From b7d2ebbeec5ae64fc247e93e760a84aa4b2981eb Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Wed, 10 Jun 2026 15:10:14 +0200 Subject: [PATCH 01/20] feat(ci): restore benchmark PR comments + add reliability/chaos reporting MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix benchmark comments: replace UPSTREAM_* dependency with DDPROF_COMMIT_BRANCH; aggregate all per-cell reports into one comment - Add reliability/chaos PR comments via dynamic child pipeline gated on test:reliability label (detected in prepare.sh) - Fix notifier jobs: when:always so failures are reported (not silenced) - Forward DDPROF_COMMIT_BRANCH/SHA to child pipeline via trigger variables - Use jq (with grep fallback) for label detection in prepare.sh - Fix cut -f2 → cut -f2- to preserve full FAIL reason text - Fix multiline REASON dotenv: grep -m1 + tr -d '\n' - Fix tr '+' '_' mangling reason value; scope git insteadOf to clone Co-Authored-By: Claude Sonnet 4.6 --- .gitlab-ci.yml | 60 ++++++++ .gitlab/benchmarks/.gitlab-ci.yml | 34 ++++- .gitlab/benchmarks/post-pr-comment.sh | 64 ++++++++ .gitlab/benchmarks/steps/post-pr-comment.sh | 13 -- .gitlab/reliability/post-pr-comment.sh | 83 +++++++++++ .gitlab/reliability/pr-child.gitlab-ci.yml | 155 ++++++++++++++++++++ .gitlab/scripts/prepare.sh | 8 + 7 files changed, 401 insertions(+), 16 deletions(-) create mode 100755 .gitlab/benchmarks/post-pr-comment.sh delete mode 100755 .gitlab/benchmarks/steps/post-pr-comment.sh create mode 100755 .gitlab/reliability/post-pr-comment.sh create mode 100644 .gitlab/reliability/pr-child.gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7ae3d7a66..bb48b4154 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -152,6 +152,66 @@ jdk-integration-test: forward: pipeline_variables: true +# Generates a child pipeline YAML for reliability/chaos tests when the PR +# carries the test:reliability label (RUN_RELIABILITY=true in build.env). +generate-reliability-child-pipeline: + stage: reliability + tags: ["arch:amd64"] + image: alpine + needs: + - job: prepare:start + artifacts: true + rules: + - if: '$CI_PIPELINE_SOURCE == "schedule"' + when: never + - if: '$JDK_VERSION != null || $DEBUG_LEVEL != null || $HASH != null || $DOWNSTREAM != null' + when: never + - when: on_success + script: + - | + if [ "${RUN_RELIABILITY:-}" = "true" ]; then + echo "Label test:reliability detected — enabling reliability child pipeline" + cp .gitlab/reliability/pr-child.gitlab-ci.yml generated-reliability.yml + else + cat > generated-reliability.yml << 'NOOP' + skip-reliability: + image: alpine + tags: ["arch:amd64"] + script: + - echo "Label test:reliability not set — skipping" + rules: + - when: always + NOOP + fi + artifacts: + paths: + - generated-reliability.yml + expire_in: 1 day + +run-reliability-tests: + stage: reliability + needs: + - job: generate-reliability-child-pipeline + artifacts: true + - job: prepare:start + artifacts: true + rules: + - if: '$CI_PIPELINE_SOURCE == "schedule"' + when: never + - if: '$JDK_VERSION != null || $DEBUG_LEVEL != null || $HASH != null || $DOWNSTREAM != null' + when: never + - when: on_success + trigger: + include: + - artifact: generated-reliability.yml + job: generate-reliability-child-pipeline + strategy: depend + forward: + pipeline_variables: true + variables: + DDPROF_COMMIT_BRANCH: "$DDPROF_COMMIT_BRANCH" + DDPROF_COMMIT_SHA: "$DDPROF_COMMIT_SHA" + include: - local: .gitlab/common.yml - local: .adms/python/gitlab.yaml diff --git a/.gitlab/benchmarks/.gitlab-ci.yml b/.gitlab/benchmarks/.gitlab-ci.yml index 893322996..30e4748d7 100644 --- a/.gitlab/benchmarks/.gitlab-ci.yml +++ b/.gitlab/benchmarks/.gitlab-ci.yml 
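Review bot: `image: alpine` on `generate-reliability-child-pipeline`, and again inside the generated `skip-reliability` job, is a floating tag, so the job that writes the child-pipeline definition runs on whatever image the registry serves at that moment. Pinning to a fixed tag plus digest, for example `image: alpine:<version>@sha256:<digest>` (placeholder values), keeps the generator reproducible and makes image changes show up in review. If the runners already resolve `alpine` through a pinned internal mirror, a comment saying so next to the `image:` key would be enough; that is not visible from this hunk.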
@@ -36,8 +36,8 @@ variables: if [ -z "${CANDIDATE_VERSION}" ]; then echo "Missing candidate version. Skipping."; exit 0; fi # fetch the common platform scripts - git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf "https://github.com/DataDog/" - git clone --branch dd-trace-go https://github.com/DataDog/benchmarking-platform ${PLATFORM_DIR} + git -c url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf="https://github.com/DataDog/" \ + clone --branch dd-trace-go https://github.com/DataDog/benchmarking-platform ${PLATFORM_DIR} # apply the specific step scripts cp -r .gitlab/benchmarks/steps/* ${PLATFORM_DIR}/steps/ @@ -52,7 +52,6 @@ variables: ${PLATFORM_DIR}/steps/run-benchmarks.sh ${PLATFORM_DIR}/steps/analyze-results.sh ${PLATFORM_DIR}/steps/upload-results-to-s3.sh - ${PLATFORM_DIR}/steps/post-pr-comment.sh parallel: matrix: - RUN_MODE: ["cpu", "wall", "alloc", "memleak", "cpu,wall", "memleak,alloc", "cpu,wall,alloc,memleak"] 
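Review bot: The rewritten `git -c … clone --branch dd-trace-go` line still checks out the moving tip of a branch, and scripts from that checkout are then executed (`${PLATFORM_DIR}/steps/run-benchmarks.sh` in the next hunk's context). Checking out a reviewed commit after the clone, e.g. `git -C "${PLATFORM_DIR}" checkout --detach "${PLATFORM_REF}"` with `PLATFORM_REF` (placeholder name) defined as a CI variable, would make a change in benchmarking-platform an explicit bump here. The same unpinned clone is added in `.gitlab/benchmarks/post-pr-comment.sh` and `.gitlab/reliability/post-pr-comment.sh`, where the cloned `tools/` directory is put on `PATH` in jobs that are issued `DDOCTOSTS_ID_TOKEN`. `${PLATFORM_DIR}` is also unquoted on the clone line; `"${PLATFORM_DIR}"` is safer. The enclosing script block starts and ends outside the hunk.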
@@ -76,6 +75,35 @@ benchmarks-candidate-aarch64: KUBERNETES_MEMORY_REQUEST: 200Gi KUBERNETES_MEMORY_LIMIT: 200Gi +post-benchmarks-pr-comment: + extends: .retry-config + stage: benchmarks + tags: ["arch:arm64"] + image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1 + id_tokens: + DDOCTOSTS_ID_TOKEN: + aud: dd-octo-sts + needs: + - job: prepare:start + artifacts: true + - job: benchmarks-candidate-amd64 + artifacts: true + - job: benchmarks-candidate-aarch64 + artifacts: true + rules: + - if: '$JDK_VERSION != null || $DEBUG_LEVEL != null || $HASH != null || $DOWNSTREAM != null' + when: never + - if: '$CI_PIPELINE_SOURCE == "trigger" || $CI_PIPELINE_SOURCE == "pipeline"' + when: on_success + - if: '$CI_PIPELINE_SOURCE == "web"' + when: always + - if: '$CI_PIPELINE_SOURCE == "push"' + when: always + timeout: 5m + script: + - .gitlab/benchmarks/post-pr-comment.sh reports + allow_failure: true + publish-benchmark-gh-pages: stage: benchmarks tags: ["arch:arm64"] diff --git a/.gitlab/benchmarks/post-pr-comment.sh b/.gitlab/benchmarks/post-pr-comment.sh new file mode 100755 index 000000000..ff575d2d3 --- /dev/null +++ b/.gitlab/benchmarks/post-pr-comment.sh 
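Review bot: In `post-benchmarks-pr-comment` the `trigger`/`pipeline` rule uses `when: on_success` while the `web` and `push` rules use `when: always`, so on triggered pipelines a failed `benchmarks-candidate-*` job still suppresses the comment, which appears to be the case the commit message sets out to fix. If that is not intentional, the rule would read `when: always` like the other two. Because the job is issued an OIDC token (`aud: dd-octo-sts`) and runs a script taken from the branch under test on every `push`, a short comment above `id_tokens:` would help reviewers: it should name what the token is allowed to do and state that the trust policy on the STS side is expected to restrict it by project and ref. That policy is not visible here.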
@@ -0,0 +1,64 @@ +#!/usr/bin/env bash +# Post aggregated benchmark comparison results as a single PR comment. +# +# Expects all per-cell comparison-baseline-vs-candidate_*.md reports to be +# present under REPORTS_DIR (default: reports/). +# +# Required env: +# DDPROF_COMMIT_BRANCH – branch name used to locate the open PR +# CI_JOB_TOKEN – used to clone benchmarking-platform if needed +# Optional env: +# CI_PIPELINE_URL, DDPROF_COMMIT_SHA + +set -euo pipefail + +REPORTS_DIR="${1:-reports}" +REPO="DataDog/java-profiler" + +# Skip for main / unset branches (no PR to comment on) +if [ -z "${DDPROF_COMMIT_BRANCH:-}" ] || \ + [ "${DDPROF_COMMIT_BRANCH}" = "main" ] || \ + [ "${DDPROF_COMMIT_BRANCH}" = "master" ]; then + echo "Skipping PR comment for branch: ${DDPROF_COMMIT_BRANCH:-}" + exit 0 +fi + +# Acquire pr-commenter from benchmarking-platform if not already on PATH +if ! command -v pr-commenter >/dev/null 2>&1; then + PLATFORM_DIR=$(mktemp -d) + trap "rm -rf ${PLATFORM_DIR}" EXIT + git -c url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf="https://github.com/DataDog/" \ + clone --depth 1 --branch dd-trace-go https://github.com/DataDog/benchmarking-platform "${PLATFORM_DIR}" + export PATH="${PLATFORM_DIR}/tools:${PATH}" +fi + +# Aggregate all per-cell reports into a single comment body +SECTIONS="" +for md in "${REPORTS_DIR}"/comparison-baseline-vs-candidate_*.md; do + [ -f "${md}" ] || continue + label=$(basename "${md}" .md | sed 's/comparison-baseline-vs-candidate_//') + SECTIONS="${SECTIONS} +
${label} + +$(cat "${md}") + +
+" +done + +if [ -z "${SECTIONS}" ]; then + echo "No benchmark reports found under ${REPORTS_DIR} — skipping comment" + exit 0 +fi + +COMMENT_BODY="## Benchmark Results + +Pipeline: ${CI_PIPELINE_URL:-} Commit: \`${DDPROF_COMMIT_SHA:-unknown}\` + +${SECTIONS}" + +echo "${COMMENT_BODY}" | pr-commenter \ + --for-repo="${REPO}" \ + --for-pr="${DDPROF_COMMIT_BRANCH}" \ + --header="Benchmarks" \ + --on-duplicate=replace diff --git a/.gitlab/benchmarks/steps/post-pr-comment.sh b/.gitlab/benchmarks/steps/post-pr-comment.sh deleted file mode 100755 index 39134991a..000000000 --- a/.gitlab/benchmarks/steps/post-pr-comment.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/env bash - -if [ -z "${UPSTREAM_PROJECT_NAME}" ]; then - echo "No upstream project defined. Skipping." - exit 0 -fi - -# Append $SUFFIX for unique names to match the configurations -ARCH=`uname -m` -SUFFIX=$(echo "$RUN_MODE" | tr ',' '_') -SUFFIX=${ARCH}_${SUFFIX} - -cat "$ARTIFACTS_DIR/comparison-baseline-vs-candidate_${SUFFIX}.md" | pr-commenter --for-repo="$UPSTREAM_PROJECT_NAME" --for-pr="$UPSTREAM_BRANCH" --header="Benchmarks [$ARCH $RUN_MODE]" --on-duplicate=replace diff --git a/.gitlab/reliability/post-pr-comment.sh b/.gitlab/reliability/post-pr-comment.sh new file mode 100755 index 000000000..3f263f791 --- /dev/null +++ b/.gitlab/reliability/post-pr-comment.sh @@ -0,0 +1,83 @@ +#!/usr/bin/env bash +# Post aggregated reliability + chaos test results as a single PR comment. +# +# Reads REASON_* variables written to build.env by the reliability/chaos jobs +# and emits a ✅/❌ matrix with failure
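Review bot: `export PATH="${PLATFORM_DIR}/tools:${PATH}"` puts the freshly cloned directory in front of the system path, so any file in `tools/` whose name matches a command used later in the script (`basename`, `sed`, `cat`) would be run instead of the system one. Appending keeps `pr-commenter` resolvable without that shadowing: `export PATH="${PATH}:${PLATFORM_DIR}/tools"`. The cleanup trap expands the path when it is defined and leaves it unquoted; `trap 'rm -rf "${PLATFORM_DIR}"' EXIT` defers expansion and quotes it. Both lines are repeated verbatim in `.gitlab/reliability/post-pr-comment.sh` and the same change applies there.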
blocks. +# +# Required env: +# DDPROF_COMMIT_BRANCH – branch name used to locate the open PR +# CI_JOB_TOKEN – used to clone benchmarking-platform if needed +# Optional env: +# CI_PIPELINE_URL + +set -euo pipefail + +REPO="DataDog/java-profiler" + +# Skip for main / unset branches +if [ -z "${DDPROF_COMMIT_BRANCH:-}" ] || \ + [ "${DDPROF_COMMIT_BRANCH}" = "main" ] || \ + [ "${DDPROF_COMMIT_BRANCH}" = "master" ]; then + echo "Skipping PR comment for branch: ${DDPROF_COMMIT_BRANCH:-}" + exit 0 +fi + +# Acquire pr-commenter from benchmarking-platform if not already on PATH +if ! command -v pr-commenter >/dev/null 2>&1; then + PLATFORM_DIR=$(mktemp -d) + trap "rm -rf ${PLATFORM_DIR}" EXIT + git -c url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf="https://github.com/DataDog/" \ + clone --depth 1 --branch dd-trace-go https://github.com/DataDog/benchmarking-platform "${PLATFORM_DIR}" + export PATH="${PLATFORM_DIR}/tools:${PATH}" +fi + +# ── Collect failures from REASON_* env vars ──────────────────────────────────── +rel_fail=0; rel_failures="" +chaos_fail=0; chaos_failures="" + +for key in $(compgen -v | grep -E '^REASON_.*X(jit|memory)$' | sort); do + reason="${!key}" + label="${key#REASON_}" + rel_fail=$((rel_fail + 1)) + rel_failures="${rel_failures} +
❌ ${label//_/ } + +\`\`\` +${reason//\`/} +\`\`\` + +
" +done + +for key in $(compgen -v | grep -E '^REASON_.*Xchaos$' | sort); do + reason="${!key}" + label="${key#REASON_}" + chaos_fail=$((chaos_fail + 1)) + chaos_failures="${chaos_failures} +
❌ chaos: ${label//_/ } + +\`\`\` +${reason//\`/} +\`\`\` + +
" +done + +# ── Assemble comment ──────────────────────────────────────────────────────────── +total_fail=$((rel_fail + chaos_fail)) +if [ "${total_fail}" -gt 0 ]; then + overall="❌ **${total_fail} failure(s) detected**" +else + overall="✅ **All reliability & chaos checks passed**" +fi + +COMMENT_BODY="## Reliability & Chaos Results + +${overall} Pipeline: ${CI_PIPELINE_URL:-} +${rel_failures}${chaos_failures}" + +echo "${COMMENT_BODY}" | pr-commenter \ + --for-repo="${REPO}" \ + --for-pr="${DDPROF_COMMIT_BRANCH}" \ + --header="Reliability & Chaos" \ + --on-duplicate=replace diff --git a/.gitlab/reliability/pr-child.gitlab-ci.yml b/.gitlab/reliability/pr-child.gitlab-ci.yml new file mode 100644 index 000000000..156012a36 --- /dev/null +++ b/.gitlab/reliability/pr-child.gitlab-ci.yml 
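Review bot: The summary reports `✅ **All reliability & chaos checks passed**` whenever no `REASON_*` variable is present, which is also the state when the test jobs never ran or their dotenv artifacts did not arrive; the notifier in `pr-child.gitlab-ci.yml` is declared with `rules: when: always`, so it runs in that case too. A positive signal per cell would close the gap: have each test job write a result key on success as well, count the keys seen here, and report that no results were received when the count is zero or lower than expected. Until then the pass line would be more accurate as `overall="No failures reported"`. The backtick stripping applied to `reason` keeps a failure text from closing the code fence early; a one-line comment saying so would help the next editor.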
@@ -0,0 +1,155 @@ +# Child pipeline for reliability + chaos tests triggered on PRs +# labelled test:reliability. Runs the same matrix as the scheduled pipeline +# but with on_success rules and without needing parent-pipeline artifacts +# (chaos_check.sh rebuilds chaos.jar inline when the artifact is absent). + +stages: + - prepare + - test + - notify + +include: + - local: .gitlab/common.yml + - local: .gitlab/benchmarks/images.yml + +get-versions: + extends: .get-versions + needs: [] + +# ── Reliability (non-chaos) ────────────────────────────────────────────────── + +.reliability_pr_job: + stage: test + timeout: 6h + variables: + RUNTIME: "${RUNTIME:-120}" + needs: + - job: get-versions + artifacts: true + rules: + - when: on_success + parallel: + matrix: + - CONFIG: ["profiler", "profiler+tracer"] + VARIANT: ["jit", "memory"] + ALLOCATOR: ["gmalloc", "jemalloc", "tcmalloc"] + script: + - set +e + - echo "runtime=${RUNTIME}, config=${CONFIG}, variant=${VARIANT}, allocator=${ALLOCATOR}, arch=${ARCH}" + - .gitlab/reliability/run.sh "$RUNTIME" "$CONFIG" "$VARIANT" "$ALLOCATOR" "$ARCH" 2>err.log 1>out.log + - REASON=$(grep -m1 'FAIL:' err.log | cut -f2- -d':' | tr -d '\n') || true + - if [ -n "${REASON}" ]; then _key=$(printf 'REASON_%s_%s_%sX%s' "${CONFIG}" "${ALLOCATOR}" "${ARCH}" "${VARIANT}" | tr '+' '_'); echo "${_key}=${REASON}" >> build.env; exit 1; fi + after_script: + - | + if [[ "$CI_JOB_STATUS" == "failed" ]]; then + _key=$(printf 'REASON_%s_%s_%sX%s' "${CONFIG}" "${ALLOCATOR}" "${ARCH}" "${VARIANT}" | tr '+' '_') + grep -q "${_key}=" build.env 2>/dev/null || echo "${_key}=Unknown failure, perhaps timeout" >> build.env + fi + artifacts: + name: "results-${ARCH}" + when: always + paths: + - memwatch.log + - memwatch-trend.png + - hs_err.log + - err.log + - out.log + reports: + dotenv: build.env + expire_in: 1 day + +reliability-amd64: + extends: .reliability_pr_job + tags: ["arch:amd64"] + image: $BENCHMARK_IMAGE_AMD64 + variables: + ARCH: amd64 + 
+reliability-aarch64: + extends: .reliability_pr_job + tags: ["arch:arm64"] + image: $BENCHMARK_IMAGE_ARM64 + variables: + ARCH: aarch64 + +# ── Chaos ──────────────────────────────────────────────────────────────────── +# chaos_check.sh builds chaos.jar inline (via Gradle) when the artifact is +# absent, and downloads ddprof from Maven snapshots when no local jar exists. + +.reliability_chaos_pr_job: + stage: test + timeout: 6h + variables: + RUNTIME: "${RUNTIME:-120}" + needs: + - job: get-versions + artifacts: true + rules: + - when: on_success + parallel: + matrix: + - CONFIG: ["profiler", "profiler+tracer"] + ALLOCATOR: ["gmalloc", "jemalloc", "tcmalloc"] + CHAOS_JDK: ["21.0.3-tem", "25.0.3-tem"] + script: + - set +e + - echo "runtime=${RUNTIME}, config=${CONFIG}, allocator=${ALLOCATOR}, arch=${ARCH}, jdk=${CHAOS_JDK}" + - CHAOS_JDK="${CHAOS_JDK}" .gitlab/reliability/chaos_check.sh "$RUNTIME" "$CONFIG" "$ALLOCATOR" 2>err.log 1>out.log + - REASON=$(grep -m1 'FAIL:' err.log | cut -f2- -d':' | tr -d '\n') || true + - if [ -n "${REASON}" ]; then _key=$(printf 'REASON_%s_%s_%s_%sXchaos' "${CONFIG}" "${ALLOCATOR}" "${ARCH}" "${CHAOS_JDK//[.-]/_}" | tr '+' '_'); echo "${_key}=${REASON}" >> build.env; exit 1; fi + after_script: + - | + if [[ "$CI_JOB_STATUS" == "failed" ]]; then + _key=$(printf 'REASON_%s_%s_%s_%sXchaos' "${CONFIG}" "${ALLOCATOR}" "${ARCH}" "${CHAOS_JDK//[.-]/_}" | tr '+' '_') + grep -q "${_key}=" build.env 2>/dev/null || echo "${_key}=Unknown failure, perhaps timeout" >> build.env + fi + artifacts: + name: "chaos-results-${ARCH}" + when: always + paths: + - hs_err.log + - err.log + - out.log + reports: + dotenv: build.env + expire_in: 1 day + +reliability-chaos-amd64: + extends: .reliability_chaos_pr_job + tags: ["arch:amd64"] + image: $BENCHMARK_IMAGE_AMD64 + variables: + ARCH: amd64 + +reliability-chaos-aarch64: + extends: .reliability_chaos_pr_job + tags: ["arch:arm64"] + image: $BENCHMARK_IMAGE_ARM64 + variables: + ARCH: aarch64 + +# ── PR 
comment ─────────────────────────────────────────────────────────────── + +post-reliability-pr-comment: + extends: .retry-config + stage: notify + tags: ["arch:arm64"] + image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1 + id_tokens: + DDOCTOSTS_ID_TOKEN: + aud: dd-octo-sts + needs: + - job: reliability-amd64 + artifacts: true + - job: reliability-aarch64 + artifacts: true + - job: reliability-chaos-amd64 + artifacts: true + - job: reliability-chaos-aarch64 + artifacts: true + rules: + - when: always + timeout: 5m + script: + - .gitlab/reliability/post-pr-comment.sh + allow_failure: true diff --git a/.gitlab/scripts/prepare.sh b/.gitlab/scripts/prepare.sh index 1b803c0c0..38f841730 100755 --- a/.gitlab/scripts/prepare.sh +++ b/.gitlab/scripts/prepare.sh @@ -22,6 +22,14 @@ if [ "${CI_PIPELINE_SOURCE}" == "push" ] || [ "${CI_PIPELINE_SOURCE}" == "trigge echo "CANCELLED=true" >> build.env exit 0 fi + # Detect PR labels and export flags for downstream jobs + if command -v jq >/dev/null 2>&1; then + if echo "${API_RESPONSE}" | jq -e '[.[0].labels[].name] | any(. == "test:reliability")' >/dev/null 2>&1; then + echo "RUN_RELIABILITY=true" >> build.env + fi + elif echo "${API_RESPONSE}" | grep -q '"test:reliability"'; then + echo "RUN_RELIABILITY=true" >> build.env + fi fi fi From 932f745253f63eee88b7c8f5009494152664e024 Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Wed, 10 Jun 2026 16:51:09 +0200 Subject: [PATCH 02/20] ci: retrigger pipeline From 47cdd8189f3ab7232819fcd08504807fa87f6c48 Mon Sep 17 00:00:00 2001 
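Review bot: In `.reliability_pr_job` and `.reliability_chaos_pr_job` the script runs under `set +e` and never looks at the exit status of `run.sh` / `chaos_check.sh`, so a run that dies without printing a `FAIL:` line to `err.log` leaves `REASON` empty and the job green. Capturing the status on the same script entry, `… 2>err.log 1>out.log; rc=$?`, and testing `if [ -n "${REASON}" ] || [ "${rc}" -ne 0 ]; then` (with a fallback reason such as `exit status ${rc}`) would make those runs fail and show up in the PR comment. `REASON` is copied from test output into `build.env` and becomes a variable in the notifier job; `grep -m1` and `tr -d '\n'` keep it to one line, which is worth a comment since it is what stops a log line from adding extra keys to the dotenv file.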
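Review bot: The two detection branches do not test the same thing: the `jq` path looks only at the labels of `.[0]`, while the `grep -q '"test:reliability"'` fallback matches that quoted string anywhere in `API_RESPONSE`, including labels of other array elements if the response holds more than one. Since the result decides whether the 6h reliability matrix is started, the fallback is better dropped in favour of requiring `jq`, or at least documented as a looser match. The `jq` call also sends errors to `/dev/null`, so a malformed or error response is indistinguishable from an absent label; logging that case (`echo "label lookup failed" >&2`) would make a silently skipped run diagnosable. How `API_RESPONSE` is obtained, and the enclosing `if`, are outside the hunk.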
From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 11:16:29 +0200 Subject: [PATCH 03/20] =?UTF-8?q?ci:=20add=20GitHub=E2=86=92GitLab=20trigg?= =?UTF-8?q?er=20for=20test:reliability=20and=20test:benchmark=20labels?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/ci.yml | 86 +++++++++++++++++++++++++++++++ .gitlab/benchmarks/.gitlab-ci.yml | 7 ++- .gitlab/scripts/prepare.sh | 12 ++++- 3 files changed, 102 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3e9030746..9ec9416c0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -129,6 +129,8 @@ jobs: outputs: configurations: ${{ steps.compute.outputs.configurations }} run_fuzz: ${{ steps.compute.outputs.run_fuzz }} + run_reliability: ${{ steps.compute.outputs.run_reliability }} + run_benchmark: ${{ steps.compute.outputs.run_benchmark }} steps: - name: Debounce label events if: github.event.action == 'labeled' @@ -161,8 +163,20 @@ jobs: else echo "run_fuzz=false" >> $GITHUB_OUTPUT fi + if echo "$labels" | grep -Fq "test:reliability"; then + echo "run_reliability=true" >> $GITHUB_OUTPUT + else + echo "run_reliability=false" >> $GITHUB_OUTPUT + fi + if echo "$labels" | grep -Fq "test:benchmark"; then + echo "run_benchmark=true" >> $GITHUB_OUTPUT + else + echo "run_benchmark=false" >> $GITHUB_OUTPUT + fi else echo "run_fuzz=false" >> $GITHUB_OUTPUT + echo "run_reliability=false" >> $GITHUB_OUTPUT + echo "run_benchmark=false" >> $GITHUB_OUTPUT fi configs="$configs]" 
@@ -236,3 +250,75 @@ jobs: with: name: fuzz-crashes path: ddprof-lib/fuzz/build/fuzz-crashes/ + + # Triggers the GitLab pipeline when test:reliability or test:benchmark labels + # are added. GitLab handles the actual execution and posts results back as PR + # comments via post-pr-comment.sh scripts. + trigger-gitlab-tests: + needs: [check-for-pr, compute-configurations] + if: >- + needs.check-for-pr.outputs.skip != 'true' && + (needs.compute-configurations.outputs.run_reliability == 'true' || needs.compute-configurations.outputs.run_benchmark == 'true') && + github.event_name == 'pull_request' && + github.event.pull_request.head.repo.fork == false + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + id-token: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Trigger GitLab pipeline + id: trigger + env: + GITLAB_TRIGGER_TOKEN: ${{ secrets.GITLAB_TRIGGER_TOKEN }} + GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }} + run: | + if [[ -z "$GITLAB_TRIGGER_TOKEN" || -z "$GITLAB_PROJECT_ID" ]]; then + echo "::warning::GITLAB_TRIGGER_TOKEN or GITLAB_PROJECT_ID not configured; skipping" + exit 0 + fi + args=( + -F "token=$GITLAB_TRIGGER_TOKEN" + -F "ref=${{ github.head_ref }}" + ) + if [[ "${{ needs.compute-configurations.outputs.run_reliability }}" == "true" ]]; then + args+=(-F "variables[RUN_RELIABILITY]=true") + fi + if [[ "${{ needs.compute-configurations.outputs.run_benchmark }}" == "true" ]]; then + args+=(-F "variables[RUN_BENCHMARKS]=true") + fi + response=$(curl --fail -sS \ + "https://gitlab.ddbuild.io/api/v4/projects/${GITLAB_PROJECT_ID}/trigger/pipeline" \ + "${args[@]}") + echo "pipeline_id=$(echo "$response" | jq -r '.id')" >> "$GITHUB_OUTPUT" + echo "pipeline_url=$(echo "$response" | jq -r '.web_url')" >> "$GITHUB_OUTPUT" + + - name: Post trigger confirmation + if: steps.trigger.outputs.pipeline_url != '' + run: | + tests="" + if [[ "${{ 
needs.compute-configurations.outputs.run_reliability }}" == "true" ]]; then + tests="${tests:+$tests, }reliability & chaos" + fi + if [[ "${{ needs.compute-configurations.outputs.run_benchmark }}" == "true" ]]; then + tests="${tests:+$tests, }benchmarks" + fi + { + echo "## ⚙️ GitLab Tests Triggered" + echo "" + echo "Running: **${tests}**" + echo "" + echo "| | |" + echo "|---|---|" + echo "| **Pipeline** | [View on GitLab](${{ steps.trigger.outputs.pipeline_url }}) |" + echo "| **Commit** | \`${{ github.sha }}\` |" + echo "" + echo "_Results will be posted as a separate comment when complete._" + } > gitlab-triggered.md + - name: Post PR comment + if: steps.trigger.outputs.pipeline_url != '' + uses: ./.github/actions/upsert-pr-comment + with: + body-file: gitlab-triggered.md + comment-id: ci-gitlab-trigger diff --git a/.gitlab/benchmarks/.gitlab-ci.yml b/.gitlab/benchmarks/.gitlab-ci.yml index 30e4748d7..6fcbf132c 100644 --- a/.gitlab/benchmarks/.gitlab-ci.yml +++ b/.gitlab/benchmarks/.gitlab-ci.yml @@ -17,7 +17,12 @@ variables: rules: - if: '$JDK_VERSION != null || $DEBUG_LEVEL != null || $HASH != null || $DOWNSTREAM != null' when: never - - if: '$CI_PIPELINE_SOURCE == "trigger" || $CI_PIPELINE_SOURCE == "pipeline"' + - if: '$CI_PIPELINE_SOURCE == "trigger" && $RUN_BENCHMARKS == "true"' + when: on_success + - if: '$CI_PIPELINE_SOURCE == "trigger"' + when: manual + allow_failure: true + - if: '$CI_PIPELINE_SOURCE == "pipeline"' when: on_success - if: '$CI_PIPELINE_SOURCE == "web"' when: manual diff --git a/.gitlab/scripts/prepare.sh b/.gitlab/scripts/prepare.sh index 38f841730..a2b158927 100755 --- a/.gitlab/scripts/prepare.sh +++ b/.gitlab/scripts/prepare.sh 
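Review bot: `-F "ref=${{ github.head_ref }}"` in the `Trigger GitLab pipeline` step expands the branch name into the shell script text before bash runs, so the name is parsed as script in a step that holds `GITLAB_TRIGGER_TOKEN`; the `fork == false` condition narrows who can choose that name but does not remove the problem. Passing it through the environment (`HEAD_REF: ${{ github.head_ref }}` under `env:`) and using `--form-string "ref=${HEAD_REF}"` fixes the quoting, and `--form-string` also stops curl from treating a value that begins with `@` or `<` as a file to read. The `needs.*.outputs.*` and `steps.trigger.outputs.pipeline_url` expansions inside `run:` are better moved to `env:` the same way. `id-token: write` is not used by any step visible in this job and can be dropped unless `upsert-pr-comment` needs it. Patch 04/20 later in this series deletes the job, so this matters only if the trigger is reintroduced.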
@@ -27,8 +27,16 @@ if [ "${CI_PIPELINE_SOURCE}" == "push" ] || [ "${CI_PIPELINE_SOURCE}" == "trigge if echo "${API_RESPONSE}" | jq -e '[.[0].labels[].name] | any(. == "test:reliability")' >/dev/null 2>&1; then echo "RUN_RELIABILITY=true" >> build.env fi - elif echo "${API_RESPONSE}" | grep -q '"test:reliability"'; then - echo "RUN_RELIABILITY=true" >> build.env + if echo "${API_RESPONSE}" | jq -e '[.[0].labels[].name] | any(. == "test:benchmark")' >/dev/null 2>&1; then + echo "RUN_BENCHMARKS=true" >> build.env + fi + else + if echo "${API_RESPONSE}" | grep -q '"test:reliability"'; then + echo "RUN_RELIABILITY=true" >> build.env + fi + if echo "${API_RESPONSE}" | grep -q '"test:benchmark"'; then + echo "RUN_BENCHMARKS=true" >> build.env + fi fi fi fi From 37df588cee0086f0c42ebd080ee76b8753c88a19 Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 11:29:02 +0200 Subject: [PATCH 04/20] ci: expose RUN_RELIABILITY/RUN_BENCHMARKS as documented GitLab pipeline variables --- .github/workflows/ci.yml | 72 ---------------------------------------- .gitlab-ci.yml | 6 ++++ 2 files changed, 6 insertions(+), 72 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9ec9416c0..25a353dbd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -250,75 +250,3 @@ jobs: with: name: fuzz-crashes path: ddprof-lib/fuzz/build/fuzz-crashes/ - - # Triggers the GitLab pipeline when test:reliability or test:benchmark labels - # are added. GitLab handles the actual execution and posts results back as PR - # comments via post-pr-comment.sh scripts. - trigger-gitlab-tests: - needs: [check-for-pr, compute-configurations] - if: >- - needs.check-for-pr.outputs.skip != 'true' && - (needs.compute-configurations.outputs.run_reliability == 'true' || needs.compute-configurations.outputs.run_benchmark == 'true') && - github.event_name == 'pull_request' && - github.event.pull_request.head.repo.fork == false - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write - id-token: write - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Trigger GitLab pipeline - id: trigger - env: - GITLAB_TRIGGER_TOKEN: ${{ secrets.GITLAB_TRIGGER_TOKEN }} - GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }} - run: | - if [[ -z "$GITLAB_TRIGGER_TOKEN" || -z "$GITLAB_PROJECT_ID" ]]; then - echo "::warning::GITLAB_TRIGGER_TOKEN or GITLAB_PROJECT_ID not configured; skipping" - exit 0 - fi - args=( - -F "token=$GITLAB_TRIGGER_TOKEN" - -F "ref=${{ github.head_ref }}" - ) - if [[ "${{ needs.compute-configurations.outputs.run_reliability }}" == "true" ]]; then - args+=(-F "variables[RUN_RELIABILITY]=true") - fi - if [[ "${{ needs.compute-configurations.outputs.run_benchmark }}" == "true" ]]; then - args+=(-F "variables[RUN_BENCHMARKS]=true") - fi - response=$(curl --fail -sS \ - "https://gitlab.ddbuild.io/api/v4/projects/${GITLAB_PROJECT_ID}/trigger/pipeline" \ - "${args[@]}") - echo "pipeline_id=$(echo "$response" | jq -r '.id')" >> "$GITHUB_OUTPUT" - echo "pipeline_url=$(echo "$response" | jq -r '.web_url')" >> "$GITHUB_OUTPUT" - - - name: Post trigger confirmation - if: steps.trigger.outputs.pipeline_url != '' - run: | - tests="" - if [[ "${{ 
needs.compute-configurations.outputs.run_reliability }}" == "true" ]]; then - tests="${tests:+$tests, }reliability & chaos" - fi - if [[ "${{ needs.compute-configurations.outputs.run_benchmark }}" == "true" ]]; then - tests="${tests:+$tests, }benchmarks" - fi - { - echo "## ⚙️ GitLab Tests Triggered" - echo "" - echo "Running: **${tests}**" - echo "" - echo "| | |" - echo "|---|---|" - echo "| **Pipeline** | [View on GitLab](${{ steps.trigger.outputs.pipeline_url }}) |" - echo "| **Commit** | \`${{ github.sha }}\` |" - echo "" - echo "_Results will be posted as a separate comment when complete._" - } > gitlab-triggered.md - - name: Post PR comment - if: steps.trigger.outputs.pipeline_url != '' - uses: ./.github/actions/upsert-pr-comment - with: - body-file: gitlab-triggered.md - comment-id: ci-gitlab-trigger diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1b2d007fc..d16f8444e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -8,6 +8,12 @@ variables: FORCE_BUILD: value: "" description: "Force build even if no new commits (any non-empty value)" + RUN_RELIABILITY: + value: "" + description: "Set to 'true' to run reliability and chaos tests (triggered automatically when test:reliability label is on the PR at push time)" + RUN_BENCHMARKS: + value: "" + description: "Set to 'true' to run benchmark tests (triggered automatically when test:benchmark label is on the PR at push time)" MAVEN_REPOSITORY_PROXY: "https://depot-read-api-java.us1.ddbuild.io/magicmirror/magicmirror/@current/" default: From 34c4cb480a0786003a1630871413f64d928d98c5 Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 11:34:25 +0200 Subject: [PATCH 05/20] fix(ci): restore unconditional benchmark runs on trigger-source pipelines --- .github/workflows/ci.yml | 7 ------- .gitlab/benchmarks/.gitlab-ci.yml | 7 +------ .gitlab/scripts/prepare.sh | 12 ++---------- 3 files changed, 3 insertions(+), 23 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 25a353dbd..b3b51d6ec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -130,7 +130,6 @@ jobs: configurations: ${{ steps.compute.outputs.configurations }} run_fuzz: ${{ steps.compute.outputs.run_fuzz }} run_reliability: ${{ steps.compute.outputs.run_reliability }} - run_benchmark: ${{ steps.compute.outputs.run_benchmark }} steps: - name: Debounce label events if: github.event.action == 'labeled' @@ -168,15 +167,9 @@ jobs: else echo "run_reliability=false" >> $GITHUB_OUTPUT fi - if echo "$labels" | grep -Fq "test:benchmark"; then - echo "run_benchmark=true" >> $GITHUB_OUTPUT - else - echo "run_benchmark=false" >> $GITHUB_OUTPUT - fi else echo "run_fuzz=false" >> $GITHUB_OUTPUT echo "run_reliability=false" >> $GITHUB_OUTPUT - echo "run_benchmark=false" >> $GITHUB_OUTPUT fi configs="$configs]" diff --git a/.gitlab/benchmarks/.gitlab-ci.yml b/.gitlab/benchmarks/.gitlab-ci.yml index 6fcbf132c..30e4748d7 100644 --- a/.gitlab/benchmarks/.gitlab-ci.yml +++ b/.gitlab/benchmarks/.gitlab-ci.yml @@ -17,12 +17,7 @@ variables: rules: - if: '$JDK_VERSION != null || $DEBUG_LEVEL != null || $HASH != null || $DOWNSTREAM != null' when: never - - if: '$CI_PIPELINE_SOURCE == "trigger" && $RUN_BENCHMARKS == "true"' - when: on_success - - if: '$CI_PIPELINE_SOURCE == "trigger"' - when: manual - allow_failure: true - - if: '$CI_PIPELINE_SOURCE == "pipeline"' + - if: '$CI_PIPELINE_SOURCE == "trigger" || $CI_PIPELINE_SOURCE == "pipeline"' when: on_success - if: '$CI_PIPELINE_SOURCE == "web"' when: manual diff --git a/.gitlab/scripts/prepare.sh b/.gitlab/scripts/prepare.sh index a2b158927..38f841730 100755 --- a/.gitlab/scripts/prepare.sh +++ b/.gitlab/scripts/prepare.sh 
@@ -27,16 +27,8 @@ if [ "${CI_PIPELINE_SOURCE}" == "push" ] || [ "${CI_PIPELINE_SOURCE}" == "trigge if echo "${API_RESPONSE}" | jq -e '[.[0].labels[].name] | any(. == "test:reliability")' >/dev/null 2>&1; then echo "RUN_RELIABILITY=true" >> build.env fi - if echo "${API_RESPONSE}" | jq -e '[.[0].labels[].name] | any(. == "test:benchmark")' >/dev/null 2>&1; then - echo "RUN_BENCHMARKS=true" >> build.env - fi - else - if echo "${API_RESPONSE}" | grep -q '"test:reliability"'; then - echo "RUN_RELIABILITY=true" >> build.env - fi - if echo "${API_RESPONSE}" | grep -q '"test:benchmark"'; then - echo "RUN_BENCHMARKS=true" >> build.env - fi + elif echo "${API_RESPONSE}" | grep -q '"test:reliability"'; then + echo "RUN_RELIABILITY=true" >> build.env fi fi fi From 082f273bc8fd779237c9dcc69ceab1e88e8cb837 Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 11:41:14 +0200 Subject: [PATCH 06/20] ci: pre-fill RUN_RELIABILITY=true in GitLab UI; prepare.sh always writes the override --- .gitlab-ci.yml | 7 ++----- .gitlab/scripts/prepare.sh | 13 ++++++++++--- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d16f8444e..43f3cf577 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -9,11 +9,8 @@ variables: value: "" description: "Force build even if no new commits (any non-empty value)" RUN_RELIABILITY: - value: "" - description: "Set to 'true' to run reliability and chaos tests (triggered automatically when test:reliability label is on the PR at push time)" - RUN_BENCHMARKS: - value: "" - description: "Set to 'true' to run benchmark tests (triggered automatically when test:benchmark label is on the PR at push time)" + value: "true" + description: "Run reliability and chaos tests (overridden to false by prepare.sh when test:reliability label is absent)" MAVEN_REPOSITORY_PROXY: "https://depot-read-api-java.us1.ddbuild.io/magicmirror/magicmirror/@current/" default: 
diff --git a/.gitlab/scripts/prepare.sh b/.gitlab/scripts/prepare.sh index 38f841730..a241fa8ca 100755 --- a/.gitlab/scripts/prepare.sh +++ b/.gitlab/scripts/prepare.sh @@ -22,13 +22,20 @@ if [ "${CI_PIPELINE_SOURCE}" == "push" ] || [ "${CI_PIPELINE_SOURCE}" == "trigge echo "CANCELLED=true" >> build.env exit 0 fi - # Detect PR labels and export flags for downstream jobs + # Always write RUN_RELIABILITY to build.env so the dotenv artifact overrides + # the GitLab UI default (value: "true") for automated pipelines. if command -v jq >/dev/null 2>&1; then if echo "${API_RESPONSE}" | jq -e '[.[0].labels[].name] | any(. == "test:reliability")' >/dev/null 2>&1; then echo "RUN_RELIABILITY=true" >> build.env + else + echo "RUN_RELIABILITY=false" >> build.env + fi + else + if echo "${API_RESPONSE}" | grep -q '"test:reliability"'; then + echo "RUN_RELIABILITY=true" >> build.env + else + echo "RUN_RELIABILITY=false" >> build.env fi - elif echo "${API_RESPONSE}" | grep -q '"test:reliability"'; then - echo "RUN_RELIABILITY=true" >> build.env fi fi fi From c79dcbe30028079b529dc3bd037dd9ce465c82eb Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 11:46:41 +0200 Subject: [PATCH 07/20] ci: expose RUN_RELIABILITY as spec.inputs so it appears in GitLab New Pipeline dialog --- .gitlab-ci.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 43f3cf577..dedd1ade1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,3 +1,12 @@ +spec: + inputs: + RUN_RELIABILITY: + description: "Run reliability and chaos tests (normally controlled by the test:reliability PR label)" + default: "true" + options: + - "true" + - "false" + image: alpine variables: 
@@ -8,9 +17,9 @@ variables: FORCE_BUILD: value: "" description: "Force build even if no new commits (any non-empty value)" - RUN_RELIABILITY: - value: "true" - description: "Run reliability and chaos tests (overridden to false by prepare.sh when test:reliability label is absent)" + # Expose the spec.inputs value as a regular env var for job scripts. + # prepare.sh (via dotenv artifact) overrides this for automated pipelines. + RUN_RELIABILITY: $[[ inputs.RUN_RELIABILITY ]] MAVEN_REPOSITORY_PROXY: "https://depot-read-api-java.us1.ddbuild.io/magicmirror/magicmirror/@current/" default: From 4903383d66631d9544275498f442928b5b8c2ade Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 11:52:33 +0200 Subject: [PATCH 08/20] ci: revert to variables+description for RUN_RELIABILITY (spec.inputs unsupported in root yml) --- .gitlab-ci.yml | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index dedd1ade1..dc8902c6c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,12 +1,3 @@ -spec: - inputs: - RUN_RELIABILITY: - description: "Run reliability and chaos tests (normally controlled by the test:reliability PR label)" - default: "true" - options: - - "true" - - "false" - image: alpine variables: @@ -17,9 +8,9 @@ variables: FORCE_BUILD: value: "" description: "Force build even if no new commits (any non-empty value)" - # Expose the spec.inputs value as a regular env var for job scripts. - # prepare.sh (via dotenv artifact) overrides this for automated pipelines. - RUN_RELIABILITY: $[[ inputs.RUN_RELIABILITY ]] + RUN_RELIABILITY: + value: "true" + description: "Run reliability and chaos tests. Overridden by prepare.sh based on the test:reliability PR label in automated pipelines." MAVEN_REPOSITORY_PROXY: "https://depot-read-api-java.us1.ddbuild.io/magicmirror/magicmirror/@current/" default: From 2287bad0cf01be604f0ca3dd73e6d6d3a2463553 Mon Sep 17 00:00:00 2001 
From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 11:55:50 +0200 Subject: [PATCH 09/20] fix(ci): move trigger variables to job level (not inside trigger: block) --- .gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index dc8902c6c..b134a8317 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -194,6 +194,9 @@ generate-reliability-child-pipeline: run-reliability-tests: stage: reliability + variables: + DDPROF_COMMIT_BRANCH: "$DDPROF_COMMIT_BRANCH" + DDPROF_COMMIT_SHA: "$DDPROF_COMMIT_SHA" needs: - job: generate-reliability-child-pipeline artifacts: true @@ -212,9 +215,6 @@ run-reliability-tests: strategy: depend forward: pipeline_variables: true - variables: - DDPROF_COMMIT_BRANCH: "$DDPROF_COMMIT_BRANCH" - DDPROF_COMMIT_SHA: "$DDPROF_COMMIT_SHA" include: - local: .gitlab/common.yml From ab202da1cd63dc1369965d08e073e7d7b7b95f8b Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 12:08:48 +0200 Subject: [PATCH 10/20] ci: default RUN_RELIABILITY to false --- .gitlab-ci.yml | 4 ++-- .gitlab/scripts/prepare.sh | 13 +++---------- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b134a8317..ba043dcf9 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -9,8 +9,8 @@ variables: value: "" description: "Force build even if no new commits (any non-empty value)" RUN_RELIABILITY: - value: "true" - description: "Run reliability and chaos tests. Overridden by prepare.sh based on the test:reliability PR label in automated pipelines." + value: "false" + description: "Run reliability and chaos tests. Set automatically when the test:reliability label is on the PR." MAVEN_REPOSITORY_PROXY: "https://depot-read-api-java.us1.ddbuild.io/magicmirror/magicmirror/@current/" default: diff --git a/.gitlab/scripts/prepare.sh b/.gitlab/scripts/prepare.sh index a241fa8ca..38f841730 100755 --- a/.gitlab/scripts/prepare.sh +++ b/.gitlab/scripts/prepare.sh 
@@ -22,20 +22,13 @@ if [ "${CI_PIPELINE_SOURCE}" == "push" ] || [ "${CI_PIPELINE_SOURCE}" == "trigge echo "CANCELLED=true" >> build.env exit 0 fi - # Always write RUN_RELIABILITY to build.env so the dotenv artifact overrides - # the GitLab UI default (value: "true") for automated pipelines. + # Detect PR labels and export flags for downstream jobs if command -v jq >/dev/null 2>&1; then if echo "${API_RESPONSE}" | jq -e '[.[0].labels[].name] | any(. == "test:reliability")' >/dev/null 2>&1; then echo "RUN_RELIABILITY=true" >> build.env - else - echo "RUN_RELIABILITY=false" >> build.env - fi - else - if echo "${API_RESPONSE}" | grep -q '"test:reliability"'; then - echo "RUN_RELIABILITY=true" >> build.env - else - echo "RUN_RELIABILITY=false" >> build.env fi + elif echo "${API_RESPONSE}" | grep -q '"test:reliability"'; then + echo "RUN_RELIABILITY=true" >> build.env fi fi fi From 0176e6c4672cc7d88f54ef7daaa46e14e883f06f Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 15:44:11 +0200 Subject: [PATCH 11/20] fix(ci): replace alpine with approved registry image in reliability jobs --- .gitlab-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ba043dcf9..83ce0def5 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -161,7 +161,7 @@ jdk-integration-test: generate-reliability-child-pipeline: stage: reliability tags: ["arch:amd64"] - image: alpine + image: $PREPARE_IMAGE needs: - job: prepare:start artifacts: true @@ -179,7 +179,7 @@ generate-reliability-child-pipeline: else cat > generated-reliability.yml << 'NOOP' skip-reliability: - image: alpine + image: registry.ddbuild.io/images/benchmarking-platform-tools-ubuntu:latest tags: ["arch:amd64"] script: - echo "Label test:reliability not set — skipping" From 0b3a1d735a9daf5559ecec0793d4c73dcdaae555 Mon Sep 17 00:00:00 2001 
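Review bot: In PATCH 11 the generated `skip-reliability` job pulls `registry.ddbuild.io/images/benchmarking-platform-tools-ubuntu:latest`, a mutable tag, so the image that runs can change without any change in this repository. Pinning it to a version tag or a digest, `image: registry.ddbuild.io/images/benchmarking-platform-tools-ubuntu@sha256:<digest>`, keeps the child pipeline reproducible and reviewable. The job only runs one `echo`, so a short comment above the heredoc saying why this particular image is used would also help the next reader.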
From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 16:18:05 +0200 Subject: [PATCH 12/20] fix(ci): replace bash-style default ${RUNTIME:-120} with plain value 120 --- .gitlab/reliability/pr-child.gitlab-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab/reliability/pr-child.gitlab-ci.yml b/.gitlab/reliability/pr-child.gitlab-ci.yml index 156012a36..d35da70c4 100644 --- a/.gitlab/reliability/pr-child.gitlab-ci.yml +++ b/.gitlab/reliability/pr-child.gitlab-ci.yml @@ -22,7 +22,7 @@ get-versions: stage: test timeout: 6h variables: - RUNTIME: "${RUNTIME:-120}" + RUNTIME: "120" needs: - job: get-versions artifacts: true @@ -80,7 +80,7 @@ reliability-aarch64: stage: test timeout: 6h variables: - RUNTIME: "${RUNTIME:-120}" + RUNTIME: "120" needs: - job: get-versions artifacts: true From 2b981d016b2b921e4e9203c5670fc9b74bfa542a Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 17:28:30 +0200 Subject: [PATCH 13/20] fix(ci): include crash signal and frame in chaos failure report --- .gitlab/reliability/chaos_check.sh | 10 +++++++++- .gitlab/reliability/post-pr-comment.sh | 6 ++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/.gitlab/reliability/chaos_check.sh b/.gitlab/reliability/chaos_check.sh index 93730c1f9..844a8522b 100755 --- a/.gitlab/reliability/chaos_check.sh +++ b/.gitlab/reliability/chaos_check.sh @@ -160,6 +160,14 @@ RC=$? echo "RC=$RC" if [ $RC -ne 0 ]; then - echo "FAIL:Chaos harness crashed (RC=$RC)" >&2 + CRASH_MSG="Chaos harness crashed (RC=${RC})" + HS_ERR="${HERE}/../../hs_err.log" + if [ -f "${HS_ERR}" ]; then + SIG=$(grep -m1 '^siginfo:' "${HS_ERR}" 2>/dev/null | tr -d '\n' | cut -c1-120) + FRAME=$(grep -m1 'libjavaProfiler\|AsyncProfiler' "${HS_ERR}" 2>/dev/null | sed 's/^[[:space:]]*//' | tr -d '\n' | cut -c1-120) + [ -n "${SIG}" ] && CRASH_MSG="${CRASH_MSG};${SIG}" + [ -n "${FRAME}" ] && CRASH_MSG="${CRASH_MSG};${FRAME}" + fi + echo "FAIL:${CRASH_MSG}" >&2 exit 1 fi 
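Review bot: In chaos_check.sh `SIG` and `FRAME` are joined into `CRASH_MSG` with `;`, which post-pr-comment.sh in the same patch turns into newlines, but neither value has `;` removed first, so a frame line that carries a JVM type signature is split in the middle of the report. Stripping it where the newline is already stripped, `tr -d '\n;'`, keeps one field per line. These lines are copied from `hs_err.log` into a PR comment, so I would add a comment stating that only the `siginfo:` line and the first profiler frame are taken, each capped at 120 characters. The log is read from the fixed path `${HERE}/../../hs_err.log`; whether a file from an earlier run can still be there is not visible in this hunk.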
diff --git a/.gitlab/reliability/post-pr-comment.sh b/.gitlab/reliability/post-pr-comment.sh index 3f263f791..c7a42d3b7 100755 --- a/.gitlab/reliability/post-pr-comment.sh +++ b/.gitlab/reliability/post-pr-comment.sh @@ -39,11 +39,12 @@ for key in $(compgen -v | grep -E '^REASON_.*X(jit|memory)$' | sort); do reason="${!key}" label="${key#REASON_}" rel_fail=$((rel_fail + 1)) + detail=$(printf '%s' "${reason//\`/}" | tr ';' '\n') rel_failures="${rel_failures}
❌ ${label//_/ } \`\`\` -${reason//\`/} +${detail} \`\`\`
" @@ -53,11 +54,12 @@ for key in $(compgen -v | grep -E '^REASON_.*Xchaos$' | sort); do reason="${!key}" label="${key#REASON_}" chaos_fail=$((chaos_fail + 1)) + detail=$(printf '%s' "${reason//\`/}" | tr ';' '\n') chaos_failures="${chaos_failures}
❌ chaos: ${label//_/ } \`\`\` -${reason//\`/} +${detail} \`\`\`
" From 378126e1589b9bd8e05285ff9d78581757d5c83b Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Thu, 11 Jun 2026 18:15:47 +0200 Subject: [PATCH 14/20] fix(ci): use dd-octo-sts to clone benchmarking-platform (CI_JOB_TOKEN cross-project not allowed) --- .gitlab/benchmarks/post-pr-comment.sh | 5 +++-- .gitlab/reliability/post-pr-comment.sh | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.gitlab/benchmarks/post-pr-comment.sh b/.gitlab/benchmarks/post-pr-comment.sh index ff575d2d3..1dd35e7ce 100755 --- a/.gitlab/benchmarks/post-pr-comment.sh +++ b/.gitlab/benchmarks/post-pr-comment.sh @@ -27,8 +27,9 @@ fi if ! command -v pr-commenter >/dev/null 2>&1; then PLATFORM_DIR=$(mktemp -d) trap "rm -rf ${PLATFORM_DIR}" EXIT - git -c url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf="https://github.com/DataDog/" \ - clone --depth 1 --branch dd-trace-go https://github.com/DataDog/benchmarking-platform "${PLATFORM_DIR}" + GH_CLONE_TOKEN=$(dd-octo-sts token --scope DataDog/java-profiler --policy async-profiler-build.ci 2>/dev/null) + git clone --depth 1 --branch dd-trace-go \ + "https://x-access-token:${GH_CLONE_TOKEN}@github.com/DataDog/benchmarking-platform" "${PLATFORM_DIR}" export PATH="${PLATFORM_DIR}/tools:${PATH}" fi diff --git a/.gitlab/reliability/post-pr-comment.sh b/.gitlab/reliability/post-pr-comment.sh index c7a42d3b7..2e0244444 100755 --- a/.gitlab/reliability/post-pr-comment.sh +++ b/.gitlab/reliability/post-pr-comment.sh 
@@ -26,8 +26,9 @@ fi if ! command -v pr-commenter >/dev/null 2>&1; then PLATFORM_DIR=$(mktemp -d) trap "rm -rf ${PLATFORM_DIR}" EXIT - git -c url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf="https://github.com/DataDog/" \ - clone --depth 1 --branch dd-trace-go https://github.com/DataDog/benchmarking-platform "${PLATFORM_DIR}" + GH_CLONE_TOKEN=$(dd-octo-sts token --scope DataDog/java-profiler --policy async-profiler-build.ci 2>/dev/null) + git clone --depth 1 --branch dd-trace-go \ + "https://x-access-token:${GH_CLONE_TOKEN}@github.com/DataDog/benchmarking-platform" "${PLATFORM_DIR}" export PATH="${PLATFORM_DIR}/tools:${PATH}" fi From 549012a6808c1c0386d9993aea638b42f6675767 Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Fri, 12 Jun 2026 08:25:54 +0200 Subject: [PATCH 15/20] fix(ci): clone benchmarking-platform without auth (public repo) --- .gitlab/benchmarks/post-pr-comment.sh | 3 +-- .gitlab/reliability/post-pr-comment.sh | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.gitlab/benchmarks/post-pr-comment.sh b/.gitlab/benchmarks/post-pr-comment.sh index 1dd35e7ce..8f234eb70 100755 --- a/.gitlab/benchmarks/post-pr-comment.sh +++ b/.gitlab/benchmarks/post-pr-comment.sh @@ -27,9 +27,8 @@ fi if ! command -v pr-commenter >/dev/null 2>&1; then PLATFORM_DIR=$(mktemp -d) trap "rm -rf ${PLATFORM_DIR}" EXIT - GH_CLONE_TOKEN=$(dd-octo-sts token --scope DataDog/java-profiler --policy async-profiler-build.ci 2>/dev/null) git clone --depth 1 --branch dd-trace-go \ - "https://x-access-token:${GH_CLONE_TOKEN}@github.com/DataDog/benchmarking-platform" "${PLATFORM_DIR}" + "https://github.com/DataDog/benchmarking-platform" "${PLATFORM_DIR}" export PATH="${PLATFORM_DIR}/tools:${PATH}" fi diff --git a/.gitlab/reliability/post-pr-comment.sh b/.gitlab/reliability/post-pr-comment.sh index 2e0244444..a7455c721 100755 --- a/.gitlab/reliability/post-pr-comment.sh +++ b/.gitlab/reliability/post-pr-comment.sh 
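Review bot: PATCH 14 interpolates `${GH_CLONE_TOKEN}` into the clone URL in both post-pr-comment.sh files, which writes the token into `${PLATFORM_DIR}/.git/config` as the remote and exposes it in the `git` process arguments. Where an authenticated clone is needed, a credential helper or `GIT_ASKPASS` keeps the secret out of the URL. The `2>/dev/null` on `dd-octo-sts` hides the reason for a failed exchange, so an explicit check such as `[ -n "${GH_CLONE_TOKEN}" ] || { echo "no clone token" >&2; exit 1; }` is worth adding. The token is requested with `--scope DataDog/java-profiler` while the clone targets `DataDog/benchmarking-platform`, which looks like a scope mismatch, though the policy is not shown.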
@@ -26,9 +26,8 @@ fi if ! command -v pr-commenter >/dev/null 2>&1; then PLATFORM_DIR=$(mktemp -d) trap "rm -rf ${PLATFORM_DIR}" EXIT - GH_CLONE_TOKEN=$(dd-octo-sts token --scope DataDog/java-profiler --policy async-profiler-build.ci 2>/dev/null) git clone --depth 1 --branch dd-trace-go \ - "https://x-access-token:${GH_CLONE_TOKEN}@github.com/DataDog/benchmarking-platform" "${PLATFORM_DIR}" + "https://github.com/DataDog/benchmarking-platform" "${PLATFORM_DIR}" export PATH="${PLATFORM_DIR}/tools:${PATH}" fi From b388ca59b59e571f36ca687d15b8b880ceaa6cc0 Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Fri, 12 Jun 2026 10:00:33 +0200 Subject: [PATCH 16/20] fix(ci): post PR comments via GitHub API + dd-octo-sts token (drop pr-commenter) --- .gitlab/benchmarks/post-pr-comment.sh | 35 +++-------- .gitlab/reliability/post-pr-comment.sh | 35 +++-------- .gitlab/scripts/upsert-github-pr-comment.sh | 68 +++++++++++++++++++++ 3 files changed, 86 insertions(+), 52 deletions(-) create mode 100755 .gitlab/scripts/upsert-github-pr-comment.sh diff --git a/.gitlab/benchmarks/post-pr-comment.sh b/.gitlab/benchmarks/post-pr-comment.sh index 8f234eb70..de410dff9 100755 --- a/.gitlab/benchmarks/post-pr-comment.sh +++ b/.gitlab/benchmarks/post-pr-comment.sh 
@@ -6,31 +6,13 @@ # # Required env: # DDPROF_COMMIT_BRANCH – branch name used to locate the open PR -# CI_JOB_TOKEN – used to clone benchmarking-platform if needed # Optional env: # CI_PIPELINE_URL, DDPROF_COMMIT_SHA set -euo pipefail REPORTS_DIR="${1:-reports}" -REPO="DataDog/java-profiler" - -# Skip for main / unset branches (no PR to comment on) -if [ -z "${DDPROF_COMMIT_BRANCH:-}" ] || \ - [ "${DDPROF_COMMIT_BRANCH}" = "main" ] || \ - [ "${DDPROF_COMMIT_BRANCH}" = "master" ]; then - echo "Skipping PR comment for branch: ${DDPROF_COMMIT_BRANCH:-}" - exit 0 -fi - -# Acquire pr-commenter from benchmarking-platform if not already on PATH -if ! command -v pr-commenter >/dev/null 2>&1; then - PLATFORM_DIR=$(mktemp -d) - trap "rm -rf ${PLATFORM_DIR}" EXIT - git clone --depth 1 --branch dd-trace-go \ - "https://github.com/DataDog/benchmarking-platform" "${PLATFORM_DIR}" - export PATH="${PLATFORM_DIR}/tools:${PATH}" -fi +HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # Aggregate all per-cell reports into a single comment body SECTIONS="" @@ -51,14 +33,15 @@ if [ -z "${SECTIONS}" ]; then exit 0 fi -COMMENT_BODY="## Benchmark Results +BODY_FILE=$(mktemp) +trap 'rm -f "${BODY_FILE}"' EXIT +cat > "${BODY_FILE}" <}" - exit 0 -fi - -# Acquire pr-commenter from benchmarking-platform if not already on PATH -if ! command -v pr-commenter >/dev/null 2>&1; then - PLATFORM_DIR=$(mktemp -d) - trap "rm -rf ${PLATFORM_DIR}" EXIT - git clone --depth 1 --branch dd-trace-go \ - "https://github.com/DataDog/benchmarking-platform" "${PLATFORM_DIR}" - export PATH="${PLATFORM_DIR}/tools:${PATH}" -fi +HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # ── Collect failures from REASON_* env vars ──────────────────────────────────── rel_fail=0; rel_failures="" 
@@ -73,13 +55,14 @@ else overall="✅ **All reliability & chaos checks passed**" fi -COMMENT_BODY="## Reliability & Chaos Results +BODY_FILE=$(mktemp) +trap 'rm -f "${BODY_FILE}"' EXIT +cat > "${BODY_FILE}" < +# +# comment-id : unique slug used as an HTML marker to find/replace the comment +# branch : head branch name used to locate the open PR +# body-file : path to a file holding the markdown comment body +# +# Requires in CI: dd-octo-sts CLI + DDOCTOSTS_ID_TOKEN id_token, curl, jq. +# Token policy async-profiler-build.ci grants issues:write + pull_requests:read. + +set -euo pipefail + +COMMENT_ID="${1:?comment-id required}" +BRANCH="${2:?branch required}" +BODY_FILE="${3:?body-file required}" +REPO="DataDog/java-profiler" +API="https://api.github.com/repos/${REPO}" + +log() { echo "[upsert-pr-comment] $*" >&2; } + +if [ -z "${BRANCH}" ] || [ "${BRANCH}" = "main" ] || [ "${BRANCH}" = "master" ]; then + log "Skipping PR comment for branch: ${BRANCH:-}" + exit 0 +fi +if [ ! -s "${BODY_FILE}" ]; then + log "Empty body file (${BODY_FILE}) — nothing to post" + exit 0 +fi + +# 1. Obtain a GitHub token via dd-octo-sts (no stored secrets). +TOKEN=$(dd-octo-sts token --scope "${REPO}" --policy async-profiler-build.ci 2>/dev/null || true) +if [ -z "${TOKEN}" ]; then + log "Failed to obtain GitHub token via dd-octo-sts — skipping comment" + exit 0 +fi +AUTH=(-H "Authorization: Bearer ${TOKEN}" -H "Accept: application/vnd.github+json") + +# 2. Resolve the open PR for this branch. +PR=$(curl -fsS "${AUTH[@]}" "${API}/pulls?head=DataDog:${BRANCH}&state=open&per_page=1" \ + | jq -r '.[0].number // empty') +if [ -z "${PR}" ]; then + log "No open PR found for branch ${BRANCH} — skipping comment" + exit 0 +fi + +# 3. Prepend a stable marker and build the JSON payload safely. +MARKER="" +BODY="${MARKER}"$'\n'"$(cat "${BODY_FILE}")" +PAYLOAD=$(jq -n --arg body "${BODY}" '{body: $body}') + +# 4. Find an existing marker comment and PATCH it, otherwise POST a new one. 
+CID=$(curl -fsS "${AUTH[@]}" "${API}/issues/${PR}/comments?per_page=100" \ + | jq -r --arg m "${MARKER}" '.[] | select(.body | contains($m)) | .id' | head -n1) + +if [ -n "${CID}" ]; then + curl -fsS -X PATCH "${AUTH[@]}" "${API}/issues/comments/${CID}" -d "${PAYLOAD}" >/dev/null + log "Updated comment ${CID} on PR #${PR}" +else + curl -fsS -X POST "${AUTH[@]}" "${API}/issues/${PR}/comments" -d "${PAYLOAD}" >/dev/null + log "Created comment on PR #${PR}" +fi From 469aee57bf4f824dc0e73bc7da41d8242dff34ab Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Fri, 12 Jun 2026 10:33:25 +0200 Subject: [PATCH 17/20] fix(ci): run benchmarks automatically on push-source PR pipelines --- .gitlab/benchmarks/.gitlab-ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.gitlab/benchmarks/.gitlab-ci.yml b/.gitlab/benchmarks/.gitlab-ci.yml index 30e4748d7..34568a6a2 100644 --- a/.gitlab/benchmarks/.gitlab-ci.yml +++ b/.gitlab/benchmarks/.gitlab-ci.yml @@ -22,8 +22,11 @@ variables: - if: '$CI_PIPELINE_SOURCE == "web"' when: manual allow_failure: true + # codesync mirrors GitHub PR pushes as push-source pipelines; run benchmarks + # automatically and non-blocking (allow_failure). The before_script CANCELLED + # gate skips branches with no open PR. - if: '$CI_PIPELINE_SOURCE == "push"' - when: manual + when: on_success allow_failure: true script: | # setup the env From d15d987e5508ac28a023efc946865d96b95846d3 Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Fri, 12 Jun 2026 10:37:01 +0200 Subject: [PATCH 18/20] fix(ci): harden PR-comment helper (trim/validate token, GH API headers, surface HTTP errors) --- .gitlab/scripts/upsert-github-pr-comment.sh | 47 +++++++++++++++++---- 1 file changed, 39 insertions(+), 8 deletions(-) diff --git a/.gitlab/scripts/upsert-github-pr-comment.sh b/.gitlab/scripts/upsert-github-pr-comment.sh index c8c7276eb..c7a60a738 100755 --- a/.gitlab/scripts/upsert-github-pr-comment.sh 
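Review bot: In the new upsert-github-pr-comment.sh, `${BRANCH}` is placed unencoded into `${API}/pulls?head=DataDog:${BRANCH}&state=open&per_page=1`, so a branch name containing `&`, `#`, `%` or `+` changes the request instead of being matched literally. Letting curl encode it fixes that: `curl -fsS -G "${AUTH[@]}" --data-urlencode "head=DataDog:${BRANCH}" -d state=open -d per_page=1 "${API}/pulls"`. Step 4 also takes the first comment whose body contains the marker regardless of who wrote it, so an author check in the jq filter (the bot's login is not shown on this page) would avoid editing someone else's comment. PATCH 18 keeps the same URL construction in its `gh_api GET` call.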
+++ b/.gitlab/scripts/upsert-github-pr-comment.sh @@ -25,6 +25,31 @@ API="https://api.github.com/repos/${REPO}" log() { echo "[upsert-pr-comment] $*" >&2; } +# gh_api [data] — performs a GitHub API call, capturing both the +# response body and HTTP status. On HTTP >= 400 it logs the status and body +# (turning opaque "curl 403" failures into actionable diagnostics) and returns 1. +# On success the response body is written to stdout. +gh_api() { + local method="$1" url="$2" data="${3:-}" + local args=(-sS -X "${method}" + -H "Authorization: Bearer ${TOKEN}" + -H "Accept: application/vnd.github+json" + -H "X-GitHub-Api-Version: 2022-11-28" + -H "User-Agent: java-profiler-ci" + -w $'\n%{http_code}') + [ -n "${data}" ] && args+=(-d "${data}") + local resp status body + resp=$(curl "${args[@]}" "${url}") || { log "curl failed for ${method} ${url}"; return 1; } + status="${resp##*$'\n'}" + body="${resp%$'\n'*}" + if [ "${status}" -ge 400 ]; then + log "GitHub API ${method} ${url} -> HTTP ${status}" + log "Response: ${body}" + return 1 + fi + printf '%s' "${body}" +} + if [ -z "${BRANCH}" ] || [ "${BRANCH}" = "main" ] || [ "${BRANCH}" = "master" ]; then log "Skipping PR comment for branch: ${BRANCH:-}" exit 0 
@@ -34,17 +59,23 @@ if [ ! -s "${BODY_FILE}" ]; then exit 0 fi -# 1. Obtain a GitHub token via dd-octo-sts (no stored secrets). -TOKEN=$(dd-octo-sts token --scope "${REPO}" --policy async-profiler-build.ci 2>/dev/null || true) +# 1. Obtain a GitHub token via dd-octo-sts (no stored secrets). Trim whitespace +# and validate the format, mirroring publish-gh-pages.sh — a token polluted +# with log noise/newlines produces a malformed header and a GitHub 403. +TOKEN=$(dd-octo-sts token --scope "${REPO}" --policy async-profiler-build.ci 2>/tmp/octo-sts.err || true) +TOKEN="${TOKEN//[$'\t\r\n ']/}" if [ -z "${TOKEN}" ]; then log "Failed to obtain GitHub token via dd-octo-sts — skipping comment" + [ -s /tmp/octo-sts.err ] && log "dd-octo-sts: $(head -3 /tmp/octo-sts.err)" + exit 0 +fi +if [[ ! "${TOKEN}" =~ ^(ghs_|ghp_|github_pat_|v1\.|[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.) ]]; then + log "dd-octo-sts returned an unexpected token format (first 8 chars: ${TOKEN:0:8}) — skipping" exit 0 fi -AUTH=(-H "Authorization: Bearer ${TOKEN}" -H "Accept: application/vnd.github+json") # 2. Resolve the open PR for this branch. -PR=$(curl -fsS "${AUTH[@]}" "${API}/pulls?head=DataDog:${BRANCH}&state=open&per_page=1" \ - | jq -r '.[0].number // empty') +PR=$(gh_api GET "${API}/pulls?head=DataDog:${BRANCH}&state=open&per_page=1" | jq -r '.[0].number // empty') if [ -z "${PR}" ]; then log "No open PR found for branch ${BRANCH} — skipping comment" exit 0 
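Review bot: The dd-octo-sts stderr is redirected to the fixed path `/tmp/octo-sts.err`, which is predictable and never removed; `ERR_FILE=$(mktemp)` together with `trap 'rm -f "${ERR_FILE}"' EXIT` avoids clashes and leftovers on a shared runner. The unexpected-format branch logs `${TOKEN:0:8}`, and if the value is a real token in a format the regex does not list, that puts part of a credential into the job log, so `${#TOKEN}` (the length) is the safer diagnostic. A one-line comment naming what each regex alternative stands for would make the allow-list easier to maintain.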
@@ -56,13 +87,13 @@ BODY="${MARKER}"$'\n'"$(cat "${BODY_FILE}")" PAYLOAD=$(jq -n --arg body "${BODY}" '{body: $body}') # 4. Find an existing marker comment and PATCH it, otherwise POST a new one. -CID=$(curl -fsS "${AUTH[@]}" "${API}/issues/${PR}/comments?per_page=100" \ +CID=$(gh_api GET "${API}/issues/${PR}/comments?per_page=100" \ | jq -r --arg m "${MARKER}" '.[] | select(.body | contains($m)) | .id' | head -n1) if [ -n "${CID}" ]; then - curl -fsS -X PATCH "${AUTH[@]}" "${API}/issues/comments/${CID}" -d "${PAYLOAD}" >/dev/null + gh_api PATCH "${API}/issues/comments/${CID}" "${PAYLOAD}" >/dev/null log "Updated comment ${CID} on PR #${PR}" else - curl -fsS -X POST "${AUTH[@]}" "${API}/issues/${PR}/comments" -d "${PAYLOAD}" >/dev/null + gh_api POST "${API}/issues/${PR}/comments" "${PAYLOAD}" >/dev/null log "Created comment on PR #${PR}" fi From a403026dce8732a4fe248798a8a218d01c1d8962 Mon Sep 17 00:00:00 2001 From: Jaroslav Bachorik Date: Fri, 12 Jun 2026 12:04:38 +0200 Subject: [PATCH 19/20] fix(ci): grant pull_requests:write for PR comments; run benchmarks on any source --- .../async-profiler-build.ci.sts.yaml | 5 +++- .gitlab/benchmarks/.gitlab-ci.yml | 26 ++++++++++--------- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/.github/chainguard/async-profiler-build.ci.sts.yaml b/.github/chainguard/async-profiler-build.ci.sts.yaml index 1c7cd6a2a..339ec1a03 100644 --- a/.github/chainguard/async-profiler-build.ci.sts.yaml +++ b/.github/chainguard/async-profiler-build.ci.sts.yaml @@ -6,4 +6,7 @@ subject_pattern: "project_path:DataDog/java-profiler:ref_type:branch:ref:.*" permissions: contents: write issues: write - pull_requests: read + # write (not read) is required to post comments on pull requests via the + # issues/comments endpoint — GitLab CI back-reports benchmark & reliability + # results to the PR (see .gitlab/scripts/upsert-github-pr-comment.sh). + pull_requests: write 
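Review bot: In async-profiler-build.ci.sts.yaml, `pull_requests: write` is added to a policy whose `subject_pattern` ends in `ref:.*`, so every branch pipeline of the project can obtain a token that now carries `contents: write`, `issues: write` and `pull_requests: write`. The comment job only creates and edits PR comments, so a separate policy for it without `contents: write` would be the least-privilege shape. PATCH 17 notes that PR pushes are mirrored as push pipelines, which makes the width of the ref pattern worth documenting in a comment next to it. The top of the policy file is outside the hunk, so its other consumers are not visible here.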
diff --git a/.gitlab/benchmarks/.gitlab-ci.yml b/.gitlab/benchmarks/.gitlab-ci.yml index 34568a6a2..960383af6 100644 --- a/.gitlab/benchmarks/.gitlab-ci.yml +++ b/.gitlab/benchmarks/.gitlab-ci.yml @@ -17,16 +17,17 @@ variables: rules: - if: '$JDK_VERSION != null || $DEBUG_LEVEL != null || $HASH != null || $DOWNSTREAM != null' when: never - - if: '$CI_PIPELINE_SOURCE == "trigger" || $CI_PIPELINE_SOURCE == "pipeline"' - when: on_success + - if: '$CI_PIPELINE_SOURCE == "schedule"' + when: never + - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' + when: never - if: '$CI_PIPELINE_SOURCE == "web"' when: manual allow_failure: true - # codesync mirrors GitHub PR pushes as push-source pipelines; run benchmarks - # automatically and non-blocking (allow_failure). The before_script CANCELLED + # Run automatically and non-blocking on any other source (push/trigger/api/ + # etc.) — mirrors the integration-test rules. The before_script CANCELLED # gate skips branches with no open PR. - - if: '$CI_PIPELINE_SOURCE == "push"' - when: on_success + - when: on_success allow_failure: true script: | # setup the env @@ -96,12 +97,13 @@ post-benchmarks-pr-comment: rules: - if: '$JDK_VERSION != null || $DEBUG_LEVEL != null || $HASH != null || $DOWNSTREAM != null' when: never - - if: '$CI_PIPELINE_SOURCE == "trigger" || $CI_PIPELINE_SOURCE == "pipeline"' - when: on_success - - if: '$CI_PIPELINE_SOURCE == "web"' - when: always - - if: '$CI_PIPELINE_SOURCE == "push"' - when: always + - if: '$CI_PIPELINE_SOURCE == "schedule"' + when: never + - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' + when: never + # Always run when the candidate jobs ran, regardless of source, so results + # are posted back to the PR. + - when: always timeout: 5m script: - .gitlab/benchmarks/post-pr-comment.sh reports From eea64019c272b81cd8a4b6581587641f73d728b0 Mon Sep 17 00:00:00 2001 
From: Jaroslav Bachorik Date: Fri, 12 Jun 2026 12:11:20 +0200 Subject: [PATCH 20/20] ci: drop sts policy change (split into #595) --- .github/chainguard/async-profiler-build.ci.sts.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/chainguard/async-profiler-build.ci.sts.yaml b/.github/chainguard/async-profiler-build.ci.sts.yaml index 339ec1a03..1c7cd6a2a 100644 --- a/.github/chainguard/async-profiler-build.ci.sts.yaml +++ b/.github/chainguard/async-profiler-build.ci.sts.yaml @@ -6,7 +6,4 @@ subject_pattern: "project_path:DataDog/java-profiler:ref_type:branch:ref:.*" permissions: contents: write issues: write - # write (not read) is required to post comments on pull requests via the - # issues/comments endpoint — GitLab CI back-reports benchmark & reliability - # results to the PR (see .gitlab/scripts/upsert-github-pr-comment.sh). - pull_requests: write + pull_requests: read