ci: publish CI images to internal registry first

.github/workflows/prof_asan.yml

@@ -21,7 +21,7 @@ jobs:
       CARGO_TARGET_DIR: /tmp/build-cargo
       RUST_TOOLCHAIN: nightly-2025-06-13
     container:
-      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-8
+      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-9
       # https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user
       options: --user root
 
@@ -86,7 +86,7 @@ jobs:
       CARGO_TARGET_DIR: /tmp/build-cargo
       UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
     container:
-      image: datadog/dd-trace-ci:php-8.5_bookworm-8
+      image: datadog/dd-trace-ci:php-8.5_bookworm-9
       options: --user root
 
     steps:

.gitlab-ci.yml

@@ -3,6 +3,7 @@ stages:
   - tests
   - deploy
   - ci-build
+  - ci-publish
 
 variables:
   GIT_SUBMODULE_STRATEGY: recursive

.gitlab/ci-images.yml

@@ -6,7 +6,9 @@ variables:
     value: ""
     description: "Your docker hub personal access token, can be created following this doc https://docs.docker.com/docker-hub/access-tokens/#create-an-access-token"
   CI_REGISTRY:
-    value: "docker.io"
+    value: "registry.ddbuild.io"
+  CI_REGISTRY_IMAGE:
+    value: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci"
 
 CentOS:
   stage: ci-build
@@ -36,7 +38,28 @@ CentOS:
         - php-7.0
   script:
     - cd dockerfiles/ci/centos/7
-    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
+    - |
+      LOGIN_SERVER=$(echo "$CI_REGISTRY" | cut -d'/' -f1)
+      if [ "$LOGIN_SERVER" = "registry.ddbuild.io" ]; then
+        echo "Using pre-configured runner credentials for registry.ddbuild.io"
+      elif echo "$LOGIN_SERVER" | grep -q "dkr.ecr"; then
+        mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json
+        if ! command -v aws >/dev/null 2>&1; then
+          ARCH=$(uname -m)
+          if [ "$ARCH" = "x86_64" ]; then
+            curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+          else
+            curl -s "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
+          fi
+          unzip -q awscliv2.zip
+          ./aws/install >/dev/null
+          rm -rf aws awscliv2.zip
+        fi
+        aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$LOGIN_SERVER"
+      elif [ -n "$CI_REGISTRY_TOKEN" ]; then
+        mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json
+        echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$LOGIN_SERVER"
+      fi
     - docker buildx bake --no-cache --pull --push $PHP_VERSION
 
 Alpine:
@@ -67,7 +90,28 @@ Alpine:
         - 7.0-alpine
   script:
     - cd dockerfiles/ci/alpine_compile_extension
-    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
+    - |
+      LOGIN_SERVER=$(echo "$CI_REGISTRY" | cut -d'/' -f1)
+      if [ "$LOGIN_SERVER" = "registry.ddbuild.io" ]; then
+        echo "Using pre-configured runner credentials for registry.ddbuild.io"
+      elif echo "$LOGIN_SERVER" | grep -q "dkr.ecr"; then
+        mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json
+        if ! command -v aws >/dev/null 2>&1; then
+          ARCH=$(uname -m)
+          if [ "$ARCH" = "x86_64" ]; then
+            curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+          else
+            curl -s "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
+          fi
+          unzip -q awscliv2.zip
+          ./aws/install >/dev/null
+          rm -rf aws awscliv2.zip
+        fi
+        aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$LOGIN_SERVER"
+      elif [ -n "$CI_REGISTRY_TOKEN" ]; then
+        mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json
+        echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$LOGIN_SERVER"
+      fi
     - docker buildx bake --no-cache --pull --push $PHP_VERSION
 
 Bookworm:
@@ -81,11 +125,11 @@ Bookworm:
   image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble
   variables:
     DDCI_CONFIGURE_OTEL_EXPORTER: "true"
+    MAKE_JOBS: "2"
   parallel:
     matrix:
       - PHP_VERSION:
         - base
-      - PHP_VERSION:
         - php-8.5
         - php-8.4
         - php-8.3
@@ -99,10 +143,30 @@ Bookworm:
         - php-7.2
         - php-7.1
         - php-7.0
-        MAKE_JOBS: ["2"]
   script:
     - cd dockerfiles/ci/bookworm
-    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
+    - |
+      LOGIN_SERVER=$(echo "$CI_REGISTRY" | cut -d'/' -f1)
+      if [ "$LOGIN_SERVER" = "registry.ddbuild.io" ]; then
+        echo "Using pre-configured runner credentials for registry.ddbuild.io"
+      elif echo "$LOGIN_SERVER" | grep -q "dkr.ecr"; then
+        mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json
+        if ! command -v aws >/dev/null 2>&1; then
+          ARCH=$(uname -m)
+          if [ "$ARCH" = "x86_64" ]; then
+            curl -s "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+          else
+            curl -s "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
+          fi
+          unzip -q awscliv2.zip
+          ./aws/install >/dev/null
+          rm -rf aws awscliv2.zip
+        fi
+        aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$LOGIN_SERVER"
+      elif [ -n "$CI_REGISTRY_TOKEN" ]; then
+        mkdir -p ~/.docker && echo '{"auths":{}}' > ~/.docker/config.json
+        echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$LOGIN_SERVER"
+      fi
     - docker buildx bake --no-cache --pull --push $PHP_VERSION
 
