Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
139 commits
Select commit Hold shift + click to select a range
4cf4023
Skip the latest broken org.apache.kafka:connect-runtime versions in t…
AlexeyKuznetsov-DD Jun 18, 2026
553bc3e
remove(appsec): delete dead DD_APPSEC_REPORTING_INBAND and DD_APPSEC_…
jandro996 Jun 18, 2026
4e8d69f
support for vertx 5.1 in tracing (#11655)
vandonr Jun 18, 2026
5e04aa9
Improved report to be more human-readable. (#11674)
AlexeyKuznetsov-DD Jun 18, 2026
477a0ce
Fix bug where calling 'context.with((ImplicitContextKeyed) null)' dro…
mcculls Jun 18, 2026
3ac2bc4
Optimize codenarc task on rerun (#11677)
bric3 Jun 18, 2026
0e13e90
Ignore capturing connection continuation for armeria (#11657)
amarziali Jun 19, 2026
139a1ba
Fix new instrumentation lock files leaking into core dependency-updat…
AlexeyKuznetsov-DD Jun 19, 2026
0fdd9c2
Update Gradle to 9.6.0 (#11682)
bric3 Jun 19, 2026
b9422d0
chore: Update Gradle dependencies (#11686)
dd-octo-sts[bot] Jun 22, 2026
fa230dd
feat(core): Improve http codec extractor tests (#11640)
PerfectSlayer Jun 22, 2026
40ec36c
Improve crash report message when signal is absent (#11681)
amarziali Jun 22, 2026
504877c
Remove testcontainer dependencies for buildId tests (#11689)
amarziali Jun 22, 2026
3efef48
Update smoke test latest tool versions (#11688)
dd-octo-sts[bot] Jun 22, 2026
3006004
feat(core): Improve http codec injector tests (#11690)
PerfectSlayer Jun 22, 2026
fa8fdf6
Add server.request.body.filenames support for Jetty (#10988)
jandro996 Jun 22, 2026
11c9d48
feat: Expand the jar checks to stricter agent jar validation (#11684)
bric3 Jun 22, 2026
04754ca
Fix waf.updates metric success:N/A tag from sequential counter metric…
jandro996 Jun 22, 2026
269ff67
fix: Forbid OkHostnameVerifier to prevent accidental use, CVE-2021-03…
bric3 Jun 22, 2026
319ed20
Cleanup of Spotbugs annotations. Removed Spotbugs from test scope. (#…
AlexeyKuznetsov-DD Jun 22, 2026
3ea05a0
Add missing repositories to Update Gradle dependencies workflow (#11696)
sarahchen6 Jun 22, 2026
ea827ba
Add SCA benchmark gitlab config (#11697)
sarahchen6 Jun 22, 2026
e3a0877
Pre-construct TagMap.Entry objects in InternalTagsAdder (#11555)
dougqh Jun 23, 2026
a723424
Update instrumentation Gradle dependencies (#11700)
dd-octo-sts[bot] Jun 23, 2026
635c6b8
Support Maven smoke test apps (#11695)
bric3 Jun 23, 2026
31472e8
Restrict release trust policy to git tag versions (#11630)
sarahchen6 Jun 23, 2026
b95abba
perf: improve performance of regexps in IAST and query obfuscator (#1…
manuel-alvarez-alvarez Jun 23, 2026
2d6e0b0
Bumps `javaparser-symbol-solver-core` from `3.24.4` to `3.28.2` (#11704)
AlexeyKuznetsov-DD Jun 23, 2026
741789f
Rename `AgentSpan.context()` to `AgentSpan.spanContext()` to disambig…
mcculls Jun 23, 2026
cc3000e
chore: Update Gradle dependencies (#11711)
dd-octo-sts[bot] Jun 23, 2026
8ae094c
Fix GraalVM native smoke-test OOM and configured MASS Gradle download…
AlexeyKuznetsov-DD Jun 23, 2026
e500e6a
Wire -Pjmh.includes and -PtestJvm into internal-api JMH config (#11703)
dougqh Jun 23, 2026
8206fbc
Atomics benchmark (#10862)
