Merge remote-tracking branch 'origin/master' into vandonr/jdbc-ff

Author: vandonr

.editorconfig

@@ -26,7 +26,7 @@ ij_java_line_comment_add_space_on_reformat = false
 ij_java_line_comment_at_first_column = false
 
 
-[*.groovy]
+[{*.groovy,*.gradle}]
 ij_groovy_class_count_to_use_import_on_demand = 99
 ij_groovy_imports_layout = $*,|,*,|
 ij_groovy_names_count_to_use_import_on_demand = 99

.github/CODEOWNERS

@@ -115,6 +115,9 @@
 **/datastreams/                                                              @DataDog/data-streams-monitoring
 **/DataStreams*                                                              @DataDog/data-streams-monitoring
 
+# @DataDog/feature-flagging-and-experimentation-sdk
+/products/feature-flagging/                           @DataDog/feature-flagging-and-experimentation-sdk
+
 # @DataDog/profiling-java
 /dd-java-agent/agent-profiling/                                                             @DataDog/profiling-java
 /dd-java-agent/agent-crashtracking/                                                         @DataDog/profiling-java

.github/chainguard/self.update-system-tests.push.sts.yaml

@@ -36,6 +36,14 @@ _Action:_ Check the pull request did not introduce unexpected label.
 
 _Recovery:_ Update the pull request or add a comment to trigger the action again.
 
+### create-release-branch [🔗](create-release-branch.yaml)
+
+_Trigger:_ When a git tag matching the pattern "vM.N.0" is pushed (e.g. for a minor release).
+
+_Action:_ Create a release branch that corresponds to the pushed tag (e.g. "release/vM.N.x").
+
+_Recovery:_ Manually create the branch from the "vM.N.0" git tag.
+
 ### draft-release-notes-on-tag [🔗](draft-release-notes-on-tag.yaml)
 
 _Trigger:_ When creating a tag, or manually (providing a tag)
@@ -61,6 +69,15 @@ _Recovery:_ Manually [close the related milestone and create a new one](https://
 
 _Notes:_ This action will not apply to release candidate versions using `-RC` tags.
 
+### prune-old-pull-requests [🔗](prune-old-pull-requests.yaml)
+
+_Trigger:_ Every month or manually.
+
+_Action:_ Mark as stale and comment on pull requests with no update during the last quarter.
+Close them if no following update within a week.
+
+_Recovery:_ Manually trigger the action again.
+
 ### update-docker-build-image [🔗](update-docker-build-image.yaml)
 
 _Trigger:_ Quarterly released, loosely [a day after the new image tag is created](https://github.com/DataDog/dd-trace-java-docker-build/blob/master/.github/workflows/docker-tag.yml).
@@ -93,25 +110,15 @@ _Action:_
 
 _Recovery:_ Check at the milestone for the related issues and update them manually.
 
-
-### prune-old-pull-requests [🔗](prune-old-pull-requests.yaml)
-
-_Trigger:_ Every month or manually.
-
-_Action:_ Mark as stale and comment on pull requests with no update during the last quarter.
-Close them if no following update within a week.
-
-_Recovery:_ Manually trigger the action again.
-
 ## Code Quality and Security
 
 ### analyze-changes [🔗](analyze-changes.yaml)
 
-_Trigger:_ When pushing commits to `master`.
+_Trigger:_ Every day or manually.
 
 _Action:_
 
-* Run [GitHub CodeQL](https://codeql.github.com/) action, upload result to GitHub security tab -- do not apply to pull request, only when pushing to `master`,
+* Run [GitHub CodeQL](https://codeql.github.com/) action, upload result to GitHub security tab -- do not apply to pull request, only to `master`,
 * Run [Trivy security scanner](https://github.com/aquasecurity/trivy) on built artifacts and upload result to GitHub security tab and Datadog Code Analysis.
 
 _Notes:_ Results are sent on both production and staging environments.
@@ -122,14 +129,6 @@ _Trigger:_ When creating a PR commits to `master` or a `release/*` branch with a
 
 _Action:_ Notify the PR author through comments that about the Git Submodule update.
 
-### update-gradle-dependencies [🔗](update-gradle-dependencies.yaml)
-
-_Trigger:_ Every week or manually.
-
-_Action:_ Create a PR updating the Grade dependencies and their locking files.
-
-_Recovery:_ Manually trigger the action again.
-
 ### run-system-tests [🔗](run-system-tests.yaml)
 
 _Trigger:_ When pushing commits to `master` or manually.
@@ -138,6 +137,14 @@ _Action:_ Build the Java Client Library and runs [the system tests](https://gith
 
 _Recovery:_ Manually trigger the action on the desired branch.
 
+### update-gradle-dependencies [🔗](update-gradle-dependencies.yaml)
+
+_Trigger:_ Every week or manually.
+
+_Action:_ Create a PR updating the Grade dependencies and their locking files.
+
+_Recovery:_ Manually trigger the action again.
+
 ### update-jmxfetch-submodule [🔗](update-jmxfetch-submodule.yaml)
 
 _Trigger:_ Monthly or manually

.github/workflows/README.md

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout "cloudfoundry" branch
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
           ref: cloudfoundry
       - name: Get release version
@@ -53,7 +53,8 @@ jobs:
             exit 0;
           fi
 
-          git commit -a -m "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry"
+          git add --all
+          git commit -m "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry"
           echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
       - name: Push changes
         uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1

