Rework gitlab-ci workflow

Author: sarahchen6

.gitlab-ci.yml

@@ -800,12 +800,14 @@ deploy_to_maven_central:
       - 'workspace/dd-trace-api/build/libs/*.jar'
       - 'workspace/dd-trace-ot/build/libs/*.jar'
 
-get_github_token:
+deploy_artifacts_to_github:
   stage: publish
-  image: registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1
-  tags: [ "arch:amd64" ]
+  image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0
+  tags: [ "docker-in-docker:amd64" ]
   needs: []  # DEBUG: Enforce no dependencies to run immediately
-  
+  services:
+    - docker:dind
+
   id_tokens:
     DDOCTOSTS_ID_TOKEN:
       aud: dd-octo-sts
@@ -817,43 +819,28 @@ get_github_token:
     #   when: on_success
     - when: manual # DEBUG: Allow manual trigger
       allow_failure: true
-
-  script:
-    - dd-octo-sts version
-    - dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release
-    - dd-octo-sts token --scope DataDog/dd-trace-java --policy dd-trace-java.release > github-token.txt
-    # DEBUG: Check token file
-    - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO")
-    - echo "Token file size:" $(wc -c < github-token.txt) "bytes"
-    - echo "Token preview:" $(head -c 10 github-token.txt)...
-
-  artifacts:
-    paths:
-      - github-token.txt
-    expire_in: 1 hour # tokens generated by dd-octo-sts only last for 1 hour
-
-deploy_artifacts_to_github:
-  stage: publish
-  image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0
-  rules:
-    - if: '$POPULATE_CACHE'
-      when: never
-    # - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/'
-    #   when: on_success
-    - when: manual # DEBUG: Allow manual trigger
-      allow_failure: true
-  # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken)
-  # This will deploy the artifacts built from the publishToSonatype task to the GitHub release
+  
   needs:
     - job: deploy_to_maven_central
       # The deploy_to_maven_central job is not run for release candidate versions
       optional: true
-    - job: get_github_token
 
   script:
-    # DEBUG: Check token file
+    # Get GitHub token using dd-octo-sts in a container
+    - docker run --rm 
+        -e DDOCTOSTS_ID_TOKEN 
+        -v $(pwd):/workspace 
+        registry.ddbuild.io/images/dd-octo-sts-ci-base:v68058725-73f34e7-2025.06-1 
+        sh -c "
+          dd-octo-sts version &&
+          dd-octo-sts debug --scope DataDog/dd-trace-java --policy dd-trace-java.release &&
+          dd-octo-sts token --scope DataDog/dd-trace-java --policy dd-trace-java.release > /workspace/github-token.txt
+        "
+
+    # Verify token was generated
     - echo "Token file exists:" $(test -f github-token.txt && echo "YES" || echo "NO")
     - echo "Token file size:" $(wc -c < github-token.txt) "bytes"
+    - echo "Token preview:" $(head -c 10 github-token.txt)...
 
     - gh auth login --with-token < github-token.txt
     - gh auth status  # Maybe helpful to have this output in logs?
@@ -863,6 +850,10 @@ deploy_artifacts_to_github:
     # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar
     # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar
     # - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar
+
+    # Clean up token file
+    - rm -f github-token.txt
+
   retry:
     max: 2
     when: always