DataDog · AlexeyKuznetsov-DD · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025
@@ -30,7 +30,7 @@ jobs:
             ${{ runner.os }}-gradle-
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+        uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
         with:
           languages: 'java'
           build-mode: 'manual'
@@ -49,7 +49,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+        uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
 
   trivy:
     name: Analyze changes with Trivy
@@ -114,7 +114,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

@@ -52,7 +52,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
         with:
           name: binaries
           path: workspace/dd-java-agent/build/libs/

@@ -3,7 +3,7 @@ include:
   - local: ".gitlab/benchmarks.yml"
   - local: ".gitlab/macrobenchmarks.yml"
   - local: ".gitlab/exploration-tests.yml"
-  #  - local: ".gitlab/ci-visibility-tests.yml"
+  - local: ".gitlab/ci-visibility-tests.yml"
 
 stages:
   - build
@@ -138,7 +138,7 @@ default:
     KUBERNETES_CPU_REQUEST: 8
     KUBERNETES_MEMORY_REQUEST: 8Gi
     KUBERNETES_MEMORY_LIMIT: 8Gi
-    CACHE_TYPE: lib #default
+    CACHE_TYPE: "lib" #default
     FF_USE_FASTZIP: "true"
     CACHE_COMPRESSION_LEVEL: "slowest"
 
@@ -148,10 +148,11 @@ default:
   cache:
     - key: dependency-$CACHE_TYPE # Dependencies cache
       paths:
-        # Cached dependencies and wrappers for gradle
+        # Cached dependencies and wrappers for Gradle and Maven:
         - .gradle/wrapper
         - .gradle/caches
         - .gradle/notifications
+        - .mvn/caches
       policy: $DEPENDENCY_CACHE_POLICY
       unprotect: true
       fallback_keys: # Use fallback keys because all cache types are not populated. See note under: populate_dep_cache
@@ -174,6 +175,7 @@ default:
     - export GRADLE_USER_HOME=$(pwd)/.gradle
     # replace maven central part by MAVEN_REPOSITORY_PROXY in .mvn/wrapper/maven-wrapper.properties
     - sed -i "s|https://repo.maven.apache.org/maven2/|$MAVEN_REPOSITORY_PROXY|g" .mvn/wrapper/maven-wrapper.properties
+    - mkdir -p .mvn/caches
     - export GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xms$GRADLE_MEM -Xmx$GRADLE_MEM -XX:ErrorFile=/tmp/hs_err_pid%p.log -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp'"
     - export GRADLE_ARGS=" --build-cache --stacktrace --no-daemon --parallel --max-workers=$GRADLE_WORKERS"
     - *normalize_node_index
@@ -246,7 +248,7 @@ build:
   extends: .gradle_build
   variables:
     BUILD_CACHE_POLICY: push
-    CACHE_TYPE: lib
+    CACHE_TYPE: "lib"
     DEPENDENCY_CACHE_POLICY: pull
   script:
     - if [ $CI_PIPELINE_SOURCE == "schedule" ] ; then ./gradlew resolveAndLockAll --write-locks $GRADLE_ARGS; fi
@@ -358,14 +360,24 @@ spotless:
   script:
     - ./gradlew --version
     - ./gradlew spotlessCheck $GRADLE_ARGS
+  after_script:
+    - *cgroup_info
+    - source .gitlab/gitlab-utils.sh
+    - gitlab_section_start "collect-reports" "Collecting reports"
+    - .gitlab/collect_reports.sh
+    - gitlab_section_end "collect-reports"
+  artifacts:
+    when: always
+    paths:
+      - ./check_reports
 
 test_published_artifacts:
   extends: .gradle_build
   image: ghcr.io/datadog/dd-trace-java-docker-build:${BUILDER_IMAGE_VERSION_PREFIX}7 # Needs Java7 for some tests
   stage: tests
   needs: [ build ]
   variables:
-    CACHE_TYPE: lib
+    CACHE_TYPE: "lib"
   script:
     - mvn_local_repo=$(./mvnw help:evaluate -Dexpression=settings.localRepository -q -DforceStdout)
     - rm -rf "${mvn_local_repo}/com/datadoghq"
@@ -393,7 +405,7 @@ test_published_artifacts:
   needs: [ build ]
   stage: tests
   variables:
-    CACHE_TYPE: lib
+    CACHE_TYPE: "lib"
   script:
     - *gitlab_base_ref_params
     - ./gradlew --version
@@ -429,12 +441,14 @@ check_inst:
   parallel: 4
   variables:
     GRADLE_TARGET: ":instrumentationCheck"
+    CACHE_TYPE: "inst"
 
 check_smoke:
   extends: .check_job
   parallel: 4
   variables:
     GRADLE_TARGET: ":smokeCheck"
+    CACHE_TYPE: "smoke"
 
