mirror_images: introduce dd-repo-tools wrapper and seed config

[pawelchcki]

Summary

• Add utils/mirror_images.sh — thin wrapper around the shared dd-repo-tools/mirror_images.py (pinned to commit fb4f39a5).
• Seed mirror_images.yaml with the 29 real public images this repo's Dockerfiles/docker-compose files reference, plus ignore patterns that suppress 161 false-positive lint hits.

What's covered

Mirrored (→ registry.ddbuild.io/ci/system-tests/mirror/... by default):

• mcr.microsoft.com/dotnet/{aspnet,sdk}:* — multiple versions
• Docker Hub bare-name images: golang:1.25, maven:3-eclipse-temurin-21, node:13, node:18.10-slim, python:2.7, python:3.11-slim, ruby:3.1.3, rust:1.87-slim-bookworm, ubuntu:22.04, openjdk:7-alpine, debian:bookworm-slim, amazonlinux:2023, apache/spark:3.4.4, datadog/dd-trace-ci:php-8.2_bookworm-6, docker.io/datadog/dd-lib-ruby-init:latest
• gcr.io/datadoghq/agent:7.78.4
• ghcr.io/datadog/dd-trace-rb/dd-lib-ruby-init:latest_snapshot
• 669783387624.dkr.ecr.us-east-1.amazonaws.com/dockerhub/library/php:5.6-cli

Ignored (regex patterns in ignore.images):

• Dockerfile stage names: base, build, dd-lib-init_.+
• docker-compose local build targets: reverseproxy:latest, system-tests/.+:latest
• Build-time ARG-substituted refs: .*\${?RUNTIME}?.*, .*\${?TARGETARCH}?.*
• public\.ecr\.aws/.* — AWS's trusted public Docker Hub mirror, no re-mirroring needed

Mirroring to both registries

Same mirror_images.yaml feeds both destinations via env var (documented in the header):

# GitLab CI (default)
utils/mirror_images.sh lock && utils/mirror_images.sh mirror

# GitHub-hosted CI
MIRROR_DEST_REGISTRY=ghcr.io/datadog/system-tests \
  utils/mirror_images.sh lock -o mirror_images.ghcr.lock.yaml
MIRROR_DEST_REGISTRY=ghcr.io/datadog/system-tests \
  utils/mirror_images.sh mirror --lock-yaml mirror_images.ghcr.lock.yaml

Follow-up

utils/mirror_images.sh lint still reports 40 refs in 29 unique images — these are the actual Dockerfile FROM / docker-compose image: lines that need to be rewritten to use registry.ddbuild.io/ci/system-tests/mirror/.... That's a much larger refactor and is intentionally out of scope here.

Test plan

• utils/mirror_images.sh lint runs and only flags the expected 29 unmirrored sources (no base/build/system-tests/* noise).
• utils/mirror_images.sh lock resolves digests for all declared images.
• utils/mirror_images.sh mirror --dry-run shows the expected copy plan.
• Dry-run with MIRROR_DEST_REGISTRY=ghcr.io/datadog/system-tests targets ghcr.io paths.

[github-actions]

CODEOWNERS have been resolved as:

mirror_images.yaml                                                      @DataDog/system-tests-core
utils/mirror_images.sh                                                  @DataDog/system-tests-core

[datadog-datadog-prod-us1-2]

 

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

Testing the test | all-jobs-are-green     

🔄 Retry job. This looks flaky and may succeed on retry.

Multiple CI checks failed during the execution of the end-to-end jobs.

Testing the test | System Tests (python, dev) / End-to-end #1 / uwsgi-poc 1     

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration.

Error pulling image 'mcr.microsoft.com/mssql/server': access denied or repository does not exist.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: da023f3 | Docs | Datadog PR Page | Give us feedback!}