Update AgentTestRunner to use JUnit5 - Continuation

.github/chainguard/self.add-release-to-cloudfoundry.sts.yaml

@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/heads/master
+
+claim_pattern:
+  event_name: release
+  ref: refs/heads/master
+  ref_protected: "true"
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/add-release-to-cloudfoundry\.yaml@refs/heads/master
+
+permissions:
+  contents: write

.github/workflows/README.md

@@ -151,8 +151,9 @@ find .github/workflows -name "*.yaml" -exec  awk '/uses:/{print $2 ","}' {} \; |
 ## Testing
 
 Workflows can be locally tested using the [`act` CLI](https://github.com/nektos/act/).
+Docker and [GiHub CLI](https://cli.github.com/) need also to be installed.
 The [.github/workflows/tests/](./tests) folder contains test scripts and event payloads to locally trigger workflows.
 
 > [!WARNING]
-> Locally running workflows will still query GitHub backend and will update the GitHub project accordingly.
+> Local workflow tests run against the repository and will potentially alter existing issues, milestones and releases.  
 > Pay extra attention to the workflow jobs you trigger to not create development disruption.

.github/workflows/add-release-to-cloudfoundry.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout "cloudfoundry" branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
         with:
           ref: cloudfoundry
       - name: Get release version

.github/workflows/analyze-changes.yaml

@@ -3,9 +3,6 @@ name: Analyze changes
 on:
   push:
     branches: [ master ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ master ]
 
 # Cancel long-running jobs when a new commit is pushed
 concurrency:
@@ -15,8 +12,6 @@ concurrency:
 jobs:
   codeql:
     name: Analyze changes with GitHub CodeQL
-    # Don’t run on PR, only when pushing to master
-    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -25,12 +20,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
         with:
           submodules: 'recursive'
 
       - name: Cache Gradle dependencies
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ~/.gradle/caches
@@ -40,7 +35,7 @@ jobs:
             ${{ runner.os }}-gradle-
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        uses: github/codeql-action/init@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.5
         with:
           languages: 'java'
           build-mode: 'manual'
@@ -57,12 +52,10 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        uses: github/codeql-action/analyze@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.5
 
   trivy:
     name: Analyze changes with Trivy
-    # Don’t run on PR, only when pushing to master
-    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -71,12 +64,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
         with:
           submodules: 'recursive'
 
       - name: Cache Gradle dependencies
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ~/.gradle/caches
@@ -122,7 +115,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.5
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/run-system-tests.yaml

@@ -15,13 +15,13 @@ jobs:
       group: APM Larger Runners
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
         with:
           submodules: 'recursive'
           fetch-depth: 0
 
       - name: Cache Gradle dependencies
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: |
             ~/.gradle/caches
@@ -54,6 +54,7 @@ jobs:
     secrets: inherit
     permissions:
       contents: read
+      id-token: write
       packages: write
     with:
       library: java

.github/workflows/update-docker-build-image.yaml

@@ -25,7 +25,7 @@ jobs:
           policy: self.update-docker-build-image.create-pr
 
       - name: Checkout the repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Define the Docker build image tag to use
         id: define-tag
         run: |

.github/workflows/update-gradle-dependencies.yaml

@@ -19,7 +19,7 @@ jobs:
           policy: self.update-gradle-dependencies.create-pr
 
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
         with:
           submodules: "recursive"
       - name: Download ghcommit CLI

.github/workflows/update-jmxfetch-submodule.yaml

@@ -19,7 +19,7 @@ jobs:
           policy: self.update-jmxfetch-submodule.create-pr
 
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
 
       - name: Update Submodule
         run: |

.gitlab-ci.yml

@@ -7,8 +7,8 @@ include:
 