dougqh Jun 23, 2026
00c0301
Use highest version as baseline (#11714)
sarahchen6 Jun 23, 2026
d875e4f
chore(ci): bump the gh-actions-packages group with 2 updates (#11713)
dependabot[bot] Jun 23, 2026
11646d3
Update instrumentation Gradle dependencies (#11720)
dd-octo-sts[bot] Jun 23, 2026
c6f9664
Remove LegacyTagMap; OptimizedTagMap is the sole TagMap implementatio…
dougqh Jun 24, 2026
6ec6716
Agent integrations checks (#11692)
bric3 Jun 24, 2026
5071d55
APMLP-1263 replace TagMap.put with set (#11106)
dougqh Jun 24, 2026
7e083fd
Unbound virtual thread tests (#11729)
amarziali Jun 24, 2026
42ae556
feat(crashtracking): include JVM distribution details in crash report…
gyuheon0h Jun 24, 2026
16a5297
List iteration benchmark (#10888)
dougqh Jun 24, 2026
29af0b4
Add OTLP Trace Metrics Configs (#11653)
mhlidd Jun 24, 2026
0ac2d54
Adding lighter String processing methods to Strings (#10640)
dougqh Jun 24, 2026
b1db32e
Provide ability to capture continuations using the Context API (#11663)
mcculls Jun 25, 2026
b622864
fix: report correct block outcome tag in rasp.rule.match metric (#11723)
jandro996 Jun 25, 2026
cebb1b8
Avoid final field modification in Weaver instrumentation (#11728)
daniel-mohedano Jun 25, 2026
4e31214
chore: Move golden file and hard jar numbers to metadata (#11740)
bric3 Jun 25, 2026
d40d797
Improve Java testing experience with eventually / within and parent s…
PerfectSlayer Jun 26, 2026
323008a
Migrate SCA Reachability to method-level symbol database (sca-reachab…
jandro996 Jun 26, 2026
3d4423e
Fix javadoc warnings across modules (#11747)
AlexeyKuznetsov-DD Jun 26, 2026
4e7bb7b
Fix buildSrc Gradle warnings (#11746)
AlexeyKuznetsov-DD Jun 26, 2026
265cec1
Bump Guava to 33.6.0-jre and drop redundant usage (#11722)
AlexeyKuznetsov-DD Jun 26, 2026
35096e2
Add RxJava 3 instrumentation (#11506)
amarziali Jun 26, 2026
a1a064b
Migrate feature-flagging groovy tests to java (#11716)
sarahchen6 Jun 26, 2026
ffb48ae
Fix message handler spans appear disconnected from the incoming SQS t…
ygree Jun 26, 2026
e292db6
Revert "Add RxJava 3 instrumentation (#11506)" (#11761)
PerfectSlayer Jun 29, 2026
5243e52
Fix gradle-debug failing on configuration resolution (#11755)
AlexeyKuznetsov-DD Jun 29, 2026
c2dec5b
Migrate SQLCommenterTest from Groovy/Spock to JUnit 5 Java (#11735)
dougqh Jun 29, 2026
a60bbe2
Exclude ServiceNameSources from coverage (#11769)
amarziali Jun 29, 2026
4b5b0cf
Exclude patched OkHttp classes and trivial I/O classes from coverage …
mcculls Jun 29, 2026
52c3c44
Add coverage for ForeignMemoryWriterFactory (#11772)
amarziali Jun 29, 2026
673986e
chore: Update Gradle dependencies (#11766)
dd-octo-sts[bot] Jun 29, 2026
2f0dcd6
Improve test coverage for CiVis classes (#11768)
daniel-mohedano Jun 29, 2026
eb16bbe
Extend OTLP HTTP coverage to GRPC (#11771)
mcculls Jun 29, 2026
a8eff34
Overhaul set benchmarks: split Immutable / SingleThreaded, add Set.co…
dougqh Jun 29, 2026
75f8482
Cover continuation and listener behaviour when registering no-op mana…
mcculls Jun 29, 2026
33350a3
init (#11781)
mhlidd Jun 29, 2026
9c923aa
