Merge remote-tracking branch 'origin/master' into vandonr/jdbc-ff

Author: vandonr

.github/chainguard/self.update-system-tests.push.sts.yaml

@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/(heads/master|tags/v[0-9]+.[0-9]+.0)
+
+claim_pattern:
+  event_name: (push|workflow_dispatch)
+  ref: refs/(heads/master|tags/v[0-9]+\.[0-9]+\.0)
+  ref_protected: "true"
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/create-release-branch\.yaml@refs/heads/master
+
+permissions:
+  contents: write

.github/workflows/create-release-branch.yaml

@@ -0,0 +1,84 @@
+name: Create Release Branch and Pin System-Tests
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.0'  # Trigger on minor release tags (e.g. v1.54.0)
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'The minor release tag (e.g. v1.54.0)'
+        required: true
+        type: string
+
+jobs:
+  create-release-branch:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # Required for OIDC token federation
+    steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.update-system-tests.push
+
+      - name: Determine tag
+        id: determine-tag
+        run: |
+          if [ -n "${{ github.event.inputs.tag }}" ]; then
+            TAG=${{ github.event.inputs.tag }}
+          else
+            TAG=${GITHUB_REF#refs/tags/}
+          fi
+          if ! [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.0$ ]]; then
+            echo "Error: Tag $TAG is not in the expected format: vX.Y.0"
+            exit 1
+          fi
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+
+      - name: Define branch name from tag
+        id: define-branch
+        run: |
+          TAG=${{ steps.determine-tag.outputs.tag }}
+          BRANCH="release/${TAG%.0}.x"
+          echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout dd-trace-java
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+      - name: Check if branch already exists
+        id: check-branch
+        run: |
+          BRANCH=${{ steps.define-branch.outputs.branch }}
+          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+            echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
+            echo "Branch $BRANCH already exists - skipping following steps"
+          else
+            echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
+            echo "Branch $BRANCH does not exist - proceeding with following steps"
+          fi
+
+      - name: Update system-tests references to latest commit SHA on main
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        run: BRANCH=main ./tooling/update_system_test_reference.sh
+
+      - name: Commit changes
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        id: create-commit
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+      
+      - name: Push changes
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
+        with:
+          token: "${{ steps.octo-sts.outputs.token }}"
+          branch: "${{ steps.define-branch.outputs.branch }}"
+          branch-from: "${{ github.sha }}"
+          command: push
+          commits: "${{ steps.create-commit.outputs.commit }}"

.github/workflows/run-system-tests.yaml

@@ -60,14 +60,17 @@ jobs:
   main:
     needs:
     - build
-    uses:  DataDog/system-tests/.github/workflows/system-tests.yml@main
+    # If you change the following comment, update the pattern in the update_system_test_reference.sh script to match.
+    uses: DataDog/system-tests/.github/workflows/system-tests.yml@main # system tests are pinned for releases only
     secrets: inherit
     permissions:
       contents: read
       id-token: write
       packages: write
     with:
       library: java
+       # If you change the following comment, update the pattern in the update_system_test_reference.sh script to match.
+      ref: main # system tests are pinned for releases only
       binaries_artifact: binaries
       desired_execution_time: 900  # 15 minutes
       scenarios_groups: tracer-release

.gitlab-ci.yml

@@ -3,7 +3,7 @@ include:
   - local: ".gitlab/benchmarks.yml"
   - local: ".gitlab/macrobenchmarks.yml"
   - local: ".gitlab/exploration-tests.yml"
-  - local: ".gitlab/ci-visibility-tests.yml"
+  #  - local: ".gitlab/ci-visibility-tests.yml"
 
 stages:
   - build
@@ -167,15 +167,14 @@ default:
   before_script:
     - source .gitlab/gitlab-utils.sh
     # Akka token added to SSM from https://account.akka.io/token
-    - export AKKA_REPO_TOKEN=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.akka_repo_token --with-decryption --query "Parameter.Value" --out text)
+    - export ORG_GRADLE_PROJECT_akkaRepositoryToken=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.akka_repo_token --with-decryption --query "Parameter.Value" --out text)
     - mkdir -p .gradle
     - export GRADLE_USER_HOME=$(pwd)/.gradle
     - |
       # Don't put jvm args here as it will be picked up by child gradle processes used in tests
       cat << EOF > $GRADLE_USER_HOME/gradle.properties
       mavenRepositoryProxy=$MAVEN_REPOSITORY_PROXY
       gradlePluginProxy=$GRADLE_PLUGIN_PROXY
-      akkaRepositoryToken=$AKKA_REPO_TOKEN
       EOF
     - |
       # replace maven central part by MAVEN_REPOSITORY_PROXY in .mvn/wrapper/maven-wrapper.properties
@@ -727,7 +726,7 @@ test_smoke_graalvm:
     NON_DEFAULT_JVMS: "true"
   parallel:
     matrix:
-      - testJvm: ["graalvm17", "graalvm21"]
+      - testJvm: ["graalvm17", "graalvm21", "graalvm25"]
 