 stages:
   - build
-  - shared-pipeline
   - publish
+  - shared-pipeline
   - benchmarks
   - macrobenchmarks
   - tests
@@ -26,8 +26,8 @@ variables:
   DEPENDENCY_CACHE_POLICY: pull
   BUILD_CACHE_POLICY: pull
   GRADLE_VERSION: "8.14.3" # must match gradle-wrapper.properties
-  MAVEN_REPOSITORY_PROXY: "http://artifactual.artifactual.all-clusters.local-dc.fabric.dog:8081/repository/maven-central/"
-  GRADLE_PLUGIN_PROXY: "http://artifactual.artifactual.all-clusters.local-dc.fabric.dog:8081/repository/gradle-plugin-portal-proxy/"
+  MAVEN_REPOSITORY_PROXY: "https://depot-read-api-java.us1.ddbuild.io/magicmirror/magicmirror/@current/"
+  GRADLE_PLUGIN_PROXY: "https://depot-read-api-java.us1.ddbuild.io/magicmirror/magicmirror/@current/"
   BUILDER_IMAGE_VERSION_PREFIX: "v25.07-" # use either an empty string (e.g. "") for latest images or a version followed by a hyphen (e.g. "v25.05-")
   REPO_NOTIFICATION_CHANNEL: "#apm-java-escalations"
   DEFAULT_TEST_JVMS: /^(8|11|17|21|stable)$/
@@ -580,7 +580,7 @@ muzzle-dep-report:
     CI_USE_TEST_AGENT: "true"
     CI_AGENT_HOST: local-agent
   services:
-    - name: ghcr.io/datadog/dd-apm-test-agent/ddapm-test-agent:v1.27.1
+    - name: ghcr.io/datadog/dd-apm-test-agent/ddapm-test-agent:v1.31.1
       alias: local-agent
       variables:
         LOG_LEVEL: "DEBUG"
@@ -880,6 +880,88 @@ requirements_json_test:
 package-oci:
   needs: [ build ]
 
+override_verify_maven_central:
+  image: registry.ddbuild.io/images/base/gbi-ubuntu_2204:release
+  stage: publish
+  needs: [ ]
+  rules:
+    - if: '$POPULATE_CACHE'
+      when: never
+    - when: manual
+      allow_failure: true
+  script:
+    - touch OVERRIDE_MAVEN_VERIFY
+  cache: # Cache is used to signal between the override_verify_maven_central and verify_maven_central_deployment jobs
+    - key: $CI_PIPELINE_ID-OVERRIDE_SIGNAL
+      paths:
+        - OVERRIDE_MAVEN_VERIFY
+      policy: push
+      unprotect: true
+
+# Verify Maven Central deployment is publicly available before publishing OCI images
+verify_maven_central_deployment:
+  image: registry.ddbuild.io/images/base/gbi-ubuntu_2204:release
+  stage: publish
+  needs: [ deploy_to_maven_central ]
+  rules:
+    - if: '$POPULATE_CACHE'
+      when: never
+    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/'
+      when: on_success
+    - when: manual
+      allow_failure: true
+  cache: # Cache is used to signal between the override_verify_maven_central and verify_maven_central_deployment jobs
+    - key: $CI_PIPELINE_ID-OVERRIDE_SIGNAL
+      paths:
+        - OVERRIDE_MAVEN_VERIFY
+      policy: pull
+      unprotect: true
+  script:
+    - if [ -f OVERRIDE_MAVEN_VERIFY ]; then echo "SKIPPING MAVEN VERIFICATION"; exit 0; fi
+    - |
+      export VERSION=${CI_COMMIT_TAG##v}
+      ARTIFACT_URLS=(
+        "https://repo1.maven.org/maven2/com/datadoghq/dd-java-agent/${VERSION}/dd-java-agent-${VERSION}.jar"
+        "https://repo1.maven.org/maven2/com/datadoghq/dd-trace-api/${VERSION}/dd-trace-api-${VERSION}.jar"
+        "https://repo1.maven.org/maven2/com/datadoghq/dd-trace-ot/${VERSION}/dd-trace-ot-${VERSION}.jar"
+      )
+      # Wait 5 mins initially, then try 5 times with a minute delay between each retry to see if the release artifacts are available
+      sleep 300
+      TRY=0
+      MAX_TRIES=5
+      DELAY=60
+      while [ $TRY -lt $MAX_TRIES ]; do
+        ARTIFACTS_AVAILABLE=true
+        for URL in "${ARTIFACT_URLS[@]}"; do
+          if ! curl --location --fail --silent --show-error -I "$URL"; then
+            ARTIFACTS_AVAILABLE=false
+            break
+          fi
+        done
+        if [ "$ARTIFACTS_AVAILABLE" = true ]; then
+          break
+        fi
+        TRY=$((TRY + 1))
+        if [ $TRY -eq $MAX_TRIES ]; then
+          echo "The release was not available after 10 mins. Manually re-run the job to try again."
+          exit 1
+        fi
+        sleep $DELAY
+      done
+
+publishing-gate:
+  stage: publish
+  needs:
+    - job: verify_maven_central_deployment
+      optional: true # Required for releases only
+  rules:
+    - if: '$POPULATE_CACHE'
+      when: on_success
+    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/'
+      when: on_success
+    - when: manual
+      allow_failure: true
+
 configure_system_tests:
   variables:
     SYSTEM_TESTS_SCENARIOS_GROUPS: "simple_onboarding,simple_onboarding_profiling,simple_onboarding_appsec,docker-ssi,lib-injection"