Exclude ProfilerContext from coverage (#11777)
amarziali Jun 29, 2026
59b2142
Drop per-call String allocation in SharedDBCommenter.containsTraceCom…
dougqh Jun 29, 2026
c5ef3ff
Add missing coverage tests for Matchers.AnyMatcher primitive overload…
dougqh Jun 29, 2026
810268d
Add missing coverage tests for Hashtable.D2 (#11779)
dougqh Jun 29, 2026
6fd35b5
Add missing coverage tests for OptimizedTagMap and EntryReadingHelper…
dougqh Jun 29, 2026
4399027
Cover disabled ratelimited logging. (#11776)
AlexeyKuznetsov-DD Jun 29, 2026
a8e41c5
Test explicit histogram boundaries and per-thread recordings (#11783)
mcculls Jun 29, 2026
9c178e4
Cover decoded trace sampling priority. (#11773)
AlexeyKuznetsov-DD Jun 29, 2026
8903488
Add FFE flag map adapter coverage (#11784)
leoromanovsky Jun 29, 2026
9f98ca9
Update instrumentation Gradle dependencies (#11767)
dd-octo-sts[bot] Jun 29, 2026
6e2b8f5
Extend WellKnownTagsTest coverage and migrate it to Java (#11790)
mcculls Jun 29, 2026
8d8ce8d
Extend W3CTraceParentTest coverage and migrate it to Java (#11791)
mcculls Jun 29, 2026
750f363
Add LLMObsContextTest (#11792)
mcculls Jun 30, 2026
bc90096
Add coverage and exclusions for dsm classes (#11775)
amarziali Jun 30, 2026
1648e0d
Use agent OTel metrics for OpenFeature evaluations (#11745)
sameerank Jun 30, 2026
d9b0bfe
Add TemporaryRequestContext unit tests (#11798)
claponcet Jun 30, 2026
29d82dd
Exclude OptimizedTagMap.EmptyHolder from coverage checks (#11795)
dougqh Jun 30, 2026
e280daf
Add direct coverage tests for Hashtable.D2.Entry (#11794)
dougqh Jun 30, 2026
76b02af
Add test coverage exclusion for ClientIpAddressData (#11799)
smola Jun 30, 2026
1abde6b
feat(dd-trace-api): Add 128 bit TID parsing tests (#11802)
PerfectSlayer Jun 30, 2026
8df9f05
Increase SCA vulnerability test coverage (#11785)
bric3 Jun 30, 2026
e4274f3
Enable and fix test coverage for SCA types in internal API (#11774)
bric3 Jun 30, 2026
ba6d7c6
Add `ProtocolVersion` tests and exclude specific classes from coverag…
bric3 Jun 30, 2026
eaad3c1
Add MessageAdapter content parts serialization test coverage (#11800)
smola Jun 30, 2026
b0cb50f
Remove default methods from CoreSpan; implement them in test doubles …
dougqh Jun 30, 2026
d7c22a5
chore(telemetry): Exclude `OtelSpiMetricPeriodicAction` from coverage…
bric3 Jun 30, 2026
04ea23a
Enable coverage when `testJvm` same as Gradle Daemon JDK or with `che…
bric3 Jun 30, 2026
dd95ecc
Allow Maven deployment to fail (#11756)
sarahchen6 Jun 30, 2026
54c670f
Run all system test VMs on master and merge queue (#11788)
sarahchen6 Jun 30, 2026
561c3b9
Overhaul map JMH benchmarks: remove thread contention and split by us…
dougqh Jun 30, 2026
015a24f
Return SubSequence from SQLCommenter.getFirstWord to avoid per-inject…
dougqh Jun 30, 2026
dcbee66
Introduces the api-management inferred proxy spans to Azure (#11804)
TophrC-dd Jun 30, 2026
2c3db21
Quickwin: remove unneded strictTraceWrites overrides (#11765)
amarziali Jun 30, 2026
2489b79
Refactored confusing mention of `JDK 7`. (#11818)
AlexeyKuznetsov-DD Jun 30, 2026
019fecb
Fix AppSec/IAST context dropped when trace.propagation.behavior.extra…
