From e05ad0e4bfff5658339407518f61f974a23eda20 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 14 Aug 2025 13:06:22 -0400 Subject: [PATCH 1/4] Update cloudfoundry workflow --- .../add-release-to-cloudfoundry.yaml | 32 +++++++++++++++---- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/.github/workflows/add-release-to-cloudfoundry.yaml b/.github/workflows/add-release-to-cloudfoundry.yaml index f1c2750dea3..1a709414d83 100644 --- a/.github/workflows/add-release-to-cloudfoundry.yaml +++ b/.github/workflows/add-release-to-cloudfoundry.yaml @@ -7,8 +7,15 @@ jobs: update-releases: permissions: contents: write # Required to commit and push changes to the repository + id-token: write # Required for OIDC token federation runs-on: ubuntu-latest steps: + - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 + id: octo-sts + with: + scope: DataDog/dd-trace-java + policy: self.add-release-to-cloudfoundry + - name: Checkout "cloudfoundry" branch uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0 with: 
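Review bot: With commits now created locally and pushed through `Asana/push-signed-commits` using the federated token, `contents: write` on the job's GITHUB_TOKEN looks redundant, and the other three workflows in this series reduce it to `contents: read`; unless the checkout's `with:` block (cut off at the end of this hunk) or a later step still pushes with GITHUB_TOKEN, drop it here too so the job carries one write-capable credential instead of two. The new `dd-octo-sts-action` step is unnamed, unlike the surrounding steps; a `name: Fetch federated token` line would keep the run log readable.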
@@ -42,11 +49,22 @@ jobs: - name: Append release to Cloud Foundry repository run: | echo "${{ steps.get-release-version.outputs.VERSION }}: ${{ steps.get-release-url.outputs.URL }}" >> index.yml - - name: Commit and push changes - uses: planetscale/ghcommit-action@322be9669498a4be9ce66efc1169f8f43f6bd883 # v0.2.17 - with: - commit_message: "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry" - repo: ${{ github.repository }} - branch: cloudfoundry + - name: Configure git + id: configure-git + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + - name: Commit changes + id: create-commit + run: | + git commit -a -m "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry" + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} + - name: Push changes + uses: Asana/push-signed-commits@d615ca88d8e1a946734c24970d1e7a6c56f34897 + if: ${{ steps.create-commit.outputs.commit != '' }} + with: + github-token: ${{ steps.octo-sts.outputs.token }} + local_branch_name: cloudfoundry + remote_branch_name: cloudfoundry From 184ac68dfd40ab2eb799b3753853fff6bbeb87dd Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 14 Aug 2025 13:27:16 -0400 Subject: [PATCH 2/4] Update docker workflow --- .../workflows/update-docker-build-image.yaml | 28 +++++++++++++------ 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/.github/workflows/update-docker-build-image.yaml b/.github/workflows/update-docker-build-image.yaml index e42ed0057ae..0f01fb1a03f 100644 --- a/.github/workflows/update-docker-build-image.yaml +++ b/.github/workflows/update-docker-build-image.yaml 
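Review bot: The new `Commit changes` step expands `steps.get-release-version.outputs.VERSION` directly inside a `run:` script; that output comes from a step outside this hunk, and if it is derived from event data such as a release or tag name, the expansion is substituted before bash runs, so the safer form is to pass it through `env: VERSION: ${{ steps.get-release-version.outputs.VERSION }}` and use `"$VERSION"` in the command (the unchanged `Append release` step above expands it the same way). The `env: GITHUB_TOKEN` on that step is not needed by `git commit` or `git rev-parse`, which only touch the local checkout, so it can be dropped; the same applies to the `Commit changes` steps in update-docker-build-image (@@ -81), update-jmxfetch-submodule (@@ -43) and update-gradle-dependencies (@@ -42). The `Asana/push-signed-commits@d615ca88…` pin has no version comment, unlike the `# v1.0.3` and `# 5.0.0` pins elsewhere in the file; add one so the SHA can be audited against a release, here and in the same step of the other three workflows. Finally, `if: ${{ steps.create-commit.outputs.commit != '' }}` on `Push changes` can never be false, because the default `bash -e` shell fails the job on a failing `git commit` and a successful one always writes a SHA; either drop the guard or make the commit step tolerate a no-op (`git diff --cached --quiet && exit 0` before the commit), again in all four workflows.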
@@ -15,7 +15,7 @@ jobs: update-docker-build-image: runs-on: ubuntu-latest permissions: - contents: write # Required to create and push branch + contents: read id-token: write # Required for OIDC token federation steps: - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 @@ -58,11 +58,12 @@ jobs: else echo "commit_changes=true" >> "$GITHUB_OUTPUT" fi - - name: Download ghcommit CLI + - name: Configure git if: steps.check-changes.outputs.commit_changes == 'true' + id: configure-git run: | - curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L - chmod +x /usr/local/bin/ghcommit + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Pick a branch name if: steps.check-changes.outputs.commit_changes == 'true' id: define-branch 
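Review bot: The `Configure git` step sets a bot identity on the local commit, but the `Push changes` step added later in this file re-creates commits through the GitHub API with the federated token, so the author recorded on the pushed commit is presumably the token's identity rather than `github-actions[bot]` — confirm on a real run if the bot identity is required, and if it is not, the two `git config` lines can be folded into `Commit changes`. The `id: configure-git` is not referenced by any step in the hunk and can be dropped. The same step is added to update-jmxfetch-submodule (@@ -34) and update-gradle-dependencies (@@ -22).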
@@ -72,16 +73,23 @@ jobs: run: | git checkout -b ${{ steps.define-branch.outputs.branch }} git push -u origin ${{ steps.define-branch.outputs.branch }} --force - - name: Commit and push changes - if: steps.check-changes.outputs.commit_changes == 'true' env: GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} + - name: Commit changes + if: steps.check-changes.outputs.commit_changes == 'true' + id: create-commit run: | - ghcommit --repository ${{ github.repository }} --branch ${{ steps.define-branch.outputs.branch }} --add .gitlab-ci.yml --message "feat(ci): Update Docker build image" + git commit --message "feat(ci): Update Docker build image" .gitlab-ci.yml + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + - name: Push changes + uses: Asana/push-signed-commits@d615ca88d8e1a946734c24970d1e7a6c56f34897 + if: ${{ steps.create-commit.outputs.commit != '' }} + with: + github-token: ${{ steps.octo-sts.outputs.token }} + local_branch_name: ${{ steps.define-branch.outputs.branch }} + remote_branch_name: ${{ steps.define-branch.outputs.branch }} - name: Create pull request if: steps.check-changes.outputs.commit_changes == 'true' - env: - GH_TOKEN: ${{ steps.octo-sts.outputs.token }} run: | gh pr create --title "Update Docker build image" \ --base master \ @@ -90,3 +98,5 @@ jobs: --label "type: enhancement" \ --label "tag: no release notes" \ --body "This PR updates the Docker build image to ${{ steps.define-tag.outputs.tag }}." + env: + GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} From 1bef4556ff45c833f7ae4fa0c4d79768e3307645 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 14 Aug 2025 13:55:40 -0400 Subject: [PATCH 3/4] Update jmxfetch workflow --- .../workflows/update-docker-build-image.yaml | 2 ++ .../workflows/update-jmxfetch-submodule.yaml | 34 +++++++++++++------ 2 files changed, 25 insertions(+), 11 deletions(-) 
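Review bot: Removing the `Commit and push changes` header lines re-attaches the existing `env: GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}` to the `Create branch` step, but git does not read that variable, so `git push -u origin … --force` still authenticates with whatever actions/checkout persisted — by default the job's GITHUB_TOKEN, which the @@ -15 hunk just reduced to `contents: read`. Unless the checkout step (outside this hunk) passes the federated token via `token:`, this push is expected to be rejected; either pass the token to checkout or keep `contents: write` until branch creation also goes through the API. The same pattern appears in update-jmxfetch-submodule (@@ -43) and update-gradle-dependencies (@@ -22), where the visible checkout `with:` lists only `submodules: "recursive"`.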
diff --git a/.github/workflows/update-docker-build-image.yaml b/.github/workflows/update-docker-build-image.yaml index 0f01fb1a03f..2becec9fe19 100644 --- a/.github/workflows/update-docker-build-image.yaml +++ b/.github/workflows/update-docker-build-image.yaml @@ -81,6 +81,8 @@ jobs: run: | git commit --message "feat(ci): Update Docker build image" .gitlab-ci.yml echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + env: + GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} - name: Push changes uses: Asana/push-signed-commits@d615ca88d8e1a946734c24970d1e7a6c56f34897 if: ${{ steps.create-commit.outputs.commit != '' }} diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml index f24d7ab7394..3a58174b8af 100644 --- a/.github/workflows/update-jmxfetch-submodule.yaml +++ b/.github/workflows/update-jmxfetch-submodule.yaml @@ -9,7 +9,7 @@ jobs: build: runs-on: ubuntu-latest permissions: - contents: write # Required to create and push branch + contents: read id-token: write # Required for OIDC token federation steps: - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 @@ -20,7 +20,6 @@ jobs: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0 - - name: Update Submodule run: | git submodule update --remote -- dd-java-agent/agent-jmxfetch/integrations-core @@ -34,6 +33,12 @@ jobs: else echo "commit_changes=true" >> "$GITHUB_OUTPUT" fi + - name: Configure git + if: steps.check-changes.outputs.commit_changes == 'true' + id: configure-git + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Pick a branch name if: steps.check-changes.outputs.commit_changes == 'true' id: define-branch 
@@ -43,20 +48,25 @@ jobs: run: | git checkout -b ${{ steps.define-branch.outputs.branch }} git push -u origin ${{ steps.define-branch.outputs.branch }} --force - - name: Commit and push changes - if: steps.check-changes.outputs.commit_changes == 'true' env: GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} + - name: Commit changes + if: steps.check-changes.outputs.commit_changes == 'true' + id: create-commit run: | - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git add dd-java-agent/agent-jmxfetch/integrations-core - git commit -m "Update agent-jmxfetch submodule" - git push origin ${{ steps.define-branch.outputs.branch }} + git commit --message "feat(ci): Update agent-jmxfetch submodule" dd-java-agent/agent-jmxfetch/integrations-core + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + env: + GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} + - name: Push changes + uses: Asana/push-signed-commits@d615ca88d8e1a946734c24970d1e7a6c56f34897 + if: ${{ steps.create-commit.outputs.commit != '' }} + with: + github-token: ${{ steps.octo-sts.outputs.token }} + local_branch_name: ${{ steps.define-branch.outputs.branch }} + remote_branch_name: ${{ steps.define-branch.outputs.branch }} - name: Create pull request if: steps.check-changes.outputs.commit_changes == 'true' - env: - GH_TOKEN: ${{ steps.octo-sts.outputs.token }} run: | gh pr create --title "Update agent-jmxfetch submodule" \ --base master \ @@ -65,3 +75,5 @@ jobs: --label "type: enhancement" \ --label "tag: no release notes" \ --body "This PR updates the agent-jmxfetch submodule." + env: + GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} From 013f3af04d1a0e2f8e327b35c29328ffcc6bbf91 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Thu, 14 Aug 2025 14:05:38 -0400 Subject: [PATCH 4/4] Update gradle workflow --- .../workflows/update-gradle-dependencies.yaml | 67 ++++++++----------- 1 file changed, 27 insertions(+), 40 deletions(-) 
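Review bot: `Commit changes` records a submodule pointer change (a gitlink entry) for `dd-java-agent/agent-jmxfetch/integrations-core`, while `Push changes` hands the commit to `Asana/push-signed-commits`, which pushes via the GitHub API rather than `git push`; whether that path can represent a gitlink update, as opposed to regular file contents, is not visible here, so verify on a real run that the pushed commit actually moves the submodule pointer. The commit message also changes from `Update agent-jmxfetch submodule` to `feat(ci): Update agent-jmxfetch submodule` while the PR title in the same hunk keeps the old wording; align them if the conventional-commit prefix is intended.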
diff --git a/.github/workflows/update-gradle-dependencies.yaml b/.github/workflows/update-gradle-dependencies.yaml index f2b3f6f9dc4..7d4738c8e92 100644 --- a/.github/workflows/update-gradle-dependencies.yaml +++ b/.github/workflows/update-gradle-dependencies.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest name: Update Gradle dependencies permissions: - contents: write # Required to create new branch + contents: read id-token: write # Required for OIDC token federation steps: - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 @@ -22,16 +22,20 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0 with: submodules: "recursive" - - name: Download ghcommit CLI + - name: Configure git + id: configure-git run: | - curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L - chmod +x /usr/local/bin/ghcommit + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Pick a branch name - run: echo "BRANCH_NAME=ci/update-gradle-dependencies-$(date +'%Y%m%d')" >> $GITHUB_ENV + id: define-branch + run: echo "branch=ci/update-gradle-dependencies-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT - name: Create branch run: | - git checkout -b $BRANCH_NAME - git push -u origin $BRANCH_NAME --force + git checkout -b ${{ steps.define-branch.outputs.branch }} --force + git push -u origin ${{ steps.define-branch.outputs.branch }} --force + env: + GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} - name: Update Gradle dependencies run: | GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx3G -Xms2G'" \ 
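Review bot: `git checkout -b ${{ steps.define-branch.outputs.branch }} --force` adds `--force` to a branch creation that runs on a fresh checkout; `-f` discards local modifications to tracked files, which is harmless at this point but unexplained, so either drop it or add a comment stating why it is needed. The `env: GITHUB_TOKEN` added to `Create branch` does not affect `git push` (git does not read that variable); see the note on the update-docker-build-image @@ -72 hunk for the `contents: read` consequence.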
@@ -42,46 +46,29 @@ jobs: JAVA_21_HOME=$JAVA_HOME_21_X64 \ ./gradlew resolveAndLockAll --write-locks --parallel --stacktrace --no-daemon --max-workers=4 - name: Commit changes + id: create-commit + run: | + git add . + git commit --message "chore: Update Gradle dependencies" + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT env: GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} - run: | - GH_ADD_ARGS="" - COUNT=0 - BRANCH_HEAD=$(git rev-parse HEAD) - for lockfile in $(git status --porcelain=v1 | awk '{ print $NF }'); do - echo "Found lockfile: $lockfile" - GH_ADD_ARGS="$GH_ADD_ARGS --add $lockfile" - COUNT=$((COUNT+1)) - if [ $COUNT -eq 10 ]; then - echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with $GH_ADD_ARGS" - OUTPUT=$(ghcommit --repository ${{ github.repository }} --branch $BRANCH_NAME --sha $BRANCH_HEAD $GH_ADD_ARGS --message "chore: Update Gradle dependencies" 2>&1) - echo $OUTPUT - if [[ $OUTPUT != *"Success. New commit"* ]]; then - exit 1 - fi - BRANCH_HEAD=${OUTPUT##*/} - echo "ghcommit output: $OUTPUT" - GH_ADD_ARGS="" - COUNT=0 - fi - done - # Check at uncommited files - echo "Checking uncommited files" - git status - # Create a PR from the created branch - if [ $COUNT -gt 0 ]; then - echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with $GH_ADD_ARGS" - ghcommit --repository ${{ github.repository }} --branch $BRANCH_NAME --sha $BRANCH_HEAD $GH_ADD_ARGS --message "chore: Update Gradle dependencies" - fi + - name: Push changes + uses: Asana/push-signed-commits@d615ca88d8e1a946734c24970d1e7a6c56f34897 + if: ${{ steps.create-commit.outputs.commit != '' }} + with: + github-token: ${{ steps.octo-sts.outputs.token }} + local_branch_name: ${{ steps.define-branch.outputs.branch }} + remote_branch_name: ${{ steps.define-branch.outputs.branch }} - name: Create pull request - env: - GH_TOKEN: ${{ steps.octo-sts.outputs.token }} run: | # use echo to set a multiline body for the PR - echo -e "This PR updates the Gradle dependencies. 
⚠️ Don't forget to squash commits before merging. ⚠️\n\n- [ ] Update PR title if a code change is needed to support one of those new dependencies" | \ + echo -e "This PR updates the Gradle dependencies. ⚠️\n\n- [ ] Update PR title if a code change is needed to support one of those new dependencies" | \ gh pr create --title "Update Gradle dependencies" \ --base master \ - --head $BRANCH_NAME \ + --head ${{ steps.define-branch.outputs.branch }} \ --label "tag: dependencies" \ --label "tag: no release notes" \ --body-file - + env: + GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
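Review bot: The edited `echo -e` body now reads `This PR updates the Gradle dependencies. ⚠️\n\n- [ ] …` — the squash reminder was removed but its trailing warning emoji stayed, so the PR body will show a stray `⚠️`; change the line to `echo -e "This PR updates the Gradle dependencies.\n\n- [ ] Update PR title if a code change is needed to support one of those new dependencies" | \`. Separately, the removed loop committed lockfiles in batches of 10, and `git add .` followed by a single `git commit` now puts every changed lockfile into one commit; if the batching existed because of a per-commit payload limit on the API commit path, `Asana/push-signed-commits` may hit the same limit, which is worth checking on a run that touches many lockfiles.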