Replaces the 25-line trigger stub (.gitlab-ci.yml) with a full
self-contained pipeline. CI now runs from within the repo — GitLab's
standard checkout eliminates the need to clone java-profiler separately.
Key changes:
- Root .gitlab-ci.yml: full pipeline (build, test, deploy, benchmarks,
reliability, jdk-integration, dd-trace-integration, image management)
- .gitlab/scripts/: adapted build/deploy/prepare/stresstests scripts;
removed git clone, cd java-profiler, capture/restore_git_ref
- .gitlab/common.yml: cache key no longer has java-profiler/ prefix
- .gitlab/build-deploy/: artifact paths drop java-profiler/ prefix;
upload-s3 uses CI_COMMIT_BRANCH instead of DDPROF_COMMIT_BRANCH
- .gitlab/{benchmarks,reliability,jdk-integration,dd-trace-integration}/:
sub-pipeline configs adapted for in-repo execution
- gitlab/: Dockerfiles, config.env, test-apps (formerly ci/)
- doc/: octo-sts policy documentation
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
**/build-*/ pattern was silently excluding .gitlab/build-deploy/. Add gitignore exception !.gitlab/build-deploy/ to prevent this.
Also: dd_crash_uploader.sh is auto-generated at JVM startup (not a static file to copy).
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…line)
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
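The .gitignore behaviour described in the commit above can be reproduced in a throwaway repository. This is an added example, not part of the PR; the file names `upload.yml` and `build-debug/out.o` are hypothetical, and only the two patterns come from the commit message.

```shell
#!/bin/sh
# Added demo (constructed repo in a temp dir). upload.yml and build-debug/out.o
# are hypothetical file names; the two patterns are the ones from the commit.

# is_tracked <gitignore-body> <path>: prints "tracked" or "ignored" depending on
# whether <path> ends up in the index after `git add -A`.
is_tracked() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q . || exit 1
        mkdir -p .gitlab/build-deploy build-debug
        echo 'stages: [build]' > .gitlab/build-deploy/upload.yml
        echo 'compiled output' > build-debug/out.o
        printf '%s\n' "$1" > .gitignore
        git add -A || exit 1
        if git ls-files --error-unmatch -- "$2" >/dev/null 2>&1; then
            echo tracked
        else
            echo ignored
        fi
    )
    rc=$?
    rm -rf "$repo"
    return "$rc"
}

BEFORE='**/build-*/'
AFTER='**/build-*/
!.gitlab/build-deploy/'
CI_FILE=.gitlab/build-deploy/upload.yml

echo "pattern only:   CI config    $(is_tracked "$BEFORE" "$CI_FILE")"
echo "with exception: CI config    $(is_tracked "$AFTER" "$CI_FILE")"
echo "with exception: build output $(is_tracked "$AFTER" build-debug/out.o)"
```

The exception must come after the broad pattern, because the last matching line in .gitignore decides the outcome.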
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- create-image-update-pr.sh: GITHUB_REPO + OCTO_STS_SCOPE -> DataDog/java-profiler
- check-image-updates.sh: GITLAB_PROJECT_PATH -> DataDog/java-profiler
- rebuild-images.sh: Dockerfile paths ci/ -> gitlab/
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- gh-pages.sts.yaml: allows CI to push gh-pages reports
- update-images.sts.yaml: allows CI to create image update PRs
- async-profiler-build.ci.sts.yaml: update subject_pattern from apm-reliability/async-profiler-build to DataDog/java-profiler
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Required for git-cache-s3 / gitretriever infrastructure to work.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- config.env: SSM_PREFIX ci.async-profiler-build -> ci.java-profiler
- create_key, deploy-artifact, upload-s3: KUBERNETES_SERVICE_ACCOUNT_OVERWRITE=java-profiler
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Collapse build-deploy/benchmarks/reliability child pipeline triggers into direct includes; jdk-integration-test kept as child pipeline (externally triggered with mutually exclusive variables)
- Add unified stages list and default tags/interruptible in root
- Extract .bootstrap-gh-tools, .deploy-sa, fix .cache-config-pull to extend .cache-config (policy: pull only)
- Fix KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: async-profiler-build -> java-profiler
- Replace deprecated except: with rules: in rebuild-images
- Remove redundant dependencies: blocks superseded by needs: artifacts: true
- Extract .reliability_job template; amd64/aarch64 extend it with ARCH var
- Gate prepare:start on DOWNSTREAM != null to prevent spurious runs
- Single get-versions job shared by benchmarks and reliability
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Add workflow:rules to prevent pipelines starting on non-default branch pushes (feature branches require manual/trigger/schedule)
- Extend .deploy-sa on notify jobs so the pod gets IRSA credentials needed by postmessage to reach SSM for the Slack token
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- prepare.sh exits 1 (no API token available for clean cancel)
- get-versions now needs prepare:start so it is skipped too
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
prepare:start writes CANCELLED=true to build.env and exits 0. default.before_script checks it and exits 0 immediately on all downstream jobs — pipeline stays green, no real work done.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
CI Test Results
Run: #23641308283 | Commit:
Status Overview
Legend: ✅ passed | ❌ failed | ⚪ skipped | 🚫 cancelled
Summary: Total: 32 | Passed: 32 | Failed: 0
Updated: 2026-03-27 10:25:58 UTC
What does this PR do?:
Motivation:
Additional Notes:
How to test the change?:
For Datadog employees:
credentials of any kind, I've requested a review from @DataDog/security-design-and-guidance.
Unsure? Have a question? Request a review!