dougqh Jul 1, 2026
b1b6910
Per-component / tag cardinality limits in client-side stats (#11387)
dougqh Jul 1, 2026
98481ff
Add request_excluded tag to appsec.waf.requests metric (#11744)
jandro996 Jul 1, 2026
ee7f3cc
security fix for private headers that might be copied to a different …
vandonr Jul 1, 2026
466cc7c
Unify usage of OperatingSystem.architecture() (#11816)
AlexeyKuznetsov-DD Jul 1, 2026
4c81051
Clean outdated JFrog reference (#11813)
sarahchen6 Jul 1, 2026
602a81d
Restore app context attributes wiped by ddprof setContext on span act…
jbachorik Jul 1, 2026
31fd0ca
Update EventBridge DSM topic naming (#11603)
jeastham1993 Jul 1, 2026
dc67b24
Migrate simple try-with-resources use of AgentScope to ContextScope (…
mcculls Jul 1, 2026
f62f905
Avoid allocation when adding the same key-value to an existing Indexe…
mcculls Jul 1, 2026
b710ce8
Debugger fix coverage (#11807)
jpbempel Jul 1, 2026
d7ad296
Add custom `ImageNameSubstitutor` implementation that rewrites Docker…
AlexeyKuznetsov-DD Jul 1, 2026
46cbf67
Bump Gradle to 9.6.1 (#11787)
AlexeyKuznetsov-DD Jul 1, 2026
9d8cd4e
Bump develocity plugin to 4.5.0 (#11830)
AlexeyKuznetsov-DD Jul 1, 2026
9775a58
Fix Kotlin Debug source mapping (#11803)
jpbempel Jul 1, 2026
2c5c7cc
Disallow manual triggers of `populate_dep_cache` (#11829)
sarahchen6 Jul 1, 2026
3d19e7d
fix(lettuce5+): decorate Redis command spans with a resolved node con…
ygree Jul 1, 2026
94bcb7e
Run arm64 tests on merge queue and master (#11832)
AlexeyKuznetsov-DD Jul 2, 2026
4f5c4cc
Relax arm64 CI jobs and align coverage with amd64 (#11835)
AlexeyKuznetsov-DD Jul 2, 2026
6a2f484
fix for armeria 1.40 (#11827)
vandonr Jul 2, 2026
d3398ea
Remove unused SpotBugs suppressions from dd-smoke-tests (#11831)
AlexeyKuznetsov-DD Jul 2, 2026
ac29db2
Context tests improvement proposals (#11839)
PerfectSlayer Jul 2, 2026
24074e0
v1: serialize span links as structured data and honor baggage tag con…
AlexeyKuznetsov-DD Jul 2, 2026
fe1861d
mark flaky (#11842)
jpbempel Jul 2, 2026
4190a5a
Add evalution timeout for expressions (#11741)
jpbempel Jul 2, 2026
35a5317
Add tip to latest inst and debugger test matrices (#11848)
sarahchen6 Jul 2, 2026
2734057
Upgrade Shadow plugin to 9.4.2 (#11730)
bric3 Jul 3, 2026
0eeac73
chore: Use a named service type for test container parallel usage (#1…
bric3 Jul 3, 2026
bb6b14a
Add RxJava 3 instrumentation (#11849)
ValentinZakharov Jul 3, 2026
2068d0d
Prevent duplicate class inclusion in runtime artifacts (#11853)
bric3 Jul 3, 2026
936282c
Use canonical FFE fixtures (#11355)
leoromanovsky Jul 6, 2026
c05e1a9
Migrate dd-trace-core groovy files to java part 12
jpbempel Jun 5, 2026
90c0a6d
address comments
jpbempel Jun 11, 2026
0230254
fix asserts
jpbempel Jun 11, 2026
2f42144
fix comments
jpbempel Jun 12, 2026
be1d30b
address comments
jpbempel Jun 17, 2026
8796f31
rebase + use new converters
jpbempel Jul 6, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
4 changes: 2 additions & 2 deletions .github/chainguard/self.gitlab.release.sts.yaml
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
issuer: https://gitlab.ddbuild.io

