getoutreach · ekalinichev · May 12, 2026 · May 12, 2026 · May 18, 2026 · May 18, 2026
@@ -28,6 +28,7 @@ contexts: &contexts
   - circleci-credentials
   - tray-webhooks
   - wizcli
+  - datadog
   ## <<Stencil::Block(extraContexts)>>
   - docker-registry
   - npm-credentials

@@ -12,7 +12,7 @@ require (
 	github.com/magefile/mage v1.17.2
 	github.com/pkg/errors v0.9.1
 	github.com/rs/zerolog v1.35.1
-	google.golang.org/grpc v1.80.0
+	google.golang.org/grpc v1.81.1
 	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools/v3 v3.5.2
 )
@@ -68,12 +68,12 @@ require (
 	github.com/zalando/go-keyring v0.2.6 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
-	go.opentelemetry.io/otel v1.42.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
-	go.opentelemetry.io/otel/metric v1.42.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.42.0 // indirect
-	go.opentelemetry.io/otel/trace v1.42.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/crypto v0.49.0 // indirect

@@ -15,3 +15,5 @@ vault = "2.0.0"
 gotestsum = "1.13.0"
 # Work around GitHub token rate limits
 wait-for-gh-rate-limit = "1.1.1"
+# Build Go apps/services
+mage = "1.14.0"
@@ -1,6 +1,6 @@
 description: Standard executor for machine runtimes
 machine:
-  image: ubuntu-2404:2024.11.1
+  image: ubuntu-2404:2026.05.1
   docker_layer_caching: true
 environment:
   TEST_RESULTS: /tmp/test-results

@@ -3,7 +3,7 @@ executor:
   name: testbed-docker-aws
   docker_image: $DOCKER_PULL_REGISTRY_URL/bootstrap/ci-docker
   docker_tag: latest
-resource_class: xlarge
+resource_class: xlarge.gen2
 parameters:
   push_registries:
     type: string

@@ -3,7 +3,7 @@ executor:
   name: testbed-docker-aws
   docker_image: $DOCKER_PULL_REGISTRY_URL/bootstrap/ci-docker
   docker_tag: latest
-resource_class: medium
+resource_class: medium.gen2
 parameters:
   push_registries:
     type: string

@@ -15,7 +15,7 @@ parameters:
   resource_class:
     description: The resource class to use for the e2e tests
     type: string
-    default: "xlarge"
+    default: "xlarge.gen2"
   no_output_timeout:
     description: The timeout that gets applied when CircleCI receives no output during the running of e2e tests.
     type: string

@@ -15,7 +15,7 @@ parameters:
   resource_class:
     description: The resource class to use for the release
     type: string
-    default: "large"
+    default: "large.gen2"
   release_failure_slack_channel:
     description: The slack channel to notify if the release fails
     type: string

@@ -15,7 +15,7 @@ parameters:
   resource_class:
     description: The resource class to use for the release
     type: string
-    default: "large"
+    default: "large.gen2"
   release_failure_slack_channel:
     description: The slack channel to notify if the release fails
     type: string

@@ -18,7 +18,7 @@ parameters:
   resource_class:
     description: The resource class to use for the release
     type: string
-    default: "large"
+    default: "large.gen2"
   docker_image:
     description: The docker image to use for running the test
     type: string

@@ -21,7 +21,7 @@ parameters:
   resource_class:
     description: Unused, needed so that it can be run with *rebuild-cache workflows
     type: string
-    default: "large"
+    default: "large.gen2"
   docker_image:
     description: Unused, needed so that it can be run with *rebuild-cache workflows
     type: string

@@ -18,7 +18,7 @@ parameters:
   resource_class:
     description: The resource class to use for the release
     type: string
-    default: "large"
+    default: "large.gen2"
   no_output_timeout:
     description: The timeout that gets applied when CircleCI receives no output during the running of tests.
     type: string

@@ -8,7 +8,7 @@ parameters:
     description: The resource class to use for the release
     type: string
     # This is to trigger the release job, small should be enough
-    default: "small"
+    default: "small.gen2"
   release_failure_slack_channel:
     description: The slack channel to notify if the release fails
     type: string

@@ -15,6 +15,9 @@ source "${LIB_DIR}/github.sh"
 # shellcheck source=../../lib/logging.sh
 source "${LIB_DIR}/logging.sh"
 
