fix(ci): authenticate submodule clone in macrobenchmarks build-nginx-module#382
Merged
Conversation
…module The macrobenchmarks child pipeline's build-nginx-module job ran `git submodule update --init --recursive` directly in its script with no auth setup, which worked while only public GitHub submodules (dd-trace-cpp, libddwaf) existed but started failing on master once the private deps/inject-browser-sdk submodule was added. Include common.yml and extend .git-config so the runner clones submodules itself with GIT_SUBMODULE_STRATEGY=recursive, picking up the same-instance JOB-TOKEN auth and the github.com → gitlab insteadOf rewrite already used by build-nginx-fast/all.
There was a problem hiding this comment.
Pull request overview
Fixes the nightly macrobenchmarks pipeline failure introduced by the new private deps/inject-browser-sdk submodule by ensuring submodules are cloned by the GitLab runner with proper CI_JOB_TOKEN authentication (instead of an unauthenticated manual git submodule update in the job script).
Changes:
- Include
.gitlab/common.ymlfrom the macrobenchmarks pipeline so shared Git/submodule settings are available. - Make
build-nginx-moduleextend.git-configto enable runner-managed recursive submodule cloning with auth. - Remove the manual
git submodule sync && git submodule update --init --recursivestep (now redundant and previously unauthenticated).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
🎉 All green!❄️ No new flaky tests detected 🎯 Code Coverage (details) 🔗 Commit SHA: 68580dc | Docs | Datadog PR Page | Give us feedback! |
xlamorlette-datadog
approved these changes
May 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
build-nginx-modulejob has been failing on master since Use stable config for RUM snippet creation #331 (May 6) added the privatedeps/inject-browser-sdksubmodule. Its script rangit submodule update --init --recursivewith no auth, so the clone ofhttps://gitlab.ddbuild.io/DataDog/inject-browser-sdkdied withcould not read Username for 'https://gitlab.ddbuild.io'.build-nginx-fast,build-nginx-all) don't fail because they extend.git-configin.gitlab/common.yml, which setsGIT_SUBMODULE_STRATEGY=recursive— the runner then performs the submodule clone itself and injectshttp.extraheaderJOB-TOKENauth for same-instance GitLab submodules.common.ymlfrombenchmarks.yml, extends.git-configonbuild-nginx-module, and drops the now-redundant manualgit submodule sync && git submodule update --init --recursiveline.Example failing job: https://gitlab.ddbuild.io/DataDog/apm-reliability/nginx-datadog/-/jobs/1690207190
IDMPL-451 Nginx: master CI: build-nginx-module broken.
Test plan
build-nginx-moduleto success (submodule clones, includingdeps/inject-browser-sdk, complete with auth).build-nginx-fastand the rest ofbuild-and-test-faststill pass (no regressions from the newinclude).