subject_pattern: "project_path:DataDog/apm-reliability/dd-trace-java:ref_type:tag:ref:v.*"
subject_pattern: 'project_path:DataDog/apm-reliability/dd-trace-java:ref_type:tag:ref:v\d+\.\d+\.\d+'

claim_pattern:
project_path: "DataDog/apm-reliability/dd-trace-java"
ref_type: "tag"
ref: "v.*"
ref: 'v\d+\.\d+\.\d+'

permissions:
contents: "write"
5 changes: 5 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,3 +36,8 @@ updates:
prefix: 'chore(build): '
cooldown:
default-days: 2

- package-ecosystem: gitsubmodule
directory: /
schedule:
interval: weekly
79 changes: 61 additions & 18 deletions .github/scripts/dependency_age.py
Original file line number Diff line number Diff line change
Expand Up @@ -439,7 +439,7 @@ def validate_lockfiles(args: argparse.Namespace) -> int:
elif published_at > cutoff:
hours_remaining = int((published_at - cutoff).total_seconds() / 3600) + 1
group_id, artifact_id, version = gav.split(":", 2)
baseline_version = next((c[len(f"{group_id}:{artifact_id}:"):] for c in baseline_coords if c.startswith(f"{group_id}:{artifact_id}:")), None)
baseline_version = highest_baseline_version(baseline_coords, group_id, artifact_id)
eligible = find_eligible_version(
group_id=group_id, artifact_id=artifact_id,
too_new_version=version, baseline_version=baseline_version,
Expand Down Expand Up @@ -501,6 +501,12 @@ def is_instrumentation_path(relative_path: str) -> bool:
# build summary of reverted/downgraded dependencies for PR descriptions
# path_filter restricts the summary to lockfiles whose relative path matches,
# so each PR (core vs instrumentation) only lists the dependencies it actually changes
#
# The summary is split into three on-screen sections, ordered by how urgently a human
# must act on them:
# 1. "Cannot verify age, reverted" — age could not be checked at all, needs manual resolution
# 2. "<N>h cooldown, reverted" — too new and no older eligible version exists, so reverted to baseline
# 3. "<N>h cooldown, updated to the previous version" — too new, downgraded to an older eligible version
def build_validation_summary(
*,
violations_by_file: dict[str, list[tuple[str, str, int]]],
Expand All @@ -509,34 +515,62 @@ def build_validation_summary(
min_age_hours: int,
path_filter: Callable[[str], bool],
) -> str:
header = ["## Dependency age policy", ""]
lines = list(header)
unverified: list[str] = []
cooldown_reverted: list[str] = []
cooldown_updated: list[str] = []
seen: set[str] = set()

for relative_path, replacements in replacements_by_file.items():
if not path_filter(relative_path):
continue
baseline_coords = baseline_lockfiles.get(relative_path, set())
for old_gav, (new_gav, hours_remaining) in replacements.items():
if old_gav not in seen:
seen.add(old_gav)
if new_gav in baseline_coords:
lines.append(f"- `{old_gav}` is {hours_remaining}h away from meeting {min_age_hours}h cooldown, reverted")
else:
new_version = new_gav.rsplit(":", 1)[1]
lines.append(f"- `{old_gav}` is {hours_remaining}h away from meeting {min_age_hours}h cooldown, updated to `{new_version}`")
if old_gav in seen:
continue
seen.add(old_gav)
if new_gav in baseline_coords:
# the only eligible version was the baseline, so this is effectively a revert
cooldown_reverted.append(f"- `{old_gav}` is {hours_remaining}h away from meeting cooldown")
else:
new_version = new_gav.rsplit(":", 1)[1]
cooldown_updated.append(f"- `{old_gav}` is {hours_remaining}h away from meeting cooldown, updated to `{new_version}`")
for relative_path, entries in violations_by_file.items():
if not path_filter(relative_path):
continue
for gav, kind, hours_remaining in entries:
if gav not in seen:
seen.add(gav)
if kind == "unverified":
lines.append(f"- `{gav}` — cannot verify age, reverted")
else:
lines.append(f"- `{gav}` is {hours_remaining}h away from meeting {min_age_hours}h cooldown, reverted")
if len(lines) == len(header): # nothing matched the filter
if gav in seen:
continue
seen.add(gav)
if kind == "unverified":
unverified.append(f"- `{gav}`")
else:
cooldown_reverted.append(f"- `{gav}` is {hours_remaining}h away from meeting cooldown")

blocks: list[str] = []
if unverified:
blocks.append(
"### :warning: Cannot verify age, reverted\n\n"
"The age of these dependencies could not be verified, so the lockfiles were reverted. "
"This likely means that the following dependencies are published to a repo not yet configured in the workflow. "
"If this is the case, add the missing repository as a `--repo-url` in the `Validate changed lock files` step of `.github/workflows/update-gradle-dependencies.yaml`. "
"**This needs to be resolved manually.**\n\n"
+ "\n".join(sorted(unverified))
)
if cooldown_reverted:
blocks.append(
f"### {min_age_hours}h cooldown, reverted\n\n"
"Too new and no older eligible version exists, so the lockfiles were reverted to the baseline.\n\n"
+ "\n".join(sorted(cooldown_reverted))
)
if cooldown_updated:
blocks.append(
f"### {min_age_hours}h cooldown, updated to the previous version\n\n"
"Too new, so an older eligible version was used instead.\n\n"
+ "\n".join(sorted(cooldown_updated))
)
if not blocks: # nothing matched the filter
return ""
return "\n".join(lines)
return "## Dependency age policy\n\n" + "\n\n".join(blocks)


