# Pipeline-wide default image for jobs that do not set `image:` themselves.
# NOTE(review): `alpine` carries no tag or digest, so it resolves to whatever
# the registry currently serves as the default tag. Pin it to a fixed tag or
# an `@sha256:` digest so job environments are reproducible and an upstream
# image change cannot enter the pipeline unnoticed.
image: alpine
# Pipeline-level variables. They are visible to every job and, like any
# pipeline variable, can be overridden by whoever runs or triggers a pipeline
# with variables. Several of them select container images and a dependency
# proxy, so they should be treated as security-relevant inputs.
variables:
  REGISTRY: registry.ddbuild.io
  # NOTE(review): `:latest` is a mutable tag, unlike the versioned tag used for
  # DD_OCTO_STS_IMAGE below; consider pinning to a version tag or digest.
  PREPARE_IMAGE: registry.ddbuild.io/images/benchmarking-platform-tools-ubuntu:latest
  # Image with dd-octo-sts for GitHub token exchange (check-image-updates, rebuild-images-pr)
  DD_OCTO_STS_IMAGE: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1
  # The value/description form pre-fills these two in the "Run pipeline" UI.
  FORCE_BUILD:
    value: ""
    description: "Force build even if no new commits (any non-empty value)"
  RUN_RELIABILITY:
    value: "false"
    description: "Run reliability and chaos tests. Set automatically when the test:reliability label is on the PR."
  # Exported to Gradle by default.before_script; dependency resolution is
  # presumably routed through this URL, so an override changes where build
  # dependencies come from.
  MAVEN_REPOSITORY_PROXY: "https://depot-read-api-java.us1.ddbuild.io/magicmirror/magicmirror/@current/"
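# Defaults inherited by every job that does not override the key.
default:
  tags: ["arch:amd64"]
  # Running jobs may be cancelled when a newer pipeline supersedes this one.
  interruptible: true
  before_script:
    # before_script runs in the same shell as `script`, so `exit 0` here ends
    # the job successfully before any script line runs. CANCELLED is not set in
    # this file; presumably it arrives from an earlier job's dotenv artifact.
    - '[ "${CANCELLED:-}" != "true" ] || { echo "No PR for this branch — skipping job"; exit 0; }'
    # Quoted so the value is passed to Gradle as one word even in shells that
    # apply word splitting and globbing to `export` arguments; the variable can
    # be overridden at pipeline-run time, so its content is not fixed.
    - export ORG_GRADLE_PROJECT_mavenRepositoryProxy="${MAVEN_REPOSITORY_PROXY}"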
# Stage order for the pipeline; jobs in a stage start after the previous stage
# finishes unless a job declares `needs:`. Signing-key generation has its own
# stage, kept apart from build and deploy.
stages:
  - images
  - generate-signing-key
  - prepare
  - sanitizer
  - build
  - stresstest
  - deploy
  - integration-test
  - reliability
  - benchmarks
  - post-benchmarks
  - fuzz
  - notify
# Detects newer images in registry and creates GitHub PR with updates
#
# Runs automatically on schedules that set CHECK_IMAGE_UPDATES=true and is
# offered as a manual job on pipelines started from the web UI.
# NOTE(review): the web rule carries no branch condition, so the job, and the
# ID token it requests, is available on any ref a web pipeline is started for.
# Confirm the dd-octo-sts trust policy restricts which refs/claims may exchange
# the token for GitHub write access.
check-image-updates:
  stage: images
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule" && $CHECK_IMAGE_UPDATES == "true"'
      when: always
    - if: '$CI_PIPELINE_SOURCE == "web"'
      when: manual
      # NOTE(review): read as belonging to the manual rule only (non-blocking
      # manual job); verify the nesting against the committed file.
      allow_failure: true
  # .bootstrap-gh-tools is not defined in this file; presumably it comes from
  # one of the `include:` entries.
  extends: .bootstrap-gh-tools
  tags: ["arch:arm64"]
  image: ${DD_OCTO_STS_IMAGE}
  # GitLab issues a job-scoped OIDC ID token with audience `dd-octo-sts` and
  # exposes it as $DDOCTOSTS_ID_TOKEN. No long-lived GitHub credential is
  # referenced in this job.
  id_tokens:
    DDOCTOSTS_ID_TOKEN:
      aud: dd-octo-sts
  script:
    # Script entries run in one shell, so these options apply to all lines below.
    - set -euo pipefail
    - echo "Checking for image updates..."
    - .gitlab/scripts/check-image-updates.sh > updates.json
    - |
      update_count=$(jq 'length' updates.json)
      echo "Found ${update_count} update(s)"
      if [ "$update_count" -gt 0 ]; then
        echo "Updates available:"
        jq . updates.json
        .gitlab/scripts/create-image-update-pr.sh updates.json
      else
        echo "All images are up to date"
      fi
  # updates.json is kept even when the job fails and is also printed to the job
  # log; it should contain image references only, never tokens — TODO confirm
  # against check-image-updates.sh.
  artifacts:
    when: always
    paths:
      - updates.json
    expire_in: 7 days
# Manual job that rebuilds CI images through .gitlab/scripts/rebuild-images.sh
# and publishes updates.json for rebuild-images-pr. It is never created on tag
# or scheduled pipelines.
# NOTE(review): the manual rule is not limited to a branch, so the job is
# offered on every other pipeline. Because it requests an `image-integrity`
# token (presumably used to sign the rebuilt images), confirm who is allowed to
# start it, for example by restricting it to protected refs.
rebuild-images:
  stage: images
  rules:
    - if: '$CI_COMMIT_TAG'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    - when: manual
      # NOTE(review): read as part of the manual rule; verify the nesting
      # against the committed file.
      allow_failure: true
  tags: ["arch:amd64"]
  variables:
    # Read by the rebuild script; can be set when the manual job is started, so
    # the script should treat it as caller-supplied input.
    REBUILD_IMAGES: "" # comma/space-separated short names, or empty = all
  # DOCKER_IMAGE is not defined in this file; presumably it comes from an include.
  image: ${DOCKER_IMAGE}
  # Job-scoped OIDC ID token with audience `image-integrity`, exposed as
  # $DDSIGN_ID_TOKEN.
  id_tokens:
    DDSIGN_ID_TOKEN:
      aud: image-integrity
  script:
    - set -euo pipefail
    - .gitlab/scripts/rebuild-images.sh
  artifacts:
    when: always
    paths:
      - updates.json
    expire_in: 1 day
# Opens the GitHub PR for images rebuilt by rebuild-images. It runs once that
# job has succeeded and consumes its updates.json artifact.
# The artifact is the only input to create-image-update-pr.sh here, so that
# script should validate its contents before writing them into a PR.
rebuild-images-pr:
  stage: images
  rules:
    - if: '$CI_COMMIT_TAG'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    - when: on_success
  needs:
    - job: rebuild-images
      artifacts: true
  # .bootstrap-gh-tools is not defined in this file; presumably from an include.
  extends: .bootstrap-gh-tools
  tags: ["arch:arm64"]
  image: ${DD_OCTO_STS_IMAGE}
  # Same token exchange as check-image-updates: a job-scoped OIDC ID token with
  # audience `dd-octo-sts`, exposed as $DDOCTOSTS_ID_TOKEN.
  id_tokens:
    DDOCTOSTS_ID_TOKEN:
      aud: dd-octo-sts
  script:
    - set -euo pipefail
    - .gitlab/scripts/create-image-update-pr.sh updates.json
# Manual job that generates a GPG signing key by running /create.sh from the
# key-management image. Only the `pubkeys` directory is kept as an artifact.
# NOTE(review): no `rules:` limit the ref, so the job is offered on every
# pipeline. Since it creates signing material, overrides the Kubernetes service
# account and exports to a keyserver, consider restricting it to protected refs
# and confirm who may start manual jobs.
create_key:
  stage: generate-signing-key
  when: manual
  # Empty needs: the job can start at once without waiting for earlier stages.
  needs: []
  tags: ["arch:amd64"]
  variables:
    PROJECT_NAME: "java-profiler"
    EXPORT_TO_KEYSERVER: "true"
    # Asks the Kubernetes runner to run the job pod under this service account
    # (honoured only if the runner configuration allows the override).
    KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: java-profiler
  # NOTE(review): `:1` looks like a floating major tag; the job's behaviour is
  # defined entirely by /create.sh inside this image, so pinning a digest would
  # make key generation auditable — confirm with the image owners.
  image: $REGISTRY/ci/agent-key-management-tools/gpg:1
  script:
    - /create.sh
  artifacts:
    expire_in: 13 mos
    paths:
      - pubkeys
# Shared version detection used by benchmarks and reliability pipelines
#
# The job body comes from the .get-versions template, which is not defined in
# this file (presumably from an include). It is ordered after prepare:start but
# does not download that job's artifacts.
get-versions:
  extends: .get-versions
  needs:
    - job: prepare:start
      artifacts: false
# Triggered externally from async-profiler-build with JDK build parameters;
# kept as a child pipeline because it is mutually exclusive with the main build
#
# Rules are evaluated in order:
#   1. skip unless JDK_VERSION, DEBUG_LEVEL, HASH and DOWNSTREAM are all set;
#   2. run for trigger / pipeline / web sources, failure blocks the pipeline;
#   3. catch-all: run for any other source as well.
# NOTE(review): because of rule 3, the pipeline source does not gate this job
# once the four variables are present. If only external triggers are meant to
# start it, the catch-all should be `when: never` — confirm intent.
jdk-integration-test:
  stage: build
  rules:
    - if: '$JDK_VERSION == null || $DEBUG_LEVEL == null || $HASH == null || $DOWNSTREAM == null'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "trigger" || $CI_PIPELINE_SOURCE == "pipeline" || $CI_PIPELINE_SOURCE == "web"'
      when: always
      allow_failure: false
    - when: always
  trigger:
    include: .gitlab/jdk-integration/.gitlab-ci.yml
    # The parent job mirrors the child pipeline's final status.
    strategy: depend
    # Variables supplied by the triggering pipeline or the web form are passed
    # into the child pipeline unchanged. Child scripts should treat JDK_VERSION,
    # DEBUG_LEVEL, HASH and DOWNSTREAM as caller-controlled input: quote them
    # and validate their format before use.
    forward:
      pipeline_variables: true
# Generates a child pipeline YAML for reliability/chaos tests when the PR
# carries the test:reliability label (RUN_RELIABILITY=true in build.env).
#
# The job writes generated-reliability.yml, which run-reliability-tests then
# executes as a child pipeline. The file is either a verbatim copy of
# .gitlab/reliability/pr-child.gitlab-ci.yml or the inline no-op below, so the
# generated pipeline contains only repository-controlled text. The heredoc
# delimiter is quoted ('NOOP'), so the shell expands nothing inside it.
# NOTE(review): the no-op hard-codes the same `:latest` image that
# PREPARE_IMAGE names; the two must be kept in sync, and both would benefit
# from a pinned tag or digest.
generate-reliability-child-pipeline:
  stage: reliability
  tags: ["arch:amd64"]
  image: $PREPARE_IMAGE
  needs:
    - job: prepare:start
      artifacts: true
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    # Skipped whenever any JDK-integration parameter is set (see
    # jdk-integration-test).
    - if: '$JDK_VERSION != null || $DEBUG_LEVEL != null || $HASH != null || $DOWNSTREAM != null'
      when: never
    - when: on_success
  script:
    - |
      if [ "${RUN_RELIABILITY:-}" = "true" ]; then
        echo "Label test:reliability detected — enabling reliability child pipeline"
        cp .gitlab/reliability/pr-child.gitlab-ci.yml generated-reliability.yml
      else
        cat > generated-reliability.yml << 'NOOP'
      skip-reliability:
        image: registry.ddbuild.io/images/benchmarking-platform-tools-ubuntu:latest
        tags: ["arch:amd64"]
        script:
          - echo "Label test:reliability not set — skipping"
        rules:
          - when: always
      NOOP
      fi
  artifacts:
    paths:
      - generated-reliability.yml
    expire_in: 1 day
# Runs the child pipeline produced by generate-reliability-child-pipeline.
# The pipeline definition is read from a job artifact, so whatever writes
# generated-reliability.yml decides what executes here. Keep that generator
# limited to repository-controlled content.
run-reliability-tests:
  stage: reliability
  # Re-declared so the values reach the child pipeline; they are not set in this
  # file (presumably they come from prepare:start's dotenv artifact).
  variables:
    DDPROF_COMMIT_BRANCH: "$DDPROF_COMMIT_BRANCH"
    DDPROF_COMMIT_SHA: "$DDPROF_COMMIT_SHA"
  needs:
    - job: generate-reliability-child-pipeline
      artifacts: true
    - job: prepare:start
      artifacts: true
    # Reliability/chaos tests download com.datadoghq:ddprof:<branch>-SNAPSHOT from
    # Maven snapshots; that artifact is published by deploy-artifact. Without this
    # gate the child pipeline can start before the snapshot exists (cold branch) or
    # download a stale snapshot from a previous push. optional: true so release
    # branches, where deploy-artifact never runs, stay satisfiable.
    - job: deploy-artifact
      artifacts: false
      optional: true
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    # Same exclusion as the generator job: not created for JDK-integration runs.
    - if: '$JDK_VERSION != null || $DEBUG_LEVEL != null || $HASH != null || $DOWNSTREAM != null'
      when: never
    - when: on_success
  trigger:
    include:
      - artifact: generated-reliability.yml
        job: generate-reliability-child-pipeline
    # The parent job mirrors the child pipeline's final status.
    strategy: depend
    # Run-time pipeline variables are forwarded unchanged; child jobs should
    # treat them as caller-supplied input.
    forward:
      pipeline_variables: true
# All includes are `local:`, so they resolve from this repository at the same
# ref as this file; nothing is pulled from other projects or remote URLs.
# Templates and jobs referenced above but not defined in this file
# (.bootstrap-gh-tools, .get-versions, prepare:start, deploy-artifact)
# presumably live in these files.
include:
  - local: .gitlab/common.yml
  - local: .adms/python/gitlab.yaml
  - local: .gitlab/benchmarks/images.yml
  - local: .gitlab/build-deploy/images.yml
  - local: .gitlab/build-deploy/.gitlab-ci.yml
  - local: .gitlab/benchmarks/.gitlab-ci.yml
  - local: .gitlab/reliability/.gitlab-ci.yml
  - local: .gitlab/dd-trace-integration/.gitlab-ci.yml
  - local: .gitlab/sanitizer-tests/.gitlab-ci.yml
  - local: .gitlab/fuzzing/.gitlab-ci.yml