From 0a31318150b96ff7ee4483e788a81705b8d0337b Mon Sep 17 00:00:00 2001 From: Gyuheon Oh Date: Thu, 23 Apr 2026 09:40:29 -0400 Subject: [PATCH 1/4] Make one call to app key enabled policy --- .gitlab-ci.yml | 4 ++-- .gitlab/release.yml | 10 +++------- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9adea2b5882..9117d6c0e4a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -629,5 +629,5 @@ test-dd-sts: aud: rapid-seceng-sit script: - apt-get update && apt-get install -y curl - - 'curl -s -o /dev/null -w "API key request http status code: %{http_code}\n" -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab"' - - 'curl -s -o /dev/null -w "APP key request http status code: %{http_code}\n" -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab-app-key"' + - 'echo "API key policy response code: $(curl -s -o /dev/null -w %{http_code} -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab)"' + - 'echo "APP key policy response code: $(curl -s -o /dev/null -w %{http_code} -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab-app-key)"' diff --git a/.gitlab/release.yml b/.gitlab/release.yml index 9ef3d1a0f0a..c71f1d227b4 100644 --- a/.gitlab/release.yml +++ b/.gitlab/release.yml 
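Review bot: Wrapping each curl in `echo "... $(curl ...)"` on the two added `test-dd-sts` script lines makes the step's exit status that of `echo`, so a DNS, TLS or connection failure in curl no longer fails the job and only shows up as `000` in the log. The URL is also left unquoted inside the substitution, where `?` is a shell glob character; keep it double-quoted as on the removed lines. If the job is meant to prove that both policies accept the token, let curl's own exit status decide, e.g. `curl -sS --fail -o /dev/null -w "API key policy response code: %{http_code}\n" ...`.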
@@ -55,15 +55,11 @@ notify_datadog_release: before_script: - apt-get update && apt-get install --no-install-recommends -y curl jq - >- - DD_STS_API_KEY=$(curl -sS - -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" - "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab") - - >- - DD_STS_APP_KEY=$(curl -sS + DD_STS_RESPONSE=$(curl -sS -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab-app-key") - - export DD_API_KEY=$(echo "$DD_STS_API_KEY" | jq -re '.api_key') - - export DD_APP_KEY=$(echo "$DD_STS_APP_KEY" | jq -re '.application_key') + - export DD_API_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.api_key') + - export DD_APP_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.application_key') script: - | echo "Tag: ${CI_COMMIT_TAG} -> Commit SHA: ${CI_COMMIT_SHA}" From 2794c56715a1bbafb16860a44ef9e928c9b25f0f Mon Sep 17 00:00:00 2001 From: Gyuheon Oh Date: Thu, 23 Apr 2026 14:01:33 -0400 Subject: [PATCH 2/4] Manual verif job --- .gitlab/release.yml | 41 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 5 deletions(-) diff --git a/.gitlab/release.yml b/.gitlab/release.yml index c71f1d227b4..1f71730bc49 100644 --- a/.gitlab/release.yml +++ b/.gitlab/release.yml 
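Review bot: The `export DD_API_KEY=$(...)` and `export DD_APP_KEY=$(...)` lines discard the exit status of `jq -re`, because `export` itself returns 0. If the exchange returns an error body, or the `dd-trace-py-gitlab-app-key` response lacks `.api_key`, the variable ends up as the literal `null` and the job carries on to the POST. Assign first and export afterwards so the failure reaches the shell's error handling: `DD_API_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.api_key')` followed by `export DD_API_KEY`, and the same for `DD_APP_KEY`. Adding `--fail` to the `curl -sS` call would also keep a non-2xx exchange from being parsed as a credential response. Whether the app-key policy really returns both keys is not visible in this diff and is worth confirming against the policy definition.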
@@ -43,10 +43,37 @@ release_pypi_prod: variables: PYPI_REPOSITORY: pypi +# notify_datadog_release: +# extends: .release_base +# needs: [ "ddtrace package", "release_pypi_prod" ] +# image: ${PYPI_PUBLISH_IMAGE} +# id_tokens: +# DD_STS_OIDC_TOKEN: +# aud: rapid-seceng-sit +# tags: [ "arch:amd64" ] +# before_script: +# - apt-get update && apt-get install --no-install-recommends -y curl jq +# - >- +# DD_STS_RESPONSE=$(curl -sS +# -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" +# "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab-app-key") +# - export DD_API_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.api_key') +# - export DD_APP_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.application_key') +# script: +# - | +# echo "Tag: ${CI_COMMIT_TAG} -> Commit SHA: ${CI_COMMIT_SHA}" +# curl --retry 3 --retry-delay 2 --fail -X POST \ +# -H "Content-Type: application/json" \ +# -H "DD-API-KEY: ${DD_API_KEY}" \ +# -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ +# -d "{\"meta\": {\"payload\": {\"version\": \"${CI_COMMIT_TAG}\", \"git_commit_sha\": \"${CI_COMMIT_SHA}\"}}}" \ +# https://api.datadoghq.com/api/v2/workflows/dd0d5405-b38c-4f4f-8f4c-c0cd4a65d4d6/instances + notify_datadog_release: - extends: .release_base + stage: release + when: manual allow_failure: true - needs: [ "ddtrace package", "release_pypi_prod" ] + needs: [] image: ${PYPI_PUBLISH_IMAGE} id_tokens: DD_STS_OIDC_TOKEN: 
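Review bot: Replacing `extends: .release_base` with `stage: release`, `when: manual` and `needs: []` on the live `notify_datadog_release` job drops whatever `rules:` the base template carries (the template is not visible in this hunk). The job that exchanges `DD_STS_OIDC_TOKEN` for Datadog API and application keys may therefore become runnable by hand on any pipeline rather than only on release tags. For a manual dry run, keep the base template and add `when: manual`, or give the job an explicit `rules:` entry limited to protected refs. The commented-out copy of the old job is better left to version control than kept in the file. The job's body continues past the end of this hunk.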
@@ -60,12 +87,16 @@ notify_datadog_release: "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab-app-key") - export DD_API_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.api_key') - export DD_APP_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.application_key') + - '[ -n "$DD_API_KEY" ] && echo "DD_API_KEY is set (${#DD_API_KEY} chars)" || echo "DD_API_KEY is EMPTY"' + - '[ -n "$DD_APP_KEY" ] && echo "DD_APP_KEY is set (${#DD_APP_KEY} chars)" || echo "DD_APP_KEY is EMPTY"' script: - | - echo "Tag: ${CI_COMMIT_TAG} -> Commit SHA: ${CI_COMMIT_SHA}" - curl --retry 3 --retry-delay 2 --fail -X POST \ + echo "Testing workflow API with hardcoded values..." + PAYLOAD='{"version": "v0.0.0-dry-run", "git_commit_sha": "0000000000000000000000000000000000000000"}' + BODY=$(jq -n --arg input "$PAYLOAD" '{"meta": {"payload": {"input": $input}}}') + curl --retry 3 --retry-delay 2 -w "\nHTTP status: %{http_code}\n" -X POST \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ - -d "{\"meta\": {\"payload\": {\"version\": \"${CI_COMMIT_TAG}\", \"git_commit_sha\": \"${CI_COMMIT_SHA}\"}}}" \ + -d "$BODY" \ https://api.datadoghq.com/api/v2/workflows/dd0d5405-b38c-4f4f-8f4c-c0cd4a65d4d6/instances From 56ef8257a600ef3e984fd7ff043d090002ce5719 Mon Sep 17 00:00:00 2001 From: Gyuheon Oh Date: Thu, 23 Apr 2026 17:40:55 -0400 Subject: [PATCH 3/4] Payload needs to be on one 'input' string --- .gitlab-ci.yml | 4 ++-- .gitlab/release.yml | 40 ++++++---------------------------------- 2 files changed, 8 insertions(+), 36 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9117d6c0e4a..9adea2b5882 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
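Review bot: The two added `[ -n "$DD_API_KEY" ] && echo ... || echo "... is EMPTY"` lines in `before_script` always exit 0, so an empty key is only logged and the POST still runs. They also pass when `jq` produced the literal string `null`, and they write the key lengths into the job log. A check that stops the job and reveals nothing about the secret would be `[ -n "$DD_API_KEY" ] || { echo "DD_API_KEY is EMPTY"; exit 1; }`. Dropping `--fail` from the curl call in `script` also means a 4xx/5xx from the workflow endpoint no longer fails the job, and the response body is now printed to the log. The job starts before this hunk.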
@@ -629,5 +629,5 @@ test-dd-sts: aud: rapid-seceng-sit script: - apt-get update && apt-get install -y curl - - 'echo "API key policy response code: $(curl -s -o /dev/null -w %{http_code} -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab)"' - - 'echo "APP key policy response code: $(curl -s -o /dev/null -w %{http_code} -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab-app-key)"' + - 'curl -s -o /dev/null -w "API key request http status code: %{http_code}\n" -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab"' + - 'curl -s -o /dev/null -w "APP key request http status code: %{http_code}\n" -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab-app-key"' diff --git a/.gitlab/release.yml b/.gitlab/release.yml index 1f71730bc49..0a6fb82a2b2 100644 --- a/.gitlab/release.yml +++ b/.gitlab/release.yml 
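Review bot: The restored `test-dd-sts` lines print the HTTP status but never act on it. Without `--fail`, a 401 or 403 from the exchange endpoint still leaves the job green, and `-s` without `-S` hides curl's own error message on a connection failure. Since the job exists to check that the OIDC token is accepted by both policies, consider `curl -sS --fail -o /dev/null -w "API key request http status code: %{http_code}\n" ...` on both lines so that a rejected token fails the pipeline.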
@@ -43,37 +43,10 @@ release_pypi_prod: variables: PYPI_REPOSITORY: pypi -# notify_datadog_release: -# extends: .release_base -# needs: [ "ddtrace package", "release_pypi_prod" ] -# image: ${PYPI_PUBLISH_IMAGE} -# id_tokens: -# DD_STS_OIDC_TOKEN: -# aud: rapid-seceng-sit -# tags: [ "arch:amd64" ] -# before_script: -# - apt-get update && apt-get install --no-install-recommends -y curl jq -# - >- -# DD_STS_RESPONSE=$(curl -sS -# -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" -# "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab-app-key") -# - export DD_API_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.api_key') -# - export DD_APP_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.application_key') -# script: -# - | -# echo "Tag: ${CI_COMMIT_TAG} -> Commit SHA: ${CI_COMMIT_SHA}" -# curl --retry 3 --retry-delay 2 --fail -X POST \ -# -H "Content-Type: application/json" \ -# -H "DD-API-KEY: ${DD_API_KEY}" \ -# -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -# -d "{\"meta\": {\"payload\": {\"version\": \"${CI_COMMIT_TAG}\", \"git_commit_sha\": \"${CI_COMMIT_SHA}\"}}}" \ -# https://api.datadoghq.com/api/v2/workflows/dd0d5405-b38c-4f4f-8f4c-c0cd4a65d4d6/instances - notify_datadog_release: - stage: release - when: manual + extends: .release_base allow_failure: true - needs: [] + needs: [ "ddtrace package", "release_pypi_prod" ] image: ${PYPI_PUBLISH_IMAGE} id_tokens: DD_STS_OIDC_TOKEN: 
@@ -87,14 +60,13 @@ notify_datadog_release: "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=dd-trace-py-gitlab-app-key") - export DD_API_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.api_key') - export DD_APP_KEY=$(echo "$DD_STS_RESPONSE" | jq -re '.application_key') - - '[ -n "$DD_API_KEY" ] && echo "DD_API_KEY is set (${#DD_API_KEY} chars)" || echo "DD_API_KEY is EMPTY"' - - '[ -n "$DD_APP_KEY" ] && echo "DD_APP_KEY is set (${#DD_APP_KEY} chars)" || echo "DD_APP_KEY is EMPTY"' script: + - sleep 3 - | - echo "Testing workflow API with hardcoded values..." - PAYLOAD='{"version": "v0.0.0-dry-run", "git_commit_sha": "0000000000000000000000000000000000000000"}' + echo "Tag: ${CI_COMMIT_TAG} -> Commit SHA: ${CI_COMMIT_SHA}" + PAYLOAD="{\"version\": \"${CI_COMMIT_TAG}\", \"git_commit_sha\": \"${CI_COMMIT_SHA}\"}" BODY=$(jq -n --arg input "$PAYLOAD" '{"meta": {"payload": {"input": $input}}}') - curl --retry 3 --retry-delay 2 -w "\nHTTP status: %{http_code}\n" -X POST \ + curl --retry 3 --retry-delay 2 --fail -X POST \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ From 4f4c220d100e3db73f3bf61f19d5ee4db7198146 Mon Sep 17 00:00:00 2001 From: Gyuheon Oh Date: Mon, 27 Apr 2026 16:12:27 -0400 Subject: [PATCH 4/4] Trigger CI
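Review bot: `PAYLOAD` in the `script` block is built by pasting `${CI_COMMIT_TAG}` and `${CI_COMMIT_SHA}` into a hand-escaped JSON string, so a tag name containing a double quote would yield malformed JSON or extra fields in the `input` string sent to the workflow. `jq` is already used on the next line and can do the quoting: `PAYLOAD=$(jq -cn --arg version "$CI_COMMIT_TAG" --arg sha "$CI_COMMIT_SHA" '{version: $version, git_commit_sha: $sha}')`. The added `- sleep 3` has no stated reason; a comment such as `# wait for <reason> before notifying` would tell the next maintainer whether it can be removed. The job starts before this hunk.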