# replace specific coordinates in lockfiles (for version downgrades)
Expand Down Expand Up @@ -644,6 +678,15 @@ def fetch_available_versions(group_id: str, artifact_id: str, repo_urls: list[st
return []


# select the highest baseline version of group:artifact present in a lockfile.
def highest_baseline_version(baseline_coords: set[str], group_id: str, artifact_id: str) -> str | None:
prefix = f"{group_id}:{artifact_id}:"
versions = [coord[len(prefix):] for coord in baseline_coords if coord.startswith(prefix)]
if not versions:
return None
return max(versions, key=_version_sort_key)


# for a too-new coordinate, walk backward through available versions to find the newest one
# that meets the age cutoff and is newer than the baseline version
def find_eligible_version(
Expand Down
81 changes: 81 additions & 0 deletions .github/scripts/tests/test_dependency_age.py
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
import argparse
import contextlib
import io
import json
import os
import re
Expand All @@ -6,7 +9,9 @@
import sys
import tempfile
import unittest
from datetime import datetime, timezone
from pathlib import Path
from unittest import mock

REPO_ROOT = Path(__file__).resolve().parents[3]
SCRIPT = REPO_ROOT / ".github/scripts/dependency_age.py"
Expand Down Expand Up @@ -424,6 +429,82 @@ def test_summary_is_empty_when_filter_matches_nothing(self) -> None:
)
self.assertEqual(empty, "")

def test_summary_groups_outcomes_into_sections(self) -> None:
# one of each outcome: unverified, too-new revert, replacement-as-revert, replacement-as-update
summary = dependency_age.build_validation_summary(
violations_by_file={
"core/gradle.lockfile": [
("com.example:unverified-lib:1.0.0", "unverified", 0),
("com.example:too-new-lib:2.0.0", "too_new", 5),
],
},
replacements_by_file={
"core/gradle.lockfile": {
# eligible version equals the baseline -> effectively a revert
"com.example:revert-lib:3.0.0": ("com.example:revert-lib:2.9.0", 7),
# eligible version is newer than the baseline -> an update to a previous version
"com.example:update-lib:4.0.0": ("com.example:update-lib:3.9.0", 9),
},
},
baseline_lockfiles={
"core/gradle.lockfile": {"com.example:revert-lib:2.9.0"},
},
min_age_hours=48,
path_filter=lambda p: True,
)

# three section headings present, in priority order
unverified_idx = summary.index("### :warning: Cannot verify age, reverted")
reverted_idx = summary.index("### 48h cooldown, reverted")
updated_idx = summary.index("### 48h cooldown, updated to the previous version")
self.assertLess(unverified_idx, reverted_idx)
self.assertLess(reverted_idx, updated_idx)

# unverified entry lives under the manual-resolution section
self.assertIn("**This needs to be resolved manually.**", summary)
self.assertIn("- `com.example:unverified-lib:1.0.0`", summary)

# both the too-new violation and the revert-style replacement land in the reverted section
reverted_block = summary[reverted_idx:updated_idx]
self.assertIn("com.example:too-new-lib:2.0.0", reverted_block)
self.assertIn("com.example:revert-lib:3.0.0", reverted_block)

# the update names the older version that was used instead
updated_block = summary[updated_idx:]
self.assertIn("com.example:update-lib:4.0.0", updated_block)
self.assertIn("updated to `3.9.0`", updated_block)

def test_highest_baseline_version_picks_newest_of_coexisting_pins(self) -> None:
# A single lockfile can pin the same artifact at several versions (one per Gradle
# configuration). The baseline should be the newest so that only versions higher than
# the highest existing version are considered upgrades.
baseline_coords = {
"ch.qos.logback:logback-core:1.1.11",
"ch.qos.logback:logback-core:1.2.13",
"ch.qos.logback:logback-core:1.5.34",
"com.example:unrelated:9.9.9",
}
self.assertEqual(
dependency_age.highest_baseline_version(baseline_coords, "ch.qos.logback", "logback-core"),
"1.5.34",
)
self.assertIsNone(
dependency_age.highest_baseline_version(baseline_coords, "ch.qos.logback", "logback-classic")
)