+# shellcheck source=../../lib/metrics.sh
+source "${LIB_DIR}/metrics.sh"
+
 # shellcheck source=../../lib/docker/authn/ghcr.sh
 source "${LIB_DIR}/docker/authn/ghcr.sh"
 
@@ -71,3 +74,6 @@ fi
 info_sub "Docker"
 
 GITHUB_TOKEN="$GITHUB_PACKAGES_TOKEN" ghcr_auth "$ORG"
+
+# Best-effort report of PAT rate-limit usage to Datadog.
+GITHUB_TOKEN="$GITHUB_PACKAGES_TOKEN" report_gh_rate_limit_to_datadog pat consumer:github_packages
@@ -23,6 +23,9 @@ source "${LIB_DIR}/github.sh"
 # shellcheck source=../../lib/logging.sh
 source "${LIB_DIR}/logging.sh"
 
+# shellcheck source=../../lib/metrics.sh
+source "${LIB_DIR}/metrics.sh"
+
 # shellcheck source=../../lib/mise.sh
 source "${LIB_DIR}/mise.sh"
 
@@ -82,6 +85,7 @@ registries=$(echo "$pullRegistry $pushRegistries" | tr ' ' '\n' | sort --unique
 
 info "🔓 Authenticating to Docker registries"
 
+usedGitHubPAT=false
 for crURL in $registries; do
   case $crURL in
   gcr.io/*)
@@ -95,9 +99,16 @@ for crURL in $registries; do
     info_sub "🔓 GHCR ($crURL)"
     # Need the PAT because app-based tokens cannot publish containers.
     GITHUB_TOKEN="$(github_pat_from_ci)" ghcr_auth "$(get_box_field org)"
+    usedGitHubPAT=true
     ;;
   *)
     warn "No authentication script found for registry: $crURL"
     ;;
   esac
 done
+
+# Best-effort report of PAT rate-limit usage to Datadog, after all
+# GHCR registries have authenticated.
+if [[ $usedGitHubPAT == true ]]; then
+  GITHUB_TOKEN="$(github_pat_from_ci)" report_gh_rate_limit_to_datadog pat consumer:docker_authn
+fi
@@ -60,9 +60,11 @@ if ! git diff --quiet "$OLD_CIRCLE_BRANCH"; then
 
   GITHUB_TOKEN="$(github_token)"
   if [[ -z $GITHUB_TOKEN ]]; then
-    warn "Failed to read Github personal access token" >&2
+    warn "Failed to read GitHub token" >&2
   fi
 
+  run_gh auth setup-git
+
   MISE_GITHUB_TOKEN="$GITHUB_TOKEN" GH_TOKEN="$GITHUB_TOKEN" \
     yarn --frozen-lockfile semantic-release --dry-run
 

@@ -70,6 +70,8 @@ if [[ $CIRCLE_BRANCH != "$prereleasesBranch" ]] && [[ $DRYRUN == "false" ]]; the
   exit 0
 fi
 
+run_gh auth setup-git
+
 # If we're in dry-run mode, skip creating the release.
 if [[ $DRYRUN == "true" ]]; then
   exit 0
@@ -85,7 +87,7 @@ if [[ $COMMIT_MESSAGE =~ "chore: Release" ]]; then
   # Retrieve the GH_TOKEN
   GH_TOKEN=$(github_token)
   if [[ -z $GH_TOKEN ]]; then
-    echo "Failed to read Github personal access token" >&2
+    echo "Failed to read GitHub token" >&2
   fi
   # Unset NPM_TOKEN to force it to use the configured ~/.npmrc
   NPM_TOKEN='' GH_TOKEN=$GH_TOKEN \

@@ -14,9 +14,11 @@ source "${LIB_DIR}/logging.sh"
 # Retrieve the GH_TOKEN
 GITHUB_TOKEN="$(github_token)"
 if [[ -z $GITHUB_TOKEN ]]; then
-  error "Failed to read GitHub personal access token"
+  error "Failed to read GitHub token"
 fi
 
+run_gh auth setup-git
+
 send_failure_notification() {
   if [[ -z $RELEASE_FAILURE_SLACK_CHANNEL ]]; then
     fatal "Failed to release"

@@ -89,6 +89,7 @@ if [[ -n $needRunFlags || -n $needConfigFlag ]]; then
     fatal "$errMsg"
   fi
   args+=("--config=${configPath}")
+  args+=("--path-prefix=$(basename "$workspaceFolder")")
 fi
 
 # If GOGC or GOMEMLIMIT aren't set, we attempt to set them to better