From cc9825b4fd90503f8aaca44113f33f83361ca4ed Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 22 Jul 2025 13:34:04 -0400 Subject: [PATCH 1/2] Use dd-octo-sts to retrieve github release token (#9187) * Add octo-sts policy * Add workflow and debugging * Fix policy * Run jobs in CI for now * Allow manual trigger for job * No dependencies for github token retrieval * Allow policy for all branches for now * Comment out debug call * Clean * Adjust policy * Update policy contents Co-authored-by: Christoph Hamsen <37963496+xopham@users.noreply.github.com> * Update policy to work on tags Co-authored-by: Christoph Hamsen <37963496+xopham@users.noreply.github.com> * Rework gitlab-ci workflow * Name change and fix needs block * Rework workflow again * Try original retrieval * Edit gitlab-ci.yml file * Clean * Remove comment * Move trust policy to a separate PR * Add aws ssm fallback * Split deployment to two jobs: new dd-octo-sts method and old aws method that is manually triggered --------- Co-authored-by: Christoph Hamsen <37963496+xopham@users.noreply.github.com> --- .gitlab-ci.yml | 43 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 47662f1b163..6602479fa70 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -188,6 +188,7 @@ default: after_script: - *cgroup_info +# TODO: Add a pre-release check to see if the dd-octo-sts token is working. # Checks and fail early if central credentials are incorrect, indeed, when a new token is generated # on the central publisher protal, it invalidates the old one. This checks prevents going further. # See https://datadoghq.atlassian.net/wiki/x/Oog5OgE 
@@ -799,7 +800,11 @@ deploy_to_sonatype: deploy_artifacts_to_github: stage: publish - image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0 + image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1 + tags: [ "arch:amd64" ] + id_tokens: + DDOCTOSTS_ID_TOKEN: + aud: dd-octo-sts rules: - if: '$POPULATE_CACHE' when: never 
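Review bot: The replacement `image:` on this hunk is pulled by the tag `2025.06-1`, whereas the image it replaces carried a build-specific tag; since this job is the one that mints the GitHub release token, a content-addressed reference, `image: registry.ddbuild.io/images/dd-octo-sts-ci-base@sha256:<DIGEST-PLACEHOLDER>`, would make the runtime supply chain of the release step reproducible — unless the registry already treats that tag as immutable, which I cannot tell from here. A minor style point on the same hunk: `tags: ["arch:amd64"]` without the inner spaces is the usual flow-style spacing. The job's `rules` block continues outside the hunk.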
@@ -811,6 +816,42 @@ deploy_artifacts_to_github: - job: deploy_to_sonatype # The deploy_to_sonatype job is not run for release candidate versions optional: true + before_script: + # Get token + - dd-octo-sts version + - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release + - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.release > github-token.txt + script: + - gh auth login --with-token < github-token.txt + - gh auth status # Maybe helpful to have this output in logs? + - export VERSION=${CI_COMMIT_TAG##v} # remove "v" from front of tag to get version + - cp workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar workspace/dd-java-agent/build/libs/dd-java-agent.jar # we upload two filenames + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-java-agent/build/libs/dd-java-agent-${VERSION}.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-api/build/libs/dd-trace-api-${VERSION}.jar + - gh release upload --clobber --repo DataDog/dd-trace-java $CI_COMMIT_TAG workspace/dd-trace-ot/build/libs/dd-trace-ot-${VERSION}.jar + after_script: + - dd-octo-sts revoke -t $(cat github-token.txt) + retry: + max: 2 + when: always + +# This is the original job that uses the AWS SSM token retrieval method. Allow manual triggering in case the dd-octo-sts token is not working. +# TODO: Remove this job once the dd-octo-sts token is provably working. 
+deploy_artifacts_to_github_old: + stage: publish + image: registry.ddbuild.io/github-cli:v27480869-eafb11d-2.43.0 + rules: + - if: '$POPULATE_CACHE' + when: never + - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' + when: manual + # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) + # This will deploy the artifacts built from the publishToSonatype task to the GitHub release + needs: + - job: deploy_to_maven_central + # The deploy_to_maven_central job is not run for release candidate versions + optional: true script: - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt - gh auth login --with-token < github-token.txt From 71ca81c935edbc62b5ea0a065506bf3f7a9fc8b9 Mon Sep 17 00:00:00 2001 From: Mikayla Toffler Date: Tue, 22 Jul 2025 14:47:45 -0400 Subject: [PATCH 2/2] Change deploy_to_maven_central name back to deploy_to_sonatype --- .gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6602479fa70..16f6803fbbe 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
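Review bot: The `before_script` of `deploy_artifacts_to_github` still runs `dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.release` even though the commit log says the debug call was commented out; whatever that command prints ends up in the log of a release job, so it should be removed or the output it produces confirmed to be safe for the job log. The `after_script` revoke, `dd-octo-sts revoke -t $(cat github-token.txt)`, errors when `before_script` failed before writing the file, and the plaintext token file stays in the workspace after revocation; `- if [ -f github-token.txt ]; then dd-octo-sts revoke -t "$(cat github-token.txt)"; fi` followed by `- rm -f github-token.txt` covers both. The `script` block also goes on calling `gh`, so the new `dd-octo-sts-ci-base` image presumably ships the GitHub CLI — worth confirming, since the job no longer uses the `github-cli` image. The `deploy_artifacts_to_github` job header is in the previous hunk, and the `script` of `deploy_artifacts_to_github_old` continues past the end of this one.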
@@ -846,11 +846,11 @@ deploy_artifacts_to_github_old: when: never - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' when: manual - # Requires the deploy_to_maven_central job to have run first (the UP-TO-DATE gradle check across jobs is broken) + # Requires the deploy_to_sonatype job to have run first (the UP-TO-DATE gradle check across jobs is broken) # This will deploy the artifacts built from the publishToSonatype task to the GitHub release needs: - - job: deploy_to_maven_central - # The deploy_to_maven_central job is not run for release candidate versions + - job: deploy_to_sonatype + # The deploy_to_sonatype job is not run for release candidate versions optional: true script: - aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.gh_release_token --with-decryption --query "Parameter.Value" --out text > github-token.txt