 check_profiling:
   extends: .check_job
@@ -454,7 +468,7 @@ muzzle:
     matrix:
       - CI_SPLIT: ["1/8", "2/8", "3/8", "4/8", "5/8", "6/8", "7/8", "8/8"]
   variables:
-    CACHE_TYPE: inst
+    CACHE_TYPE: "inst"
   script:
     - export SKIP_BUILDSCAN="true"
     - ./gradlew --version
@@ -476,7 +490,7 @@ muzzle-dep-report:
   needs: [ build_tests ]
   stage: tests
   variables:
-    CACHE_TYPE: inst
+    CACHE_TYPE: "inst"
   script:
     - export SKIP_BUILDSCAN="true"
     - ./gradlew --version
@@ -644,7 +658,7 @@ test_flaky:
   extends: .test_job_with_test_agent
   variables:
     GRADLE_PARAMS: "-PrunFlakyTests"
-    CACHE_TYPE: "base"
+    CACHE_TYPE: "smoke"
     testJvm: "8"
     CONTINUE_ON_FAILURE: "true"
   rules:
@@ -809,7 +823,7 @@ deploy_to_maven_central:
   stage: publish
   needs: [ build ]
   variables:
-    CACHE_TYPE: lib
+    CACHE_TYPE: "lib"
   rules:
     - if: '$POPULATE_CACHE'
       when: never