 .windows_image_build:
@@ -168,7 +232,14 @@ Bookworm:
     New-Item -ItemType Directory -Force -Path $env:DOCKER_CONFIG | Out-Null
     Set-Content -Encoding ascii -Path (Join-Path $env:DOCKER_CONFIG "config.json") -Value '{"auths":{}}'
 
-    $env:CI_REGISTRY_TOKEN | docker login -u "$env:CI_REGISTRY_USER" --password-stdin "$env:CI_REGISTRY"
+    $loginServer = $env:CI_REGISTRY.Split('/')[0]
+    if ($loginServer -eq "registry.ddbuild.io") {
+        Write-Host "Using pre-configured runner credentials for registry.ddbuild.io"
+    } elseif ($loginServer -like "*dkr.ecr*") {
+        aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$loginServer"
+    } elseif ($env:CI_REGISTRY_TOKEN) {
+        $env:CI_REGISTRY_TOKEN | docker login -u "$env:CI_REGISTRY_USER" --password-stdin "$loginServer"
+    }
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
     docker version
@@ -212,3 +283,129 @@ Bookworm:
         - "php-7.4"
         - "php-7.3"
         - "php-7.2"
+
+Publish CentOS:
+  stage: ci-publish
+  rules:
+    - when: manual
+      allow_failure: true
+  needs:
+    - job: CentOS
+  trigger:
+    project: DataDog/public-images
+    branch: main
+  parallel:
+    matrix:
+      - TAG_NAME:
+        - "centos-7"
+        - "php-8.5_centos-7"
+        - "php-8.4_centos-7"
+        - "php-8.3_centos-7"
+        - "php-8.2_centos-7"
+        - "php-8.1_centos-7"
+        - "php-8.0_centos-7"
+        - "php-7.4_centos-7"
+        - "php-7.3_centos-7"
+        - "php-7.2_centos-7"
+        - "php-7.1_centos-7"
+        - "php-7.0_centos-7"
+  variables:
+    IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}"
+    IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}"
+    IMG_REGISTRIES: "dockerhub"
+
+Publish Bookworm:
+  stage: ci-publish
+  rules:
+    - when: manual
+      allow_failure: true
+  needs:
+    - job: Bookworm
+  trigger:
+    project: DataDog/public-images
+    branch: main
+  parallel:
+    matrix:
+      - TAG_NAME:
+        - "bookworm-9"
+        - "php-8.5_bookworm-9"
+        - "php-8.4_bookworm-9"
+        - "php-8.3_bookworm-9"
+        - "php-8.2_bookworm-9"
+        - "php-8.1_bookworm-9"
+        - "php-8.0_bookworm-9"
+        - "php-8.0-shared-ext-9"
+        - "php-7.4_bookworm-9"
+        - "php-7.4-shared-ext-9"
+        - "php-7.3_bookworm-9"
+        - "php-7.2_bookworm-9"
+        - "php-7.1_bookworm-9"
+        - "php-7.0_bookworm-9"
+  variables:
+    IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}"
+    IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}"
+    IMG_REGISTRIES: "dockerhub"
+
+Publish Alpine:
+  stage: ci-publish
+  rules:
+    - when: manual
+      allow_failure: true
+  needs:
+    - job: Alpine
+  trigger:
+    project: DataDog/public-images
+    branch: main
+  parallel:
+    matrix:
+      - TAG_NAME:
+        - "php-compile-extension-alpine"
+        - "php-compile-extension-alpine-8.5"
+        - "php-compile-extension-alpine-8.4"
+        - "php-compile-extension-alpine-8.3"
+        - "php-compile-extension-alpine-8.2"
+        - "php-compile-extension-alpine-8.1"
+        - "php-compile-extension-alpine-8.0"
+        - "php-compile-extension-alpine-7.4"
+        - "php-compile-extension-alpine-7.3"
+        - "php-compile-extension-alpine-7.2"
+        - "php-compile-extension-alpine-7.1"
+        - "php-compile-extension-alpine-7.0"
+  variables:
+    IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}"
+    IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}"
+    IMG_REGISTRIES: "dockerhub"
+
+Publish Windows:
+  stage: ci-publish
+  rules:
+    - when: manual
+      allow_failure: true
+  needs:
+    - job: "Windows 1: Tool Images"
+    - job: "Windows 2: PHP Images"
+  trigger:
+    project: DataDog/public-images
+    branch: main
+  parallel:
+    matrix:
+      - TAG_NAME:
+        - "windows-base-vc15"
+        - "windows-base-vs16"
+        - "windows-base-vs17"
+        - "windows-vc15"
+        - "windows-vs16"
+        - "windows-vs17"
+        - "php-8.5_windows"
+        - "php-8.4_windows"
+        - "php-8.3_windows"
+        - "php-8.2_windows"
+        - "php-8.1_windows"
+        - "php-8.0_windows"
+        - "php-7.4_windows"
+        - "php-7.3_windows"
+        - "php-7.2_windows"
+  variables:
+    IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}"
+    IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}"
+    IMG_REGISTRIES: "dockerhub"

.gitlab/generate-appsec.php

@@ -71,7 +71,7 @@
 "test appsec extension":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_CPU_LIMIT: 3
@@ -393,7 +393,7 @@
 "appsec code coverage":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -515,7 +515,7 @@
 "appsec lint":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 9Gi
@@ -537,7 +537,7 @@
 "test appsec helper asan":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -563,7 +563,7 @@
 #"fuzz appsec helper":
 #  stage: test
 #  extends: .appsec_test
-#  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8
+#  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-9
 #  variables:
 #    KUBERNETES_CPU_REQUEST: 3
 #    KUBERNETES_MEMORY_REQUEST: 5Gi