
Disallow manual triggers of populate_dep_cache#11829

Merged: gh-worker-dd-mergequeue-cf854d[bot] merged 4 commits into master from sarahchen6/protect-caches, Jul 1, 2026

Conversation

@sarahchen6

@sarahchen6 sarahchen6 commented Jul 1, 2026

Contributor

What Does This Do

Remove the manual trigger from the populate_dep_cache job. populate_dep_cache can still be triggered from GitLab: https://gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-java/-/pipeline_schedules

Motivation

If a corrupted PR runs the populate_dep_cache job, all dep caches, including those for protected refs such as master and release tags, will read in the corrupted cache. This could lead to security compromises, so disallow manual triggers of the populate_dep_cache job. The cache is otherwise populated from master either daily or when the GitLab workflow is manually triggered.

Additional Notes

Contributor Checklist

  • Format the title according to the contribution guidelines
  • Assign the type: and (comp: or inst:) labels in addition to any other useful labels
  • Avoid using close, fix, or any linking keywords when referencing an issue
    Use solves instead, and assign the PR milestone to the issue
  • Update the CODEOWNERS file on source file addition, migration, or deletion
  • Update public documentation with any new configuration flags or behaviors
  • Add your completed PR to the merge queue by commenting /merge. You can also:
    • Customize the commit message associated with the merge with /merge --commit-message "..."
    • Remove your PR from the merge queue with /merge -c
    • Skip all merge queue checks with /merge -f --reason "reason"; please use this judiciously, as some checks do not run at the PR-level (note: the PR still needs to be mergeable, this will only skip the pre-merge build)
    • Get more information in this doc

Jira ticket: [PROJ-IDENT]

@sarahchen6 sarahchen6 added tag: no release notes Changes to exclude from release notes comp: tooling Build & Tooling labels Jul 1, 2026
@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jul 1, 2026

Contributor

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 56.94% (-0.01%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 714e60b | Docs | Datadog PR Page | Give us feedback!

@dd-octo-sts

dd-octo-sts Bot commented Jul 1, 2026

Contributor

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite Status
Startup 🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results
Scenario Candidate master Δ (95% CI of mean)
startup:insecure-bank:iast:Agent 13.98 s 13.86 s [+0.2%; +1.6%] (maybe worse)
startup:insecure-bank:tracing:Agent 12.93 s 12.96 s [-1.1%; +0.7%] (no difference)
startup:petclinic:appsec:Agent 16.87 s 16.57 s [+0.7%; +2.9%] (maybe worse)
startup:petclinic:iast:Agent 16.84 s 16.93 s [-1.4%; +0.3%] (no difference)
startup:petclinic:profiling:Agent 16.90 s 17.00 s [-1.7%; +0.6%] (no difference)
startup:petclinic:sca:Agent 16.81 s 16.72 s [-0.5%; +1.6%] (no difference)
startup:petclinic:tracing:Agent 16.14 s 15.89 s [+0.6%; +2.5%] (maybe worse)

Commit: 714e60b7 · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@sarahchen6 sarahchen6 changed the title from "Scope dependency caches to protected refs only" to "Disallow manual triggers of populate_dep_cache" Jul 1, 2026
@sarahchen6 sarahchen6 marked this pull request as ready for review July 1, 2026 19:45
@sarahchen6 sarahchen6 requested review from a team as code owners July 1, 2026 19:45
@sarahchen6 sarahchen6 requested review from AlexeyKuznetsov-DD and erikayasuda and removed request for a team July 1, 2026 19:45

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 714e60b7ff

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread on .gitlab-ci.yml, lines 389 to 390:

    - if: '$POPULATE_CACHE'
      when: on_success


P1: Restrict cache-populating pipelines to trusted refs

With the manual fallback removed, this remaining rule still allows any manually-created pipeline that supplies a non-empty POPULATE_CACHE variable to run the cache-pushing matrix; GitLab documents that bare variable rules match when the variable is defined/non-empty and that manual pipelines can include CI/CD variables (https://docs.gitlab.com/ci/jobs/job_rules/#ci/cd-variable-expressions, https://docs.gitlab.com/ci/pipelines/#run-a-pipeline-manually). In that scenario an untrusted branch can still push the shared dependency-* caches (DEPENDENCY_CACHE_POLICY: push with unprotect: true), so the intended protection against corrupted PR caches is bypassed unless this rule is also constrained to a trusted source/ref such as the scheduled/default-branch path.

Useful? React with 👍 / 👎.
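The fragment below is an added illustration, not dd-trace-java's .gitlab-ci.yml. It puts the weak rule quoted in the Codex comment next to the hardened form that follows from the PR's stated intent (populate the shared cache only from scheduled or deliberately triggered pipelines on master / release tags). Names taken from the page: populate_dep_cache, POPULATE_CACHE, DEPENDENCY_CACHE_POLICY, and cache unprotect: true. The cache key, paths, stage names, Gradle commands, and the build job are assumptions. CI_PIPELINE_SOURCE, CI_COMMIT_REF_PROTECTED and the rules syntax are GitLab's documented predefined variables and keywords.

```yaml
# Added example (not the project's own config). Assumed: cache key, paths,
# stages, scripts. From the page: populate_dep_cache, POPULATE_CACHE,
# DEPENDENCY_CACHE_POLICY, unprotect: true.

variables:
  # Default for every job: read the shared cache, never write it.
  DEPENDENCY_CACHE_POLICY: pull

.dependency_cache:
  cache:
    key: dependency-gradle            # assumed key
    paths: [.gradle/caches]           # assumed path
    policy: $DEPENDENCY_CACHE_POLICY  # pull for normal jobs, push for the populator
    # unprotect: true makes one cache serve protected AND unprotected refs.
    # That is what lets PRs reuse master's cache, and also what lets an
    # untrusted branch poison master's cache if it is ever allowed to push.
    unprotect: true

# WEAK: a bare variable rule matches any pipeline that defines the variable,
# including a manual "Run pipeline" on an untrusted branch with POPULATE_CACHE=1.
populate_dep_cache_weak:
  extends: .dependency_cache
  stage: setup                        # assumed
  variables:
    DEPENDENCY_CACHE_POLICY: push
  script: ./gradlew dependencies      # assumed
  rules:
    - if: '$POPULATE_CACHE'
      when: on_success

# HARDENED: refuse unprotected refs first (first matching rule wins), then allow
# only scheduled pipelines or a deliberate web trigger on a protected ref.
# Running a web pipeline on a protected ref already requires push/merge rights
# to that ref, so no untrusted branch can reach the push step.
populate_dep_cache:
  extends: .dependency_cache
  stage: setup
  variables:
    DEPENDENCY_CACHE_POLICY: push
  script: ./gradlew dependencies
  rules:
    - if: '$CI_COMMIT_REF_PROTECTED != "true"'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "web"'
      when: on_success
    - when: never

# Consumers inherit policy: pull and cannot write the shared cache even if a
# PR sets POPULATE_CACHE or DEPENDENCY_CACHE_POLICY in its pipeline variables
# (a pipeline-level variable does not override the job-level push/pull split
# once the populate job itself is gated on ref and source).
build:
  extends: .dependency_cache
  stage: build                        # assumed
  script: ./gradlew build             # assumed
```

A quick check of either variant: use GitLab's "Run pipeline" on a feature branch and supply POPULATE_CACHE=1. With the weak rule the populate job appears in the pipeline graph and runs with policy push; with the hardened rules the job is absent, and it only appears for schedules or web runs on a protected ref. Removing unprotect: true would be the stronger default (protected refs then get their own cache), at the cost of PRs no longer reusing the master-populated cache, which is the trade-off this PR keeps.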

@sarahchen6

Contributor Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jul 1, 2026


View all feedbacks in Devflow UI.

2026-07-01 19:58:08 UTC ℹ️ Start processing command /merge


2026-07-01 19:58:13 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).


2026-07-01 21:15:14 UTC ℹ️ MergeQueue: This merge request was merged

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 2c5c7cc into master Jul 1, 2026
593 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the sarahchen6/protect-caches branch July 1, 2026 21:15
@github-actions github-actions Bot added this to the 1.64.0 milestone Jul 1, 2026

Labels

comp: tooling Build & Tooling tag: no release notes Changes to exclude from release notes
