DataDog
diff --git a/‎.github/workflows/create-test-mirror-pr.yml‎
Lines changed: 42 additions & 99 deletions b/‎.github/workflows/create-test-mirror-pr.yml‎
Lines changed: 42 additions & 99 deletions
diff --git a/‎.github/workflows/update-mirror-digests.yml‎
Lines changed: 25 additions & 73 deletions b/‎.github/workflows/update-mirror-digests.yml‎
Lines changed: 25 additions & 73 deletions
diff --git a/‎README.md‎
Lines changed: 3 additions & 3 deletions b/‎README.md‎
Lines changed: 3 additions & 3 deletions
@@ -13,22 +13,30 @@ jobs:
     permissions:
       id-token: write # Required for OIDC token federation
       contents: read
+      pull-requests: write
     steps:
       - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
         id: octo-sts
         with:
           scope: DataDog/images
           policy: dd-trace-java-docker-build.update-mirror
 
+      - name: Checkout DataDog/dd-trace-java-docker-build
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: dd-trace-java-docker-build
+
       - name: Checkout DataDog/images
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: DataDog/images
           token: ${{ steps.octo-sts.outputs.token }}
+          path: images
 
       - name: Capture images HEAD SHA
         id: images-head
         run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+        working-directory: images
 
       - name: Install crane
         run: |
@@ -38,90 +46,12 @@ jobs:
           sudo mv crane /usr/local/bin/crane
           rm crane.tar.gz
 
-      - name: Resolve digests and update mirror files
+      - name: Resolve digests and add new or update existing digests in mirror files
         id: update-mirror
         env:
           PR_NUMBER: ${{ github.event.inputs.pr_number }}
-        run: |
-          python3 - <<'PYEOF'
-          import subprocess, re, os
-
-          SOURCE_REPO = "ghcr.io/datadog/dd-trace-java-docker-build"
-          VARIANTS = [
-              "base", "7", "8", "11", "17", "21", "25", "tip",
-              "zulu8", "zulu11", "oracle8", "ibm8",
-              "semeru8", "semeru11", "semeru17",
-              "graalvm17", "graalvm21", "graalvm25",
-          ]
-
-          pr_number = os.environ["PR_NUMBER"]
-          if not pr_number.isdigit():
-              raise ValueError(f"PR_NUMBER must be numeric, got: {pr_number!r}")
-
-          prefix = f"{pr_number}_merge-"
-          print(f"Resolving digests for prefix: {prefix!r}")
-
-          digests = {}
-          for variant in VARIANTS:
-              tag = f"{prefix}{variant}"
-              result = subprocess.run(
-                  ["crane", "digest", f"{SOURCE_REPO}:{tag}"],
-                  capture_output=True, text=True, check=True,
-              )
-              digest = result.stdout.strip()
-              digests[variant] = digest
-              print(f"  {tag}: {digest}")
-
-          # Check whether entries already exist in mirror.yaml (use base as sentinel)
-          with open("mirror.yaml", "r") as f:
-              yaml_content = f.read()
-
-          entries_exist = f"{SOURCE_REPO}:{prefix}base" in yaml_content
-          mode = "update" if entries_exist else "add"
-          print(f"\nMode: {mode} ({'entries exist, updating digests only' if entries_exist else 'no entries found, adding new entries'})")
-
-          github_output = os.environ.get("GITHUB_OUTPUT", "")
-          if github_output:
-              with open(github_output, "a") as f:
-                  f.write(f"mode={mode}\n")
-
-          if mode == "add":
-              yaml_entries = []
-              for variant in VARIANTS:
-                  tag = f"{prefix}{variant}"
-                  source = f"{SOURCE_REPO}:{tag}"
-                  yaml_entries.append(
-                      f'  - source: "{source}"\n'
-                      f'    dest:\n'
-                      f'      repo: "dd-trace-java-docker-build"\n'
-                      f'      tag: "{tag}"\n'
-                      f'    replication_target: ""\n'
-                  )
-              with open("mirror.yaml", "a") as f:
-                  f.write("".join(yaml_entries))
-              print(f"Appended {len(yaml_entries)} entries to mirror.yaml")
-
-          # Always update mirror.lock.yaml: replace digest in-place if entry exists, append if not
-          with open("mirror.lock.yaml", "r") as f:
-              lock_content = f.read()
-
-          for variant in VARIANTS:
-              tag = f"{prefix}{variant}"
-              source = f"{SOURCE_REPO}:{tag}"
-              digest = digests[variant]
-              pattern = rf"(    - source: {re.escape(source)}\n      digest: )sha256:[a-f0-9]+"
-              if re.search(pattern, lock_content):
-                  lock_content = re.sub(pattern, rf"\g<1>{digest}", lock_content)
-                  print(f"Updated mirror.lock.yaml: {tag}")
-              else:
-                  lock_content = lock_content.rstrip("\n") + "\n"
-                  lock_content += f"    - source: {source}\n      digest: {digest}\n"
-                  print(f"Appended to mirror.lock.yaml: {tag}")
-
-          with open("mirror.lock.yaml", "w") as f:
-              f.write(lock_content)
-
-          PYEOF
+        run: bash "${GITHUB_WORKSPACE}/dd-trace-java-docker-build/scripts/create-test-mirror-entries.sh"
+        working-directory: images
 
