dd-trace-java-docker-build/.github/workflows/create-test-mirror-pr.yml at d11eb1a890591e1afadcab0b35ba58131486820c · DataDog/dd-trace-java-docker-build · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
name: Create test image mirror PR

on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: "PR number in dd-trace-java-docker-build (e.g. 123)"
        required: true

jobs:
  create-test-mirror-pr:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for OIDC token federation
      contents: read
    steps:
      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
        id: octo-sts
        with:
          scope: DataDog/images
          policy: dd-trace-java-docker-build.update-mirror

      - name: Checkout DataDog/images
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: DataDog/images
          token: ${{ steps.octo-sts.outputs.token }}

      - name: Capture images HEAD SHA
        id: images-head
        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

      - name: Install crane
        run: |
          CRANE_VERSION="0.20.2"
          curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${CRANE_VERSION}/go-containerregistry_Linux_x86_64.tar.gz" -o crane.tar.gz
          tar -xzf crane.tar.gz crane
          sudo mv crane /usr/local/bin/crane
          rm crane.tar.gz

      - name: Resolve digests and update mirror files
        id: update-mirror
        env:
          PR_NUMBER: ${{ github.event.inputs.pr_number }}
        run: |
          python3 - <<'PYEOF'
          import subprocess, re, os

          SOURCE_REPO = "ghcr.io/datadog/dd-trace-java-docker-build"
          VARIANTS = [
              "base", "7", "8", "11", "17", "21", "25", "tip",
              "zulu8", "zulu11", "oracle8", "ibm8",
              "semeru8", "semeru11", "semeru17",
              "graalvm17", "graalvm21", "graalvm25",
          ]

          pr_number = os.environ["PR_NUMBER"]
          if not pr_number.isdigit():
              raise ValueError(f"PR_NUMBER must be numeric, got: {pr_number!r}")

          prefix = f"{pr_number}_merge-"
          print(f"Resolving digests for prefix: {prefix!r}")

          digests = {}
          for variant in VARIANTS:
              tag = f"{prefix}{variant}"
              result = subprocess.run(
                  ["crane", "digest", f"{SOURCE_REPO}:{tag}"],
                  capture_output=True, text=True, check=True,
              )
              digest = result.stdout.strip()
              digests[variant] = digest
              print(f"  {tag}: {digest}")

          # Check whether entries already exist in mirror.yaml (use base as sentinel)
          with open("mirror.yaml", "r") as f:
              yaml_content = f.read()

          entries_exist = f"{SOURCE_REPO}:{prefix}base" in yaml_content
          mode = "update" if entries_exist else "add"
          print(f"\nMode: {mode} ({'entries exist, updating digests only' if entries_exist else 'no entries found, adding new entries'})")

          github_output = os.environ.get("GITHUB_OUTPUT", "")
          if github_output:
              with open(github_output, "a") as f:
                  f.write(f"mode={mode}\n")

          if mode == "add":
              yaml_entries = []
              for variant in VARIANTS:
                  tag = f"{prefix}{variant}"
                  source = f"{SOURCE_REPO}:{tag}"
                  yaml_entries.append(
                      f'  - source: "{source}"\n'
                      f'    dest:\n'
                      f'      repo: "dd-trace-java-docker-build"\n'
                      f'      tag: "{tag}"\n'
                      f'    replication_target: ""\n'
                  )
              with open("mirror.yaml", "a") as f:
                  f.write("".join(yaml_entries))
              print(f"Appended {len(yaml_entries)} entries to mirror.yaml")

          # Always update mirror.lock.yaml: replace digest in-place if entry exists, append if not
          with open("mirror.lock.yaml", "r") as f:
              lock_content = f.read()

          for variant in VARIANTS:
              tag = f"{prefix}{variant}"
              source = f"{SOURCE_REPO}:{tag}"
              digest = digests[variant]
              pattern = rf"(    - source: {re.escape(source)}\n      digest: )sha256:[a-f0-9]+"
              if re.search(pattern, lock_content):
                  lock_content = re.sub(pattern, rf"\g<1>{digest}", lock_content)
                  print(f"Updated mirror.lock.yaml: {tag}")
              else:
                  lock_content = lock_content.rstrip("\n") + "\n"
                  lock_content += f"    - source: {source}\n      digest: {digest}\n"
                  print(f"Appended to mirror.lock.yaml: {tag}")

          with open("mirror.lock.yaml", "w") as f:
              f.write(lock_content)

          PYEOF

      - name: Define branch name
        id: define-branch
        run: echo "branch=ci/add-dd-trace-java-docker-build-test-images-pr${{ github.event.inputs.pr_number }}" >> "$GITHUB_OUTPUT"

      - name: Commit changes
        id: create-commit
        env:
          PR_NUMBER: ${{ github.event.inputs.pr_number }}
          MODE: ${{ steps.update-mirror.outputs.mode }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add mirror.yaml mirror.lock.yaml
          if [[ "$MODE" == "update" ]]; then
            git commit -m "chore: Update dd-trace-java-docker-build test image digests for PR #${PR_NUMBER}"
          else
            git commit -m "chore: Add dd-trace-java-docker-build test images for PR #${PR_NUMBER}"
          fi
          echo "commit=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

      - name: Push changes
        uses: DataDog/commit-headless@05d7b7ee023e2c7d01c47832d420c2503cd416f3 # action/v2.0.3
        with:
          token: "${{ steps.octo-sts.outputs.token }}"
          branch: "${{ steps.define-branch.outputs.branch }}"
          head-sha: "${{ steps.images-head.outputs.sha }}"
          create-branch: true
          command: push
          commits: "${{ steps.create-commit.outputs.commit }}"

      - name: Create or identify pull request
        env:
          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
          PR_NUMBER: ${{ github.event.inputs.pr_number }}
        run: |
          BRANCH="${{ steps.define-branch.outputs.branch }}"
          EXISTING_PR=$(gh pr list --repo DataDog/images --head "$BRANCH" --json url -q '.[0].url' 2>/dev/null || true)
          if [[ -n "$EXISTING_PR" ]]; then
            echo "PR already exists: $EXISTING_PR"
          else
            gh pr create \
              --repo DataDog/images \
              --draft \
              --title "Add dd-trace-java-docker-build test images for PR #${PR_NUMBER}" \
              --base master \
              --head "$BRANCH" \
              --body "Adds mirror entries for \`${PR_NUMBER}_merge-*\` test images from DataDog/dd-trace-java-docker-build#${PR_NUMBER}. To use in dd-trace-java CI, set \`TESTER_IMAGE_VERSION_PREFIX: \"${PR_NUMBER}_merge-\"\` in \`.gitlab-ci.yml\`."
          fi