From f2d99f627765b3f89b7d24c6b64891713c1a1e55 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Mon, 22 Jun 2026 10:37:41 +0200 Subject: [PATCH 01/21] Publish CI images to internal ddbuild registry - Update .gitlab/ci-images.yml to change the default CI_REGISTRY to registry.ddbuild.io and target the ddbuild registry path registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci. - Make docker logins dynamic to support local builds, Docker Hub logins, and AWS ECR logins depending on the target registry server. - Bypass runner credential helper issues in Linux container environments by resetting ~/.docker/config.json. - Make registry and base image names fully configurable in docker-compose.yml and Dockerfiles, allowing parent base images to be dynamically resolved from ddbuild during child compilation steps. --- .gitlab/ci-images.yml | 85 +++++++++++++++++-- dockerfiles/ci/alpine/docker-compose.yml | 4 +- dockerfiles/ci/alpine/php-8.0/Dockerfile | 3 +- .../ci/alpine_compile_extension/Dockerfile | 3 +- .../docker-compose.yml | 24 +++--- dockerfiles/ci/bookworm/docker-compose.yml | 30 +++---- dockerfiles/ci/centos/7/docker-compose.yml | 24 +++--- dockerfiles/ci/centos/7/php.Dockerfile | 3 +- dockerfiles/ci/windows/Dockerfile | 3 +- dockerfiles/ci/windows/basetools.Dockerfile | 3 +- dockerfiles/ci/windows/docker-compose.yml | 30 +++---- 11 files changed, 144 insertions(+), 68 deletions(-) diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml index c2b725f7d44..0e8fac1e7d9 100644 --- a/.gitlab/ci-images.yml +++ b/.gitlab/ci-images.yml @@ -6,7 +6,9 @@ variables: value: "" description: "Your docker hub personal access token, can be created following this doc https://docs.docker.com/docker-hub/access-tokens/#create-an-access-token" CI_REGISTRY: - value: "docker.io" + value: "registry.ddbuild.io" + CI_REGISTRY_IMAGE: + value: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci" CentOS: stage: ci-build 
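Review bot: `CI_REGISTRY` and the new `CI_REGISTRY_IMAGE` in the `variables:` block have to agree, but nothing in the file says so. The login step takes its server from `CI_REGISTRY`, while the compose files tag and push with `CI_REGISTRY_IMAGE`, so a manual run that overrides only `CI_REGISTRY` (for example back to `docker.io`) would log in to one registry and push to the other. Both names are also GitLab predefined variables, so defining them here shadows the values GitLab would otherwise inject. I would add a `description:` to each, e.g. `description: "Registry host used for docker login; must be the host part of CI_REGISTRY_IMAGE"`, or derive the login server from `CI_REGISTRY_IMAGE` so there is one source of truth.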
@@ -36,7 +38,28 @@ CentOS: - php-7.0 script: - cd dockerfiles/ci/centos/7 - - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY" + - | + LOGIN_SERVER=$(echo "$CI_REGISTRY" | cut -d'/' -f1) + if [ "$LOGIN_SERVER" = "registry.ddbuild.io" ]; then + echo "Using pre-configured runner credentials for registry.ddbuild.io" + elif echo "$LOGIN_SERVER" | grep -q "dkr.ecr"; then + mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json + if ! command -v aws >/dev/null 2>&1; then + ARCH=$(uname -m) + if [ "$ARCH" = "x86_64" ]; then + curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" + else + curl -s "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip" + fi + unzip -q awscliv2.zip + ./aws/install >/dev/null + rm -rf aws awscliv2.zip + fi + aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$LOGIN_SERVER" + elif [ -n "$CI_REGISTRY_TOKEN" ]; then + mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json + echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$LOGIN_SERVER" + fi - docker buildx bake --no-cache --pull --push $PHP_VERSION Alpine: 
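Review bot: The ECR branch of the CentOS login block downloads `awscliv2.zip` with `curl -s` and runs `./aws/install` from it with no version pin and no integrity check, in a job that then obtains registry push credentials. `-s` without `-f` also saves an HTTP error body as the zip, and any `uname -m` other than `x86_64` falls through to the aarch64 build. Pinning a release and checking its digest before unpacking closes the gap; baking the CLI into the job image would remove the download altogether. The same block is repeated in the Alpine and Bookworm jobs, and the angle-bracket values below are placeholders to fill in.

```yaml
- |
  # … unchanged: LOGIN_SERVER detection, registry.ddbuild.io branch, config.json reset …
  if ! command -v aws >/dev/null 2>&1; then
    AWSCLI_VERSION="<pinned-awscli-version>"
    case "$(uname -m)" in
      x86_64)  AWSCLI_ARCH=x86_64;  AWSCLI_SHA256="<sha256-of-x86_64-zip>" ;;
      aarch64) AWSCLI_ARCH=aarch64; AWSCLI_SHA256="<sha256-of-aarch64-zip>" ;;
      *) echo "unsupported architecture: $(uname -m)" >&2; exit 1 ;;
    esac
    curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-${AWSCLI_ARCH}-${AWSCLI_VERSION}.zip" -o awscliv2.zip
    echo "${AWSCLI_SHA256}  awscliv2.zip" | sha256sum -c -
    unzip -q awscliv2.zip
    ./aws/install >/dev/null
    rm -rf aws awscliv2.zip
  fi
  # … unchanged: aws ecr get-login-password | docker login, CI_REGISTRY_TOKEN branch …
```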
@@ -67,7 +90,28 @@ Alpine: - 7.0-alpine script: - cd dockerfiles/ci/alpine_compile_extension - - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY" + - | + LOGIN_SERVER=$(echo "$CI_REGISTRY" | cut -d'/' -f1) + if [ "$LOGIN_SERVER" = "registry.ddbuild.io" ]; then + echo "Using pre-configured runner credentials for registry.ddbuild.io" + elif echo "$LOGIN_SERVER" | grep -q "dkr.ecr"; then + mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json + if ! command -v aws >/dev/null 2>&1; then + ARCH=$(uname -m) + if [ "$ARCH" = "x86_64" ]; then + curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" + else + curl -s "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip" + fi + unzip -q awscliv2.zip + ./aws/install >/dev/null + rm -rf aws awscliv2.zip + fi + aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$LOGIN_SERVER" + elif [ -n "$CI_REGISTRY_TOKEN" ]; then + mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json + echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$LOGIN_SERVER" + fi - docker buildx bake --no-cache --pull --push $PHP_VERSION Bookworm: @@ -81,11 +125,11 @@ Bookworm: image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble variables: DDCI_CONFIGURE_OTEL_EXPORTER: "true" + MAKE_JOBS: "2" parallel: matrix: - PHP_VERSION: - base - - PHP_VERSION: - php-8.5 - php-8.4 - php-8.3 
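Review bot: In the Alpine login block, `grep -q "dkr.ecr"` is an unanchored regex, so any host whose name merely contains that pattern is treated as ECR and is handed the output of `aws ecr get-login-password`. The region is also fixed at `us-east-1` although the ECR host name already carries it. Matching the full shape with `case "$LOGIN_SERVER" in *.dkr.ecr.*.amazonaws.com)` and taking the region from the host with `--region "$(echo "$LOGIN_SERVER" | cut -d. -f4)"` would cover both. The CentOS and Bookworm blocks have the same test, as does `-like "*dkr.ecr*"` in the Windows job.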
@@ -99,10 +143,30 @@ Bookworm: - php-7.2 - php-7.1 - php-7.0 - MAKE_JOBS: ["2"] script: - cd dockerfiles/ci/bookworm - - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY" + - | + LOGIN_SERVER=$(echo "$CI_REGISTRY" | cut -d'/' -f1) + if [ "$LOGIN_SERVER" = "registry.ddbuild.io" ]; then + echo "Using pre-configured runner credentials for registry.ddbuild.io" + elif echo "$LOGIN_SERVER" | grep -q "dkr.ecr"; then + mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json + if ! command -v aws >/dev/null 2>&1; then + ARCH=$(uname -m) + if [ "$ARCH" = "x86_64" ]; then + curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" + else + curl -s "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip" + fi + unzip -q awscliv2.zip + ./aws/install >/dev/null + rm -rf aws awscliv2.zip + fi + aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$LOGIN_SERVER" + elif [ -n "$CI_REGISTRY_TOKEN" ]; then + mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json + echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$LOGIN_SERVER" + fi - docker buildx bake --no-cache --pull --push $PHP_VERSION .windows_image_build: 
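Review bot: This is the third verbatim copy of the roughly twenty-line login script (CentOS, Alpine, Bookworm), so any later fix has to be made three times and the copies can drift apart. Moving it into a hidden job, for example `.registry_login`, and pulling it in with `- !reference [.registry_login, script]` in each job's `script:` would keep a single copy. A short comment above it saying why `~/.docker/config.json` is overwritten (the credential-helper issue named in the commit message) would also help, since that line discards whatever the runner had configured for the non-ddbuild branches.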
@@ -168,7 +232,14 @@ Bookworm: New-Item -ItemType Directory -Force -Path $env:DOCKER_CONFIG | Out-Null Set-Content -Encoding ascii -Path (Join-Path $env:DOCKER_CONFIG "config.json") -Value '{"auths":{}}' - $env:CI_REGISTRY_TOKEN | docker login -u "$env:CI_REGISTRY_USER" --password-stdin "$env:CI_REGISTRY" + $loginServer = $env:CI_REGISTRY.Split('/')[0] + if ($loginServer -eq "registry.ddbuild.io") { + Write-Host "Using pre-configured runner credentials for registry.ddbuild.io" + } elseif ($loginServer -like "*dkr.ecr*") { + aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$loginServer" + } elseif ($env:CI_REGISTRY_TOKEN) { + $env:CI_REGISTRY_TOKEN | docker login -u "$env:CI_REGISTRY_USER" --password-stdin "$loginServer" + } if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } docker version diff --git a/dockerfiles/ci/alpine/docker-compose.yml b/dockerfiles/ci/alpine/docker-compose.yml index 525bb61fb44..eb4015cd527 100644 --- a/dockerfiles/ci/alpine/docker-compose.yml +++ b/dockerfiles/ci/alpine/docker-compose.yml @@ -3,7 +3,7 @@ version: '3.7' services: base: - image: datadog/dd-trace-ci:alpine + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:alpine build: context: . x-bake: &bake @@ -12,7 +12,7 @@ services: - linux/amd64 php-8.0: - image: datadog/dd-trace-ci:php-8.0_alpine + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.0_alpine build: context: ./php-8.0 args: diff --git a/dockerfiles/ci/alpine/php-8.0/Dockerfile b/dockerfiles/ci/alpine/php-8.0/Dockerfile index 4ecb3c521d7..1017f7b4634 100644 --- a/dockerfiles/ci/alpine/php-8.0/Dockerfile +++ b/dockerfiles/ci/alpine/php-8.0/Dockerfile @@ -1,4 +1,5 @@ -FROM datadog/dd-trace-ci:alpine AS base +ARG CI_REGISTRY_IMAGE=datadog/dd-trace-ci +FROM ${CI_REGISTRY_IMAGE}:alpine AS base ARG phpVersion ENV PHP_INSTALL_DIR_DEBUG_ZTS=${PHP_INSTALL_DIR}/${phpVersion}-debug-zts 
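Review bot: In the Windows job's `registry.ddbuild.io` branch no native command runs, so the `if ($LASTEXITCODE -ne 0)` check after the chain tests whatever an earlier command left behind rather than a login result; setting `$global:LASTEXITCODE = 0` before the `if` would make the check mean what it says. The context lines above still write `{"auths":{}}` to `config.json` before that branch announces pre-configured runner credentials; whether those survive depends on where `$env:DOCKER_CONFIG` points, which is outside the hunk. The ECR branch also assumes `aws` is already on the runner, unlike the Linux jobs, so an early `if (-not (Get-Command aws -ErrorAction SilentlyContinue)) { throw "aws CLI not found" }` would give a clearer failure.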
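Review bot: In dockerfiles/ci/alpine/php-8.0/Dockerfile, `ARG CI_REGISTRY_IMAGE=datadog/dd-trace-ci` only takes another value when it is passed as a build argument, and the docker-compose.yml hunks for this directory change just the `image:` lines. As far as this patch shows, the `FROM` therefore still resolves to the Docker Hub image, so the tag pushed to the internal registry would be built on a parent pulled from a public one, which is not what the commit message describes. Adding `CI_REGISTRY_IMAGE: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}` under the service's `build.args` would pass it through, as the bookworm compose file already does via `BUILD_BASE`. The same applies to alpine_compile_extension/Dockerfile, centos/7/php.Dockerfile, windows/Dockerfile and windows/basetools.Dockerfile, unless the argument is supplied elsewhere in the series.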
diff --git a/dockerfiles/ci/alpine_compile_extension/Dockerfile b/dockerfiles/ci/alpine_compile_extension/Dockerfile index a7a694ec532..da8045e2ca5 100644 --- a/dockerfiles/ci/alpine_compile_extension/Dockerfile +++ b/dockerfiles/ci/alpine_compile_extension/Dockerfile @@ -1,4 +1,5 @@ -FROM datadog/dd-trace-ci:php-compile-extension-alpine +ARG CI_REGISTRY_IMAGE=datadog/dd-trace-ci +FROM ${CI_REGISTRY_IMAGE}:php-compile-extension-alpine ADD 0001-Backport-0a39890c-Fix-libxml2-2.12-build-due-to-API-.patch /patches/0001-Backport-0a39890c-Fix-libxml2-2.12-build-due-to-API-.patch ADD 0001-Sync-callback-signature-with-libxml2-2.9.8.patch /patches/0001-Sync-callback-signature-with-libxml2-2.9.8.patch diff --git a/dockerfiles/ci/alpine_compile_extension/docker-compose.yml b/dockerfiles/ci/alpine_compile_extension/docker-compose.yml index 52892420c92..6ac3817ff0b 100644 --- a/dockerfiles/ci/alpine_compile_extension/docker-compose.yml +++ b/dockerfiles/ci/alpine_compile_extension/docker-compose.yml @@ -3,7 +3,7 @@ version: '3.7' services: base-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine build: context: . dockerfile: base.Dockerfile @@ -15,7 +15,7 @@ services: - ../../:/app 7.0-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-7.0 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-7.0 build: context: . x-bake: *bake @@ -27,7 +27,7 @@ services: - ../../:/app 7.1-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-7.1 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-7.1 build: context: . x-bake: *bake @@ -39,7 +39,7 @@ services: - ../../:/app 7.2-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-7.2 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-7.2 build: context: . x-bake: *bake 
@@ -51,7 +51,7 @@ services: - ../../:/app 7.3-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-7.3 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-7.3 build: context: . x-bake: *bake @@ -63,7 +63,7 @@ services: - ../../:/app 7.4-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-7.4 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-7.4 build: context: . x-bake: *bake @@ -75,7 +75,7 @@ services: - ../../:/app 8.0-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-8.0 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-8.0 build: context: . x-bake: *bake @@ -87,7 +87,7 @@ services: - ../../:/app 8.1-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-8.1 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-8.1 build: context: . x-bake: *bake @@ -99,7 +99,7 @@ services: - ../../:/app 8.2-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-8.2 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-8.2 build: context: . x-bake: *bake @@ -111,7 +111,7 @@ services: - ../../:/app 8.3-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-8.3 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-8.3 build: context: . x-bake: *bake @@ -123,7 +123,7 @@ services: - ../../:/app 8.4-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-8.4 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-8.4 build: context: . x-bake: *bake @@ -135,7 +135,7 @@ services: - ../../:/app 8.5-alpine: - image: datadog/dd-trace-ci:php-compile-extension-alpine-8.5 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-compile-extension-alpine-8.5 build: context: . x-bake: *bake 
diff --git a/dockerfiles/ci/bookworm/docker-compose.yml b/dockerfiles/ci/bookworm/docker-compose.yml index 8f167dfb7e6..0f6a789fb6f 100644 --- a/dockerfiles/ci/bookworm/docker-compose.yml +++ b/dockerfiles/ci/bookworm/docker-compose.yml @@ -3,7 +3,7 @@ version: '3.7' services: base: - image: datadog/dd-trace-ci:bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:bookworm-$BOOKWORM_NEXT_VERSION build: context: . x-bake: &bake @@ -11,11 +11,11 @@ services: - linux/arm64 - linux/amd64 args: &build-base - BUILD_BASE: datadog/dd-trace-ci:bookworm-$BOOKWORM_NEXT_VERSION + BUILD_BASE: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:bookworm-$BOOKWORM_NEXT_VERSION MAKE_JOBS: ${MAKE_JOBS:-} php-8.5: - image: datadog/dd-trace-ci:php-8.5_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.5_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-8.5/Dockerfile @@ -27,7 +27,7 @@ services: phpSha256Hash: "e5eba93fd6dd3241d0e61e932eb99a3783b40568553fb0e511b660ecd863a049" php-8.4: - image: datadog/dd-trace-ci:php-8.4_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.4_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-8.4/Dockerfile @@ -39,7 +39,7 @@ services: phpSha256Hash: "a012c2c9724baf214a70b41b40a7e130906b8855e54268afa5bc4ae17bc9d823" php-8.3: - image: datadog/dd-trace-ci:php-8.3_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.3_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-8.3/Dockerfile @@ -51,7 +51,7 @@ services: phpSha256Hash: "4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f" php-8.2: - image: datadog/dd-trace-ci:php-8.2_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.2_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-8.2/Dockerfile 
@@ -63,7 +63,7 @@ services: phpSha256Hash: "083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870" php-8.1: - image: datadog/dd-trace-ci:php-8.1_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.1_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-8.1/Dockerfile @@ -75,7 +75,7 @@ services: phpSha256Hash: "4846836d1de27dbd28e89180f073531087029a77e98e8e019b7b2eddbdb1baff" php-8.0: - image: datadog/dd-trace-ci:php-8.0_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.0_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-8.0/Dockerfile @@ -87,7 +87,7 @@ services: phpSha256Hash: "449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80c" php-8.0-shared-ext: - image: datadog/dd-trace-ci:php-8.0-shared-ext-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.0-shared-ext-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-8.0/Dockerfile @@ -100,7 +100,7 @@ services: phpSha256Hash: "449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80c" php-7.4: - image: datadog/dd-trace-ci:php-7.4_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.4_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-7.4/Dockerfile @@ -112,7 +112,7 @@ services: phpSha256Hash: 5a2337996f07c8a097e03d46263b5c98d2c8e355227756351421003bea8f463e php-7.4-shared-ext: - image: datadog/dd-trace-ci:php-7.4-shared-ext-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.4-shared-ext-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-7.4/Dockerfile @@ -125,7 +125,7 @@ services: phpSha256Hash: 5a2337996f07c8a097e03d46263b5c98d2c8e355227756351421003bea8f463e php-7.3: - image: datadog/dd-trace-ci:php-7.3_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.3_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-7.3/Dockerfile 
@@ -137,7 +137,7 @@ services: phpSha256Hash: 9a369c32c6f52036b0a890f290327f148a1904ee66aa56e2c9a7546da6525ec8 php-7.2: - image: datadog/dd-trace-ci:php-7.2_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.2_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-7.2/Dockerfile @@ -149,7 +149,7 @@ services: phpSha256Hash: 8b2777c741e83f188d3ca6d8e98ece7264acafee86787298fae57e05d0dddc78 php-7.1: - image: datadog/dd-trace-ci:php-7.1_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.1_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-7.1/Dockerfile @@ -161,7 +161,7 @@ services: phpSha256Hash: 0055f368ffefe51d5a4483755bd17475e88e74302c08b727952831c5b2682ea2 php-7.0: - image: datadog/dd-trace-ci:php-7.0_bookworm-$BOOKWORM_NEXT_VERSION + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.0_bookworm-$BOOKWORM_NEXT_VERSION build: context: . dockerfile: php-7.0/Dockerfile diff --git a/dockerfiles/ci/centos/7/docker-compose.yml b/dockerfiles/ci/centos/7/docker-compose.yml index 2b427a95ba1..c4fc16bd172 100644 --- a/dockerfiles/ci/centos/7/docker-compose.yml +++ b/dockerfiles/ci/centos/7/docker-compose.yml @@ -2,7 +2,7 @@ version: '3' services: base: - image: 'datadog/dd-trace-ci:centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:centos-7' build: context: . dockerfile: base.Dockerfile @@ -20,7 +20,7 @@ services: phpVersion: "7.0" phpTarGzUrl: https://www.php.net/distributions/php-7.0.33.tar.gz phpSha256Hash: d71a6ecb6b13dc53fed7532a7f8f949c4044806f067502f8fb6f9facbb40452a - image: 'datadog/dd-trace-ci:php-7.0_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.0_centos-7' php-7.1: build: 
@@ -31,7 +31,7 @@ services: phpVersion: "7.1" phpTarGzUrl: https://www.php.net/distributions/php-7.1.33.tar.gz phpSha256Hash: 0055f368ffefe51d5a4483755bd17475e88e74302c08b727952831c5b2682ea2 - image: 'datadog/dd-trace-ci:php-7.1_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.1_centos-7' php-7.2: build: @@ -42,7 +42,7 @@ services: phpVersion: "7.2" phpTarGzUrl: https://www.php.net/distributions/php-7.2.34.tar.gz phpSha256Hash: 8b2777c741e83f188d3ca6d8e98ece7264acafee86787298fae57e05d0dddc78 - image: 'datadog/dd-trace-ci:php-7.2_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.2_centos-7' php-7.3: build: @@ -53,7 +53,7 @@ services: phpVersion: "7.3" phpTarGzUrl: https://www.php.net/distributions/php-7.3.33.tar.gz phpSha256Hash: 9a369c32c6f52036b0a890f290327f148a1904ee66aa56e2c9a7546da6525ec8 - image: 'datadog/dd-trace-ci:php-7.3_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.3_centos-7' php-7.4: build: @@ -64,7 +64,7 @@ services: phpVersion: "7.4" phpTarGzUrl: https://www.php.net/distributions/php-7.4.33.tar.gz phpSha256Hash: 5a2337996f07c8a097e03d46263b5c98d2c8e355227756351421003bea8f463e - image: 'datadog/dd-trace-ci:php-7.4_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.4_centos-7' php-8.0: build: @@ -75,7 +75,7 @@ services: phpVersion: "8.0" phpTarGzUrl: https://www.php.net/distributions/php-8.0.30.tar.gz phpSha256Hash: 449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80c - image: 'datadog/dd-trace-ci:php-8.0_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.0_centos-7' php-8.1: build: @@ -86,7 +86,7 @@ services: phpVersion: "8.1" phpTarGzUrl: https://www.php.net/distributions/php-8.1.32.tar.gz phpSha256Hash: "4846836d1de27dbd28e89180f073531087029a77e98e8e019b7b2eddbdb1baff" - image: 'datadog/dd-trace-ci:php-8.1_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.1_centos-7' php-8.2: build: 
@@ -97,7 +97,7 @@ services: phpVersion: "8.2" phpTarGzUrl: https://www.php.net/distributions/php-8.2.31.tar.gz phpSha256Hash: "083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870" - image: 'datadog/dd-trace-ci:php-8.2_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.2_centos-7' php-8.3: build: @@ -108,7 +108,7 @@ services: phpVersion: "8.3" phpTarGzUrl: https://www.php.net/distributions/php-8.3.31.tar.gz phpSha256Hash: "4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f" - image: 'datadog/dd-trace-ci:php-8.3_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.3_centos-7' php-8.4: build: @@ -119,7 +119,7 @@ services: phpVersion: "8.4" phpTarGzUrl: https://www.php.net/distributions/php-8.4.22.tar.gz phpSha256Hash: "a012c2c9724baf214a70b41b40a7e130906b8855e54268afa5bc4ae17bc9d823" - image: 'datadog/dd-trace-ci:php-8.4_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.4_centos-7' php-8.5: build: @@ -130,4 +130,4 @@ services: phpVersion: "8.5" phpTarGzUrl: https://www.php.net/distributions/php-8.5.7.tar.gz phpSha256Hash: "e5eba93fd6dd3241d0e61e932eb99a3783b40568553fb0e511b660ecd863a049" - image: 'datadog/dd-trace-ci:php-8.5_centos-7' + image: '${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.5_centos-7' diff --git a/dockerfiles/ci/centos/7/php.Dockerfile b/dockerfiles/ci/centos/7/php.Dockerfile index 281af3e10e8..267435cb40f 100644 --- a/dockerfiles/ci/centos/7/php.Dockerfile +++ b/dockerfiles/ci/centos/7/php.Dockerfile @@ -1,4 +1,5 @@ -FROM datadog/dd-trace-ci:centos-7 AS base +ARG CI_REGISTRY_IMAGE=datadog/dd-trace-ci +FROM ${CI_REGISTRY_IMAGE}:centos-7 AS base ENV PHP_SRC_DIR=/usr/local/src/php ENV PHP_INSTALL_DIR=/opt/php diff --git a/dockerfiles/ci/windows/Dockerfile b/dockerfiles/ci/windows/Dockerfile index d3b7a1c4858..c8e48a59b4d 100644 --- a/dockerfiles/ci/windows/Dockerfile +++ b/dockerfiles/ci/windows/Dockerfile 
@@ -1,5 +1,6 @@ +ARG CI_REGISTRY_IMAGE=datadog/dd-trace-ci ARG vsVersion -FROM datadog/dd-trace-ci:windows-$vsVersion AS base +FROM ${CI_REGISTRY_IMAGE}:windows-$vsVersion AS base ARG phpTarGzUrl ARG phpVersion diff --git a/dockerfiles/ci/windows/basetools.Dockerfile b/dockerfiles/ci/windows/basetools.Dockerfile index 001f9f553e9..3910c325634 100644 --- a/dockerfiles/ci/windows/basetools.Dockerfile +++ b/dockerfiles/ci/windows/basetools.Dockerfile @@ -1,5 +1,6 @@ +ARG CI_REGISTRY_IMAGE=datadog/dd-trace-ci ARG vsVersion -FROM datadog/dd-trace-ci:windows-base-$vsVersion +FROM ${CI_REGISTRY_IMAGE}:windows-base-$vsVersion RUN powershell.exe "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $Env:chocolateyVersion = '0.10.15'; $Env:chocolateyUseWindowsCompression = 'false'; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')); ''" diff --git a/dockerfiles/ci/windows/docker-compose.yml b/dockerfiles/ci/windows/docker-compose.yml index 86fde8f34e9..81e4c384f1e 100644 --- a/dockerfiles/ci/windows/docker-compose.yml +++ b/dockerfiles/ci/windows/docker-compose.yml @@ -3,7 +3,7 @@ version: '3.7' services: vc15-base: - image: datadog/dd-trace-ci:windows-base-vc15 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:windows-base-vc15 build: platforms: - windows/amd64 @@ -11,7 +11,7 @@ services: dockerfile: vc15.Dockerfile vs16-base: - image: datadog/dd-trace-ci:windows-base-vs16 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:windows-base-vs16 build: platforms: - windows/amd64 @@ -19,7 +19,7 @@ services: dockerfile: vs16.Dockerfile vs17-base: - image: datadog/dd-trace-ci:windows-base-vs17 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:windows-base-vs17 build: platforms: - windows/amd64 
@@ -27,7 +27,7 @@ services: dockerfile: vs17.Dockerfile vc15: - image: datadog/dd-trace-ci:windows-vc15 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:windows-vc15 build: platforms: - windows/amd64 @@ -38,7 +38,7 @@ services: sdkVersion: "2.2.0" vs16: - image: datadog/dd-trace-ci:windows-vs16 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:windows-vs16 build: platforms: - windows/amd64 @@ -49,7 +49,7 @@ services: sdkVersion: "2.2.0" vs17: - image: datadog/dd-trace-ci:windows-vs17 + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:windows-vs17 build: platforms: - windows/amd64 @@ -60,7 +60,7 @@ services: sdkVersion: "2.3.0" php-8.5: - image: datadog/dd-trace-ci:php-8.5_windows + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.5_windows build: platforms: - windows/amd64 @@ -72,7 +72,7 @@ services: phpSha256Hash: "e5eba93fd6dd3241d0e61e932eb99a3783b40568553fb0e511b660ecd863a049" php-8.4: - image: datadog/dd-trace-ci:php-8.4_windows + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.4_windows build: platforms: - windows/amd64 @@ -84,7 +84,7 @@ services: phpSha256Hash: "a012c2c9724baf214a70b41b40a7e130906b8855e54268afa5bc4ae17bc9d823" php-8.3: - image: datadog/dd-trace-ci:php-8.3_windows + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.3_windows build: platforms: - windows/amd64 @@ -96,7 +96,7 @@ services: phpSha256Hash: "4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f" php-8.2: - image: datadog/dd-trace-ci:php-8.2_windows + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.2_windows build: platforms: - windows/amd64 @@ -108,7 +108,7 @@ services: phpSha256Hash: "083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870" php-8.1: - image: datadog/dd-trace-ci:php-8.1_windows + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.1_windows build: platforms: - windows/amd64 
@@ -120,7 +120,7 @@ services: phpSha256Hash: "4846836d1de27dbd28e89180f073531087029a77e98e8e019b7b2eddbdb1baff" php-8.0: - image: datadog/dd-trace-ci:php-8.0_windows + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.0_windows build: platforms: - windows/amd64 @@ -132,7 +132,7 @@ services: phpSha256Hash: "449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80c" php-7.4: - image: datadog/dd-trace-ci:php-7.4_windows + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.4_windows build: platforms: - windows/amd64 @@ -144,7 +144,7 @@ services: phpSha256Hash: 5a2337996f07c8a097e03d46263b5c98d2c8e355227756351421003bea8f463e php-7.3: - image: datadog/dd-trace-ci:php-7.3_windows + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.3_windows build: platforms: - windows/amd64 @@ -156,7 +156,7 @@ services: phpSha256Hash: 9a369c32c6f52036b0a890f290327f148a1904ee66aa56e2c9a7546da6525ec8 php-7.2: - image: datadog/dd-trace-ci:php-7.2_windows + image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-7.2_windows build: platforms: - windows/amd64 From f0c5cf5f1be2b9d7d7832063f40a6407afa64deb Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Mon, 22 Jun 2026 11:33:43 +0200 Subject: [PATCH 02/21] Consume built CI images from internal ddbuild registry - Update all GitLab CI generator scripts (.gitlab/generate-*.php) to use internal CI images from registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci instead of pulling from Docker Hub via the mirror path. - This ensures test jobs use the newly compiled images directly from our project's ECR registry namespace. --- .gitlab/generate-appsec.php | 10 +++++----- .gitlab/generate-package.php | 26 +++++++++++++------------- .gitlab/generate-profiler.php | 8 ++++---- .gitlab/generate-shared.php | 18 +++++++++--------- .gitlab/generate-tracer.php | 6 +++--- 5 files changed, 34 insertions(+), 34 deletions(-) diff --git a/.gitlab/generate-appsec.php b/.gitlab/generate-appsec.php index 81f4df374c3..77a32944665 100644 
--- a/.gitlab/generate-appsec.php +++ b/.gitlab/generate-appsec.php @@ -71,7 +71,7 @@ "test appsec extension": stage: test extends: .appsec_test - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 variables: KUBERNETES_CPU_REQUEST: 3 KUBERNETES_CPU_LIMIT: 3 @@ -393,7 +393,7 @@ "appsec code coverage": stage: test extends: .appsec_test - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-8 variables: KUBERNETES_CPU_REQUEST: 3 KUBERNETES_MEMORY_REQUEST: 3Gi @@ -515,7 +515,7 @@ "appsec lint": stage: test extends: .appsec_test - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-8 variables: KUBERNETES_CPU_REQUEST: 3 KUBERNETES_MEMORY_REQUEST: 9Gi @@ -537,7 +537,7 @@ "test appsec helper asan": stage: test extends: .appsec_test - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-8 variables: KUBERNETES_CPU_REQUEST: 3 KUBERNETES_MEMORY_REQUEST: 3Gi @@ -563,7 +563,7 @@ #"fuzz appsec helper": # stage: test # extends: .appsec_test -# image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8 +# image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-8 # variables: # KUBERNETES_CPU_REQUEST: 3 # KUBERNETES_MEMORY_REQUEST: 5Gi diff --git a/.gitlab/generate-package.php b/.gitlab/generate-package.php index 2272b5fc7fa..fce55abc55e 100644 --- a/.gitlab/generate-package.php +++ b/.gitlab/generate-package.php 
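Review bot: The prefix `registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci` is written out as a literal in every `image:` line touched here, and the same literal recurs through generate-package.php, generate-profiler.php and generate-shared.php in this patch. The next registry move will again be a search-and-replace across five generators, and a missed line would silently keep pulling from the old location. Defining it once in a file the generators share, for example `const CI_IMAGE_REPO = 'registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci';`, and interpolating it into the templates would make this a one-line change; how the templates are emitted is outside these hunks, so the exact interpolation syntax needs checking. All of these references use mutable tags such as `php-8.3_bookworm-8`, so a single definition is also the natural place to document who may overwrite them.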
@@ -5,7 +5,7 @@ $build_platforms = [ [ "triplet" => "x86_64-alpine-linux-musl", - "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-compile-extension-alpine-%s", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-compile-extension-alpine-%s", "arch" => "amd64", "host_os" => "linux-musl", "targets" => [ @@ -14,7 +14,7 @@ ], [ "triplet" => "aarch64-alpine-linux-musl", - "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-compile-extension-alpine-%s", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-compile-extension-alpine-%s", "arch" => "arm64", "host_os" => "linux-musl", "targets" => [ @@ -23,7 +23,7 @@ ], [ "triplet" => "x86_64-unknown-linux-gnu", - "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_centos-7", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_centos-7", "arch" => "amd64", "host_os" => "linux-gnu", "targets" => [ @@ -34,7 +34,7 @@ ], [ "triplet" => "aarch64-unknown-linux-gnu", - "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_centos-7", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_centos-7", "arch" => "arm64", "host_os" => "linux-gnu", "targets" => [ @@ -48,13 +48,13 @@ $asan_build_platforms = [ [ "triplet" => "x86_64-unknown-linux-gnu", - "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-8", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_bookworm-8", "arch" => "amd64", "host_os" => "linux-gnu", ], [ "triplet" => "aarch64-unknown-linux-gnu", - "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-8", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_bookworm-8", "arch" => "arm64", "host_os" => "linux-gnu", ] 
@@ -63,7 +63,7 @@ $windows_build_platforms = [ [ "triplet" => "x86_64-pc-windows-msvc", - "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_windows", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_windows", "arch" => "amd64", "host_os" => "windows-msvc", "targets" => [ @@ -321,7 +321,7 @@ "pecl build": stage: tracing - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-7.4_bookworm-8" tags: [ "arch:amd64" ] needs: [ "prepare code" ] script: @@ -371,7 +371,7 @@ "aggregate tracing extension: []": stage: tracing - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-7.4_bookworm-8" tags: [ "arch:amd64" ] script: ls ./ variables: @@ -770,7 +770,7 @@ "x-profiling phpt tests on Alpine": stage: verify - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-compile-extension-alpine-$PHP_VERSION" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-compile-extension-alpine-$PHP_VERSION" tags: [ "arch:amd64" ] parallel: matrix: @@ -1154,7 +1154,7 @@ "pecl tests": stage: verify - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_VERSION}_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_VERSION}_bookworm-8" tags: [ "arch:amd64" ] services: - !reference [.services, request-replayer] @@ -1187,7 +1187,7 @@ "min install tests": stage: verify - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.0-shared-ext-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.0-shared-ext-8 tags: [ "arch:amd64" ] variables: MAX_TEST_PARALLELISM: 8 
@@ -1365,7 +1365,7 @@ "Loader test on libc": stage: verify - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${MAJOR_MINOR}_${CONTAINER_SUFFIX}" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${MAJOR_MINOR}_${CONTAINER_SUFFIX}" tags: [ "arch:$ARCH" ] variables: VALGRIND: false diff --git a/.gitlab/generate-profiler.php b/.gitlab/generate-profiler.php index 0fd170a5699..50fde2ee4c9 100644 --- a/.gitlab/generate-profiler.php +++ b/.gitlab/generate-profiler.php @@ -26,7 +26,7 @@ "profiling tests": stage: test tags: [ "arch:${ARCH}" ] - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:${IMAGE_PREFIX}${PHP_MAJOR_MINOR}${IMAGE_SUFFIX} + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${IMAGE_PREFIX}${PHP_MAJOR_MINOR}${IMAGE_SUFFIX} # Setting the *_REQUEST and *_LIMIT variables to be the same, and setting # them for both the build and helper allows using Guaranteed QoS instead of # Burstable. This means nproc and similar tools will work as expected. @@ -95,7 +95,7 @@ "clippy NTS": stage: test tags: [ "arch:amd64" ] - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 variables: KUBERNETES_CPU_REQUEST: 5 KUBERNETES_CPU_LIMIT: 5 @@ -119,7 +119,7 @@ "Cargo test": stage: test tags: [ "arch:amd64" ] - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.5_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.5_bookworm-8 variables: KUBERNETES_CPU_REQUEST: 5 KUBERNETES_CPU_LIMIT: 5 @@ -139,7 +139,7 @@ "PHP language tests": stage: test tags: [ "arch:${ARCH}" ] - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 variables: KUBERNETES_CPU_REQUEST: 5 KUBERNETES_CPU_LIMIT: 5 
diff --git a/.gitlab/generate-shared.php b/.gitlab/generate-shared.php index d3f5f0a4f0f..f3d88650327 100644 --- a/.gitlab/generate-shared.php +++ b/.gitlab/generate-shared.php @@ -14,14 +14,14 @@ "C components ASAN": tags: [ "arch:amd64" ] stage: test - image: "registry.ddbuild.io/images/mirror/${IMAGE}" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${IMAGE}" needs: [] parallel: matrix: - IMAGE: - - "datadog/dd-trace-ci:centos-7" - - "datadog/dd-trace-ci:php-compile-extension-alpine" - - "datadog/dd-trace-ci:bookworm-8" + - "centos-7" + - "php-compile-extension-alpine" + - "bookworm-8" script: - if [ -f "/opt/libuv/lib/pkgconfig/libuv.pc" ]; then export PKG_CONFIG_PATH="/opt/libuv/lib/pkgconfig:$PKG_CONFIG_PATH"; fi - if [ -d "/opt/catch2" ]; then export CMAKE_PREFIX_PATH=/opt/catch2; fi @@ -45,7 +45,7 @@ "C components UBSAN": tags: [ "arch:amd64" ] stage: test - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-8" needs: [] script: - if [ -f "/opt/libuv/lib/pkgconfig/libuv.pc" ]; then export PKG_CONFIG_PATH="/opt/libuv/lib/pkgconfig:$PKG_CONFIG_PATH"; fi @@ -69,7 +69,7 @@ "Build & Test Tea": tags: [ "arch:amd64" ] stage: build - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8" parallel: matrix: - PHP_MAJOR_MINOR: *no_asan_minor_major_targets @@ -98,7 +98,7 @@ .tea_test: tags: [ "arch:amd64" ] stage: test - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8" interruptible: true rules: - if: $CI_COMMIT_BRANCH == "master" 
@@ -122,7 +122,7 @@ needs: [] variables: PHP_MAJOR_MINOR: "" - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8" script: - | if ! command -v cc >/dev/null 2>&1 && ! command -v clang >/dev/null 2>&1 && ! command -v gcc >/dev/null 2>&1; then @@ -185,7 +185,7 @@ ?> "ZAI Shared Tests: []": extends: .tea_test - image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php--shared-ext-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php--shared-ext-8" needs: - job: "Build & Test Tea" parallel: diff --git a/.gitlab/generate-tracer.php b/.gitlab/generate-tracer.php index 758881d56bb..a329243e192 100644 --- a/.gitlab/generate-tracer.php +++ b/.gitlab/generate-tracer.php @@ -67,7 +67,7 @@ function before_script_steps($with_docker_auth = false) { "compile extension: debug": stage: compile tags: [ "arch:${ARCH}" ] - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 parallel: matrix: - PHP_MAJOR_MINOR: *all_minor_major_targets @@ -119,7 +119,7 @@ function before_script_steps($with_docker_auth = false) { variables: CONTAINER_NAME: $CI_JOB_NAME_SLUG GIT_STRATEGY: none - IMAGE: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_windows" + IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_windows" script: | @@ -186,7 +186,7 @@ function before_script_steps($with_docker_auth = false) { .base_test: stage: test tags: [ "arch:${ARCH}" ] - image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 timeout: 60m interruptible: true rules: From df2d1f366a297e054d852827a4a749eff202ebec Mon Sep 17 00:00:00 2001 
From: Florian Engelhardt Date: Mon, 22 Jun 2026 13:54:00 +0200 Subject: [PATCH 03/21] Trigger public-images downstream sync to Docker Hub - Add a new 'ci-publish' stage to .gitlab-ci.yml. - Implement 4 parallel matrix trigger jobs in .gitlab/ci-images.yml (Publish CentOS, Publish Bookworm, Publish Alpine, and Publish Windows) to run automatically after their respective build jobs succeed. - Each trigger calls the DataDog/public-images pipeline, passing the corresponding internal ddbuild ECR image as source and targeting public Docker Hub as destination under the exact same tag. --- .gitlab-ci.yml | 1 + .gitlab/ci-images.yml | 126 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 127 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b7d512b1dc1..c142347f552 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,6 +3,7 @@ stages: - tests - deploy - ci-build + - ci-publish variables: GIT_SUBMODULE_STRATEGY: recursive diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml index 0e8fac1e7d9..3fa257dc795 100644 --- a/.gitlab/ci-images.yml +++ b/.gitlab/ci-images.yml 
@@ -283,3 +283,129 @@ Bookworm: - "php-7.4" - "php-7.3" - "php-7.2" + +Publish CentOS: + stage: ci-publish + rules: + - when: manual + allow_failure: true + needs: + - job: CentOS + trigger: + project: DataDog/public-images + branch: main + parallel: + matrix: + - TAG_NAME: + - "centos-7" + - "php-8.5_centos-7" + - "php-8.4_centos-7" + - "php-8.3_centos-7" + - "php-8.2_centos-7" + - "php-8.1_centos-7" + - "php-8.0_centos-7" + - "php-7.4_centos-7" + - "php-7.3_centos-7" + - "php-7.2_centos-7" + - "php-7.1_centos-7" + - "php-7.0_centos-7" + variables: + IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" + IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" + IMG_REGISTRIES: "dockerhub" + +Publish Bookworm: + stage: ci-publish + rules: + - when: manual + allow_failure: true + needs: + - job: Bookworm + trigger: + project: DataDog/public-images + branch: main + parallel: + matrix: + - TAG_NAME: + - "bookworm-8" + - "php-8.5_bookworm-8" + - "php-8.4_bookworm-8" + - "php-8.3_bookworm-8" + - "php-8.2_bookworm-8" + - "php-8.1_bookworm-8" + - "php-8.0_bookworm-8" + - "php-8.0-shared-ext-8" + - "php-7.4_bookworm-8" + - "php-7.4-shared-ext-8" + - "php-7.3_bookworm-8" + - "php-7.2_bookworm-8" + - "php-7.1_bookworm-8" + - "php-7.0_bookworm-8" + variables: + IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" + IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" + IMG_REGISTRIES: "dockerhub" + +Publish Alpine: + stage: ci-publish + rules: + - when: manual + allow_failure: true + needs: + - job: Alpine + trigger: + project: DataDog/public-images + branch: main + parallel: + matrix: + - TAG_NAME: + - "php-compile-extension-alpine" + - "php-compile-extension-alpine-8.5" + - "php-compile-extension-alpine-8.4" + - "php-compile-extension-alpine-8.3" + - "php-compile-extension-alpine-8.2" + - "php-compile-extension-alpine-8.1" + - "php-compile-extension-alpine-8.0" + - "php-compile-extension-alpine-7.4" + - "php-compile-extension-alpine-7.3" + - 
"php-compile-extension-alpine-7.2" + - "php-compile-extension-alpine-7.1" + - "php-compile-extension-alpine-7.0" + variables: + IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" + IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" + IMG_REGISTRIES: "dockerhub" + +Publish Windows: + stage: ci-publish + rules: + - when: manual + allow_failure: true + needs: + - job: "Windows 1: Tool Images" + - job: "Windows 2: PHP Images" + trigger: + project: DataDog/public-images + branch: main + parallel: + matrix: + - TAG_NAME: + - "windows-base-vc15" + - "windows-base-vs16" + - "windows-base-vs17" + - "windows-vc15" + - "windows-vs16" + - "windows-vs17" + - "php-8.5_windows" + - "php-8.4_windows" + - "php-8.3_windows" + - "php-8.2_windows" + - "php-8.1_windows" + - "php-8.0_windows" + - "php-7.4_windows" + - "php-7.3_windows" + - "php-7.2_windows" + variables: + IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" + IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" + IMG_REGISTRIES: "dockerhub" From 606573dbe40f2d9b31d9b34b9228ecd685b5fff1 Mon Sep 17 00:00:00 2001 
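Review bot: The four `Publish …` jobs added in .gitlab/ci-images.yml use `rules: - when: manual` with no condition on the ref, so the sync to public Docker Hub can be started from a pipeline on any branch, and `IMG_SOURCES` names a mutable tag rather than the digest the preceding build job produced. Whatever the internal tag points to at trigger time is what lands under the public `dd-trace-ci:${TAG_NAME}` tag that docker-compose.yml and the GitHub workflow in this series pull. I would restrict the rule to protected refs, `- if: $CI_COMMIT_REF_PROTECTED == "true"` followed by `when: manual`, and add a comment next to `IMG_SOURCES` stating that the tag must not be rebuilt between build and publish; whether DataDog/public-images applies its own checks is not visible here. The hard-coded `TAG_NAME` lists also duplicate the build matrices and can drift from them. The commit message says the jobs run automatically after the builds, while the rule makes them manual.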
From: Florian Engelhardt Date: Mon, 22 Jun 2026 14:15:57 +0200 Subject: [PATCH 04/21] Migrate current Bookworm image tags to version 9 - Update all occurrences of bookworm-8 and shared-ext-8 to bookworm-9 and shared-ext-9 globally across .gitlab CI test generators, .gitlab/ci-images.yml, and .github workflows. - Update BOOKWORM_VERSION from 8 to 9 in tooling/bin/build-debug-artifact to ensure local debug builds pull and compile with the new version. --- .github/workflows/prof_asan.yml | 4 ++-- .gitlab/ci-images.yml | 28 ++++++++++++++-------------- .gitlab/generate-appsec.php | 10 +++++----- .gitlab/generate-package.php | 14 +++++++------- .gitlab/generate-profiler.php | 6 +++--- .gitlab/generate-shared.php | 12 ++++++------ .gitlab/generate-tracer.php | 4 ++-- docker-compose.yml | 26 +++++++++++++------------- tooling/bin/build-debug-artifact | 2 +- 9 files changed, 53 insertions(+), 53 deletions(-) diff --git a/.github/workflows/prof_asan.yml b/.github/workflows/prof_asan.yml index f936cb9831a..25acae6ea89 100644 --- a/.github/workflows/prof_asan.yml +++ b/.github/workflows/prof_asan.yml @@ -21,7 +21,7 @@ jobs: CARGO_TARGET_DIR: /tmp/build-cargo RUST_TOOLCHAIN: nightly-2025-06-13 container: - image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-8 + image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-9 # https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user options: --user root @@ -86,7 +86,7 @@ jobs: CARGO_TARGET_DIR: /tmp/build-cargo UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1 container: - image: datadog/dd-trace-ci:php-8.5_bookworm-8 + image: datadog/dd-trace-ci:php-8.5_bookworm-9 options: --user root steps: diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml index 3fa257dc795..1f76f673b7c 100644 --- a/.gitlab/ci-images.yml +++ b/.gitlab/ci-images.yml 
@@ -327,20 +327,20 @@ Publish Bookworm: parallel: matrix: - TAG_NAME: - - "bookworm-8" - - "php-8.5_bookworm-8" - - "php-8.4_bookworm-8" - - "php-8.3_bookworm-8" - - "php-8.2_bookworm-8" - - "php-8.1_bookworm-8" - - "php-8.0_bookworm-8" - - "php-8.0-shared-ext-8" - - "php-7.4_bookworm-8" - - "php-7.4-shared-ext-8" - - "php-7.3_bookworm-8" - - "php-7.2_bookworm-8" - - "php-7.1_bookworm-8" - - "php-7.0_bookworm-8" + - "bookworm-9" + - "php-8.5_bookworm-9" + - "php-8.4_bookworm-9" + - "php-8.3_bookworm-9" + - "php-8.2_bookworm-9" + - "php-8.1_bookworm-9" + - "php-8.0_bookworm-9" + - "php-8.0-shared-ext-9" + - "php-7.4_bookworm-9" + - "php-7.4-shared-ext-9" + - "php-7.3_bookworm-9" + - "php-7.2_bookworm-9" + - "php-7.1_bookworm-9" + - "php-7.0_bookworm-9" variables: IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" diff --git a/.gitlab/generate-appsec.php b/.gitlab/generate-appsec.php index 77a32944665..43dbddd6020 100644 --- a/.gitlab/generate-appsec.php +++ b/.gitlab/generate-appsec.php @@ -71,7 +71,7 @@ "test appsec extension": stage: test extends: .appsec_test - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9 variables: KUBERNETES_CPU_REQUEST: 3 KUBERNETES_CPU_LIMIT: 3 @@ -393,7 +393,7 @@ "appsec code coverage": stage: test extends: .appsec_test - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-9 variables: KUBERNETES_CPU_REQUEST: 3 KUBERNETES_MEMORY_REQUEST: 3Gi @@ -515,7 +515,7 @@ "appsec lint": stage: test extends: .appsec_test - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-9 variables: KUBERNETES_CPU_REQUEST: 3 KUBERNETES_MEMORY_REQUEST: 9Gi 
@@ -537,7 +537,7 @@ "test appsec helper asan": stage: test extends: .appsec_test - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-9 variables: KUBERNETES_CPU_REQUEST: 3 KUBERNETES_MEMORY_REQUEST: 3Gi @@ -563,7 +563,7 @@ #"fuzz appsec helper": # stage: test # extends: .appsec_test -# image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-8 +# image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-9 # variables: # KUBERNETES_CPU_REQUEST: 3 # KUBERNETES_MEMORY_REQUEST: 5Gi diff --git a/.gitlab/generate-package.php b/.gitlab/generate-package.php index fce55abc55e..35f36595fc1 100644 --- a/.gitlab/generate-package.php +++ b/.gitlab/generate-package.php @@ -48,13 +48,13 @@ $asan_build_platforms = [ [ "triplet" => "x86_64-unknown-linux-gnu", - "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_bookworm-8", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_bookworm-9", "arch" => "amd64", "host_os" => "linux-gnu", ], [ "triplet" => "aarch64-unknown-linux-gnu", - "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_bookworm-8", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_bookworm-9", "arch" => "arm64", "host_os" => "linux-gnu", ] @@ -321,7 +321,7 @@ "pecl build": stage: tracing - image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-7.4_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-7.4_bookworm-9" tags: [ "arch:amd64" ] needs: [ "prepare code" ] script: @@ -371,7 +371,7 @@ "aggregate tracing extension: []": stage: tracing - image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-7.4_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-7.4_bookworm-9" tags: [ "arch:amd64" ] script: ls ./ variables: 
@@ -1154,7 +1154,7 @@ "pecl tests": stage: verify - image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_VERSION}_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_VERSION}_bookworm-9" tags: [ "arch:amd64" ] services: - !reference [.services, request-replayer] @@ -1187,7 +1187,7 @@ "min install tests": stage: verify - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.0-shared-ext-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.0-shared-ext-9 tags: [ "arch:amd64" ] variables: MAX_TEST_PARALLELISM: 8 @@ -1370,7 +1370,7 @@ variables: VALGRIND: false ARCH: "" - CONTAINER_SUFFIX: bookworm-8 + CONTAINER_SUFFIX: bookworm-9 needs: - job: "package loader: []" artifacts: true diff --git a/.gitlab/generate-profiler.php b/.gitlab/generate-profiler.php index 50fde2ee4c9..376f28195fa 100644 --- a/.gitlab/generate-profiler.php +++ b/.gitlab/generate-profiler.php @@ -95,7 +95,7 @@ "clippy NTS": stage: test tags: [ "arch:amd64" ] - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9 variables: KUBERNETES_CPU_REQUEST: 5 KUBERNETES_CPU_LIMIT: 5 @@ -119,7 +119,7 @@ "Cargo test": stage: test tags: [ "arch:amd64" ] - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.5_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.5_bookworm-9 variables: KUBERNETES_CPU_REQUEST: 5 KUBERNETES_CPU_LIMIT: 5 @@ -139,7 +139,7 @@ "PHP language tests": stage: test tags: [ "arch:${ARCH}" ] - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9 variables: KUBERNETES_CPU_REQUEST: 5 KUBERNETES_CPU_LIMIT: 5 diff --git a/.gitlab/generate-shared.php b/.gitlab/generate-shared.php index f3d88650327..8b34dda9eb0 100644 --- a/.gitlab/generate-shared.php 
+++ b/.gitlab/generate-shared.php @@ -21,7 +21,7 @@ - IMAGE: - "centos-7" - "php-compile-extension-alpine" - - "bookworm-8" + - "bookworm-9" script: - if [ -f "/opt/libuv/lib/pkgconfig/libuv.pc" ]; then export PKG_CONFIG_PATH="/opt/libuv/lib/pkgconfig:$PKG_CONFIG_PATH"; fi - if [ -d "/opt/catch2" ]; then export CMAKE_PREFIX_PATH=/opt/catch2; fi @@ -45,7 +45,7 @@ "C components UBSAN": tags: [ "arch:amd64" ] stage: test - image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-9" needs: [] script: - if [ -f "/opt/libuv/lib/pkgconfig/libuv.pc" ]; then export PKG_CONFIG_PATH="/opt/libuv/lib/pkgconfig:$PKG_CONFIG_PATH"; fi @@ -69,7 +69,7 @@ "Build & Test Tea": tags: [ "arch:amd64" ] stage: build - image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9" parallel: matrix: - PHP_MAJOR_MINOR: *no_asan_minor_major_targets @@ -98,7 +98,7 @@ .tea_test: tags: [ "arch:amd64" ] stage: test - image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9" interruptible: true rules: - if: $CI_COMMIT_BRANCH == "master" @@ -122,7 +122,7 @@ needs: [] variables: PHP_MAJOR_MINOR: "" - image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9" script: - | if ! command -v cc >/dev/null 2>&1 && ! command -v clang >/dev/null 2>&1 && ! command -v gcc >/dev/null 2>&1; then @@ -185,7 +185,7 @@ ?> "ZAI Shared Tests: []": extends: .tea_test - image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php--shared-ext-8" + image: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php--shared-ext-9" needs: - job: "Build & Test Tea" parallel: 
diff --git a/.gitlab/generate-tracer.php b/.gitlab/generate-tracer.php index a329243e192..546e9aca22b 100644 --- a/.gitlab/generate-tracer.php +++ b/.gitlab/generate-tracer.php @@ -67,7 +67,7 @@ function before_script_steps($with_docker_auth = false) { "compile extension: debug": stage: compile tags: [ "arch:${ARCH}" ] - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9 parallel: matrix: - PHP_MAJOR_MINOR: *all_minor_major_targets @@ -186,7 +186,7 @@ function before_script_steps($with_docker_auth = false) { .base_test: stage: test tags: [ "arch:${ARCH}" ] - image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8 + image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9 timeout: 60m interruptible: true rules: diff --git a/docker-compose.yml b/docker-compose.yml index 5c8542a2b73..49e4f6458e5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -72,19 +72,19 @@ services: # --- Alpine --- '8.0-alpine': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0_alpine' } # --- Bookworm --- - '7.0-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.0_bookworm-8' } - '7.1-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.1_bookworm-8' } - '7.2-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.2_bookworm-8' } - '7.3-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.3_bookworm-8' } - '7.4-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.4_bookworm-8' } - '7.4-bookworm-shared-ext': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.4-shared-ext-8' } - '8.0-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0_bookworm-8' } - '8.0-bookworm-shared-ext': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0-shared-ext-8' } - '8.1-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.1_bookworm-8' } - '8.2-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.2_bookworm-8' } - '8.3-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.3_bookworm-8' } - '8.4-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.4_bookworm-8' } - '8.5-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.5_bookworm-8' } + '7.0-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.0_bookworm-9' } + '7.1-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.1_bookworm-9' } + '7.2-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.2_bookworm-9' } + '7.3-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.3_bookworm-9' } + '7.4-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.4_bookworm-9' } + '7.4-bookworm-shared-ext': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.4-shared-ext-9' } + '8.0-bookworm': { 
<<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0_bookworm-9' } + '8.0-bookworm-shared-ext': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.0-shared-ext-9' } + '8.1-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.1_bookworm-9' } + '8.2-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.2_bookworm-9' } + '8.3-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.3_bookworm-9' } + '8.4-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.4_bookworm-9' } + '8.5-bookworm': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-8.5_bookworm-9' } # --- CentOS 6 --- '7.0-centos7': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.0_centos-7' } '7.1-centos7': { <<: *linux_php_service, image: 'datadog/dd-trace-ci:php-7.1_centos-7' } diff --git a/tooling/bin/build-debug-artifact b/tooling/bin/build-debug-artifact index dc8a72cc7ac..97fe09e97a2 100755 --- a/tooling/bin/build-debug-artifact +++ b/tooling/bin/build-debug-artifact @@ -115,7 +115,7 @@ case "$php_version" in esac # ─── Docker image selection ─────────────────────────────────────────────────── -BOOKWORM_VERSION=8 +BOOKWORM_VERSION=9 if [[ "$libc" == "musl" ]]; then DOCKER_IMAGE="datadog/dd-trace-ci:php-compile-extension-alpine-${php_version}" else From 276b24c8d65f0c0537356bb93c48064c6185ca4d Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Mon, 22 Jun 2026 15:24:18 +0200 Subject: [PATCH 05/21] Speed up PECL compilation in bookworm via parallel MAKEFLAGS - Export MAKEFLAGS=-j at the top of build-extensions.sh. - This forces all underlying make invocations triggered by pecl install (including the heavy single-threaded gRPC, MongoDB, and parallel builds) to compile in parallel, drastically reducing build times on multi-core runner environments. --- dockerfiles/ci/bookworm/build-extensions.sh | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/dockerfiles/ci/bookworm/build-extensions.sh b/dockerfiles/ci/bookworm/build-extensions.sh index a619baaba14..b7f44f5784b 100755 --- a/dockerfiles/ci/bookworm/build-extensions.sh +++ b/dockerfiles/ci/bookworm/build-extensions.sh @@ -11,6 +11,8 @@ if [[ -z "${MAKE_JOBS:-}" || "${MAKE_JOBS}" == "0" ]]; then MAKE_JOBS="$(nproc)" fi +export MAKEFLAGS="-j$MAKE_JOBS" + XDEBUG_VERSIONS=(-3.1.2) if [[ $PHP_VERSION_ID -le 70 ]]; then XDEBUG_VERSIONS=(-2.7.2) From 4a5dbc1bc6b3c39d6f45676690121a91363597d0 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Mon, 22 Jun 2026 21:10:55 +0200 Subject: [PATCH 06/21] Simplify registry authentication and remove unused variables - Remove obsolete CI_REGISTRY, CI_REGISTRY_USER, and CI_REGISTRY_TOKEN from .gitlab/ci-images.yml. - Remove all complex, dynamic ECR/Docker Hub login shell blocks and AWS CLI installations from CentOS, Alpine, Bookworm, and Windows build jobs. - Rely entirely on the runner's native, pre-configured credentials for registry.ddbuild.io, significantly simplifying the pipeline configuration. --- .gitlab/ci-images.yml | 88 ------------------------------------------- 1 file changed, 88 deletions(-) diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.yml index 1f76f673b7c..8f6892bc24e 100644 --- a/.gitlab/ci-images.yml +++ b/.gitlab/ci-images.yml @@ -1,12 +1,4 @@ variables: - CI_REGISTRY_USER: - value: "" - description: "Your docker hub username" - CI_REGISTRY_TOKEN: - value: "" - description: "Your docker hub personal access token, can be created following this doc https://docs.docker.com/docker-hub/access-tokens/#create-an-access-token" - CI_REGISTRY: - value: "registry.ddbuild.io" CI_REGISTRY_IMAGE: value: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci" 
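Review bot: In dockerfiles/ci/bookworm/build-extensions.sh the new `export MAKEFLAGS="-j$MAKE_JOBS"` interpolates `MAKE_JOBS` unchecked: the guard above it only replaces an empty or `0` value, so any other string is handed to every `make` the script starts. A check before the export such as `[[ "$MAKE_JOBS" =~ ^[1-9][0-9]*$ ]] || MAKE_JOBS="$(nproc)"` keeps the value a plain job count. A comment on the export, for example `# applies to every make run by pecl install; some extension builds may not be parallel-safe`, would also help, since the commit message describes `MAKEFLAGS=-j` while the code bounds it by `MAKE_JOBS`. The script continues outside the hunk, so any existing explicit `-j` arguments are not visible here.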
@@ -38,28 +30,6 @@ CentOS: - php-7.0 script: - cd dockerfiles/ci/centos/7 - - | - LOGIN_SERVER=$(echo "$CI_REGISTRY" | cut -d'/' -f1) - if [ "$LOGIN_SERVER" = "registry.ddbuild.io" ]; then - echo "Using pre-configured runner credentials for registry.ddbuild.io" - elif echo "$LOGIN_SERVER" | grep -q "dkr.ecr"; then - mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json - if ! command -v aws >/dev/null 2>&1; then - ARCH=$(uname -m) - if [ "$ARCH" = "x86_64" ]; then - curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" - else - curl -s "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip" - fi - unzip -q awscliv2.zip - ./aws/install >/dev/null - rm -rf aws awscliv2.zip - fi - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$LOGIN_SERVER" - elif [ -n "$CI_REGISTRY_TOKEN" ]; then - mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$LOGIN_SERVER" - fi - docker buildx bake --no-cache --pull --push $PHP_VERSION Alpine: 
@@ -90,28 +60,6 @@ Alpine: - 7.0-alpine script: - cd dockerfiles/ci/alpine_compile_extension - - | - LOGIN_SERVER=$(echo "$CI_REGISTRY" | cut -d'/' -f1) - if [ "$LOGIN_SERVER" = "registry.ddbuild.io" ]; then - echo "Using pre-configured runner credentials for registry.ddbuild.io" - elif echo "$LOGIN_SERVER" | grep -q "dkr.ecr"; then - mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json - if ! command -v aws >/dev/null 2>&1; then - ARCH=$(uname -m) - if [ "$ARCH" = "x86_64" ]; then - curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" - else - curl -s "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip" - fi - unzip -q awscliv2.zip - ./aws/install >/dev/null - rm -rf aws awscliv2.zip - fi - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$LOGIN_SERVER" - elif [ -n "$CI_REGISTRY_TOKEN" ]; then - mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$LOGIN_SERVER" - fi - docker buildx bake --no-cache --pull --push $PHP_VERSION Bookworm: 
@@ -145,28 +93,6 @@ Bookworm: - php-7.0 script: - cd dockerfiles/ci/bookworm - - | - LOGIN_SERVER=$(echo "$CI_REGISTRY" | cut -d'/' -f1) - if [ "$LOGIN_SERVER" = "registry.ddbuild.io" ]; then - echo "Using pre-configured runner credentials for registry.ddbuild.io" - elif echo "$LOGIN_SERVER" | grep -q "dkr.ecr"; then - mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json - if ! command -v aws >/dev/null 2>&1; then - ARCH=$(uname -m) - if [ "$ARCH" = "x86_64" ]; then - curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" - else - curl -s "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip" - fi - unzip -q awscliv2.zip - ./aws/install >/dev/null - rm -rf aws awscliv2.zip - fi - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$LOGIN_SERVER" - elif [ -n "$CI_REGISTRY_TOKEN" ]; then - mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$LOGIN_SERVER" - fi - docker buildx bake --no-cache --pull --push $PHP_VERSION .windows_image_build: 
@@ -228,20 +154,6 @@ Bookworm: cd dockerfiles\ci\windows - $env:DOCKER_CONFIG = Join-Path $env:CI_PROJECT_DIR ".docker" - New-Item -ItemType Directory -Force -Path $env:DOCKER_CONFIG | Out-Null - Set-Content -Encoding ascii -Path (Join-Path $env:DOCKER_CONFIG "config.json") -Value '{"auths":{}}' - - $loginServer = $env:CI_REGISTRY.Split('/')[0] - if ($loginServer -eq "registry.ddbuild.io") { - Write-Host "Using pre-configured runner credentials for registry.ddbuild.io" - } elseif ($loginServer -like "*dkr.ecr*") { - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$loginServer" - } elseif ($env:CI_REGISTRY_TOKEN) { - $env:CI_REGISTRY_TOKEN | docker login -u "$env:CI_REGISTRY_USER" --password-stdin "$loginServer" - } - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - docker version if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } From b904efc235a065ea602c38a2ef66155df637cad8 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Mon, 22 Jun 2026 21:12:46 +0200 Subject: [PATCH 07/21] Update CI build documentation in README.md - Clean up dockerfiles/ci/README.md to document the new automated, secure internal ECR build flow. - Clarify that project collaborators no longer need to configure Personal Access Tokens (PATs) or credentials when building CI images. - Document how to trigger the manual sync to the public Docker Hub registry via downstream triggers in the 'ci-publish' stage. --- dockerfiles/ci/README.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/dockerfiles/ci/README.md b/dockerfiles/ci/README.md index 808abe8d9b4..33c66449732 100644 --- a/dockerfiles/ci/README.md +++ b/dockerfiles/ci/README.md 
@@ -20,14 +20,10 @@ This is the preferred way of building the images. Find your pipeline with the changes you made in [GitLab-CI](https://gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-php/-/pipelines) -and manually start the jobs to build the images for the OS you need. You need to -add the following CI variables to the job run: +and manually start the jobs to build the images for the OS you need (under the `ci-build` stage). -- `CI_REGISTRY_USER`: should be your Docker Hub username -- `CI_REGISTRY_TOKEN`: should be your access token - -In case you don't have one, follow the [docs to create an access -token](https://docs.docker.com/docker-hub/access-tokens/#create-an-access-token). +* **Automated Registry Authentication**: The pipeline automatically and securely authenticates with our internal registry (`registry.ddbuild.io`) using the runner's native credentials, pushing built images directly to `registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci`. +* **Syncing to Docker Hub**: Once the build jobs succeed, manually trigger the corresponding `Publish ` job (under the `ci-publish` stage). This triggers a downstream child pipeline in the `public-images` service to copy the images from our internal registry to the public Docker Hub. ## Building locally and need more speed? From 8d5b7d543750e0656e41e1364cdf4535de3851b7 Mon Sep 17 00:00:00 2001 
From: Florian Engelhardt Date: Tue, 23 Jun 2026 12:24:11 +0200 Subject: [PATCH 08/21] ci-images: generate per-version buildx-bake build + mirror pipeline The image list (PHP versions and tags) is derived from the docker-compose.yml + .env files in each dockerfiles/ci// dir (single source of truth). .gitlab/generate-ci-images.php renders .gitlab/ci-images.yml.tpl, emitting per Linux OS: - build : one matrix job over PHP version; 'docker buildx bake --no-cache --pull --push' builds both arches (x-bake platforms from compose) on the amd64 runner's managed ci builder and pushes a multi-arch manifest to registry.ddbuild.io - publish:: manual mirror to Docker Hub via DataDog/public-images, dependency-free (just syncs whatever is in the internal registry) Static preamble + Windows jobs live in .gitlab/ci-images.static.yml (Windows is single-arch). The generator runs in generate-templates and is triggered as a child pipeline via the manual 'ci-images' job; the old .gitlab/ci-images.yml local include is removed. --- .gitlab-ci.yml | 18 +- .../{ci-images.yml => ci-images.static.yml} | 200 +++--------------- .gitlab/ci-images.yml.tpl | 37 ++++ .gitlab/generate-ci-images.php | 87 ++++++++ dockerfiles/ci/README.md | 39 +++- 5 files changed, 204 insertions(+), 177 deletions(-) rename .gitlab/{ci-images.yml => ci-images.static.yml} (53%) create mode 100644 .gitlab/ci-images.yml.tpl create mode 100644 .gitlab/generate-ci-images.php diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c142347f552..f3c306a2586 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -18,7 +18,6 @@ include: - project: DataDog/apm-reliability/libdatadog-build ref: 5826819695d93286569e70ed087ae6bf906ce2c3 file: templates/ci_authenticated_job.yml - - local: .gitlab/ci-images.yml generate-templates: stage: build 
@@ -57,6 +56,7 @@ generate-templates: - php ./.gitlab/generate-appsec.php | tee .gitlab/appsec-gen.yml - php ./.gitlab/generate-profiler.php | tee .gitlab/profiler-gen.yml - php ./.gitlab/generate-shared.php | tee .gitlab/shared-gen.yml + - php ./.gitlab/generate-ci-images.php | tee .gitlab/ci-images-gen.yml variables: GIT_SUBMODULE_STRATEGY: none artifacts: @@ -90,6 +90,22 @@ appsec-trigger: PARENT_PIPELINE_ID: $CI_PIPELINE_ID GIT_SUBMODULE_PATHS: libdatadog appsec/third_party/cpp-base64 appsec/third_party/libddwaf appsec/third_party/libddwaf-rust appsec/third_party/msgpack-c +# Manual maintenance pipeline that (re)builds the CI Docker images. Generated +# from dockerfiles/ci/*/docker-compose.yml + .env so versions live in one place. +# No strategy: depend — the parent must not wait on these manual jobs. +ci-images: + stage: ci-build + rules: + - when: manual + allow_failure: true + needs: + - job: generate-templates + artifacts: true + trigger: + include: + - artifact: .gitlab/ci-images-gen.yml + job: generate-templates + profiler-trigger: stage: tests needs: [ "generate-templates" ] diff --git a/.gitlab/ci-images.yml b/.gitlab/ci-images.static.yml similarity index 53% rename from .gitlab/ci-images.yml rename to .gitlab/ci-images.static.yml index 8f6892bc24e..fcfb7267d30 100644 --- a/.gitlab/ci-images.yml +++ b/.gitlab/ci-images.static.yml 
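Review bot: The new `ci-images` job is gated only by `rules: - when: manual`, so it can be started from a pipeline on any ref, including branches that have not been reviewed. The child pipeline it launches pushes to `registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci` under tags that appear to be reused across builds, so a branch build could replace an image that other pipelines pull. If building from feature branches is intended, say so in the comment above the job and name who is expected to run it. Otherwise restrict the rule, for example `- if: $CI_COMMIT_REF_PROTECTED == "true"` followed by `when: manual` and `allow_failure: true`. The publish jobs in the child pipeline deserve the same gate, since they copy those tags to the public registry.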
@@ -1,99 +1,48 @@ -variables: - CI_REGISTRY_IMAGE: - value: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci" +# DO NOT EDIT THE GENERATED LINUX JOBS — they are produced by +# .gitlab/generate-ci-images.php from the docker-compose.yml + .env files. +# This file holds the STATIC preamble (stages, templates) and the Windows jobs, +# which have no multi-arch manifest and stay hand-maintained. -CentOS: - stage: ci-build - rules: - - when: manual - allow_failure: true - needs: [] - tags: ["arch:amd64"] - timeout: 4h - image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble - variables: - DDCI_CONFIGURE_OTEL_EXPORTER: "true" - parallel: - matrix: - - PHP_VERSION: - - base - - php-8.5 - - php-8.4 - - php-8.3 - - php-8.2 - - php-8.1 - - php-8.0 - - php-7.4 - - php-7.3 - - php-7.2 - - php-7.1 - - php-7.0 - script: - - cd dockerfiles/ci/centos/7 - - docker buildx bake --no-cache --pull --push $PHP_VERSION +stages: + - ci-build + - ci-publish -Alpine: +variables: + CI_REGISTRY_IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci" + +.linux_image_build: stage: ci-build rules: - when: manual allow_failure: true needs: [] - tags: ["arch:amd64"] timeout: 4h image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble variables: DDCI_CONFIGURE_OTEL_EXPORTER: "true" - parallel: - matrix: - - PHP_VERSION: - - base-alpine - - 8.5-alpine - - 8.4-alpine - - 8.3-alpine - - 8.2-alpine - - 8.1-alpine - - 8.0-alpine - - 7.4-alpine - - 7.3-alpine - - 7.2-alpine - - 7.1-alpine - - 7.0-alpine - script: - - cd dockerfiles/ci/alpine_compile_extension - - docker buildx bake --no-cache --pull --push $PHP_VERSION + KUBERNETES_CPU_REQUEST: "8" + KUBERNETES_CPU_LIMIT: "8" + KUBERNETES_MEMORY_REQUEST: "16Gi" + KUBERNETES_MEMORY_LIMIT: "16Gi" + MAKE_JOBS: "$KUBERNETES_CPU_LIMIT" -Bookworm: - stage: ci-build +.linux_publish: + stage: ci-publish rules: - when: manual allow_failure: true + # No deps: a publish just mirrors whatever already exists in + # registry.ddbuild.io 
to Docker Hub, so it can run without (re)building. needs: [] - tags: ["arch:amd64"] - timeout: 4h - image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble + trigger: + project: DataDog/public-images + branch: main + # $TAG is supplied per matrix entry by the generated publish jobs. variables: - DDCI_CONFIGURE_OTEL_EXPORTER: "true" - MAKE_JOBS: "2" - parallel: - matrix: - - PHP_VERSION: - - base - - php-8.5 - - php-8.4 - - php-8.3 - - php-8.2 - - php-8.1 - - php-8.0 - - php-8.0-shared-ext - - php-7.4 - - php-7.4-shared-ext - - php-7.3 - - php-7.2 - - php-7.1 - - php-7.0 - script: - - cd dockerfiles/ci/bookworm - - docker buildx bake --no-cache --pull --push $PHP_VERSION + IMG_REGISTRIES: "dockerhub" + IMG_SIGNING: false + IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG}" + IMG_DESTINATIONS: "dd-trace-ci:${TAG}" .windows_image_build: stage: ci-build 
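Review bot: `IMG_SIGNING: false` in `.linux_publish` is added without a comment, and this template is what sends images to the public Docker Hub; the same line is added to `Publish Windows` in the last hunk of this file. Assuming the variable turns off signing in the `DataDog/public-images` pipeline, consumers of `dd-trace-ci` get no signature to verify. `IMG_SOURCES` also names the image by tag rather than digest, so the mirror copies whatever currently sits behind `${TAG}`. Add a comment above the line stating why signing is off and what to check before publishing, for example `# Signing disabled: <reason>; confirm the tag in registry.ddbuild.io is the build you reviewed before running publish.`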
@@ -196,98 +145,6 @@ Bookworm: - "php-7.3" - "php-7.2" -Publish CentOS: - stage: ci-publish - rules: - - when: manual - allow_failure: true - needs: - - job: CentOS - trigger: - project: DataDog/public-images - branch: main - parallel: - matrix: - - TAG_NAME: - - "centos-7" - - "php-8.5_centos-7" - - "php-8.4_centos-7" - - "php-8.3_centos-7" - - "php-8.2_centos-7" - - "php-8.1_centos-7" - - "php-8.0_centos-7" - - "php-7.4_centos-7" - - "php-7.3_centos-7" - - "php-7.2_centos-7" - - "php-7.1_centos-7" - - "php-7.0_centos-7" - variables: - IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" - IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" - IMG_REGISTRIES: "dockerhub" - -Publish Bookworm: - stage: ci-publish - rules: - - when: manual - allow_failure: true - needs: - - job: Bookworm - trigger: - project: DataDog/public-images - branch: main - parallel: - matrix: - - TAG_NAME: - - "bookworm-9" - - "php-8.5_bookworm-9" - - "php-8.4_bookworm-9" - - "php-8.3_bookworm-9" - - "php-8.2_bookworm-9" - - "php-8.1_bookworm-9" - - "php-8.0_bookworm-9" - - "php-8.0-shared-ext-9" - - "php-7.4_bookworm-9" - - "php-7.4-shared-ext-9" - - "php-7.3_bookworm-9" - - "php-7.2_bookworm-9" - - "php-7.1_bookworm-9" - - "php-7.0_bookworm-9" - variables: - IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" - IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" - IMG_REGISTRIES: "dockerhub" - -Publish Alpine: - stage: ci-publish - rules: - - when: manual - allow_failure: true - needs: - - job: Alpine - trigger: - project: DataDog/public-images - branch: main - parallel: - matrix: - - TAG_NAME: - - "php-compile-extension-alpine" - - "php-compile-extension-alpine-8.5" - - "php-compile-extension-alpine-8.4" - - "php-compile-extension-alpine-8.3" - - "php-compile-extension-alpine-8.2" - - "php-compile-extension-alpine-8.1" - - "php-compile-extension-alpine-8.0" - - "php-compile-extension-alpine-7.4" - - "php-compile-extension-alpine-7.3" - - 
"php-compile-extension-alpine-7.2" - - "php-compile-extension-alpine-7.1" - - "php-compile-extension-alpine-7.0" - variables: - IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" - IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" - IMG_REGISTRIES: "dockerhub" - Publish Windows: stage: ci-publish rules: @@ -321,3 +178,4 @@ Publish Windows: IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" IMG_REGISTRIES: "dockerhub" + IMG_SIGNING: false diff --git a/.gitlab/ci-images.yml.tpl b/.gitlab/ci-images.yml.tpl new file mode 100644 index 00000000000..00ade98cd9e --- /dev/null +++ b/.gitlab/ci-images.yml.tpl @@ -0,0 +1,37 @@ + + $os, 'dir' => $dir, 'services' => $services]): ?> + + + build: + extends: .linux_image_build + tags: ["arch:amd64"] + parallel: + matrix: + - PHP_VERSION: + + - + + script: + - cd + - docker buildx bake --no-cache --pull --push "${PHP_VERSION}" + + + publish: + extends: .linux_publish + parallel: + matrix: + - TAG: + + - "" + + diff --git a/.gitlab/generate-ci-images.php b/.gitlab/generate-ci-images.php new file mode 100644 index 00000000000..81af3dae44e --- /dev/null +++ b/.gitlab/generate-ci-images.php 
@@ -0,0 +1,87 @@ +/docker-compose.yml : service name -> image:TAG + * - dockerfiles/ci/bookworm/.env : $BOOKWORM_NEXT_VERSION etc. + * + * The compose service name is the `docker buildx bake` target and the build + * matrix value; the `image:` tag (with env vars resolved) is the published tag. + * Per Linux image the template emits one build matrix job over PHP versions + * (bake builds the multi-arch image and pushes it) plus a manual mirror/publish + * job per service. The static preamble (templates) and Windows jobs live in + * ci-images.static.yml (Windows is single-arch). + */ + +$root = dirname(__DIR__); + +// Resolve $VAR / ${VAR} from a key=value .env file. +function parse_env(string $path): array +{ + $env = []; + foreach (@file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) { + if (preg_match('/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/', $line, $m)) { + $env[$m[1]] = $m[2]; + } + } + return $env; +} + +function substitute(string $s, array $env): string +{ + return preg_replace_callback('/\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?/', function ($m) use ($env) { + return $env[$m[1]] ?? $m[0]; + }, $s); +} + +// Parse a docker-compose.yml into [service => tag], preserving file order. 
+function parse_compose(string $path, array $env): array +{ + $services = []; + $cur = null; + $inServices = false; + foreach (file($path, FILE_IGNORE_NEW_LINES) as $line) { + if (preg_match('/^services:\s*$/', $line)) { + $inServices = true; + continue; + } + if (!$inServices) { + continue; + } + if (preg_match('/^\S/', $line)) { // back to a top-level key + $inServices = false; + continue; + } + if (preg_match('/^ ([A-Za-z0-9][A-Za-z0-9._-]*):\s*$/', $line, $m)) { + $cur = $m[1]; + $services[$cur] = null; + continue; + } + // image: ${CI_REGISTRY_IMAGE:-...}:TAG (first image: wins per service) + if ($cur !== null && $services[$cur] === null + && preg_match('/^ image:\s*[\'"]?\$\{[^}]+\}:([^\s\'"]+)/', $line, $m)) { + $services[$cur] = substitute($m[1], $env); + } + } + return array_filter($services, fn($v) => $v !== null); +} + +$dirs = [ + "Bookworm" => "dockerfiles/ci/bookworm", + "CentOS" => "dockerfiles/ci/centos/7", + "Alpine" => "dockerfiles/ci/alpine_compile_extension", +]; + +$osList = []; +foreach ($dirs as $os => $dir) { + $services = parse_compose("$root/$dir/docker-compose.yml", parse_env("$root/$dir/.env")); + if (!$services) { + fwrite(STDERR, "WARNING: no services parsed for $os ($dir)\n"); + continue; + } + $osList[] = ["name" => $os, "dir" => $dir, "services" => $services]; +} + +require __DIR__ . "/ci-images.yml.tpl"; diff --git a/dockerfiles/ci/README.md b/dockerfiles/ci/README.md index 33c66449732..b453528352e 100644 --- a/dockerfiles/ci/README.md +++ b/dockerfiles/ci/README.md 
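Review bot: `parse_env()` reads the `.env` file through `@file(...) ?: []` and `substitute()` returns `$m[0]` for unknown names, so a missing or incomplete `.env` yields tags that still contain a literal `$VAR`, and those flow into the generated build and publish matrices. `parse_compose()` also accepts any `[^\s'"]+` as a tag, and an OS with no parsed services only prints a warning and is skipped. A generator whose output drives registry pushes should fail closed: validate each tag against the Docker tag grammar and exit non-zero on the first bad value or empty service list. The non-zero exit only fails the job if the `| tee` pipe in `generate-templates` runs with pipefail, which is not visible from here.

```php
// … unchanged: parse_env(), substitute() …

// inside parse_compose(), replacing the assignment in the image: branch
$tag = substitute($m[1], $env);
// Docker tag grammar; also rejects an unresolved $VAR left by substitute().
if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}\z/', $tag)) {
    fwrite(STDERR, "ERROR: invalid image tag '$tag' for service $cur in $path\n");
    exit(1);
}
$services[$cur] = $tag;

// … unchanged: $dirs …

// in the foreach over $dirs, replacing the warning-and-continue
if (!$services) {
    fwrite(STDERR, "ERROR: no services parsed for $os ($dir)\n");
    exit(1);
}
```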
@@ -18,12 +18,41 @@ docker buildx bake --no-cache --pull --push This is the preferred way of building the images. -Find your pipeline with the changes you made in -[GitLab-CI](https://gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-php/-/pipelines) -and manually start the jobs to build the images for the OS you need (under the `ci-build` stage). +The image list (PHP versions and tags) is **not** hand-maintained in the +pipeline. It is derived from the `docker-compose.yml` and `.env` files in each +`dockerfiles/ci//` directory — the single source of truth. The pipeline is +generated from those by `.gitlab/generate-ci-images.php` (template +`.gitlab/ci-images.yml.tpl`, hand-written templates + Windows jobs in +`.gitlab/ci-images.static.yml`). To add or remove a PHP version, edit the +compose file + `.env`; the jobs follow automatically. -* **Automated Registry Authentication**: The pipeline automatically and securely authenticates with our internal registry (`registry.ddbuild.io`) using the runner's native credentials, pushing built images directly to `registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci`. -* **Syncing to Docker Hub**: Once the build jobs succeed, manually trigger the corresponding `Publish ` job (under the `ci-publish` stage). This triggers a downstream child pipeline in the `public-images` service to copy the images from our internal registry to the public Docker Hub. +The image jobs run in a **child pipeline**. In your pipeline +([GitLab-CI](https://gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-php/-/pipelines)), +manually start the `ci-images` job (stage `ci-build`) to spawn it. Inside that +child pipeline, per OS there are two kinds of jobs: + +1. **` build: []`** (manual) — runs `docker buildx bake --pull + --push` for that PHP version. 
`bake` reads the `x-bake` platforms from the + `docker-compose.yml` and builds **both** `amd64` and `arm64` on the amd64 + runner's managed `ci` builder, pushing a single multi-arch manifest to + `registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:`. Run the version(s) + you need. +2. **` publish`** (manual, one matrix job per OS with an instance per tag) + — triggers a downstream child pipeline in the `public-images` service to + mirror `…:` from `registry.ddbuild.io` to the public Docker Hub + (`datadog/dd-trace-ci`). + +Authentication to `registry.ddbuild.io` is automatic via the runner's native +credentials. + +### Publishing is independent of building + +The `publish` jobs have **no dependencies**: they simply sync whatever currently +exists in `registry.ddbuild.io` to Docker Hub. The normal flow is build → +publish, but you can run a `publish` job on its own to (re)provision Docker Hub +from images already present in the internal registry, without rebuilding +anything. It is up to you to ensure the image you publish actually exists in +`registry.ddbuild.io` first. ## Building locally and need more speed? From 458aff89b494151b6753c31673c2f0e1e60b8ff5 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 07:57:39 +0200 Subject: [PATCH 09/21] ci-images(bookworm): build PHP 8.5.8RC1 Point the php-8.5 image at the 8.5.8RC1 RC sources (php-8.5_bookworm tracks the latest 8.5.x). Reverts to a distributions/ tarball once 8.5.8 ships GA (~2 Jul 2026); just update phpTarGzUrl + phpSha256Hash. --- dockerfiles/ci/bookworm/docker-compose.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dockerfiles/ci/bookworm/docker-compose.yml b/dockerfiles/ci/bookworm/docker-compose.yml index 0f6a789fb6f..643c39a1779 100644 --- a/dockerfiles/ci/bookworm/docker-compose.yml +++ b/dockerfiles/ci/bookworm/docker-compose.yml 
@@ -23,8 +23,9 @@ services: args: <<: *build-base phpVersion: "8.5" - phpTarGzUrl: https://www.php.net/distributions/php-8.5.7.tar.gz - phpSha256Hash: "e5eba93fd6dd3241d0e61e932eb99a3783b40568553fb0e511b660ecd863a049" + # 8.5.8RC1 (RC sources from ~daniels until 8.5.8 GA, ~2 Jul 2026). + phpTarGzUrl: https://downloads.php.net/~daniels/php-8.5.8RC1.tar.gz + phpSha256Hash: "57f93d2e0d76a26ac955e30cfab81dd910fc48e8bf78b3a15ff67df63a92ac72" php-8.4: image: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}:php-8.4_bookworm-$BOOKWORM_NEXT_VERSION From af91c5c4cd95e6041c06fe971e3311c7c79910e2 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 08:11:46 +0200 Subject: [PATCH 10/21] ci-images: drop oversized job-pod resource limits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit bake delegates the compile to the managed "ci" buildx builder instance, so the job pod only orchestrates and doesn't need 8 CPU / 16Gi. Master set no KUBERNETES_* on these jobs either — fall back to cluster defaults. MAKE_JOBS (builder compile parallelism) is kept, pinned to a literal 8 since it no longer derives from KUBERNETES_CPU_LIMIT. --- .gitlab/ci-images.static.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.gitlab/ci-images.static.yml b/.gitlab/ci-images.static.yml index fcfb7267d30..c8a330ddbd1 100644 --- a/.gitlab/ci-images.static.yml +++ b/.gitlab/ci-images.static.yml 
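Review bot: The `php-8.5` build args now fetch the source from a release manager's personal directory on `downloads.php.net` instead of `www.php.net/distributions`, and `phpSha256Hash` is the only integrity check visible here. The added comment says when to revert but not where the hash came from; a hash computed from the same download pins the file without authenticating it. Record the provenance next to it, for example `# sha256 checked against the release manager's GPG-signed tarball on <date>`. The service definition continues outside the hunk, and the Dockerfile step that enforces the hash is not shown, so confirm the build aborts on a mismatch.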
@@ -20,11 +20,11 @@ variables: image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble variables: DDCI_CONFIGURE_OTEL_EXPORTER: "true" - KUBERNETES_CPU_REQUEST: "8" - KUBERNETES_CPU_LIMIT: "8" - KUBERNETES_MEMORY_REQUEST: "16Gi" - KUBERNETES_MEMORY_LIMIT: "16Gi" - MAKE_JOBS: "$KUBERNETES_CPU_LIMIT" + # The heavy compile runs on the buildx "ci" builder instance, not this job + # pod, so the pod uses cluster defaults (master set no KUBERNETES_* either). + # MAKE_JOBS drives the builder's compile parallelism — keep it (was + # $KUBERNETES_CPU_LIMIT; pinned to a literal now that the limit is gone). + MAKE_JOBS: "8" .linux_publish: stage: ci-publish From f8825114426df582f14bfd8e70d0cc4f08f8e2c5 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 08:17:18 +0200 Subject: [PATCH 11/21] ci-images: trim stale/branch-history comments Drop comments that referenced earlier in-branch states (per-arch + manifest fuse design, master's KUBERNETES_* settings, the old MAKE_JOBS derivation) and fix the generator docblock that still said manifest / per-service publish. Comments now describe only the current state. --- .gitlab/ci-images.static.yml | 6 ++---- .gitlab/ci-images.yml.tpl | 13 +++++-------- .gitlab/generate-ci-images.php | 8 ++++---- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/.gitlab/ci-images.static.yml b/.gitlab/ci-images.static.yml index c8a330ddbd1..666a5e4d29d 100644 --- a/.gitlab/ci-images.static.yml +++ b/.gitlab/ci-images.static.yml 
@@ -20,10 +20,8 @@ variables: image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble variables: DDCI_CONFIGURE_OTEL_EXPORTER: "true" - # The heavy compile runs on the buildx "ci" builder instance, not this job - # pod, so the pod uses cluster defaults (master set no KUBERNETES_* either). - # MAKE_JOBS drives the builder's compile parallelism — keep it (was - # $KUBERNETES_CPU_LIMIT; pinned to a literal now that the limit is gone). + # Compile runs on the buildx "ci" builder instance, not this job pod, so the + # pod uses cluster defaults. MAKE_JOBS sets the builder's compile parallelism. MAKE_JOBS: "8" .linux_publish: diff --git a/.gitlab/ci-images.yml.tpl b/.gitlab/ci-images.yml.tpl index 00ade98cd9e..3673aa0f657 100644 --- a/.gitlab/ci-images.yml.tpl +++ b/.gitlab/ci-images.yml.tpl @@ -1,10 +1,9 @@ $os, 'dir' => $dir, 'services' => $services]): ?> build: @@ -20,10 +19,8 @@ - cd - docker buildx bake --no-cache --pull --push "${PHP_VERSION}" publish: diff --git a/.gitlab/generate-ci-images.php b/.gitlab/generate-ci-images.php index 81af3dae44e..bfad06f9e66 100644 --- a/.gitlab/generate-ci-images.php +++ b/.gitlab/generate-ci-images.php @@ -1,7 +1,7 @@ /docker-compose.yml : service name -> image:TAG @@ -10,9 +10,9 @@ * The compose service name is the `docker buildx bake` target and the build * matrix value; the `image:` tag (with env vars resolved) is the published tag. * Per Linux image the template emits one build matrix job over PHP versions - * (bake builds the multi-arch image and pushes it) plus a manual mirror/publish - * job per service. The static preamble (templates) and Windows jobs live in - * ci-images.static.yml (Windows is single-arch). + * (bake builds and pushes the multi-arch image) plus a manual publish matrix job + * that mirrors the tags to Docker Hub. The static preamble (templates) and + * Windows jobs live in ci-images.static.yml (Windows is single-arch). */ $root = dirname(__DIR__); 
From 33e8a51c380a4127a23f0bcd6e94e872983a4633 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 08:21:07 +0200 Subject: [PATCH 12/21] ci-images: document the build/publish process in the CI README Add a short 'How it works' overview (source of truth, generator, buildx-bake multi-arch build, public-images mirror) and how-to sections for adding/updating a PHP version and the Docker Hub UNAUTHORIZED publish gotcha, while keeping the local-build instructions. --- dockerfiles/ci/README.md | 104 +++++++++++++++++++++++++-------------- 1 file changed, 66 insertions(+), 38 deletions(-) diff --git a/dockerfiles/ci/README.md b/dockerfiles/ci/README.md index b453528352e..f9787036f56 100644 --- a/dockerfiles/ci/README.md +++ b/dockerfiles/ci/README.md 
@@ -1,49 +1,50 @@ # datadog/dd-trace-ci -The older images can be found in the [DataDog/dd-trace-ci](https://github.com/DataDog/dd-trace-ci/tree/master/php) repo. - -Build and push a specific image: - -``` -docker buildx bake --no-cache --pull --push -``` - -Build and push all images: - -``` -docker buildx bake --no-cache --pull --push -``` +These are the CI images the dd-trace-php pipelines run on: one image per PHP +version per base OS (Debian "bookworm", CentOS 7, Alpine), plus Windows. They +are pushed to `registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci` (internal) and +mirrored to `datadog/dd-trace-ci` on Docker Hub (public). Older images live in +the [DataDog/dd-trace-ci](https://github.com/DataDog/dd-trace-ci/tree/master/php) +repo. + +## How it works + +* **Source of truth:** the `docker-compose.yml` + `.env` in each + `dockerfiles/ci//` directory. Each compose *service* is one image; the + service name is the `buildx bake` target, and its `image:` tag (with `.env` + vars resolved) is the published tag. PHP versions live here and nowhere else. +* **Pipeline generation:** `.gitlab/generate-ci-images.php` reads those compose + files and renders `.gitlab/ci-images.yml.tpl` into a GitLab child pipeline. + The hand-written parts — job templates and the Windows jobs — live in + `.gitlab/ci-images.static.yml`. The generator runs inside the + `generate-templates` job; the manual `ci-images` job (stage `ci-build`) + launches the generated child pipeline. +* **Build:** `docker buildx bake --no-cache --pull --push` builds the multi-arch + (`amd64` + `arm64`) image — the platforms come from the `x-bake` block in the + compose file — and pushes a single multi-arch manifest to the internal + registry. It runs on the amd64 runner's managed `ci` BuildKit builder, so the + build never needs a separate arm64 runner. The job pod only orchestrates; + the actual compile happens on the builder, and `MAKE_JOBS` sets its + parallelism. 
+* **Publish:** a `trigger` to the `DataDog/public-images` service mirrors the + internal image to Docker Hub. It has no dependency on the build (see below). ## Building via GitLab-CI This is the preferred way of building the images. -The image list (PHP versions and tags) is **not** hand-maintained in the -pipeline. It is derived from the `docker-compose.yml` and `.env` files in each -`dockerfiles/ci//` directory — the single source of truth. The pipeline is -generated from those by `.gitlab/generate-ci-images.php` (template -`.gitlab/ci-images.yml.tpl`, hand-written templates + Windows jobs in -`.gitlab/ci-images.static.yml`). To add or remove a PHP version, edit the -compose file + `.env`; the jobs follow automatically. - -The image jobs run in a **child pipeline**. In your pipeline +In your pipeline ([GitLab-CI](https://gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-php/-/pipelines)), -manually start the `ci-images` job (stage `ci-build`) to spawn it. Inside that -child pipeline, per OS there are two kinds of jobs: +manually start the `ci-images` job (stage `ci-build`) to spawn the child +pipeline. Per OS it has two kinds of jobs: -1. **` build: []`** (manual) — runs `docker buildx bake --pull - --push` for that PHP version. `bake` reads the `x-bake` platforms from the - `docker-compose.yml` and builds **both** `amd64` and `arm64` on the amd64 - runner's managed `ci` builder, pushing a single multi-arch manifest to +1. **` build: []`** (manual) — multi-arch build + push to `registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:`. Run the version(s) - you need. -2. **` publish`** (manual, one matrix job per OS with an instance per tag) - — triggers a downstream child pipeline in the `public-images` service to - mirror `…:` from `registry.ddbuild.io` to the public Docker Hub - (`datadog/dd-trace-ci`). - -Authentication to `registry.ddbuild.io` is automatic via the runner's native -credentials. + you need. 
Authentication to the internal registry is automatic via the + runner's native credentials. +2. **` publish`** (manual, a matrix with one instance per tag) — mirrors + `…:` from the internal registry to the public Docker Hub + (`datadog/dd-trace-ci`) via a downstream `public-images` pipeline. ### Publishing is independent of building 
@@ -54,13 +55,40 @@ from images already present in the internal registry, without rebuilding anything. It is up to you to ensure the image you publish actually exists in `registry.ddbuild.io` first. -## Building locally and need more speed? +### Adding or updating a PHP version + +* **Bump a patch / RC** (e.g. 8.5.7 → 8.5.8): in that OS's `docker-compose.yml`, + update the service's `phpTarGzUrl` and `phpSha256Hash`. The image tag is + major.minor, so the image just tracks the latest patch. (`tar xf` autodetects + compression, so a `.tar.gz`, `.tar.xz` or `.tar.bz2` URL all work — just use + the matching hash.) +* **Add a new minor**: add a service to the compose file; for bookworm also add + a `php-/Dockerfile` (copy the previous minor's and adjust the + `COPY php-/...` paths). The generator picks the new service up + automatically — no pipeline edits needed. + +### Troubleshooting: Docker Hub `UNAUTHORIZED` on publish + +If a `publish` job reaches Docker Hub but fails with `UNAUTHORIZED` pushing to +`datadog/dd-trace-ci`, the dd-trace-php side is usually correct — it means the +`public-images` Docker Hub service account is not allowed to push to that repo. +Ask the `public-images` / Agent Delivery owners to grant it write access; there +is nothing to change in this repo. + +## Building locally + +Build and push a specific image (or all of them) from the OS directory: + +``` +docker buildx bake --no-cache --pull --push +docker buildx bake --no-cache --pull --push +``` Building the containers that match your host platform is usually fast enough to just wait. But building the containers for the other platform (`arm64` vs. `amd64`) is super slow as those builds are running in QEMU. 
-Builder-Instances for the rescue: +Builder-Instances to the rescue: - Boot up an ARM64 and an AMD64 instance in AWS with Ubuntu - [Install Docker](https://docs.docker.com/engine/install/ubuntu/) on both - make Docker executable with the [ubuntu user](https://docs.docker.com/engine/install/linux-postinstall/) From 1f6e29ac6ce402da97152df1ca25fe1c462933b8 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 08:35:43 +0200 Subject: [PATCH 13/21] ci(prof_asan): drop temporary parallel 1.2.14 install step The bookworm-9 CI images are rebuilt with 'pecl install parallel' (latest, >= 1.2.14), so the workaround that reinstalled the fixed parallel over the old 1.2.13 from the image is no longer needed. --- .github/workflows/prof_asan.yml | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/.github/workflows/prof_asan.yml b/.github/workflows/prof_asan.yml index 25acae6ea89..46c8fe591e3 100644 --- a/.github/workflows/prof_asan.yml +++ b/.github/workflows/prof_asan.yml 
@@ -127,25 +127,6 @@ jobs: cargo build --profile profiler-release cp -v "$CARGO_TARGET_DIR/profiler-release/libdatadog_php_profiling.so" "$(php-config --extension-dir)/datadog-profiling.so" - # TODO(parallel): the php-8.5_bookworm-8 image ships parallel 1.2.13, which - # has a bug that intermittently trips UBSAN. Install the fixed 1.2.14 over - # it (ZTS-only; parallel requires ZTS). Remove this step once the CI images - # are rebuilt with parallel >= 1.2.14. - - name: Install fixed parallel 1.2.14 (ZTS only, temporary until images rebuilt) - if: matrix.php-build == 'zts' - run: | - set -eux - switch-php zts - scan_dir="$(php -r 'echo PHP_CONFIG_FILE_SCAN_DIR;')" - # pecl refuses to reinstall while the extension is loaded, so move its - # ini aside during the build, then restore it so the test run loads the - # freshly installed parallel.so. Use the direct package URL because the - # channel REST cache in the image can lag behind new releases. - mv "$scan_dir/parallel.ini" /tmp/parallel.ini.disabled - yes '' | pecl install -f https://pecl.php.net/get/parallel-1.2.14.tgz - mv /tmp/parallel.ini.disabled "$scan_dir/parallel.ini" - php --ri parallel | grep -i version - - name: Run phpt tests run: | set -eux From 575323363423b86ff6f257124dfaf4aab0dc33b4 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 08:42:54 +0200 Subject: [PATCH 14/21] ci(profiler): run PHP language tests on 8.5 The 8.5 tailcall VM crash is fixed in 8.5.8 (now built for bookworm via 8.5.8RC1), so 8.5 no longer needs excluding from the profiler language tests. The dedicated .php_language_profiler_targets anchor only existed for that exclusion and is now identical to .all_profiler_targets, so the language-test job uses that directly. --- .gitlab/generate-profiler.php | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/.gitlab/generate-profiler.php b/.gitlab/generate-profiler.php index 376f28195fa..72b2300be2b 100644 --- a/.gitlab/generate-profiler.php 
+++ b/.gitlab/generate-profiler.php @@ -13,16 +13,6 @@ } ?> -# PHP 8.5 has a known tailcall VM crash; re-enable once PHP 8.5.8 is available. -.php_language_profiler_targets: &php_language_profiler_targets - - "profiling tests": stage: test tags: [ "arch:${ARCH}" ] @@ -157,7 +147,7 @@ XFAIL_LIST: dockerfiles/ci/xfail_tests/${PHP_MAJOR_MINOR}.list parallel: matrix: - - PHP_MAJOR_MINOR: *php_language_profiler_targets + - PHP_MAJOR_MINOR: *all_profiler_targets ARCH: amd64 FLAVOUR: [nts, zts] script: From ce65269e7fb5a0a911ddb89de98340f626d446d6 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 09:26:22 +0200 Subject: [PATCH 15/21] ci: pull Windows CI images from the Docker Hub mirror again Windows images aren't built/pushed/mirrored to the internal registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci (only the Linux images were migrated), so pulls 404'd (manifest unknown for php-8.4_windows). Revert the Windows image refs in the tracer/package generators back to the registry.ddbuild.io/images/mirror/datadog/dd-trace-ci mirror, matching master. --- .gitlab/generate-package.php | 2 +- .gitlab/generate-tracer.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab/generate-package.php b/.gitlab/generate-package.php index 35f36595fc1..ffb27ad8810 100644 --- a/.gitlab/generate-package.php +++ b/.gitlab/generate-package.php @@ -63,7 +63,7 @@ $windows_build_platforms = [ [ "triplet" => "x86_64-pc-windows-msvc", - "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_windows", + "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_windows", "arch" => "amd64", "host_os" => "windows-msvc", "targets" => [ diff --git a/.gitlab/generate-tracer.php b/.gitlab/generate-tracer.php index 546e9aca22b..c6f1dd1175f 100644 --- a/.gitlab/generate-tracer.php +++ b/.gitlab/generate-tracer.php 
@@ -119,7 +119,7 @@ function before_script_steps($with_docker_auth = false) { variables: CONTAINER_NAME: $CI_JOB_NAME_SLUG GIT_STRATEGY: none - IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_windows" + IMAGE: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_windows" script: | From d6fc7ce7f921c44fc74dde18f371d0ab85c8a1c8 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 16:17:27 +0200 Subject: [PATCH 16/21] ci-images: inline the static preamble into the template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Merge ci-images.static.yml into ci-images.yml.tpl: the literal preamble (stages, job templates, Windows jobs) now lives at the top of the template, above the PHP loops that generate the Linux jobs. Literal text in a .tpl is emitted verbatim, so the Windows PowerShell needs no escaping — the separate file and the file_get_contents indirection bought nothing. Generated output is unchanged. --- .gitlab/ci-images.static.yml | 179 -------------------------------- .gitlab/ci-images.yml.tpl | 182 ++++++++++++++++++++++++++++++++- .gitlab/generate-ci-images.php | 4 +- dockerfiles/ci/README.md | 8 +- 4 files changed, 187 insertions(+), 186 deletions(-) delete mode 100644 .gitlab/ci-images.static.yml diff --git a/.gitlab/ci-images.static.yml b/.gitlab/ci-images.static.yml deleted file mode 100644 index 666a5e4d29d..00000000000 --- a/.gitlab/ci-images.static.yml +++ /dev/null 
@@ -1,179 +0,0 @@ -# DO NOT EDIT THE GENERATED LINUX JOBS — they are produced by -# .gitlab/generate-ci-images.php from the docker-compose.yml + .env files. -# This file holds the STATIC preamble (stages, templates) and the Windows jobs, -# which have no multi-arch manifest and stay hand-maintained. - -stages: - - ci-build - - ci-publish - -variables: - CI_REGISTRY_IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci" - -.linux_image_build: - stage: ci-build - rules: - - when: manual - allow_failure: true - needs: [] - timeout: 4h - image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble - variables: - DDCI_CONFIGURE_OTEL_EXPORTER: "true" - # Compile runs on the buildx "ci" builder instance, not this job pod, so the - # pod uses cluster defaults. MAKE_JOBS sets the builder's compile parallelism. - MAKE_JOBS: "8" - -.linux_publish: - stage: ci-publish - rules: - - when: manual - allow_failure: true - # No deps: a publish just mirrors whatever already exists in - # registry.ddbuild.io to Docker Hub, so it can run without (re)building. - needs: [] - trigger: - project: DataDog/public-images - branch: main - # $TAG is supplied per matrix entry by the generated publish jobs. - variables: - IMG_REGISTRIES: "dockerhub" - IMG_SIGNING: false - IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG}" - IMG_DESTINATIONS: "dd-trace-ci:${TAG}" - -.windows_image_build: - stage: ci-build - rules: - - when: manual - allow_failure: true - needs: [] - tags: ["windows-v2:2019"] - timeout: 6h - variables: - DDCI_CONFIGURE_OTEL_EXPORTER: "true" - GIT_STRATEGY: none - script: | - # Kill leftover containers; a previous run may still hold php_ddtrace.dll open. - $containers = docker ps -aq 2>$null - if ($containers) { docker rm -f $containers 2>$null } - - # Use cmd.exe rd from the parent dir: handles junctions/symlinks that PS5.1 Remove-Item cannot. - Write-Host "Performing workspace cleanup..." - $workspace = $PWD.Path - Push-Location .. 
- cmd /c "rd /s /q ""$workspace""" - if (-not (Test-Path $workspace)) { - New-Item -ItemType Directory -Path $workspace -Force | Out-Null - } - Pop-Location - $remaining = Get-ChildItem -Path . -Force -ErrorAction SilentlyContinue - if ($remaining) { Write-Host "WARNING: could not remove: $($remaining.Name -join ', ')" } - Write-Host "Cleanup complete." - - # PS 5.1 ignores $PSNativeCommandUseErrorActionPreference; use $LASTEXITCODE checks instead. - $ErrorActionPreference = 'Stop' - - # Manual git clone with proper config. - Write-Host "Cloning repository..." - git config --global core.longpaths true - git config --global core.symlinks true - git clone --branch $env:CI_COMMIT_REF_NAME $env:CI_REPOSITORY_URL . - if ($LASTEXITCODE -ne 0) { - Write-Host "ERROR: git clone failed. Remaining workspace contents:" - Get-ChildItem -Force | Select-Object Name - exit $LASTEXITCODE - } - git checkout $env:CI_COMMIT_SHA - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - - # Initialize submodules. - Write-Host "Initializing submodules..." - git submodule update --init --recursive - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - Write-Host "Git setup complete." - - # Download docker-compose to the workspace. - Write-Host "Downloading docker-compose..." - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - $dockerCompose = "$PWD\docker-compose.exe" - Start-BitsTransfer -Source "https://github.com/docker/compose/releases/download/v2.36.0/docker-compose-windows-x86_64.exe" -Destination $dockerCompose - - cd dockerfiles\ci\windows - - docker version - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - - & $dockerCompose version - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - - foreach ($target in ($env:WINDOWS_IMAGE_TARGETS -split ' ')) { - if ([string]::IsNullOrWhiteSpace($target)) { continue } - - Write-Host "Building Windows CI image target $target..." 
- & $dockerCompose build --pull --no-cache $target - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - - Write-Host "Pushing Windows CI image target $target..." - & $dockerCompose push $target - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - } - -"Windows 1: Tool Images": - extends: .windows_image_build - parallel: - matrix: - - WINDOWS_IMAGE_TARGETS: - - "vc15" - - "vs16" - - "vs17" - -"Windows 2: PHP Images": - extends: .windows_image_build - parallel: - matrix: - - WINDOWS_IMAGE_TARGETS: - - "php-8.5" - - "php-8.4" - - "php-8.3" - - "php-8.2" - - "php-8.1" - - "php-8.0" - - "php-7.4" - - "php-7.3" - - "php-7.2" - -Publish Windows: - stage: ci-publish - rules: - - when: manual - allow_failure: true - needs: - - job: "Windows 1: Tool Images" - - job: "Windows 2: PHP Images" - trigger: - project: DataDog/public-images - branch: main - parallel: - matrix: - - TAG_NAME: - - "windows-base-vc15" - - "windows-base-vs16" - - "windows-base-vs17" - - "windows-vc15" - - "windows-vs16" - - "windows-vs17" - - "php-8.5_windows" - - "php-8.4_windows" - - "php-8.3_windows" - - "php-8.2_windows" - - "php-8.1_windows" - - "php-8.0_windows" - - "php-7.4_windows" - - "php-7.3_windows" - - "php-7.2_windows" - variables: - IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" - IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" - IMG_REGISTRIES: "dockerhub" - IMG_SIGNING: false diff --git a/.gitlab/ci-images.yml.tpl b/.gitlab/ci-images.yml.tpl index 3673aa0f657..1e249e2fbdc 100644 --- a/.gitlab/ci-images.yml.tpl +++ b/.gitlab/ci-images.yml.tpl 
@@ -1,4 +1,184 @@ - +# Template for the CI image child pipeline, rendered to ci-images-gen.yml by +# .gitlab/generate-ci-images.php. Everything here is emitted as-is except the +# PHP loops at the bottom, which generate the per-OS Linux build/publish jobs +# from the docker-compose.yml + .env files. Edit this template — never the +# generated ci-images-gen.yml. The Windows jobs are hand-written (single-arch, +# no multi-arch manifest). + +stages: + - ci-build + - ci-publish + +variables: + CI_REGISTRY_IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci" + +.linux_image_build: + stage: ci-build + rules: + - when: manual + allow_failure: true + needs: [] + timeout: 4h + image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble + variables: + DDCI_CONFIGURE_OTEL_EXPORTER: "true" + # Compile runs on the buildx "ci" builder instance, not this job pod, so the + # pod uses cluster defaults. MAKE_JOBS sets the builder's compile parallelism. + MAKE_JOBS: "8" + +.linux_publish: + stage: ci-publish + rules: + - when: manual + allow_failure: true + # No deps: a publish just mirrors whatever already exists in + # registry.ddbuild.io to Docker Hub, so it can run without (re)building. + needs: [] + trigger: + project: DataDog/public-images + branch: main + # $TAG is supplied per matrix entry by the generated publish jobs. + variables: + IMG_REGISTRIES: "dockerhub" + IMG_SIGNING: false + IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG}" + IMG_DESTINATIONS: "dd-trace-ci:${TAG}" + +.windows_image_build: + stage: ci-build + rules: + - when: manual + allow_failure: true + needs: [] + tags: ["windows-v2:2019"] + timeout: 6h + variables: + DDCI_CONFIGURE_OTEL_EXPORTER: "true" + GIT_STRATEGY: none + script: | + # Kill leftover containers; a previous run may still hold php_ddtrace.dll open. 
+ $containers = docker ps -aq 2>$null + if ($containers) { docker rm -f $containers 2>$null } + + # Use cmd.exe rd from the parent dir: handles junctions/symlinks that PS5.1 Remove-Item cannot. + Write-Host "Performing workspace cleanup..." + $workspace = $PWD.Path + Push-Location .. + cmd /c "rd /s /q ""$workspace""" + if (-not (Test-Path $workspace)) { + New-Item -ItemType Directory -Path $workspace -Force | Out-Null + } + Pop-Location + $remaining = Get-ChildItem -Path . -Force -ErrorAction SilentlyContinue + if ($remaining) { Write-Host "WARNING: could not remove: $($remaining.Name -join ', ')" } + Write-Host "Cleanup complete." + + # PS 5.1 ignores $PSNativeCommandUseErrorActionPreference; use $LASTEXITCODE checks instead. + $ErrorActionPreference = 'Stop' + + # Manual git clone with proper config. + Write-Host "Cloning repository..." + git config --global core.longpaths true + git config --global core.symlinks true + git clone --branch $env:CI_COMMIT_REF_NAME $env:CI_REPOSITORY_URL . + if ($LASTEXITCODE -ne 0) { + Write-Host "ERROR: git clone failed. Remaining workspace contents:" + Get-ChildItem -Force | Select-Object Name + exit $LASTEXITCODE + } + git checkout $env:CI_COMMIT_SHA + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + # Initialize submodules. + Write-Host "Initializing submodules..." + git submodule update --init --recursive + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + Write-Host "Git setup complete." + + # Download docker-compose to the workspace. + Write-Host "Downloading docker-compose..." 
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + $dockerCompose = "$PWD\docker-compose.exe" + Start-BitsTransfer -Source "https://github.com/docker/compose/releases/download/v2.36.0/docker-compose-windows-x86_64.exe" -Destination $dockerCompose + + cd dockerfiles\ci\windows + + docker version + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + & $dockerCompose version + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + foreach ($target in ($env:WINDOWS_IMAGE_TARGETS -split ' ')) { + if ([string]::IsNullOrWhiteSpace($target)) { continue } + + Write-Host "Building Windows CI image target $target..." + & $dockerCompose build --pull --no-cache $target + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + Write-Host "Pushing Windows CI image target $target..." + & $dockerCompose push $target + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + } + +"Windows 1: Tool Images": + extends: .windows_image_build + parallel: + matrix: + - WINDOWS_IMAGE_TARGETS: + - "vc15" + - "vs16" + - "vs17" + +"Windows 2: PHP Images": + extends: .windows_image_build + parallel: + matrix: + - WINDOWS_IMAGE_TARGETS: + - "php-8.5" + - "php-8.4" + - "php-8.3" + - "php-8.2" + - "php-8.1" + - "php-8.0" + - "php-7.4" + - "php-7.3" + - "php-7.2" + +Publish Windows: + stage: ci-publish + rules: + - when: manual + allow_failure: true + needs: + - job: "Windows 1: Tool Images" + - job: "Windows 2: PHP Images" + trigger: + project: DataDog/public-images + branch: main + parallel: + matrix: + - TAG_NAME: + - "windows-base-vc15" + - "windows-base-vs16" + - "windows-base-vs17" + - "windows-vc15" + - "windows-vs16" + - "windows-vs17" + - "php-8.5_windows" + - "php-8.4_windows" + - "php-8.3_windows" + - "php-8.2_windows" + - "php-8.1_windows" + - "php-8.0_windows" + - "php-7.4_windows" + - "php-7.3_windows" + - "php-7.2_windows" + variables: + IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" + IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" + 
IMG_REGISTRIES: "dockerhub" + IMG_SIGNING: false $os, 'dir' => $dir, 'services' => $services]): ?> Date: Wed, 24 Jun 2026 16:48:58 +0200 Subject: [PATCH 17/21] ci-images: inline the template into the generator Fold ci-images.yml.tpl into generate-ci-images.php: the parsing/logic runs at the top, then a single `?>` drops into the literal pipeline preamble (stages, job templates, Windows jobs) followed by the PHP loops that emit the Linux jobs. One file instead of two; generated pipeline is unchanged. Docblock, emitted header comment and README updated to drop the now-gone .tpl. --- .gitlab/ci-images.yml.tpl | 214 ------------------------------- .gitlab/generate-ci-images.php | 224 ++++++++++++++++++++++++++++++++- dockerfiles/ci/README.md | 10 +- 3 files changed, 223 insertions(+), 225 deletions(-) delete mode 100644 .gitlab/ci-images.yml.tpl diff --git a/.gitlab/ci-images.yml.tpl b/.gitlab/ci-images.yml.tpl deleted file mode 100644 index 1e249e2fbdc..00000000000 --- a/.gitlab/ci-images.yml.tpl +++ /dev/null 
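Review bot: Nothing verifies the `docker-compose.exe` that the `.windows_image_build` script fetches with `Start-BitsTransfer` before `& $dockerCompose` runs it, so the job that builds and pushes the Windows images executes whatever the release URL serves at that moment. The URL already pins v2.36.0, so the expected SHA-256 can be pinned next to it and checked right after the download: `if ((Get-FileHash $dockerCompose -Algorithm SHA256).Hash -ne $expectedSha256) { Write-Host "ERROR: docker-compose checksum mismatch"; exit 1 }`, with `$expectedSha256` taken from the checksum published for that release. PATCH 17/21 carries the same lines into `.gitlab/generate-ci-images.php` (hunk `@@ -83,5 +84,216 @@`), so the check is needed there too.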
@@ -1,214 +0,0 @@ -# Template for the CI image child pipeline, rendered to ci-images-gen.yml by -# .gitlab/generate-ci-images.php. Everything here is emitted as-is except the -# PHP loops at the bottom, which generate the per-OS Linux build/publish jobs -# from the docker-compose.yml + .env files. Edit this template — never the -# generated ci-images-gen.yml. The Windows jobs are hand-written (single-arch, -# no multi-arch manifest). - -stages: - - ci-build - - ci-publish - -variables: - CI_REGISTRY_IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci" - -.linux_image_build: - stage: ci-build - rules: - - when: manual - allow_failure: true - needs: [] - timeout: 4h - image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble - variables: - DDCI_CONFIGURE_OTEL_EXPORTER: "true" - # Compile runs on the buildx "ci" builder instance, not this job pod, so the - # pod uses cluster defaults. MAKE_JOBS sets the builder's compile parallelism. - MAKE_JOBS: "8" - -.linux_publish: - stage: ci-publish - rules: - - when: manual - allow_failure: true - # No deps: a publish just mirrors whatever already exists in - # registry.ddbuild.io to Docker Hub, so it can run without (re)building. - needs: [] - trigger: - project: DataDog/public-images - branch: main - # $TAG is supplied per matrix entry by the generated publish jobs. - variables: - IMG_REGISTRIES: "dockerhub" - IMG_SIGNING: false - IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG}" - IMG_DESTINATIONS: "dd-trace-ci:${TAG}" - -.windows_image_build: - stage: ci-build - rules: - - when: manual - allow_failure: true - needs: [] - tags: ["windows-v2:2019"] - timeout: 6h - variables: - DDCI_CONFIGURE_OTEL_EXPORTER: "true" - GIT_STRATEGY: none - script: | - # Kill leftover containers; a previous run may still hold php_ddtrace.dll open. 
- $containers = docker ps -aq 2>$null - if ($containers) { docker rm -f $containers 2>$null } - - # Use cmd.exe rd from the parent dir: handles junctions/symlinks that PS5.1 Remove-Item cannot. - Write-Host "Performing workspace cleanup..." - $workspace = $PWD.Path - Push-Location .. - cmd /c "rd /s /q ""$workspace""" - if (-not (Test-Path $workspace)) { - New-Item -ItemType Directory -Path $workspace -Force | Out-Null - } - Pop-Location - $remaining = Get-ChildItem -Path . -Force -ErrorAction SilentlyContinue - if ($remaining) { Write-Host "WARNING: could not remove: $($remaining.Name -join ', ')" } - Write-Host "Cleanup complete." - - # PS 5.1 ignores $PSNativeCommandUseErrorActionPreference; use $LASTEXITCODE checks instead. - $ErrorActionPreference = 'Stop' - - # Manual git clone with proper config. - Write-Host "Cloning repository..." - git config --global core.longpaths true - git config --global core.symlinks true - git clone --branch $env:CI_COMMIT_REF_NAME $env:CI_REPOSITORY_URL . - if ($LASTEXITCODE -ne 0) { - Write-Host "ERROR: git clone failed. Remaining workspace contents:" - Get-ChildItem -Force | Select-Object Name - exit $LASTEXITCODE - } - git checkout $env:CI_COMMIT_SHA - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - - # Initialize submodules. - Write-Host "Initializing submodules..." - git submodule update --init --recursive - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - Write-Host "Git setup complete." - - # Download docker-compose to the workspace. - Write-Host "Downloading docker-compose..." 
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - $dockerCompose = "$PWD\docker-compose.exe" - Start-BitsTransfer -Source "https://github.com/docker/compose/releases/download/v2.36.0/docker-compose-windows-x86_64.exe" -Destination $dockerCompose - - cd dockerfiles\ci\windows - - docker version - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - - & $dockerCompose version - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - - foreach ($target in ($env:WINDOWS_IMAGE_TARGETS -split ' ')) { - if ([string]::IsNullOrWhiteSpace($target)) { continue } - - Write-Host "Building Windows CI image target $target..." - & $dockerCompose build --pull --no-cache $target - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - - Write-Host "Pushing Windows CI image target $target..." - & $dockerCompose push $target - if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - } - -"Windows 1: Tool Images": - extends: .windows_image_build - parallel: - matrix: - - WINDOWS_IMAGE_TARGETS: - - "vc15" - - "vs16" - - "vs17" - -"Windows 2: PHP Images": - extends: .windows_image_build - parallel: - matrix: - - WINDOWS_IMAGE_TARGETS: - - "php-8.5" - - "php-8.4" - - "php-8.3" - - "php-8.2" - - "php-8.1" - - "php-8.0" - - "php-7.4" - - "php-7.3" - - "php-7.2" - -Publish Windows: - stage: ci-publish - rules: - - when: manual - allow_failure: true - needs: - - job: "Windows 1: Tool Images" - - job: "Windows 2: PHP Images" - trigger: - project: DataDog/public-images - branch: main - parallel: - matrix: - - TAG_NAME: - - "windows-base-vc15" - - "windows-base-vs16" - - "windows-base-vs17" - - "windows-vc15" - - "windows-vs16" - - "windows-vs17" - - "php-8.5_windows" - - "php-8.4_windows" - - "php-8.3_windows" - - "php-8.2_windows" - - "php-8.1_windows" - - "php-8.0_windows" - - "php-7.4_windows" - - "php-7.3_windows" - - "php-7.2_windows" - variables: - IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" - IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" - 
IMG_REGISTRIES: "dockerhub" - IMG_SIGNING: false - $os, 'dir' => $dir, 'services' => $services]): ?> - - - build: - extends: .linux_image_build - tags: ["arch:amd64"] - parallel: - matrix: - - PHP_VERSION: - - - - - script: - - cd - - docker buildx bake --no-cache --pull --push "${PHP_VERSION}" - - - publish: - extends: .linux_publish - parallel: - matrix: - - TAG: - - - "" - - diff --git a/.gitlab/generate-ci-images.php b/.gitlab/generate-ci-images.php index 6ce3282326b..cb27b341734 100644 --- a/.gitlab/generate-ci-images.php +++ b/.gitlab/generate-ci-images.php @@ -1,7 +1,7 @@ /docker-compose.yml : service name -> image:TAG @@ -9,10 +9,11 @@ * * The compose service name is the `docker buildx bake` target and the build * matrix value; the `image:` tag (with env vars resolved) is the published tag. - * Per Linux image the template emits one build matrix job over PHP versions - * (bake builds and pushes the multi-arch image) plus a manual publish matrix job - * that mirrors the tags to Docker Hub. The template's literal preamble holds the - * job templates and the (single-arch) Windows jobs. + * This script prints a literal preamble (stages, job templates, and the + * single-arch Windows jobs), then loops over the parsed compose services to + * emit, per Linux OS, one build matrix job over PHP versions (bake builds and + * pushes the multi-arch image) plus a manual publish matrix job that mirrors + * the tags to Docker Hub. */ $root = dirname(__DIR__); 
@@ -83,5 +84,216 @@ function parse_compose(string $path, array $env): array } $osList[] = ["name" => $os, "dir" => $dir, "services" => $services]; } +?> +# CI image build + publish child pipeline, generated by +# .gitlab/generate-ci-images.php from the docker-compose.yml + .env files. +# Edit the generator, never this generated file. The Windows jobs are +# hand-written in the generator (single-arch, no multi-arch manifest). -require __DIR__ . "/ci-images.yml.tpl"; +stages: + - ci-build + - ci-publish + +variables: + CI_REGISTRY_IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci" + +.linux_image_build: + stage: ci-build + rules: + - when: manual + allow_failure: true + needs: [] + timeout: 4h + image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble + variables: + DDCI_CONFIGURE_OTEL_EXPORTER: "true" + # Compile runs on the buildx "ci" builder instance, not this job pod, so the + # pod uses cluster defaults. MAKE_JOBS sets the builder's compile parallelism. + MAKE_JOBS: "8" + +.linux_publish: + stage: ci-publish + rules: + - when: manual + allow_failure: true + # No deps: a publish just mirrors whatever already exists in + # registry.ddbuild.io to Docker Hub, so it can run without (re)building. + needs: [] + trigger: + project: DataDog/public-images + branch: main + # $TAG is supplied per matrix entry by the generated publish jobs. + variables: + IMG_REGISTRIES: "dockerhub" + IMG_SIGNING: false + IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG}" + IMG_DESTINATIONS: "dd-trace-ci:${TAG}" + +.windows_image_build: + stage: ci-build + rules: + - when: manual + allow_failure: true + needs: [] + tags: ["windows-v2:2019"] + timeout: 6h + variables: + DDCI_CONFIGURE_OTEL_EXPORTER: "true" + GIT_STRATEGY: none + script: | + # Kill leftover containers; a previous run may still hold php_ddtrace.dll open. 
+ $containers = docker ps -aq 2>$null + if ($containers) { docker rm -f $containers 2>$null } + + # Use cmd.exe rd from the parent dir: handles junctions/symlinks that PS5.1 Remove-Item cannot. + Write-Host "Performing workspace cleanup..." + $workspace = $PWD.Path + Push-Location .. + cmd /c "rd /s /q ""$workspace""" + if (-not (Test-Path $workspace)) { + New-Item -ItemType Directory -Path $workspace -Force | Out-Null + } + Pop-Location + $remaining = Get-ChildItem -Path . -Force -ErrorAction SilentlyContinue + if ($remaining) { Write-Host "WARNING: could not remove: $($remaining.Name -join ', ')" } + Write-Host "Cleanup complete." + + # PS 5.1 ignores $PSNativeCommandUseErrorActionPreference; use $LASTEXITCODE checks instead. + $ErrorActionPreference = 'Stop' + + # Manual git clone with proper config. + Write-Host "Cloning repository..." + git config --global core.longpaths true + git config --global core.symlinks true + git clone --branch $env:CI_COMMIT_REF_NAME $env:CI_REPOSITORY_URL . + if ($LASTEXITCODE -ne 0) { + Write-Host "ERROR: git clone failed. Remaining workspace contents:" + Get-ChildItem -Force | Select-Object Name + exit $LASTEXITCODE + } + git checkout $env:CI_COMMIT_SHA + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + # Initialize submodules. + Write-Host "Initializing submodules..." + git submodule update --init --recursive + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + Write-Host "Git setup complete." + + # Download docker-compose to the workspace. + Write-Host "Downloading docker-compose..." 
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + $dockerCompose = "$PWD\docker-compose.exe" + Start-BitsTransfer -Source "https://github.com/docker/compose/releases/download/v2.36.0/docker-compose-windows-x86_64.exe" -Destination $dockerCompose + + cd dockerfiles\ci\windows + + docker version + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + & $dockerCompose version + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + foreach ($target in ($env:WINDOWS_IMAGE_TARGETS -split ' ')) { + if ([string]::IsNullOrWhiteSpace($target)) { continue } + + Write-Host "Building Windows CI image target $target..." + & $dockerCompose build --pull --no-cache $target + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + Write-Host "Pushing Windows CI image target $target..." + & $dockerCompose push $target + if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + } + +"Windows 1: Tool Images": + extends: .windows_image_build + parallel: + matrix: + - WINDOWS_IMAGE_TARGETS: + - "vc15" + - "vs16" + - "vs17" + +"Windows 2: PHP Images": + extends: .windows_image_build + parallel: + matrix: + - WINDOWS_IMAGE_TARGETS: + - "php-8.5" + - "php-8.4" + - "php-8.3" + - "php-8.2" + - "php-8.1" + - "php-8.0" + - "php-7.4" + - "php-7.3" + - "php-7.2" + +Publish Windows: + stage: ci-publish + rules: + - when: manual + allow_failure: true + needs: + - job: "Windows 1: Tool Images" + - job: "Windows 2: PHP Images" + trigger: + project: DataDog/public-images + branch: main + parallel: + matrix: + - TAG_NAME: + - "windows-base-vc15" + - "windows-base-vs16" + - "windows-base-vs17" + - "windows-vc15" + - "windows-vs16" + - "windows-vs17" + - "php-8.5_windows" + - "php-8.4_windows" + - "php-8.3_windows" + - "php-8.2_windows" + - "php-8.1_windows" + - "php-8.0_windows" + - "php-7.4_windows" + - "php-7.3_windows" + - "php-7.2_windows" + variables: + IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" + IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" + 
IMG_REGISTRIES: "dockerhub" + IMG_SIGNING: false + $os, 'dir' => $dir, 'services' => $services]): ?> + + + build: + extends: .linux_image_build + tags: ["arch:amd64"] + parallel: + matrix: + - PHP_VERSION: + + - + + script: + - cd + - docker buildx bake --no-cache --pull --push "${PHP_VERSION}" + + + publish: + extends: .linux_publish + parallel: + matrix: + - TAG: + + - "" + + diff --git a/dockerfiles/ci/README.md b/dockerfiles/ci/README.md index b126362a395..19185b0ce3c 100644 --- a/dockerfiles/ci/README.md +++ b/dockerfiles/ci/README.md @@ -14,11 +14,11 @@ repo. service name is the `buildx bake` target, and its `image:` tag (with `.env` vars resolved) is the published tag. PHP versions live here and nowhere else. * **Pipeline generation:** `.gitlab/generate-ci-images.php` reads those compose - files and renders `.gitlab/ci-images.yml.tpl` into a GitLab child pipeline. - The template's literal preamble holds the job templates and the hand-written - Windows jobs; its PHP loops generate the per-OS Linux build/publish jobs. The - generator runs inside the `generate-templates` job; the manual `ci-images` job - (stage `ci-build`) launches the generated child pipeline. + files and emits a GitLab child pipeline — a literal preamble (stages, job + templates, and the hand-written Windows jobs) followed by the per-OS Linux + build/publish jobs it generates from the compose services. The generator runs + inside the `generate-templates` job; the manual `ci-images` job (stage + `ci-build`) launches the generated child pipeline. * **Build:** `docker buildx bake --no-cache --pull --push` builds the multi-arch (`amd64` + `arm64`) image — the platforms come from the `x-bake` block in the compose file — and pushes a single multi-arch manifest to the internal From 4e5fd291ce2acef019019fe062ac1283d2bc96e2 Mon Sep 17 00:00:00 2001 
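Review bot: `IMG_SIGNING: false` sits in both publish definitions of this preamble (`.linux_publish` and `Publish Windows`) without a comment saying why. The variable is handed to the triggered `DataDog/public-images` pipeline and presumably turns signing off for the tags mirrored to Docker Hub; that is inferred from the name and should be confirmed. If it is deliberate, a line such as `# Signing is off because <reason>; Docker Hub consumers cannot verify these tags by signature.` above each occurrence records the decision for whoever next touches the publish jobs.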
From: Florian Engelhardt Date: Wed, 24 Jun 2026 17:03:05 +0200 Subject: [PATCH 18/21] ci: pass internal registry into centos/alpine builds; generate Windows jobs - centos/alpine compose now pass CI_REGISTRY_IMAGE as a build arg (anchor on base, merged into php services) so PHP images build FROM the freshly-built internal base instead of the Docker Hub fallback (matches bookworm BUILD_BASE). - Windows build + publish jobs are generated from docker-compose.yml; the build matrix now includes the windows-base-* services so they exist in the internal registry before publish. Linux + Windows publish share .image_publish. --- .gitlab/generate-ci-images.php | 94 +++++++------------ .../docker-compose.yml | 15 +++ dockerfiles/ci/centos/7/docker-compose.yml | 15 +++ 3 files changed, 63 insertions(+), 61 deletions(-) diff --git a/.gitlab/generate-ci-images.php b/.gitlab/generate-ci-images.php index cb27b341734..6cd40698077 100644 --- a/.gitlab/generate-ci-images.php +++ b/.gitlab/generate-ci-images.php @@ -9,11 +9,11 @@ * * The compose service name is the `docker buildx bake` target and the build * matrix value; the `image:` tag (with env vars resolved) is the published tag. - * This script prints a literal preamble (stages, job templates, and the - * single-arch Windows jobs), then loops over the parsed compose services to - * emit, per Linux OS, one build matrix job over PHP versions (bake builds and - * pushes the multi-arch image) plus a manual publish matrix job that mirrors - * the tags to Docker Hub. + * This script prints a literal preamble (stages, job templates), then loops + * over the parsed compose services to emit, per Linux OS, one build matrix job + * over PHP versions (bake builds and pushes the multi-arch image) plus a manual + * publish matrix job that mirrors the tags to Docker Hub. Windows is emitted the + * same way but single-arch (no manifest) with its own build runner/script. */ $root = dirname(__DIR__); 
@@ -84,11 +84,19 @@ function parse_compose(string $path, array $env): array } $osList[] = ["name" => $os, "dir" => $dir, "services" => $services]; } + +// Windows is single-arch (no multi-arch manifest) and uses a different build +// runner/script, so it is emitted separately from the Linux loop below. It has +// no .env, so tags resolve with an empty env map. +$winServices = parse_compose("$root/dockerfiles/ci/windows/docker-compose.yml", []); +if (!$winServices) { + fwrite(STDERR, "WARNING: no services parsed for Windows\n"); +} ?> # CI image build + publish child pipeline, generated by # .gitlab/generate-ci-images.php from the docker-compose.yml + .env files. -# Edit the generator, never this generated file. The Windows jobs are -# hand-written in the generator (single-arch, no multi-arch manifest). +# Edit the generator, never this generated file. Windows is generated too +# (single-arch, no multi-arch manifest, different build runner/script). stages: - ci-build @@ -111,7 +119,7 @@ function parse_compose(string $path, array $env): array # pod uses cluster defaults. MAKE_JOBS sets the builder's compile parallelism. MAKE_JOBS: "8" -.linux_publish: +.image_publish: stage: ci-publish rules: - when: manual 
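Review bot: When `parse_compose()` returns nothing for the Windows compose file, the added check only writes a warning to STDERR and the script carries on to emit `Windows build` and `Windows publish`. The loops that fill their matrices are not readable in this view, but with an empty `$winServices` the lists under `WINDOWS_IMAGE_TARGETS:` and `TAG:` would presumably come out empty, which is easier to miss in the `generate-templates` log than a failed generator. Exiting instead makes the problem visible: `fwrite(STDERR, "ERROR: no services parsed for Windows\n"); exit(1);`. If the Linux loop above this hunk warns and continues on purpose, skipping both Windows jobs when the list is empty would be the consistent alternative.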
@@ -206,64 +214,28 @@ function parse_compose(string $path, array $env): array if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } } -"Windows 1: Tool Images": - extends: .windows_image_build - parallel: - matrix: - - WINDOWS_IMAGE_TARGETS: - - "vc15" - - "vs16" - - "vs17" - -"Windows 2: PHP Images": + +Windows build: extends: .windows_image_build parallel: matrix: - WINDOWS_IMAGE_TARGETS: - - "php-8.5" - - "php-8.4" - - "php-8.3" - - "php-8.2" - - "php-8.1" - - "php-8.0" - - "php-7.4" - - "php-7.3" - - "php-7.2" + + - "" + -Publish Windows: - stage: ci-publish - rules: - - when: manual - allow_failure: true - needs: - - job: "Windows 1: Tool Images" - - job: "Windows 2: PHP Images" - trigger: - project: DataDog/public-images - branch: main +Windows publish: + extends: .image_publish parallel: matrix: - - TAG_NAME: - - "windows-base-vc15" - - "windows-base-vs16" - - "windows-base-vs17" - - "windows-vc15" - - "windows-vs16" - - "windows-vs17" - - "php-8.5_windows" - - "php-8.4_windows" - - "php-8.3_windows" - - "php-8.2_windows" - - "php-8.1_windows" - - "php-8.0_windows" - - "php-7.4_windows" - - "php-7.3_windows" - - "php-7.2_windows" - variables: - IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}" - IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}" - IMG_REGISTRIES: "dockerhub" - IMG_SIGNING: false + - TAG: + + - "" + $os, 'dir' => $dir, 'services' => $services]): ?> publish: - extends: .linux_publish + extends: .image_publish parallel: matrix: - TAG: diff --git a/dockerfiles/ci/alpine_compile_extension/docker-compose.yml b/dockerfiles/ci/alpine_compile_extension/docker-compose.yml index 6ac3817ff0b..62c580ce40d 100644 --- a/dockerfiles/ci/alpine_compile_extension/docker-compose.yml +++ b/dockerfiles/ci/alpine_compile_extension/docker-compose.yml 
@@ -11,6 +11,10 @@ services:
 platforms:
 - linux/arm64
 - linux/amd64
+ args: &build-base
+ # Build php images FROM the (possibly freshly built) internal base,
+ # not the Docker Hub fallback baked into the Dockerfile ARG default.
+ CI_REGISTRY_IMAGE: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}
 volumes:
 - ../../:/app
@@ -20,6 +24,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 7.0.33
 phpSha256Hash: d71a6ecb6b13dc53fed7532a7f8f949c4044806f067502f8fb6f9facbb40452a
 phpApi: 20151012
@@ -32,6 +37,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 7.1.33
 phpSha256Hash: 0055f368ffefe51d5a4483755bd17475e88e74302c08b727952831c5b2682ea2
 phpApi: 20160303
@@ -44,6 +50,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 7.2.34
 phpSha256Hash: 8b2777c741e83f188d3ca6d8e98ece7264acafee86787298fae57e05d0dddc78
 phpApi: 20170718
@@ -56,6 +63,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 7.3.33
 phpSha256Hash: 9a369c32c6f52036b0a890f290327f148a1904ee66aa56e2c9a7546da6525ec8
 phpApi: 20180731
@@ -68,6 +76,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 7.4.33
 phpSha256Hash: 5a2337996f07c8a097e03d46263b5c98d2c8e355227756351421003bea8f463e
 phpApi: 20190902
@@ -80,6 +89,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 8.0.30
 phpSha256Hash: 449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80c
 phpApi: 20200930
@@ -92,6 +102,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 8.1.31
 phpSha256Hash: 618923b407c4575bfee085f00c4aaa16a5cc86d4b1eb893c0f352d61541bbfb1
 phpApi: 20210902
@@ -104,6 +115,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 8.2.31
 phpSha256Hash: 083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870
 phpApi: 20220829
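Review bot: The `&build-base` anchor falls back to `datadog/dd-trace-ci`, a Docker Hub path, when `CI_REGISTRY_IMAGE` is unset, although the comment directly above it says the php images should not be built from the Docker Hub fallback; a job or local run without the variable therefore builds every child image FROM the public image with no error. If the internal base is required in CI, I would make that explicit with `CI_REGISTRY_IMAGE: ${CI_REGISTRY_IMAGE:?set CI_REGISTRY_IMAGE}`, or, if the fallback is intended for local builds, state it in the comment: `# Falls back to Docker Hub when CI_REGISTRY_IMAGE is unset (local builds only).` The same anchor is added in `dockerfiles/ci/centos/7/docker-compose.yml` (`@@ -10,6 +10,10 @@`) and the point applies there too. Whether the CI jobs always export the variable is not visible in these hunks.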
@@ -116,6 +128,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 8.3.31
 phpSha256Hash: 4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f
 phpApi: 20230831
@@ -128,6 +141,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 8.4.22
 phpSha256Hash: a012c2c9724baf214a70b41b40a7e130906b8855e54268afa5bc4ae17bc9d823
 phpApi: 20240924
@@ -140,6 +154,7 @@ services:
 context: .
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: 8.5.7
 phpSha256Hash: "e5eba93fd6dd3241d0e61e932eb99a3783b40568553fb0e511b660ecd863a049"
 phpApi: 20250925
diff --git a/dockerfiles/ci/centos/7/docker-compose.yml b/dockerfiles/ci/centos/7/docker-compose.yml
index c4fc16bd172..7879c1ab7ac 100644
--- a/dockerfiles/ci/centos/7/docker-compose.yml
+++ b/dockerfiles/ci/centos/7/docker-compose.yml
@@ -10,6 +10,10 @@ services:
 platforms:
 - linux/arm64
 - linux/amd64
+ args: &build-base
+ # Build php images FROM the (possibly freshly built) internal base,
+ # not the Docker Hub fallback baked into the Dockerfile ARG default.
+ CI_REGISTRY_IMAGE: ${CI_REGISTRY_IMAGE:-datadog/dd-trace-ci}
 php-7.0:
 build:
@@ -17,6 +21,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "7.0"
 phpTarGzUrl: https://www.php.net/distributions/php-7.0.33.tar.gz
 phpSha256Hash: d71a6ecb6b13dc53fed7532a7f8f949c4044806f067502f8fb6f9facbb40452a
@@ -28,6 +33,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "7.1"
 phpTarGzUrl: https://www.php.net/distributions/php-7.1.33.tar.gz
 phpSha256Hash: 0055f368ffefe51d5a4483755bd17475e88e74302c08b727952831c5b2682ea2
@@ -39,6 +45,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "7.2"
 phpTarGzUrl: https://www.php.net/distributions/php-7.2.34.tar.gz
 phpSha256Hash: 8b2777c741e83f188d3ca6d8e98ece7264acafee86787298fae57e05d0dddc78
@@ -50,6 +57,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "7.3"
 phpTarGzUrl: https://www.php.net/distributions/php-7.3.33.tar.gz
 phpSha256Hash: 9a369c32c6f52036b0a890f290327f148a1904ee66aa56e2c9a7546da6525ec8
@@ -61,6 +69,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "7.4"
 phpTarGzUrl: https://www.php.net/distributions/php-7.4.33.tar.gz
 phpSha256Hash: 5a2337996f07c8a097e03d46263b5c98d2c8e355227756351421003bea8f463e
@@ -72,6 +81,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "8.0"
 phpTarGzUrl: https://www.php.net/distributions/php-8.0.30.tar.gz
 phpSha256Hash: 449d2048fcb20a314d8c218097c6d1047a9f1c5bb72aa54d5d3eba0a27a4c80c
@@ -83,6 +93,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "8.1"
 phpTarGzUrl: https://www.php.net/distributions/php-8.1.32.tar.gz
 phpSha256Hash: "4846836d1de27dbd28e89180f073531087029a77e98e8e019b7b2eddbdb1baff"
@@ -94,6 +105,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "8.2"
 phpTarGzUrl: https://www.php.net/distributions/php-8.2.31.tar.gz
 phpSha256Hash: "083c2f61cc5f527eb293c4c468a91af46a9678785957e023b2796a9db290d870"
@@ -105,6 +117,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "8.3"
 phpTarGzUrl: https://www.php.net/distributions/php-8.3.31.tar.gz
 phpSha256Hash: "4e7baaf0a690e954a20e7ced3dd633ce8cb8094e2b6b612a55e703ecbbdcbf4f"
@@ -116,6 +129,7 @@ services:
 dockerfile: php.Dockerfile
 x-bake: *bake
 args:
+ <<: *build-base
 phpVersion: "8.4"
 phpTarGzUrl: https://www.php.net/distributions/php-8.4.22.tar.gz
 phpSha256Hash: "a012c2c9724baf214a70b41b40a7e130906b8855e54268afa5bc4ae17bc9d823"
@@ -127,6 +141,7 @@ services: dockerfile: php.Dockerfile x-bake: *bake args: + <<: *build-base phpVersion: "8.5" phpTarGzUrl: https://www.php.net/distributions/php-8.5.7.tar.gz phpSha256Hash: "e5eba93fd6dd3241d0e61e932eb99a3783b40568553fb0e511b660ecd863a049" From 697bbea468d6315652921e2c5fec5b5693b1b898 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 17:09:45 +0200 Subject: [PATCH 19/21] ci: consume Windows CI images from the internal registry Now that the Windows build jobs push php-*_windows to registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci, point the tracer/package generators at the internal registry instead of the Docker Hub mirror, matching the Linux images. Re-applies what ce65269e7 reverted (the blocker - Windows not pushed to the internal registry - is fixed by this PR). The httpbin-windows and php-request-replayer-2.0-windows helper images stay on the mirror; they aren't built here. --- .gitlab/generate-package.php | 2 +- .gitlab/generate-tracer.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab/generate-package.php b/.gitlab/generate-package.php index fe641f9d2a0..eb72abe8f63 100644 --- a/.gitlab/generate-package.php +++ b/.gitlab/generate-package.php @@ -63,7 +63,7 @@ $windows_build_platforms = [ [ "triplet" => "x86_64-pc-windows-msvc", - "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_windows", + "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_windows", "arch" => "amd64", "host_os" => "windows-msvc", "targets" => [ diff --git a/.gitlab/generate-tracer.php b/.gitlab/generate-tracer.php index c6f1dd1175f..546e9aca22b 100644 --- a/.gitlab/generate-tracer.php +++ b/.gitlab/generate-tracer.php 
@@ -119,7 +119,7 @@ function before_script_steps($with_docker_auth = false) { variables: CONTAINER_NAME: $CI_JOB_NAME_SLUG GIT_STRATEGY: none - IMAGE: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_windows" + IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_windows" script: | From 0fb5a107f407cfdf133a8cfdb47856eeeb800454 Mon Sep 17 00:00:00 2001 From: Florian Engelhardt Date: Wed, 24 Jun 2026 19:58:04 +0200 Subject: [PATCH 20/21] ci: set AWS_REGION on Windows image build jobs The Windows shell runner uses the host docker config, whose ecr-login credsStore fails `list` with MissingRegion during the anonymous mcr.microsoft.com base-image pull. Give the helper a region so it stops erroring, leaving the rest of the host config (incl. ambient registry.ddbuild.io auth) untouched. --- .gitlab/generate-ci-images.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab/generate-ci-images.php b/.gitlab/generate-ci-images.php index 6cd40698077..9a718dcfa51 100644 --- a/.gitlab/generate-ci-images.php +++ b/.gitlab/generate-ci-images.php @@ -148,6 +148,12 @@ function parse_compose(string $path, array $env): array variables: DDCI_CONFIGURE_OTEL_EXPORTER: "true" GIT_STRATEGY: none + # The host docker config uses the ecr-login credsStore; its `list` errors + # with MissingRegion (e.g. on the anonymous mcr.microsoft.com base pull). + # Give the helper a region so it stops failing; leaves the rest of the + # host config (and its ambient registry.ddbuild.io auth) untouched. + AWS_REGION: "us-east-1" + AWS_DEFAULT_REGION: "us-east-1" script: | # Kill leftover containers; a previous run may still hold php_ddtrace.dll open. $containers = docker ps -aq 2>$null From 68c282acd04bd6c73a5ff9506fa6da95c8ce5eee Mon Sep 17 00:00:00 2001 
From: Florian Engelhardt Date: Wed, 24 Jun 2026 20:15:09 +0200 Subject: [PATCH 21/21] ci: use CI Identities for Windows internal-registry push; keep consuming from mirror The Windows shell runners have no working registry.ddbuild.io creds (host docker config only has the ECR cred helper, which fails with NoCredentialProviders). Drop the dead-end AWS_REGION workaround and add the CI Identities id_tokens to the Windows build jobs, the supported auth for non-K8s runners (onboarding pending, #ci-identities). The assume-role + docker-config script wiring is deferred until it can be verified post-onboarding. Windows jobs are all manual, so they don't block the pipeline. Until internal Windows images exist, revert the tracer/package generators to consume Windows images from the Docker Hub mirror (ce65269e7 state) to avoid 404s. --- .gitlab/generate-ci-images.php | 11 ++++------- .gitlab/generate-package.php | 2 +- .gitlab/generate-tracer.php | 2 +- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/.gitlab/generate-ci-images.php b/.gitlab/generate-ci-images.php index 9a718dcfa51..bf65ad017a8 100644 --- a/.gitlab/generate-ci-images.php +++ b/.gitlab/generate-ci-images.php @@ -143,17 +143,14 @@ function parse_compose(string $path, array $env): array - when: manual allow_failure: true needs: [] - tags: ["windows-v2:2019"] timeout: 6h + tags: ["windows-v2:2019"] + id_tokens: + CI_IDENTITIES_GITLAB_ID_TOKEN: + aud: ci-identities variables: DDCI_CONFIGURE_OTEL_EXPORTER: "true" GIT_STRATEGY: none - # The host docker config uses the ecr-login credsStore; its `list` errors - # with MissingRegion (e.g. on the anonymous mcr.microsoft.com base pull). - # Give the helper a region so it stops failing; leaves the rest of the - # host config (and its ambient registry.ddbuild.io auth) untouched. - AWS_REGION: "us-east-1" - AWS_DEFAULT_REGION: "us-east-1" script: | # Kill leftover containers; a previous run may still hold php_ddtrace.dll open. $containers = docker ps -aq 2>$null 
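Review bot: The added `id_tokens:` block makes GitLab issue a `CI_IDENTITIES_GITLAB_ID_TOKEN` to every Windows image build job, but nothing in the visible `script:` consumes it yet, and the commit message says the assume-role wiring is deferred. These jobs run on the Windows shell runners (`tags: ["windows-v2:2019"]`) and execute image builds, so an unused identity token sits in the job environment; I would hold the block back until the step that exchanges it lands, or add a comment above it such as `# consumed by the CI Identities assume-role step (not wired yet); role trust must be limited to this project and protected refs`. Because the job rule is `when: manual`, which refs can start the job and which claims the identity policy accepts decide who can obtain registry push rights, and neither is visible here. The enclosing job template (presumably `.windows_image_build`) starts and ends outside this hunk.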
diff --git a/.gitlab/generate-package.php b/.gitlab/generate-package.php index eb72abe8f63..fe641f9d2a0 100644 --- a/.gitlab/generate-package.php +++ b/.gitlab/generate-package.php @@ -63,7 +63,7 @@ $windows_build_platforms = [ [ "triplet" => "x86_64-pc-windows-msvc", - "image_template" => "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-%s_windows", + "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_windows", "arch" => "amd64", "host_os" => "windows-msvc", "targets" => [ diff --git a/.gitlab/generate-tracer.php b/.gitlab/generate-tracer.php index 546e9aca22b..c6f1dd1175f 100644 --- a/.gitlab/generate-tracer.php +++ b/.gitlab/generate-tracer.php @@ -119,7 +119,7 @@ function before_script_steps($with_docker_auth = false) { variables: CONTAINER_NAME: $CI_JOB_NAME_SLUG GIT_STRATEGY: none - IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_windows" + IMAGE: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_windows" script: |