       - name: Define branch name
         id: define-branch
@@ -136,14 +66,18 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add mirror.yaml mirror.lock.yaml
-          if [[ "$MODE" == "update" ]]; then
-            git commit -m "chore: Update dd-trace-java-docker-build test image digests for PR #${PR_NUMBER}"
-          else
-            git commit -m "chore: Add dd-trace-java-docker-build test images for PR #${PR_NUMBER}"
+          if git diff --cached --quiet; then
+            echo "No changes detected in mirror files; skipping commit."
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+            exit 0
           fi
+          git commit -m "chore: Update dd-trace-java-docker-build test image digests for PR #${PR_NUMBER}"
+          echo "has_changes=true" >> "$GITHUB_OUTPUT"
           echo "commit=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+        working-directory: images
 
       - name: Push changes
+        if: ${{ steps.create-commit.outputs.has_changes == 'true' }}
         uses: DataDog/commit-headless@05d7b7ee023e2c7d01c47832d420c2503cd416f3 # action/v2.0.3
         with:
           token: "${{ steps.octo-sts.outputs.token }}"
@@ -152,22 +86,31 @@ jobs:
           create-branch: true
           command: push
           commits: "${{ steps.create-commit.outputs.commit }}"
+          working-directory: images
 
-      - name: Create or identify pull request
+      - name: Create pull request
+        id: images-pr
+        if: ${{ steps.create-commit.outputs.has_changes == 'true' }}
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
           PR_NUMBER: ${{ github.event.inputs.pr_number }}
         run: |
-          BRANCH="${{ steps.define-branch.outputs.branch }}"
-          EXISTING_PR=$(gh pr list --repo DataDog/images --head "$BRANCH" --json url -q '.[0].url' 2>/dev/null || true)
-          if [[ -n "$EXISTING_PR" ]]; then
-            echo "PR already exists: $EXISTING_PR"
-          else
-            gh pr create \
-              --repo DataDog/images \
-              --draft \
-              --title "Add dd-trace-java-docker-build test images for PR #${PR_NUMBER}" \
-              --base master \
-              --head "$BRANCH" \
-              --body "Adds mirror entries for \`${PR_NUMBER}_merge-*\` test images from DataDog/dd-trace-java-docker-build#${PR_NUMBER}. To use in dd-trace-java CI, set \`TESTER_IMAGE_VERSION_PREFIX: \"${PR_NUMBER}_merge-\"\` in \`.gitlab-ci.yml\`."
-          fi
+          PR_URL=$(gh pr create \
+            --repo DataDog/images \
+            --draft \
+            --title "Update dd-trace-java-docker-build test images for PR #${PR_NUMBER}" \
+            --base master \
+            --head "${{ steps.define-branch.outputs.branch }}" \
+            --body "Adds/updates mirror entries for \`${PR_NUMBER}_merge-*\` test images from DataDog/dd-trace-java-docker-build#${PR_NUMBER}. These images should be removed after testing.")
+          echo "pr_url=${PR_URL}" >> "$GITHUB_OUTPUT"
+
+      - name: Comment on source PR with mirror cleanup reminder
+        if: ${{ steps.update-mirror.outputs.mode == 'add' && steps.create-commit.outputs.has_changes == 'true' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.inputs.pr_number }}
+          IMAGES_PR_URL: ${{ steps.images-pr.outputs.pr_url }}
+        run: |
+          gh pr comment "${PR_NUMBER}" \
+            --repo DataDog/dd-trace-java-docker-build \
+            --body "Mirrored test images for \`${PR_NUMBER}_merge-*\` were added in ${IMAGES_PR_URL}. When you've finished validating the image, please remove the mirrored test images."
@@ -20,15 +20,22 @@ jobs:
           scope: DataDog/images
           policy: dd-trace-java-docker-build.update-mirror
 
