Add dependency on Maven Central deployment to OCI publish jobs #9204

Open: wants to merge 19 commits into base: master
58 changes: 57 additions & 1 deletion .gitlab-ci.yml
Expand Up @@ -7,8 +7,8 @@ include:

stages:
- build
- shared-pipeline
- publish
- shared-pipeline
- benchmarks
- macrobenchmarks
- tests
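Review bot: The `stages:` list changes the relative order of `publish` and `shared-pipeline`, and nothing in the hunk says why. Stage order governs every job in those two stages that does not declare `needs`, so an unexplained swap is easy to revert by accident and can change when unrelated jobs start. Add a one-line comment above `stages:` naming the job dependency that requires this order, and confirm that no existing `publish` or `shared-pipeline` job relied on the previous one.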
Expand Down Expand Up @@ -880,6 +880,62 @@ requirements_json_test:
package-oci:
needs: [ build ]

# Verify Maven Central deployment is publicly available before publishing OCI images
verify_maven_central_deployment:
image: registry.ddbuild.io/images/base/gbi-ubuntu_2204:release
stage: publish
needs: [ deploy_to_maven_central ]
rules:
- if: '$POPULATE_CACHE'
when: never
- if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/'
when: on_success
- when: manual
allow_failure: true
script:
- |
export VERSION=${CI_COMMIT_TAG##v}
ARTIFACT_URLS=(
"https://repo1.maven.org/maven2/com/datadoghq/dd-java-agent/${VERSION}/dd-java-agent-${VERSION}.jar"
"https://repo1.maven.org/maven2/com/datadoghq/dd-trace-api/${VERSION}/dd-trace-api-${VERSION}.jar"
"https://repo1.maven.org/maven2/com/datadoghq/dd-trace-ot/${VERSION}/dd-trace-ot-${VERSION}.jar"
)
# Wait 5 mins initially, then try 5 times with a minute delay between each retry to see if the release artifacts are available
sleep 300
TRY=0
MAX_TRIES=5
DELAY=60
while [ $TRY -lt $MAX_TRIES ]; do
ARTIFACTS_AVAILABLE=true
for URL in "${ARTIFACT_URLS[@]}"; do
if ! curl --location --fail --silent --show-error -I "$URL"; then
ARTIFACTS_AVAILABLE=false
break
fi
done
if [ "$ARTIFACTS_AVAILABLE" = true ]; then
break
fi
TRY=$((TRY + 1))
if [ $TRY -eq $MAX_TRIES ]; then
echo "The release was not available after 10 mins. Manually re-run the job to try again."
exit 1
fi
sleep $DELAY
done

publishing-gate:
needs:
- job: verify_maven_central_deployment
optional: true
rules:
- if: '$POPULATE_CACHE'
when: never
- if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/'
when: on_success
- when: manual
allow_failure: true

Contributor Author

The publishing-gate job can be manually overridden in case verify_maven_central_deployment fails and we still want to publish OCI images.

Contributor

This doesn't work as you expect. If verify_maven_central_deployment fails, publishing-gate won't be runnable, manually or otherwise. There is no simple workaround supported by GitLab. One option would be a pipeline variable, but then you have to rerun the entire pipeline.

Contributor Author

I tried testing this by running a test-job with the same parameters as the publishing-gate job (commit here), and the behavior in CI seems like what we want 👀 . Here are the pipeline results where I force verify_maven_central_deployment to fail and am still able to manually run test-job: https://gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-java/-/pipelines/72112529.

It seems like even if verify_maven_central_deployment fails, we can still manually trigger publishing-gate..? From the docs here, publishing-gate can run as long as verify_maven_central_deployment completes.

Contributor Author

Just kidding -- you can see here in @randomanderson's reproduction (pipeline, code) that if verify_maven_central_deployment fails, then there's no way to run publishing-gate, which is a problem.

configure_system_tests:
variables:
SYSTEM_TESTS_SCENARIOS_GROUPS: "simple_onboarding,simple_onboarding_profiling,simple_onboarding_appsec,docker-ssi,lib-injection"
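Review bot: `export VERSION=${CI_COMMIT_TAG##v}` in `verify_maven_central_deployment` has no check that the tag is set, yet the final `- when: manual` rule lets the job be started on pipelines where `CI_COMMIT_TAG` is empty or does not match the release pattern. In that case the three `repo1.maven.org` URLs are built with an empty or unexpected version, and the job only fails after the full `sleep 300` plus all retries. Fail fast before the sleep, for example with `[ -n "$VERSION" ] || { echo "CI_COMMIT_TAG is not set"; exit 1; }`. The `curl` call also has no `--max-time`, so a stalled connection can hold the job well past the window the error message states.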