Skip to content

ci: publish docker image for system tests#4013

Merged
MilanGarnier merged 15 commits into
masterfrom
milan.garnier/publish-ci-builds
Jul 3, 2026
Merged

ci: publish docker image for system tests#4013
MilanGarnier merged 15 commits into
masterfrom
milan.garnier/publish-ci-builds

Conversation

@MilanGarnier

@MilanGarnier MilanGarnier commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Description

Adds a CI job at dd-trace-php/.gitlab/generate-package.php which pushes the build to github's container registry (similarly to what already exists for prod builds). This is necessary to enable LIBRARY_TARGET_BRANCH to work for the PHP target in utils/scripts/load-binary.sh. (mimicking what already exists for dd-trace-dotnet)

The endgoal is to have DataDog/system-tests#7209 picking up the right branch

Reviewer checklist

@MilanGarnier MilanGarnier requested a review from a team as a code owner June 24, 2026 13:15
@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jun 24, 2026

Copy link
Copy Markdown

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 5 Pipeline jobs failed

DataDog/apm-reliability/dd-trace-php | ASAN test_c: [8.3, amd64]   View in Datadog   GitLab

DataDog/apm-reliability/dd-trace-php | Loader test on amd64 libc: [5.6, nts, buster]   View in Datadog   GitLab

DataDog/apm-reliability/dd-trace-php | PHP language tests: [8.2, amd64, zts]   View in Datadog   GitLab

View all 5 failed jobs.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 54.08% (-0.03%)

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 4744634 | Docs | Datadog PR Page | Give us feedback!

@MilanGarnier MilanGarnier force-pushed the milan.garnier/publish-ci-builds branch from c7decf8 to 5894a60 Compare June 24, 2026 13:17

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c7decf82b6

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread .gitlab/generate-package.php Outdated
@MilanGarnier MilanGarnier changed the title ci: new CI job "publish docker image for system tests" ci: publish docker image for system tests Jun 24, 2026
@DataDog DataDog deleted a comment from chatgpt-codex-connector Bot Jun 24, 2026
@realFlowControl

Copy link
Copy Markdown
Member

I just recently learned that https://github.com/DataDog/public-images exists, could this do the syncing of the image for us?

@MilanGarnier

MilanGarnier commented Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

@realFlowControl I didn't know publish-images either, but from what I understand, the tool seems to be centered aroung publishing releases across various sources, whereas what I want to do here is to push once a build, exclusively for system-tests to use. (but I'm really not an expert here)

@MilanGarnier MilanGarnier marked this pull request as draft June 24, 2026 15:32
MilanGarnier and others added 2 commits June 26, 2026 10:48
…blish jobs

- Remove after_script revocation from the token job: GitLab uploads
  artifacts after after_script, so the token was being revoked before
  the downstream job could use it. The 1-hour artifact expiry is
  sufficient, matching the pattern in "generate github token".
- Add GITHUB_TOKEN: "[MASKED]" to prevent the token value from
  appearing in CI logs.
- Add comment documenting that the jobs intentionally run on every
  branch (for ad-hoc system test runs against in-progress branches).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pr-commenter

pr-commenter Bot commented Jun 26, 2026

Copy link
Copy Markdown

Benchmarks [ tracer ]

Benchmark execution time: 2026-06-30 13:06:19

Comparing candidate commit 495dcd1 in PR branch milan.garnier/publish-ci-builds with baseline commit 81891ec in branch master.

Found 0 performance improvements and 2 performance regressions! Performance is the same for 192 metrics, 0 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

scenario:SamplingRuleMatchingBench/benchRegexMatching1

  • 🟥 execution_time [+42.280ns; +125.520ns] or [+2.883%; +8.559%]

scenario:SamplingRuleMatchingBench/benchRegexMatching4

  • 🟥 execution_time [+50.756ns; +120.244ns] or [+3.403%; +8.061%]

@MilanGarnier MilanGarnier force-pushed the milan.garnier/publish-ci-builds branch from b7b488c to f87131d Compare June 26, 2026 12:49
@MilanGarnier MilanGarnier marked this pull request as ready for review June 30, 2026 11:46

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 495dcd14b8

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread .gitlab/generate-package.php

@bwoebi bwoebi left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, I don't mind this. I just don't know whether there is any problem in having that gigabyte sized dockerfile produced with every commit.
This will quickly occupy terabytes.
Do we have to pay for that? Must we clean up old images eventually? Or is this already handled?

@MilanGarnier

MilanGarnier commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

So, I don't mind this. I just don't know whether there is any problem in having that gigabyte sized dockerfile produced with every commit. This will quickly occupy terabytes. Do we have to pay for that? Must we clean up old images eventually? Or is this already handled?

@bwoebi Those are very good questions. I investigated and I made a few improvements to adjust the scope of this PR:

  • I ended up adding a workflow responsible for deleting the last uploaded image when branches are closed. It mimics the way it currently works in the dotnet tracer, except that it's not hidden behind a PR tag. (https://github.com/DataDog/dd-trace-dotnet/blob/e5a508263cdf2131bc183d201866491f8479c948/.github/workflows/delete-pr-image.yml)
  • Since we push images with a given tags may already be present on ghcr, The publishing job checks and tries to delete the image present with that given tag before uploading. This should prevent piling up untagged images
  • I disabled the publishing on the default branch, since it already gets published differently, the goal of this PR being to run system tests on feature branches in the first place

@realFlowControl

Copy link
Copy Markdown
Member

Hey @MilanGarnier, just a heads up: I merged #4002 and you might see conflicts in your PR

@@ -0,0 +1,31 @@
name: "Delete Docker image on PR close"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you tie this to PRs, you probably also should restrict publishing docker images to branches having an associated PR as well.

@MilanGarnier MilanGarnier Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a test in the publish job, the job will exit with a warning if it runs on a branch without an associated PR
Maybe an exit 0 in that case can be desired, but I guess a warning makes it clearer that running the system tests on a feature branch will require an open PR and not only having the remote branch exist.

Gate upload to having a PR open

@bwoebi bwoebi Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good (with exit 3)

@MilanGarnier MilanGarnier merged commit d262f72 into master Jul 3, 2026
1974 of 2157 checks passed
@MilanGarnier MilanGarnier deleted the milan.garnier/publish-ci-builds branch July 3, 2026 14:01
@github-actions github-actions Bot added this to the 1.23.0 milestone Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants