ci: publish CI images to internal registry first #4002

Draft
realFlowControl wants to merge 5 commits into master from florian/ci-images

@realFlowControl realFlowControl commented Jun 22, 2026

Member

Description

When building CI docker images, this PR changes the process to:

  • publish images to registry.ddbuild.io (Datadog internal container registry)
  • use those images directly for GitLab Jobs (they are authenticated anyway)
  • use the public-images downstream job to magically sync those images to Docker Hub for usage with GitHub CI and external contributors

Wins

  • no logging in to Docker Hub to get a PAT
  • no manually starting a GitLab CI run anymore (with that PAT)
  • no manual syncing of public Docker Hub images to our internal registry (well, running a script and making a PR and finding someone to approve)

Reviewer checklist

  • Test coverage seems ok.
  • Appropriate labels assigned.

- Update .gitlab/ci-images.yml to change the default CI_REGISTRY to registry.ddbuild.io and target the ddbuild registry path registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci.
- Make docker logins dynamic to support local builds, Docker Hub logins, and AWS ECR logins depending on the target registry server.
- Bypass runner credential helper issues in Linux container environments by resetting ~/.docker/config.json.
- Make registry and base image names fully configurable in docker-compose.yml and Dockerfiles, allowing parent base images to be dynamically resolved from ddbuild during child compilation steps.
- Update all GitLab CI generator scripts (.gitlab/generate-*.php) to use internal CI images from registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci instead of pulling from Docker Hub via the mirror path.
- This ensures test jobs use the newly compiled images directly from our project's ECR registry namespace.
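
One way to implement the per-registry login and config reset that the commit message above describes, as an added example that is not code from this PR. Without a credential helper, `docker login` writes the credential base64-encoded into `config.json`, so this version resets a throwaway `DOCKER_CONFIG` directory instead of `~/.docker/config.json`. Assumptions: the function names, the `DOCKERHUB_USER`/`DOCKERHUB_TOKEN` variables, and treating unrecognised hosts as already authenticated by the runner are all hypothetical.

```shell
#!/bin/sh
# Added example, not the PR's code. Names and host classification are assumptions.

# Map a registry server to the login flow it needs.
login_method() {
    case "$1" in
        ''|localhost|localhost:*) echo local ;;       # local build, no push target
        docker.io|index.docker.io|registry-1.docker.io) echo dockerhub ;;
        *.dkr.ecr.*.amazonaws.com) echo ecr ;;
        *) echo ambient ;;   # assumed: the runner already holds credentials
    esac
}

# ECR hostnames look like <account>.dkr.ecr.<region>.amazonaws.com,
# so the region is the 4th dot-separated label.
ecr_region() {
    echo "$1" | cut -d. -f4
}

# Create a private, empty client config: no credsStore/credHelpers entries
# inherited from the runner image, and nothing written to the home directory.
fresh_docker_config() {
    dir=$(mktemp -d) || return 1
    chmod 700 "$dir"
    printf '{}\n' > "$dir/config.json"
    chmod 600 "$dir/config.json"
    echo "$dir"
}

# Log in to the given registry server; secrets only ever travel over stdin.
registry_login() {
    server=$1
    method=$(login_method "$server")
    case "$method" in
        local|ambient) return 0 ;;
    esac
    DOCKER_CONFIG=$(fresh_docker_config) || return 1
    export DOCKER_CONFIG
    case "$method" in
        dockerhub)
            printf '%s' "$DOCKERHUB_TOKEN" |
                docker login --username "$DOCKERHUB_USER" --password-stdin ;;
        ecr)
            aws ecr get-login-password --region "$(ecr_region "$server")" |
                docker login --username AWS --password-stdin "$server" ;;
    esac
}
```

After the push, removing the `$DOCKER_CONFIG` directory discards the stored credential along with the config.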

datadog-official Bot commented Jun 22, 2026

⚠️ Warnings

🚦 114 Pipeline jobs failed

DataDog/apm-reliability/dd-trace-php | appsec integration tests: [test8.4-release]

🧪 1 Test failed

All test failures are known flaky.

❄️ Known flaky: extended heartbeat re-emits configuration, dependencies and integrations() from com.datadog.appsec.php.integration.TelemetryExtendedHeartbeatTests

java.lang.AssertionError: phpredis not emitted via app-started/app-integrations-change; saw: []. Expression: (phpredis in flushed). Values: flushed = []
	at org.codehaus.groovy.runtime.InvokerHelper.createAssertError(InvokerHelper.java:416)
	at com.datadog.appsec.php.integration.TelemetryExtendedHeartbeatTests.extended heartbeat re-emits configuration, dependencies and integrations(TelemetryExtendedHeartbeatTests.groovy:70)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)

Not introduced in this PR.

DataDog/apm-reliability/dd-trace-php | ASAN test_c: [8.5, arm64]

DataDog/apm-reliability/dd-trace-php | test_integrations_guzzle_latest: [7.3]

View all 114 failed jobs.

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

🔄 Datadog auto-retried 65 jobs - 0 passed on retry

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: aee2a0b

realFlowControl changed the title from "Publish CI images to internal ddbuild registry" to "ci: publish CI images to internal registry first" Jun 22, 2026

- Add a new 'ci-publish' stage to .gitlab-ci.yml.
- Implement 4 parallel matrix trigger jobs in .gitlab/ci-images.yml (Publish CentOS, Publish Bookworm, Publish Alpine, and Publish Windows) to run automatically after their respective build jobs succeed.
- Each trigger calls the DataDog/public-images pipeline, passing the corresponding internal ddbuild ECR image as source and targeting public Docker Hub as destination under the exact same tag.
- Update all occurrences of bookworm-8 and shared-ext-8 to bookworm-9 and shared-ext-9 globally across .gitlab CI test generators, .gitlab/ci-images.yml, and .github workflows.
- Update BOOKWORM_VERSION from 8 to 9 in tooling/bin/build-debug-artifact to ensure local debug builds pull and compile with the new version.
- Export MAKEFLAGS=-j at the top of build-extensions.sh.
- This forces all underlying make invocations triggered by pecl install (including the heavy single-threaded gRPC, MongoDB, and parallel builds) to compile in parallel, drastically reducing build times on multi-core runner environments.