Merge branch 'master' into mcculls/remove-trie-resources-from-agent-jar

mcculls · web-flow · commit 1d338955bfa0 · 2025-10-21T10:19:29.000+01:00
diff --git a/.github/chainguard/self.update-system-tests.push.sts.yaml b/.github/chainguard/self.update-system-tests.push.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/(heads/master|tags/v[0-9]+.[0-9]+.0)
+
+claim_pattern:
+  event_name: (push|workflow_dispatch)
+  ref: refs/(heads/master|tags/v[0-9]+\.[0-9]+\.0)
+  ref_protected: "true"
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/create-release-branch\.yaml@refs/heads/master
+
+permissions:
+  contents: write
diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
@@ -0,0 +1,84 @@
+name: Create Release Branch and Pin System-Tests
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.0'  # Trigger on minor release tags (e.g. v1.54.0)
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'The minor release tag (e.g. v1.54.0)'
+        required: true
+        type: string
+
+jobs:
+  create-release-branch:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # Required for OIDC token federation
+    steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.update-system-tests.push
+
+      - name: Determine tag
+        id: determine-tag
+        run: |
+          if [ -n "${{ github.event.inputs.tag }}" ]; then
+            TAG=${{ github.event.inputs.tag }}
+          else
+            TAG=${GITHUB_REF#refs/tags/}
+          fi
+          if ! [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.0$ ]]; then
+            echo "Error: Tag $TAG is not in the expected format: vX.Y.0"
+            exit 1
+          fi
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+
+      - name: Define branch name from tag
+        id: define-branch
+        run: |
+          TAG=${{ steps.determine-tag.outputs.tag }}
+          BRANCH="release/${TAG%.0}.x"
+          echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout dd-trace-java
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+      - name: Check if branch already exists
+        id: check-branch
+        run: |
+          BRANCH=${{ steps.define-branch.outputs.branch }}
+          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+            echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
+            echo "Branch $BRANCH already exists - skipping following steps"
+          else
+            echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
+            echo "Branch $BRANCH does not exist - proceeding with following steps"
+          fi
+
+      - name: Update system-tests references to latest commit SHA on main
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        run: BRANCH=main ./tooling/update_system_test_reference.sh
+
+      - name: Commit changes
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        id: create-commit
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+      
+      - name: Push changes
+        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
+        with:
+          token: "${{ steps.octo-sts.outputs.token }}"
+          branch: "${{ steps.define-branch.outputs.branch }}"
+          branch-from: "${{ github.sha }}"
+          command: push
+          commits: "${{ steps.create-commit.outputs.commit }}"
diff --git a/.github/workflows/run-system-tests.yaml b/.github/workflows/run-system-tests.yaml
@@ -60,14 +60,17 @@ jobs:
   main:
     needs:
     - build
-    uses:  DataDog/system-tests/.github/workflows/system-tests.yml@main
+    # If you change the following comment, update the pattern in the update_system_test_reference.sh script to match.
+    uses: DataDog/system-tests/.github/workflows/system-tests.yml@main # system tests are pinned for releases only
     secrets: inherit
     permissions:
       contents: read
       id-token: write
       packages: write
     with:
       library: java
+       # If you change the following comment, update the pattern in the update_system_test_reference.sh script to match.
+      ref: main # system tests are pinned for releases only
       binaries_artifact: binaries
       desired_execution_time: 900  # 15 minutes
       scenarios_groups: tracer-release
diff --git a/.gitlab/ci-visibility-tests.yml b/.gitlab/ci-visibility-tests.yml
@@ -1,7 +1,64 @@
+check-ci-visibility-label:
+  stage: publish
+  image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1
+  tags: [ "arch:amd64" ]
+  needs: [ publish-artifacts-to-s3 ]
+  id_tokens:
+    DDOCTOSTS_ID_TOKEN:
+      aud: dd-octo-sts
+  rules:
+    - if: '$POPULATE_CACHE'
+      when: never
+    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH !~ /^(master|release\/)/'
+      when: on_success
+    - when: never
+  before_script:
+    - dd-octo-sts version
+    - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.github-access.read
+    - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.github-access.read > github-token.txt
+    - gh auth login --with-token < github-token.txt
+  script:
+    - |
+      # Source utility functions
+      source .gitlab/ci_visibility_utils.sh
+      
+      # Get PR number
+      if ! PR_NUMBER=$(get_pr_number "${CI_COMMIT_BRANCH}"); then
+        echo "No open PR found for branch ${CI_COMMIT_BRANCH}"
+        exit 1
+      fi
+      
+      echo "Found PR #${PR_NUMBER}"
+      
+      # Check if PR has the CI visibility label
+      if pr_has_label "$PR_NUMBER" "comp: ci visibility"; then
+        echo "PR_NUMBER=${PR_NUMBER}" > pr.env
+        echo "PR #${PR_NUMBER} detected as CI Visibility PR"
+        exit 0
+      else
+        echo "PR #${PR_NUMBER} not a CI Visibility PR, ignoring trigger"
+        exit 1
+      fi
+  after_script:
+    - dd-octo-sts revoke -t $(cat github-token.txt) || true
+  artifacts:
+    reports:
+      dotenv: pr.env
+  allow_failure: true
+  retry:
+    max: 2
+    when: always
+
 run-ci-visibility-test-environment:
   stage: ci-visibility-tests
-  when: manual
-  needs: []
+  needs:
+    - job: check-ci-visibility-label
+      artifacts: true
+  rules:
+    - if: '$POPULATE_CACHE'
+      when: never
+    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH !~ /^(master|release\/)/'
+      when: on_success
   trigger:
     project: DataDog/apm-reliability/test-environment
     branch: main
@@ -17,3 +74,4 @@ run-ci-visibility-test-environment:
     UPSTREAM_COMMIT_SHORT_SHA: $CI_COMMIT_SHORT_SHA
     TRACER_LANG: java
     JAVA_TRACER_REF_TO_TEST: $CI_COMMIT_BRANCH
+    JAVA_TRACER_PR_TO_TEST: $PR_NUMBER
diff --git a/.gitlab/ci_visibility_utils.sh b/.gitlab/ci_visibility_utils.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+function get_pr_number() {
+  local branch=$1
+
+  if [ -z "$branch" ]; then
+    echo "Error: Branch name is required" >&2
+    return 1
+  fi
+
+  local pr_number
+  pr_number=$(gh pr list --repo DataDog/dd-trace-java --head "$branch" --state open --json number --jq '.[0].number')
+
+  if [ -z "$pr_number" ]; then
+    echo "Error: No open PR found for branch $branch" >&2
+    return 1
+  fi
+
+  echo "$pr_number"
+  return 0
+}
+
+function get_pr_labels() {
+  local pr_number=$1
+
+  if [ -z "$pr_number" ]; then
+    echo "Error: PR number is required" >&2
+    return 1
+  fi
+
+  local labels
+  labels=$(gh pr view "$pr_number" --repo DataDog/dd-trace-java --json labels --jq '.labels[].name')
+
+  if [ -z "$labels" ]; then
+    echo "Warning: No labels found for PR #$pr_number" >&2
+    return 1
+  fi
+
+  echo "$labels"
+  return 0
+}
+
+function pr_has_label() {
+  local pr_number=$1
+  local target_label=$2
+
+  if [ -z "$pr_number" ] || [ -z "$target_label" ]; then
+    echo "Error: PR number and label are required" >&2
+    return 1
+  fi
+
+  local labels
+  if ! labels=$(get_pr_labels "$pr_number"); then
+    return 1
+  fi
+
+  if echo "$labels" | grep -q "$target_label"; then
+    return 0
+  else
+    return 1
+  fi
+}
diff --git a/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/Agent.java b/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/Agent.java
@@ -184,6 +184,14 @@ public boolean isEnabledByDefault() {
   private static boolean distributedDebuggerEnabled = false;
   private static boolean agentlessLogSubmissionEnabled = false;
 
