Stricter agent jar validation upon build #11684

Merged: gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into master from bdu/agent-jar-checks on Jun 22, 2026

@bric3 bric3 commented Jun 19, 2026

Contributor

What Does This Do

  • Maintains the size check.
  • Verify some required entries
  • Ensure there's a minimum number of classes in the whole jar
  • Ensure products are correctly included and have at least one class
  • Light size check on the indexes
  • Fixed list of packages that should not appear in the jar
  • Run the checks during the build job to catch issues earlier

Motivation

Improve the safety of publishing a bad agent jar.

Additional Notes

Contributor Checklist

  • Format the title according to the contribution guidelines
  • Assign the type: and (comp: or inst:) labels in addition to any other useful labels
  • Avoid using close, fix, or any linking keywords when referencing an issue
    Use solves instead, and assign the PR milestone to the issue
  • Update the CODEOWNERS file on source file addition, migration, or deletion
  • Update public documentation with any new configuration flags or behaviors
  • Add your completed PR to the merge queue by commenting /merge. You can also:
    • Customize the commit message associated with the merge with /merge --commit-message "..."
    • Remove your PR from the merge queue with /merge -c
    • Skip all merge queue checks with /merge -f --reason "reason"; please use this judiciously, as some checks do not run at the PR-level (note: the PR still needs to be mergeable, this will only skip the pre-merge build)
    • Get more information in this doc

Jira ticket: [PROJ-IDENT]
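
The checks listed in the description above, sketched as a standalone Groovy script (an added example, not the code from this PR). The entry names, product directories and forbidden prefix are hypothetical placeholders; only the `.class`/`.classdata` counting and the 33 MiB ceiling come from the snippets quoted in the review thread.

```groovy
import java.util.zip.ZipEntry
import java.util.zip.ZipFile
import java.util.zip.ZipOutputStream

// Returns one message per failed check; an empty list means the jar passed.
List validateJar(File jar, Map cfg) {
  def failures = []
  Map<String, Long> entries = [:]
  new ZipFile(jar).withCloseable { zip ->
    zip.entries().each { ZipEntry e -> if (!e.directory) entries[e.name] = e.size }
  }
  def isClass = { String n -> n.endsWith('.class') || n.endsWith('.classdata') }
  if (jar.length() > cfg.sizeCeiling) failures << "jar size ${jar.length()} exceeds ceiling ${cfg.sizeCeiling}"
  cfg.requiredEntries.each { String name, Long minBytes ->  // presence plus a light size check
    if (entries.getOrDefault(name, -1L) < minBytes) failures << "entry ${name} missing or under ${minBytes} bytes"
  }
  def classCount = entries.keySet().count(isClass)
  if (classCount < cfg.classFloor) failures << "class count ${classCount} is below the floor ${cfg.classFloor}"
  cfg.products.each { String dir ->                         // each product needs at least one class
    if (!entries.keySet().any { it.startsWith(dir + '/') && isClass(it) }) failures << "product ${dir} has no classes"
  }
  cfg.forbiddenPrefixes.each { String p ->                  // at the jar root or nested under a product directory
    def hit = entries.keySet().find { it.startsWith(p) || it.contains('/' + p) }
    if (hit) failures << "forbidden package ${p} present, e.g. ${hit}"
  }
  failures
}

// Constructed sample jar: the 'profiler' product has no classes and a test library leaked in.
def jar = File.createTempFile('agent-sample', '.jar')
jar.deleteOnExit()
new ZipOutputStream(jar.newOutputStream()).withCloseable { out ->
  ['META-INF/MANIFEST.MF': 'Manifest-Version: 1.0\n', 'sample.index': 'x' * 64,
   'tracer/a/Foo.classdata': 'cafe', 'org/junit/Assert.class': 'cafe'].each { name, body ->
    out.putNextEntry(new ZipEntry(name))
    out.write(body.bytes)
    out.closeEntry()
  }
}
def cfg = [
  sizeCeiling      : 33L * 1024 * 1024,  // ceiling quoted in the review thread
  classFloor       : 2,                  // scaled down for the sample; the PR uses 17_000
  requiredEntries  : ['META-INF/MANIFEST.MF': 1L, 'sample.index': 32L],  // hypothetical names, minimum bytes
  products         : ['tracer', 'profiler'],  // hypothetical product directories
  forbiddenPrefixes: ['org/junit/'],          // hypothetical deny-list
]
def failures = validateJar(jar, cfg)
failures.each { println "FAIL: ${it}" }
assert failures.size() == 2  // empty 'profiler' product and the leaked org/junit class
```

Collecting every failure before failing the build, rather than stopping at the first, gives a single CI run the full picture of what is wrong with the artifact.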

* Maintains the size check.
* Verify some required entries
* Ensure there's a minimum number of classes in the whole jar
* Ensure products are correctly included and have at least one class
* Light size check on the indexes
* Fixed list of packages that should not appear in the jar
* Run checks as part of the build job, to catch issues earlier
@bric3 bric3 requested review from a team as code owners June 19, 2026 16:31
@bric3 bric3 requested review from dougqh, mcculls and randomanderson and removed request for a team June 19, 2026 16:31
@bric3 bric3 added the tag: no release notes and comp: tooling labels Jun 19, 2026

datadog-datadog-prod-us1 Bot commented Jun 19, 2026

Contributor

Pipelines

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/apm-reliability/dd-trace-java | linux-java-spring-petclinic-sca-load-parallel

Commit SHA: 74022b7

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 74022b7a6a

Comment thread .gitlab-ci.yml

dd-octo-sts Bot commented Jun 19, 2026

Contributor

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite | Status
Startup | 🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results
Scenario | Candidate | master | Δ (95% CI of mean)
startup:insecure-bank:iast:Agent | 13.95 s | 13.88 s | [-0.3%; +1.2%] (no difference)
startup:insecure-bank:tracing:Agent | 12.89 s | 12.94 s | [-1.0%; +0.2%] (no difference)
startup:petclinic:appsec:Agent | 16.58 s | 16.67 s | [-1.5%; +0.5%] (no difference)
startup:petclinic:iast:Agent | 16.81 s | 16.91 s | [-1.4%; +0.3%] (no difference)
startup:petclinic:profiling:Agent | 16.71 s | 16.56 s | [+0.1%; +1.8%] (maybe worse)
startup:petclinic:sca:Agent | 16.92 s | 16.65 s | [+0.8%; +2.5%] (maybe worse)
startup:petclinic:tracing:Agent | 15.92 s | 16.03 s | [-1.8%; +0.5%] (no difference)

Commit: 74022b7a


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@bric3 bric3 changed the title from "Expand the jar checks to stricter agent jar validation" to "Stricter agent jar validation upon build" Jun 19, 2026

@PerfectSlayer PerfectSlayer left a comment

Contributor

Looking good but if anyone wants to have another pair of eyes, that could be handy :)

How did you come up with the check cases? Are they based on past issues or mostly come to check most of the tricky parts of the build?


// Sanity check on the minimum number of classes; update as needed. Set to about 98% of that number.
def classCount = entries.keySet().count { it.endsWith('.class') || it.endsWith('.classdata') }
def classFloor = 17_000 // a bit moe than 98% of 17,279 at time of writing
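
Review bot: the two comments on the class floor do not quite agree, and the one on the `classFloor` line has a typo ("moe"). The first says the floor is "about 98%" of the count, the second says "a bit more than 98% of 17,279", and 17_000 works out to roughly 98.4% of 17,279. Consider keeping a single comment next to `classFloor` that records the baseline count and the intended margin, so whoever raises the floor later knows how to recompute it.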

Contributor

❔ question: ‏Would there be a way to not hardcode this number but to derive it from the project sources (with minimal cost, of course 😬 )?

Contributor Author

Agreed, I don't like the hard numbers there, and quite frankly that's the part I like the least, but that's the cheapest check I found for the purpose of this check, which is to avoid regressions in the build.

I believe it's doable, however I believe it's probably too complex to be worth it "at this time".

  • How to include modules (and their dependencies) that actually end up in the final jar, which is not always the case within :dd-java-agent. Maybe with convention plugin something is feasible, but this initiative is still at the early stages.
  • Also this number acts as a "minimum" threshold, if we derived it, it could be skewed (build file changes, etc.) without properly noticing.

Map<String, Long> entries = [:]

// Jar size ceiling — raise only when the growth is intentional
def sizeCeiling = 33L * 1024 * 1024
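
Review bot: the comment above `def sizeCeiling = 33L * 1024 * 1024` says when to raise the ceiling but not what the jar measured when 33 MiB was chosen. Recording the jar size at the time of writing, as the class floor comment does with its "17,279 at time of writing", would let a reader judge the remaining headroom and choose the next ceiling deliberately.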

Contributor

❔ question: Same here, not sure how we can do better to avoid magic numbers here‏

Contributor Author

In this case I think it's the right call, this number is a threshold. If it's derived from the actual size, we could miss the size increase.

@bric3 bric3 left a comment

Contributor Author

@PerfectSlayer

How did you come up with the check cases?
Are they based on past issues or mostly come to check most of the tricky parts of the build?

A bit of both. The oltp issue was one of the main drivers. And I expanded from that. I also listed a few other items to prevent inadvertent changes.

Also, I anticipate this build file can and will be reworked, and I'd rather err on the cautious side.

@dd-octo-sts dd-octo-sts Bot added the tag: ai generated label Jun 22, 2026
@bric3 bric3 force-pushed the bdu/agent-jar-checks branch from 89c32c4 to 74022b7 June 22, 2026 11:20

@PerfectSlayer PerfectSlayer left a comment

Contributor

I came here to comment about the golden instrumentation list (that could introduce toll for limited benefits) but it seems to be gone already? 👀

bric3 commented Jun 22, 2026

Contributor Author

@PerfectSlayer

I came here to comment about the golden instrumentation list (that could introduce toll for limited benefits) but it seems to be gone already? 👀

Sorry, it was meant to be in a stacked PR. So I removed that commit and opened a new PR #11692

bric3 commented Jun 22, 2026

Contributor Author

/merge

gh-worker-devflow-routing-ef8351 Bot commented Jun 22, 2026

2026-06-22 12:47:23 UTC ℹ️ Start processing command /merge


2026-06-22 12:47:28 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).


2026-06-22 13:47:06 UTC ℹ️ MergeQueue: This merge request was merged

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 11c9d48 into master Jun 22, 2026
987 of 992 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the bdu/agent-jar-checks branch June 22, 2026 13:47
@github-actions github-actions Bot added this to the 1.64.0 milestone Jun 22, 2026