+      - name: Checkout DataDog/dd-trace-java-docker-build
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: dd-trace-java-docker-build
+
       - name: Checkout DataDog/images
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: DataDog/images
           token: ${{ steps.octo-sts.outputs.token }}
+          path: images
 
       - name: Capture images HEAD SHA
         id: images-head
         run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+        working-directory: images
 
       - name: Install crane
         run: |
@@ -38,17 +45,17 @@ jobs:
           sudo mv crane /usr/local/bin/crane
           rm crane.tar.gz
 
-      - name: Get baseline digest for ci-base image
+      - name: Get baseline digest for ci-base image # base variant used to check freshness
         id: baseline
         run: |
-          BASELINE=$(awk '/source:.*dd-trace-java-docker-build:ci-base/{found=1; next} found && /digest:/{print $2; exit}' mirror.lock.yaml || true)
+          BASELINE=$(awk '/source:.*dd-trace-java-docker-build:ci-base/{found=1; next} found && /digest:/{print $2; exit}' images/mirror.lock.yaml || true)
           echo "digest=${BASELINE}" >> "$GITHUB_OUTPUT"
           echo "Baseline ci-base digest: ${BASELINE:-<none found>}"
 
       - name: Wait for new ci-base image to be published
         run: |
           BASELINE="${{ steps.baseline.outputs.digest }}"
-          DEADLINE=$((SECONDS + 1800)) # 30 min timeout
+          DEADLINE=$((SECONDS + 1800))
           echo "Waiting for ci-base digest to differ from: ${BASELINE:-<none>}"
           while [[ $SECONDS -lt $DEADLINE ]]; do
             CURRENT=$(crane digest ghcr.io/datadog/dd-trace-java-docker-build:ci-base 2>/dev/null || true)
@@ -59,91 +66,35 @@ jobs:
             echo "No change yet (current: ${CURRENT:-unavailable}), retrying in 60s..."
             sleep 60
           done
-          echo "::error::Timeout after 30 minutes: ci-base digest did not change"
+          echo "::error::Timeout after 30 minutes: ci-base digest did not change from existing mirror"
           exit 1
 
-      - name: Resolve digests and update mirror files
-        run: |
-          python3 - <<'PYEOF'
-          import subprocess, re
-
-          SOURCE_REPO = "ghcr.io/datadog/dd-trace-java-docker-build"
-          VARIANTS = [
-              "base", "7", "8", "11", "17", "21", "25", "tip",
-              "zulu8", "zulu11", "oracle8", "ibm8",
-              "semeru8", "semeru11", "semeru17",
-              "graalvm17", "graalvm21", "graalvm25",
-          ]
-
-          # Verify all ci-* entries are already present in both files before proceeding
-          with open("mirror.yaml", "r") as f:
-              yaml_content = f.read()
-          with open("mirror.lock.yaml", "r") as f:
-              lock_content = f.read()
-
-          missing_yaml = [v for v in VARIANTS if f"{SOURCE_REPO}:ci-{v}" not in yaml_content]
-          missing_lock = [v for v in VARIANTS if f"{SOURCE_REPO}:ci-{v}" not in lock_content]
-          if missing_yaml or missing_lock:
-              if missing_yaml:
-                  print(f"::error::ci-* entries missing from mirror.yaml: {missing_yaml}")
-              if missing_lock:
-                  print(f"::error::ci-* entries missing from mirror.lock.yaml: {missing_lock}")
-              print("Bootstrap the ci-* entries manually before running this workflow.")
-              raise SystemExit(1)
-
-          print("Resolving digests for ci-* variants...")
-          digests = {}
-          for variant in VARIANTS:
-              tag = f"ci-{variant}"
-              result = subprocess.run(
-                  ["crane", "digest", f"{SOURCE_REPO}:{tag}"],
-                  capture_output=True, text=True, check=True,
-              )
-              digest = result.stdout.strip()
-              digests[variant] = digest
-              print(f"  {tag}: {digest}")
-
-          # Update existing digest entries in mirror.lock.yaml in-place
-          for variant in VARIANTS:
-              tag = f"ci-{variant}"
-              source = f"{SOURCE_REPO}:{tag}"
-              digest = digests[variant]
-              pattern = rf"(    - source: {re.escape(source)}\n      digest: )sha256:[a-f0-9]+"
-              lock_content = re.sub(pattern, rf"\g<1>{digest}", lock_content)
-              print(f"Updated mirror.lock.yaml: {tag}")
-
-          with open("mirror.lock.yaml", "w") as f:
-              f.write(lock_content)
-
-          PYEOF
-
-      - name: Check for changes
-        id: check-changes
-        run: |
-          if [[ -z "$(git status -s)" ]]; then
-            echo "No changes to commit."
-            echo "commit_changes=false" >> "$GITHUB_OUTPUT"
-          else
-            echo "commit_changes=true" >> "$GITHUB_OUTPUT"
-          fi
+      - name: Resolve digests and update mirror.lock.yaml files
+        run: bash "${GITHUB_WORKSPACE}/dd-trace-java-docker-build/scripts/update-ci-image-digests.sh"
+        working-directory: images
 