.github/workflows/add-release-to-cloudfoundry.yaml

@@ -1,13 +1,9 @@
 name: Analyze changes
 
 on:
-  push:
-    branches: [ master ]
-
-# Cancel long-running jobs when a new commit is pushed
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  schedule:
+    - cron: "0 20 * * *"
+  workflow_dispatch:
 
 jobs:
   codeql:
@@ -20,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
           submodules: 'recursive'
       - name: Cache Gradle dependencies
@@ -34,7 +30,7 @@ jobs:
             ${{ runner.os }}-gradle-
         
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           languages: 'java'
           build-mode: 'manual'
@@ -53,7 +49,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
 
   trivy:
     name: Analyze changes with Trivy
@@ -65,7 +61,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
           submodules: 'recursive'
 
@@ -118,7 +114,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/analyze-changes.yaml

@@ -45,7 +45,7 @@ jobs:
               repo: context.repo.repo
             })
             const commentMarker = '<!-- dd-trace-java-check-pr-labels-workflow -->'
-            const blockingComment = comments.data.find(comment => comment.body.includes(commentMarker))
+            let blockingComment = comments.data.find(comment => comment.body.includes(commentMarker))
             // Create or update blocking comment if there are invalid labels
             if (hasInvalidLabels) {
               const commentBody = '**PR Blocked - Invalid Label**\n\n' +

.github/workflows/check-pull-request-labels.yaml

@@ -1,9 +1,9 @@
-name: Create Release Branch and Pin System-Tests
+name: Create Release Branch
 
 on:
   push:
     tags:
-      - 'v[0-9]+.[0-9]+.0'  # Trigger on minor release tags (e.g. v1.54.0)
+      - 'v[0-9]+.[0-9]+.0' # Trigger on minor release tags (e.g. v1.54.0)
   workflow_dispatch:
     inputs:
       tag:
@@ -15,15 +15,8 @@ jobs:
   create-release-branch:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      id-token: write # Required for OIDC token federation
+      contents: write # Allow pushing the release branch
     steps:
-      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
-        id: octo-sts
-        with:
-          scope: DataDog/dd-trace-java
-          policy: self.update-system-tests.push
-
       - name: Determine tag
         id: determine-tag
         run: |
@@ -42,43 +35,27 @@ jobs:
         id: define-branch
         run: |
           TAG=${{ steps.determine-tag.outputs.tag }}
-          BRANCH="release/${TAG%.0}.x"
-          echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+          echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"
 
-      - name: Checkout dd-trace-java
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+      - name: Checkout dd-trace-java at tag
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        with:
+          ref: ${{ steps.determine-tag.outputs.tag }}
 
       - name: Check if branch already exists
         id: check-branch
         run: |
           BRANCH=${{ steps.define-branch.outputs.branch }}
           if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
             echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
-            echo "Branch $BRANCH already exists - skipping following steps"
+            echo "Branch $BRANCH already exists - skipping creation"
           else
             echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
-            echo "Branch $BRANCH does not exist - proceeding with following steps"
+            echo "Branch $BRANCH does not exist - creating it now"
           fi
 
-      - name: Update system-tests references to latest commit SHA on main
+      - name: Create and push release branch
         if: steps.check-branch.outputs.creating_new_branch == 'true'
-        run: BRANCH=main ./tooling/update_system_test_reference.sh
-
-      - name: Commit changes
-        if: steps.check-branch.outputs.creating_new_branch == 'true'
-        id: create-commit
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
-          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
-      
-      - name: Push changes
-        if: steps.check-branch.outputs.creating_new_branch == 'true'
-        uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
-        with:
-          token: "${{ steps.octo-sts.outputs.token }}"
-          branch: "${{ steps.define-branch.outputs.branch }}"
-          branch-from: "${{ github.sha }}"
-          command: push
-          commits: "${{ steps.create-commit.outputs.commit }}"
+          git checkout -b "${{ steps.define-branch.outputs.branch }}"
+          git push -u origin "${{ steps.define-branch.outputs.branch }}"

.github/workflows/create-release-branch.yaml

@@ -23,7 +23,7 @@ jobs:
       group: APM Larger Runners
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
           submodules: 'recursive'
           fetch-depth: 0
@@ -52,7 +52,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
         with:
           name: binaries
           path: workspace/dd-java-agent/build/libs/
@@ -84,4 +84,15 @@ jobs:
     if: ${{ always() }}
     needs: [build, main]
     steps:
-    - run: exit 0
+      - name: Fail if build failed
+        if: ${{ needs.build.result != 'success' }}
+        run: |
+          echo "❌ Build job did not succeed: ${{ needs.build.result }}"
+          exit 1
+      - name: Fail if main failed or is skipped
+        if: ${{ needs.main.result != 'success' }}
+        run: |
+          echo "❌ Main job did not succeed: ${{ needs.main.result }}"
+          exit 1    
+      - name: Success
+        run: echo "✅ All required jobs succeeded."

.github/workflows/run-system-tests.yaml

@@ -25,7 +25,7 @@ jobs:
           policy: self.update-docker-build-image.create-pr
 
       - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Define the Docker build image tag to use
         id: define-tag
         run: |
@@ -78,7 +78,8 @@ jobs:
           branch: "${{ steps.define-branch.outputs.branch }}"
           # for scheduled runs, sha is the tip of the default branch
           # for dispatched runs, sha is the tip of the branch it was dispatched on
-          branch-from: "${{ github.sha }}"
+          head-sha: "${{ github.sha }}"
+          create-branch: true
           command: push
           commits: "${{ steps.create-commit.outputs.commit }}"
       - name: Create pull request