 test_smoke_semeru8_debugger:
   extends: .test_job

.gitlab/ci-visibility-tests.yml

@@ -1,19 +1,77 @@
-run-ci-visibility-test-environment:
-  stage: ci-visibility-tests
-  when: manual
-  needs: []
-  trigger:
-    project: DataDog/apm-reliability/test-environment
-    branch: main
-    strategy: depend
-  variables:
-    UPSTREAM_PACKAGE_JOB: build
-    UPSTREAM_PROJECT_ID: $CI_PROJECT_ID
-    UPSTREAM_PROJECT_NAME: $CI_PROJECT_NAME
-    UPSTREAM_PIPELINE_ID: $CI_PIPELINE_ID
-    UPSTREAM_BRANCH: $CI_COMMIT_BRANCH
-    UPSTREAM_TAG: $CI_COMMIT_TAG
-    UPSTREAM_COMMIT_AUTHOR: $CI_COMMIT_AUTHOR
-    UPSTREAM_COMMIT_SHORT_SHA: $CI_COMMIT_SHORT_SHA
-    TRACER_LANG: java
-    JAVA_TRACER_REF_TO_TEST: $CI_COMMIT_BRANCH
+#check-ci-visibility-label:
+#  stage: publish
+#  image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1
+#  tags: [ "arch:amd64" ]
+#  needs: [ publish-artifacts-to-s3 ]
+#  id_tokens:
+#    DDOCTOSTS_ID_TOKEN:
+#      aud: dd-octo-sts
+#  rules:
+#    # - if: '$POPULATE_CACHE'
+#    #   when: never
+#    # - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH !~ /^(master|release\/)/'
+#    #   when: on_success
+#    - when: never
+#  before_script:
+#    - dd-octo-sts version
+#    - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.github-access.read
+#    - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.github-access.read > github-token.txt
+#    - gh auth login --with-token < github-token.txt
+#  script:
+#    - |
+#      # Source utility functions
+#      source .gitlab/ci_visibility_utils.sh
+#      
+#      # Get PR number
+#      if ! PR_NUMBER=$(get_pr_number "${CI_COMMIT_BRANCH}"); then
+#        echo "No open PR found for branch ${CI_COMMIT_BRANCH}"
+#        exit 1
+#      fi
+#      
+#      echo "Found PR #${PR_NUMBER}"
+#      
+#      # Check if PR has the CI visibility label
+#      if pr_has_label "$PR_NUMBER" "comp: ci visibility"; then
+#        echo "PR_NUMBER=${PR_NUMBER}" > pr.env
+#        echo "PR #${PR_NUMBER} detected as CI Visibility PR"
+#        exit 0
+#      else
+#        echo "PR #${PR_NUMBER} not a CI Visibility PR, ignoring trigger"
+#        exit 1
+#      fi
+#  after_script:
+#    - dd-octo-sts revoke -t $(cat github-token.txt) || true
+#  artifacts:
+#    reports:
+#      dotenv: pr.env
+#  allow_failure: true
+#  retry:
+#    max: 2
+#    when: always
+#
+#run-ci-visibility-test-environment:
+#  stage: ci-visibility-tests
+#  needs:
+#    - job: check-ci-visibility-label
+#      artifacts: true
+#  rules:
+#    - if: '$POPULATE_CACHE'
+#      when: never
+#    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH !~ /^(master|release\/)/'
+#      when: on_success
+#  trigger:
+#    project: DataDog/apm-reliability/test-environment
+#    branch: main
+#    strategy: depend
+#  variables:
+#    UPSTREAM_PACKAGE_JOB: build
+#    UPSTREAM_PROJECT_ID: $CI_PROJECT_ID
+#    UPSTREAM_PROJECT_NAME: $CI_PROJECT_NAME
+#    UPSTREAM_PIPELINE_ID: $CI_PIPELINE_ID
+#    UPSTREAM_BRANCH: $CI_COMMIT_BRANCH
+#    UPSTREAM_TAG: $CI_COMMIT_TAG
+#    UPSTREAM_COMMIT_AUTHOR: $CI_COMMIT_AUTHOR
+#    UPSTREAM_COMMIT_SHORT_SHA: $CI_COMMIT_SHORT_SHA
+#    TRACER_LANG: java
+#    JAVA_TRACER_REF_TO_TEST: $CI_COMMIT_BRANCH
+#    JAVA_TRACER_PR_TO_TEST: $PR_NUMBER

