.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# This script updates the reference in a YAML file.
+
+# Check if required environment variables are set
+if [ -z "$TARGET" ]; then
+    echo "Error: TARGET environment variable is not set"
+    exit 1
+fi
+
+if [ -z "$REF" ]; then
+    echo "Error: REF environment variable is not set"
+    exit 1
+fi
+
+if [ -z "$PATTERN" ]; then
+    echo "Error: PATTERN environment variable is not set"
+    exit 1
+fi
+
+echo "Target: $TARGET"
+echo "Ref: $REF"
+
+# Remove leading and trailing forward slashes from pattern
+CLEAN_PATTERN=$(echo "$PATTERN" | sed 's/^\///;s/\/$//')
+echo "Pattern: $CLEAN_PATTERN"
+
+# Create a temporary file
+TEMP_FILE=$(mktemp)
+
+# Read the file and perform the substitution
+if [ -f "$TARGET" ]; then
+    # Perform the substitution and save to temporary file
+    # We use perl here because sed's regex support varies across platforms
+    perl -pe "s/$CLEAN_PATTERN/\${1}$REF\${3}/g" "$TARGET" > "$TEMP_FILE"
+
+    # Compare files to check if any changes were made
+    if cmp -s "$TARGET" "$TEMP_FILE"; then
+        echo "No references found in $TARGET"
+    else
+        # Copy the temp file back to the target
+        cp "$TEMP_FILE" "$TARGET"
+        echo "✓ Updated references in $TARGET"
+    fi
+else
+    echo "Error: Target file $TARGET does not exist"
+    rm -f "$TEMP_FILE"
+    exit 1
+fi
+
+# Clean up temporary file
+rm -f "$TEMP_FILE"
diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
@@ -0,0 +1,115 @@
+name: Create Release Branch and Pin System-Tests
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.0'  # Trigger on minor release tags (e.g. v1.54.0)
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'The minor release tag (e.g. v1.54.0)'
+        required: true
+        type: string
+
+jobs:
+  create-release-branch:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # Required for OIDC token federation
+    steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.create-release-branch.push
+
+      - name: Determine tag
+        id: determine-tag
+        run: |
+          if [ -n "${{ github.event.inputs.tag }}" ]; then
+            TAG=${{ github.event.inputs.tag }}
+          else
+            TAG=${GITHUB_REF#refs/tags/}
+          fi
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "Processing release tag: ${TAG}"
+
+      - name: Validate tag format
+        run: |
+          TAG=${{ steps.determine-tag.outputs.tag }}
+          if ! [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.0$ ]]; then
+            echo "Error: Tag $TAG is not a valid minor release tag (expected format: vX.Y.0)"
+            exit 1
+          fi
+          echo "Tag format is valid"
+
+      - name: Define branch name from tag
+        id: define-branch
+        run: |
+          TAG=${{ steps.determine-tag.outputs.tag }}
+          BRANCH=$(echo "$TAG" | sed -E 's/^(v[0-9]+\.[0-9]+)\.0$/release\/\1.x/')
+          echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+          echo "Target branch: ${BRANCH}"
+
+      - name: Checkout dd-trace-java
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+      - name: Check if branch already exists
+        id: check-branch
+        run: |
+          BRANCH=${{ steps.define-branch.outputs.branch }}
+          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+            echo "Branch $BRANCH already exists, skipping following steps"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+            echo "Branch $BRANCH does not exist, proceeding with following steps"
+          fi
+
+      - name: Checkout system-tests to get latest SHA
+        if: steps.check-branch.outputs.exists == 'false'
+        id: system-test-ref
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+        with:
+          repository: "DataDog/system-tests"
+          path: system-tests
+          ref: main
+
+      - name: Update reference 1/2 in run-system-tests.yaml
+        if: steps.check-branch.outputs.exists == 'false'
+        run: .github/scripts/update_system_test_reference.sh
+        env:
+          TARGET: ".github/workflows/run-system-tests.yaml"
+          PATTERN: '(\s*system-tests\.yml@)(\S+)(\s+# system tests.*)'
+          REF: ${{ steps.system-test-ref.outputs.commit }}
+
+      - name: Update reference 2/2 in run-system-tests.yaml
+        if: steps.check-branch.outputs.exists == 'false'
+        run: .github/scripts/update_system_test_reference.sh
+        env:
+          TARGET: ".github/workflows/run-system-tests.yaml"
+          PATTERN: '(\s*ref: )(\S+)(\s+# system tests.*)'
+          REF: ${{ steps.system-test-ref.outputs.commit }}
+
+      - name: Commit changes
+        if: steps.check-branch.outputs.exists == 'false'
+        id: create-commit
+        run: |
+          BRANCH=${{ steps.define-branch.outputs.branch }}
+          SHA=${{ steps.system-test-ref.outputs.commit }}
+          
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+      
+      - name: Push changes
+        if: steps.check-branch.outputs.exists == 'false'
+        uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
+        with:
+          token: "${{ steps.octo-sts.outputs.token }}"
+          branch: "${{ steps.define-branch.outputs.branch }}"
+          branch-from: "${{ github.sha }}"
+          command: push
+          commits: "${{ steps.create-commit.outputs.commit }}"
diff --git a/.github/workflows/run-system-tests.yaml b/.github/workflows/run-system-tests.yaml
@@ -60,14 +60,15 @@ jobs:
   main:
     needs:
     - build
-    uses:  DataDog/system-tests/.github/workflows/system-tests.yml@main
+    uses:  DataDog/system-tests/.github/workflows/system-tests.yml@main # system tests are pinned for releases only: the create-release-branch workflow depends on this comment to update the reference
     secrets: inherit
     permissions:
       contents: read
       id-token: write
       packages: write
     with:
       library: java
+      ref: main # system tests are pinned for releases only: the create-release-branch workflow depends on this comment to update the reference
       binaries_artifact: binaries
       desired_execution_time: 900  # 15 minutes
       scenarios_groups: tracer-release