def test_summary_omits_empty_sections(self) -> None:
# only too-new violations -> only the "reverted" section should appear
summary = dependency_age.build_validation_summary(
violations_by_file={"core/gradle.lockfile": [("com.example:core-lib:2.0.0", "too_new", 5)]},
replacements_by_file={},
baseline_lockfiles={},
min_age_hours=48,
path_filter=lambda p: True,
)
self.assertIn("### 48h cooldown, reverted", summary)
self.assertNotIn("Cannot verify age", summary)
self.assertNotIn("updated to the previous version", summary)


if __name__ == "__main__":
unittest.main()
2 changes: 1 addition & 1 deletion .github/workflows/add-release-to-cloudfoundry.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout "cloudfoundry" branch
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 7.0.0
with:
ref: cloudfoundry
- name: Get release version
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/analyze-changes.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 7.0.0
with:
submodules: 'recursive'
- name: Cache Gradle dependencies
Expand Down Expand Up @@ -55,7 +55,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 7.0.0
with:
submodules: 'recursive'

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/create-release-branch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ jobs:
echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"

- name: Check out repo at tag
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 7.0.0
with:
ref: ${{ steps.determine-tag.outputs.tag }}

Expand Down Expand Up @@ -82,7 +82,7 @@ jobs:
policy: self.pin-system-tests.create-pr

- name: Check out repo at release branch
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 7.0.0
with:
ref: ${{ needs.create-release-branch.outputs.release-branch-name }}

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/run-system-tests.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
group: APM Larger Runners
steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 7.0.0
with:
submodules: 'recursive'
fetch-depth: 0
Expand Down
14 changes: 11 additions & 3 deletions .github/workflows/update-gradle-dependencies.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,11 @@ jobs:
policy: self.update-gradle-dependencies.create-pr

- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 7.0.0
with:
submodules: "recursive"

- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
- uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
with:
distribution: 'temurin'
java-version: '21'
Expand Down Expand Up @@ -68,14 +68,22 @@ jobs:
--min-age-hours "${MIN_DEPENDENCY_AGE_HOURS}" \
--repo-url "https://repo1.maven.org/maven2" \
--repo-url "https://repo.akka.io/${AKKA_REPO_TOKEN}/secure" \
--repo-url "https://packages.confluent.io/maven" \
--repo-url "https://repository.mulesoft.org/releases" \
--repo-url "https://repository.mulesoft.org/nexus/content/repositories/public" \
--github-output "$GITHUB_OUTPUT"

- name: Save instrumentation lock files
run: |
mkdir -p /tmp/instrumentation-lockfiles
find dd-smoke-tests dd-java-agent/instrumentation -name 'gradle.lockfile' -exec cp --parents {} /tmp/instrumentation-lockfiles/ \;
# Restore instrumentation dirs to original state (keep only core changes)
# Restore instrumentation dirs to original state (keep only core changes).
# git restore only reverts tracked files; brand-new lock files are untracked
# and would otherwise leak into the core PR, so delete the untracked ones too.
git restore -- 'dd-smoke-tests/' 'dd-java-agent/instrumentation/'
git ls-files --others --exclude-standard -- \
'dd-smoke-tests/*gradle.lockfile' 'dd-java-agent/instrumentation/*gradle.lockfile' \
| xargs -r rm -f

# ==================== Core modules PR ====================
- name: Check if core changes exist
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/update-jmxfetch-submodule.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
policy: self.update-jmxfetch-submodule.create-pr

- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 7.0.0

- name: Update Submodule
run: |
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/update-smoke-test-latest-versions.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
policy: self.update-smoke-test-latest-versions.create-pr

- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # 6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # 7.0.0

- name: Define branch name
id: define-branch
Expand Down Expand Up @@ -68,6 +68,8 @@ jobs:
--artifact-id maven-surefire-plugin \
--prerelease-pattern alpha \
--prerelease-pattern beta \
--prerelease-pattern rc \
--prerelease-pattern '-m\d' \
--min-age-hours "${MIN_DEPENDENCY_AGE_HOURS}" \
--current-version "${{ steps.current.outputs.surefire_version }}" \
--github-output "$GITHUB_OUTPUT"
Expand Down
Loading