.gitlab/ci_visibility_utils.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+function get_pr_number() {
+  local branch=$1
+
+  if [ -z "$branch" ]; then
+    echo "Error: Branch name is required" >&2
+    return 1
+  fi
+
+  local pr_number
+  pr_number=$(gh pr list --repo DataDog/dd-trace-java --head "$branch" --state open --json number --jq '.[0].number')
+
+  if [ -z "$pr_number" ]; then
+    echo "Error: No open PR found for branch $branch" >&2
+    return 1
+  fi
+
+  echo "$pr_number"
+  return 0
+}
+
+function get_pr_labels() {
+  local pr_number=$1
+
+  if [ -z "$pr_number" ]; then
+    echo "Error: PR number is required" >&2
+    return 1
+  fi
+
+  local labels
+  labels=$(gh pr view "$pr_number" --repo DataDog/dd-trace-java --json labels --jq '.labels[].name')
+
+  if [ -z "$labels" ]; then
+    echo "Warning: No labels found for PR #$pr_number" >&2
+    return 1
+  fi
+
+  echo "$labels"
+  return 0
+}
+
+function pr_has_label() {
+  local pr_number=$1
+  local target_label=$2
+
+  if [ -z "$pr_number" ] || [ -z "$target_label" ]; then
+    echo "Error: PR number and label are required" >&2
+    return 1
+  fi
+
+  local labels
+  if ! labels=$(get_pr_labels "$pr_number"); then
+    return 1
+  fi
+
+  if echo "$labels" | grep -q "$target_label"; then
+    return 0
+  else
+    return 1
+  fi
+}

BUILDING.md

@@ -8,6 +8,7 @@ This documentation provides information for developers to set up their environme
   * [Install the required JDKs](#install-the-required-jdks)
   * [Install git](#install-git)
   * [Install Docker Desktop](#install-docker-desktop)
+  * [Configure Akka Token](#configure-akka-token)
 * [Clone the repository and set up git](#clone-the-repository-and-set-up-git)
 * [Building the project](#building-the-project)
 
@@ -248,6 +249,18 @@ winget install --id Docker.DockerDesktop
 > [!NOTE]
 > Both git configurations (hooks and submodule) will only be applied to this project and won't apply globally in your setup.
 
+### Configure Akka Token
+> [!NOTE]
+> You can skip this step if you don’t need instrumentation for the **akka-http-10.6** module.
+> For background on why Akka now requires authentication, see this [article](https://akka.io/blog/why-we-are-changing-the-license-for-akka).
+
+To enable access to Akka artifacts hosted on Lightbend’s private repository, you’ll need to configure an authentication token.
+1. Obtain a repository token. Visit the Akka account [page](https://account.akka.io/token) to generate a secure repository token.
+2. Set up the environment variable. Create an environment variable named:
+```shell
+  ORG_GRADLE_PROJECT_akkaRepositoryToken=<your_token>
+```
+
 ## Building the project
 
 After everything is properly set up, you can move on to the next section to start a build or check [the contribution guidelines](CONTRIBUTING.md).

communication/src/main/java/datadog/communication/monitor/DDAgentStatsDConnection.java

@@ -162,7 +162,6 @@ private void doConnect() {
             log.debug("StatsD connected to {}", statsDAddress());
           }
         } catch (final Exception e) {
-          log.error("Unable to create StatsD client - {}", statsDAddress(), e);
           if (retries.getAndIncrement() < MAX_RETRIES) {
             if (log.isDebugEnabled()) {
               log.debug(
@@ -173,6 +172,8 @@ private void doConnect() {
           } else {
             log.debug("Max retries have been reached. Will not attempt again.");
           }
+        } catch (Throwable t) {
+          log.error("Unable to create StatsD client - {} - Will not retry", statsDAddress(), t);
         }
       }
     }
@@ -186,7 +187,7 @@ private void discoverConnectionSettings() {
 
     if (null == host) {
       if (!OperatingSystem.isWindows() && new File(DEFAULT_DOGSTATSD_SOCKET_PATH).exists()) {
-        log.info("Detected {}.  Using it to send StatsD data.", DEFAULT_DOGSTATSD_SOCKET_PATH);
+        log.info("Detected {}. Using it to send StatsD data.", DEFAULT_DOGSTATSD_SOCKET_PATH);
         host = DEFAULT_DOGSTATSD_SOCKET_PATH;
         port = 0; // tells dogstatsd client to treat host as a socket path
       } else {

dd-java-agent/agent-bootstrap/build.gradle

@@ -27,6 +27,9 @@ dependencies {
   api project(':components:json')
   api libs.slf4j
   // ^ Generally a bad idea for libraries, but we're shadowing.
+  api(variantOf(libs.instrumentjava, { classifier("all") })) {
+    transitive = false
+  }
 
   testImplementation project(':dd-java-agent:testing')
 }