+  private static void safelySetContextClassLoader(ClassLoader classLoader) {
+    try {
+      // this method call can cause a SecurityException if a security manager is installed.
+      Thread.currentThread().setContextClassLoader(classLoader);
+    } catch (final Throwable ignored) {
+    }
+  }
+
   /**
    * Starts the agent; returns a boolean indicating if Agent started successfully
    *
@@ -924,7 +932,7 @@ private static synchronized void startJmxFetch() {
     } catch (final Throwable ex) {
       log.error("Throwable thrown while starting JmxFetch", ex);
     } finally {
-      Thread.currentThread().setContextClassLoader(contextLoader);
+      safelySetContextClassLoader(contextLoader);
     }
   }
 
@@ -1305,7 +1313,7 @@ private static boolean startProfilingAgent(
       } catch (final Throwable ex) {
         log.error(SEND_TELEMETRY, "Throwable thrown while starting profiling agent", ex);
       } finally {
-        Thread.currentThread().setContextClassLoader(contextLoader);
+        safelySetContextClassLoader(contextLoader);
       }
       StaticEventLogger.end("ProfilingAgent");
     }
@@ -1349,7 +1357,7 @@ private static void shutdownProfilingAgent(final boolean sync) {
     } catch (final Throwable ex) {
       log.error("Throwable thrown while shutting down profiling agent", ex);
     } finally {
-      Thread.currentThread().setContextClassLoader(contextLoader);
+      safelySetContextClassLoader(contextLoader);
     }
   }
 
@@ -1383,7 +1391,7 @@ private static synchronized void startDebuggerAgent(
     } catch (final Throwable ex) {
       log.error("Throwable thrown while starting debugger agent", ex);
     } finally {
-      Thread.currentThread().setContextClassLoader(contextLoader);
+      safelySetContextClassLoader(contextLoader);
     }
 