       - name: Define branch name
-        if: steps.check-changes.outputs.commit_changes == 'true'
         id: define-branch
         run: echo "branch=ci/update-dd-trace-java-docker-build-ci-digests-$(date +'%Y%m%d')" >> "$GITHUB_OUTPUT"
 
       - name: Commit changes
-        if: steps.check-changes.outputs.commit_changes == 'true'
         id: create-commit
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add mirror.yaml mirror.lock.yaml
+          git add mirror.lock.yaml
+          if git diff --cached --quiet; then
+            echo "No changes detected in mirror files; skipping commit."
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
           git commit -m "chore: Update dd-trace-java-docker-build ci-* image digests"
+          echo "has_changes=true" >> "$GITHUB_OUTPUT"
           echo "commit=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+        working-directory: images
 
       - name: Push changes
-        if: steps.check-changes.outputs.commit_changes == 'true'
+        if: ${{ steps.create-commit.outputs.has_changes == 'true' }}
         uses: DataDog/commit-headless@05d7b7ee023e2c7d01c47832d420c2503cd416f3 # action/v2.0.3
         with:
           token: "${{ steps.octo-sts.outputs.token }}"
@@ -152,9 +103,10 @@ jobs:
           create-branch: true
           command: push
           commits: "${{ steps.create-commit.outputs.commit }}"
+          working-directory: images
 
       - name: Create pull request
-        if: steps.check-changes.outputs.commit_changes == 'true'
+        if: ${{ steps.create-commit.outputs.has_changes == 'true' }}
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
 
@@ -34,8 +34,8 @@ Images are built per PR for ease in testing. These test images are prefixed with
 To test these images in `dd-trace-java` CI:
 
 1. Open a PR in [DataDog/dd-trace-java-docker-build](https://github.com/DataDog/dd-trace-java-docker-build) with the changes you want to test. Let's say these changes are made in PR #123 ([example](https://github.com/DataDog/dd-trace-java-docker-build/pull/123)).
-2. Run the [Create test image mirror PR](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/create-test-mirror-pr.yml) workflow with `pr_number=123`. This automatically opens a PR in [DataDog/images](https://github.com/DataDog/images) that adds mirror entries for the `123_merge-*` test images. The PR should be automatically merged by the `dd-prapprover` bot.
+2. Run the [Create test image mirror PR](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/create-test-mirror-pr.yml) workflow with `PR_NUMBER=123`. This automatically opens a PR in [DataDog/images](https://github.com/DataDog/images) that adds mirror entries for the `123_merge-*` test images. Merge the PR if not done automatically by the `dd-prapprover` bot.
 3. Open a PR in [DataDog/dd-trace-java](https://github.com/DataDog/dd-trace-java) that sets `BUILDER_IMAGE_VERSION_PREFIX: "123_merge-"` in `.gitlab-ci.yml`. Here, you can check your test images with `DataDog/dd-trace-java` CI.
-4. Every time you want to test changes made in PR #123, ensure the test image SHAs in `DataDog/images` are updated. This should be done by running the [Create test image mirror PR](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/create-test-mirror-pr.yml) workflow with `pr_number=123`.
+4. Every time you want to test changes made in PR #123, ensure the test image SHAs in `DataDog/images` are updated. This is done by running the [Create test image mirror PR](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/create-test-mirror-pr.yml) workflow each time with `PR_NUMBER=123`.
 5. When the test images look good and `DataDog/dd-trace-java` CI is green, merge your `DataDog/dd-trace-java-docker-build` PR #123, close the test `DataDog/dd-trace-java` PR, and **remove the test images from the `DataDog/images` repo**.
-6. Finally, run the [Tag new images version](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/docker-tag.yml) workflow. The [Update mirror digests for ci-* images](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/update-mirror-digests.yml) workflow will automatically open a PR in `DataDog/images`, updating the pinned `ci-*` digests.
+6. Finally, run the [Tag new images version](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/docker-tag.yml) workflow. The [Update mirror digests for ci-* images](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/update-mirror-digests.yml) workflow will automatically open a PR in `DataDog/images`, updating the pinned `ci-*` digests. `dd-trace-java` CI should automatically pick up these updated images a few minutes after the PR is merged.