@@ -1,77 +1,44 @@
-#check-ci-visibility-label:
-#  stage: publish
-#  image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1
-#  tags: [ "arch:amd64" ]
-#  needs: [ publish-artifacts-to-s3 ]
-#  id_tokens:
-#    DDOCTOSTS_ID_TOKEN:
-#      aud: dd-octo-sts
-#  rules:
-#    # - if: '$POPULATE_CACHE'
-#    #   when: never
-#    # - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH !~ /^(master|release\/)/'
-#    #   when: on_success
-#    - when: never
-#  before_script:
-#    - dd-octo-sts version
-#    - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.github-access.read
-#    - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.github-access.read > github-token.txt
-#    - gh auth login --with-token < github-token.txt
-#  script:
-#    - |
-#      # Source utility functions
-#      source .gitlab/ci_visibility_utils.sh
-#      
-#      # Get PR number
-#      if ! PR_NUMBER=$(get_pr_number "${CI_COMMIT_BRANCH}"); then
-#        echo "No open PR found for branch ${CI_COMMIT_BRANCH}"
-#        exit 1
-#      fi
-#      
-#      echo "Found PR #${PR_NUMBER}"
-#      
-#      # Check if PR has the CI visibility label
-#      if pr_has_label "$PR_NUMBER" "comp: ci visibility"; then
-#        echo "PR_NUMBER=${PR_NUMBER}" > pr.env
-#        echo "PR #${PR_NUMBER} detected as CI Visibility PR"
-#        exit 0
-#      else
-#        echo "PR #${PR_NUMBER} not a CI Visibility PR, ignoring trigger"
-#        exit 1
-#      fi
-#  after_script:
-#    - dd-octo-sts revoke -t $(cat github-token.txt) || true
-#  artifacts:
-#    reports:
-#      dotenv: pr.env
-#  allow_failure: true
-#  retry:
-#    max: 2
-#    when: always
-#
-#run-ci-visibility-test-environment:
-#  stage: ci-visibility-tests
-#  needs:
-#    - job: check-ci-visibility-label
-#      artifacts: true
-#  rules:
-#    - if: '$POPULATE_CACHE'
-#      when: never
-#    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH !~ /^(master|release\/)/'
-#      when: on_success
-#  trigger:
-#    project: DataDog/apm-reliability/test-environment
-#    branch: main
-#    strategy: depend
-#  variables:
-#    UPSTREAM_PACKAGE_JOB: build
-#    UPSTREAM_PROJECT_ID: $CI_PROJECT_ID
-#    UPSTREAM_PROJECT_NAME: $CI_PROJECT_NAME
-#    UPSTREAM_PIPELINE_ID: $CI_PIPELINE_ID
-#    UPSTREAM_BRANCH: $CI_COMMIT_BRANCH
-#    UPSTREAM_TAG: $CI_COMMIT_TAG
-#    UPSTREAM_COMMIT_AUTHOR: $CI_COMMIT_AUTHOR
-#    UPSTREAM_COMMIT_SHORT_SHA: $CI_COMMIT_SHORT_SHA
-#    TRACER_LANG: java
-#    JAVA_TRACER_REF_TO_TEST: $CI_COMMIT_BRANCH
-#    JAVA_TRACER_PR_TO_TEST: $PR_NUMBER
+ci-visibility-tests-check:
+  stage: ci-visibility-tests
+  image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1
+  tags: [ "arch:amd64" ]
+  needs: [ publish-artifacts-to-s3 ]
+  id_tokens:
+    DDOCTOSTS_ID_TOKEN:
+      aud: dd-octo-sts
+  rules:
+    - if: '$POPULATE_CACHE'
+      when: never
+    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH !~ /^(master|release\/)/'
+      when: on_success
+    - when: never
+  before_script:
+    - dd-octo-sts version
+    - dd-octo-sts debug --scope DataDog/dd-trace-java --policy self.gitlab.github-access.read
+    - dd-octo-sts token --scope DataDog/dd-trace-java --policy self.gitlab.github-access.read > github-token.txt
+    - gh auth login --with-token < github-token.txt
+  script:
+    - .gitlab/ci_visibility_generate_job.sh
+  after_script:
+    - dd-octo-sts revoke -t $(cat github-token.txt) || true
+  artifacts:
+    paths:
+    - ci-visibility-test-environment.yml
+  retry:
+    max: 2
+    when: always
+
+ci-visibility-tests-trigger:
+  stage: ci-visibility-tests
+  needs: [ci-visibility-tests-check]
+  rules:
+    - if: '$POPULATE_CACHE'
+      when: never
+    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH !~ /^(master|release\/)/'
+      when: on_success
+    - when: never
+  trigger:
+    include:
+      - artifact: ci-visibility-test-environment.yml
+        job: ci-visibility-tests-check
+    strategy: depend
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+set -e
+
+add_dummy_job() {
+  cat <<EOF >>ci-visibility-test-environment.yml
+skip-ci-visibility-tests:
+  stage: ci-visibility-tests
+  tags: [ "arch:amd64" ]
+  script:
+    - echo "PR does not have required label - CI Visibility test environment not triggered"
+EOF
+}
+
+# Generate yml
+cat <<EOF >ci-visibility-test-environment.yml
+stages:
+  - ci-visibility-tests
+
+EOF
+
+if [ -z "$CI_COMMIT_BRANCH" ]; then
+  echo "No branch detected - skipping trigger"
+  add_dummy_job
+  exit 0
+fi
+
+echo "Performing trigger checks for ci-visibility test-environment..."
+set +e
+pr_number=$(gh pr list --repo DataDog/dd-trace-java --head "$CI_COMMIT_BRANCH" --state open --json number --jq '.[0].number' 2>&1)
+pr_number_status=$?
+set -e
+
+if [ $pr_number_status -ne 0 ]; then
+  echo "Failed to query PR (gh command failed with status $pr_number_status ) - skipping trigger"
+  add_dummy_job
+  exit 0
+fi
+if [ -z "$pr_number" ]; then
+  echo "No open PR found for branch $CI_COMMIT_BRANCH - skipping trigger"
+  add_dummy_job
+  exit 0
+fi
+
+echo "PR #${pr_number} found, checking labels..."
+set +e
+labels=$(gh pr view "$pr_number" --repo DataDog/dd-trace-java --json labels --jq '.labels[].name' 2>&1)
+labels_status=$?
+set -e
+
+if [ $labels_status -ne 0 ]; then
+  echo "Failed to query PR labels (gh command failed with status $labels_status) - skipping trigger"
+  add_dummy_job
+  exit 0
+fi
+if [ -z "$labels" ] || ! echo "$labels" | grep -q "comp: ci visibility"; then
+  echo "PR #$pr_number is not a CI Visibility PR - skipping trigger"
+  add_dummy_job
+  exit 0
+fi
+
+echo "PR #$pr_number is a CI Visibility PR - triggering test environment"
+
+cat <<EOF >>ci-visibility-test-environment.yml
+ci-visibility-test-environment:
+  stage: ci-visibility-tests
+  trigger:
+    project: DataDog/apm-reliability/test-environment
+    branch: main
+    strategy: depend
+  variables:
+    UPSTREAM_PACKAGE_JOB: build
+    UPSTREAM_PROJECT_ID: "$CI_PROJECT_ID"
+    UPSTREAM_PROJECT_NAME: "$CI_PROJECT_NAME"
+    UPSTREAM_PIPELINE_ID: "$CI_PIPELINE_ID"
+    UPSTREAM_BRANCH: "$CI_COMMIT_BRANCH"
+    UPSTREAM_TAG: "$CI_COMMIT_TAG"
+    UPSTREAM_COMMIT_AUTHOR: "$CI_COMMIT_AUTHOR"
+    UPSTREAM_COMMIT_SHORT_SHA: "$CI_COMMIT_SHORT_SHA"
+    TRACER_LANG: java
+    JAVA_TRACER_REF_TO_TEST: "$CI_COMMIT_BRANCH"
+    JAVA_TRACER_PR_TO_TEST: "$pr_number"
+EOF