     StaticEventLogger.end("Debugger");
diff --git a/tooling/update_system_test_reference.sh b/tooling/update_system_test_reference.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script updates the system-tests reference in run-system-tests.yaml.
+# The reference will be updated with the latest commit SHA of the given branch (or `main` if not set) of https://github.com/DataDog/system-tests.
+# Usage: BRANCH=<branch-name> tooling/update_system_test_reference.sh
+
+# Set BRANCH to main if not set
+if [ -z "${BRANCH:-}" ]; then
+    BRANCH="main"
+    echo "BRANCH is not set. Defaulting to 'main'."
+fi
+
+TARGET=".github/workflows/run-system-tests.yaml" # target file to update
+PATTERN_1='(\s*system-tests\.yml@)(\S+)(\s+# system tests.*)' # pattern to update the "system-tests.yml@" reference
+PATTERN_2='(\s*ref: )(\S+)(\s+# system tests.*)' # pattern to update the "ref:" reference
+
+echo "Fetching latest commit SHA for system-tests branch: $BRANCH"
+REF=$(git ls-remote https://github.com/DataDog/system-tests "refs/heads/$BRANCH" | cut -f 1)
+if [ -z "$REF" ]; then
+    echo "Error: Failed to fetch commit SHA for branch $BRANCH"
+    exit 1
+fi
+echo "Fetched SHA: $REF"
+
+if [ ! -f "$TARGET" ]; then
+    echo "Error: Target file $TARGET does not exist"
+    exit 1
+fi
+
+# Save the substitution results to a temporary file first
+TEMP_FILE=$(mktemp)
+
+# Update the "system-tests.yml@" reference
+echo "Updating 'system-tests.yml@' reference..."
+perl -pe "s/$PATTERN_1/\${1}$REF\${3}/g" "$TARGET" > "$TEMP_FILE"
+cp "$TEMP_FILE" "$TARGET"
+
+# Update the "ref:" reference
+echo "Updating 'ref:' reference..."
+perl -pe "s/$PATTERN_2/\${1}$REF\${3}/g" "$TARGET" > "$TEMP_FILE"
+cp "$TEMP_FILE" "$TARGET"
+
+# Clean up temporary file
+rm -f "$TEMP_FILE"
+
+echo "Done updating system-tests references to $REF"

Original file line number	Diff line number	Diff line change
`@@ -184,6 +184,14 @@ public boolean isEnabledByDefault() {`
`184`	`184`	`private static boolean distributedDebuggerEnabled = false;`
`185`	`185`	`private static boolean agentlessLogSubmissionEnabled = false;`
`186`	`186`
	`187`	`+ private static void safelySetContextClassLoader(ClassLoader classLoader) {`
	`188`	`+ try {`
	`189`	`+ // this method call can cause a SecurityException if a security manager is installed.`
	`190`	`+ Thread.currentThread().setContextClassLoader(classLoader);`
	`191`	`+ } catch (final Throwable ignored) {`
	`192`	`+ }`
	`193`	`+ }`
	`194`	`+`
`187`	`195`	`/**`
`188`	`196`	`* Starts the agent; returns a boolean indicating if Agent started successfully`
`189`	`197`	`*`
`@@ -924,7 +932,7 @@ private static synchronized void startJmxFetch() {`
`924`	`932`	`} catch (final Throwable ex) {`
`925`	`933`	`log.error("Throwable thrown while starting JmxFetch", ex);`
`926`	`934`	`} finally {`
`927`		`- Thread.currentThread().setContextClassLoader(contextLoader);`
	`935`	`+ safelySetContextClassLoader(contextLoader);`
`928`	`936`	`}`
`929`	`937`	`}`
`930`	`938`
`@@ -1305,7 +1313,7 @@ private static boolean startProfilingAgent(`
`1305`	`1313`	`} catch (final Throwable ex) {`
`1306`	`1314`	`log.error(SEND_TELEMETRY, "Throwable thrown while starting profiling agent", ex);`
`1307`	`1315`	`} finally {`
`1308`		`- Thread.currentThread().setContextClassLoader(contextLoader);`
	`1316`	`+ safelySetContextClassLoader(contextLoader);`
`1309`	`1317`	`}`
`1310`	`1318`	`StaticEventLogger.end("ProfilingAgent");`
`1311`	`1319`	`}`
`@@ -1349,7 +1357,7 @@ private static void shutdownProfilingAgent(final boolean sync) {`
`1349`	`1357`	`} catch (final Throwable ex) {`
`1350`	`1358`	`log.error("Throwable thrown while shutting down profiling agent", ex);`
`1351`	`1359`	`} finally {`
`1352`		`- Thread.currentThread().setContextClassLoader(contextLoader);`
	`1360`	`+ safelySetContextClassLoader(contextLoader);`
`1353`	`1361`	`}`
`1354`	`1362`	`}`
`1355`	`1363`
`@@ -1383,7 +1391,7 @@ private static synchronized void startDebuggerAgent(`
`1383`	`1391`	`} catch (final Throwable ex) {`
`1384`	`1392`	`log.error("Throwable thrown while starting debugger agent", ex);`
`1385`	`1393`	`} finally {`
`1386`		`- Thread.currentThread().setContextClassLoader(contextLoader);`
	`1394`	`+ safelySetContextClassLoader(contextLoader);`
`1387`	`1395`	`}`
`1388`	`1396`
`1389`	`1397`	`StaticEventLogger.end("Debugger");`