Skip to content

Use DD Octo STS for release tags#24535

Draft
dkirov-dd wants to merge 14 commits into
masterfrom
worktree-investigate-beta-tag-gh013
Draft

Use DD Octo STS for release tags#24535
dkirov-dd wants to merge 14 commits into
masterfrom
worktree-investigate-beta-tag-gh013

Conversation

@dkirov-dd

@dkirov-dd dkirov-dd commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Uses a repository-scoped DD Octo STS token to push integration release tags instead of the default GITHUB_TOKEN.

Tags are created and validated locally first. The workflow requests a write token only when new tags need pushing and the run is not a dry run, then pushes only those tags atomically. A shallow, tagless credential checkout preserves the local tags. The job summary shows prepared or pushed tags.

Adds the integrations-core self.release.tag-push trust policy. DataDog/integrations-extras#3059 and DataDog/marketplace#1666 must merge before this PR.

Motivation

Ruleset 13532795 rejected lustre-1.5.1b1 in run 29262592476 because github-actions[bot] cannot create protected tags. DD Octo STS is an approved App for this ruleset; conditional token creation also avoids consuming App quota on dry runs and no-op releases.

The release-script suite passes with 115 tests, and ddev test -fs ddev passes.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add qa/skip-qa because this release-tooling change has no Agent runtime impact
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

@dkirov-dd dkirov-dd added the qa/skip-qa Automatically skip this PR for the next QA label Jul 13, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Validation Report

All 21 validations passed.

Show details
Validation Description Status
agent-reqs Verify check versions match the Agent requirements file
ci Validate CI configuration and code coverage settings
codeowners Validate every integration has a CODEOWNERS entry
config Validate default configuration files against spec.yaml
dep Verify dependency pins are consistent and Agent-compatible
http Validate integrations use the HTTP wrapper correctly
imports Validate check imports do not use deprecated modules
integration-style Validate check code style conventions
jmx-metrics Validate JMX metrics definition files and config
labeler Validate PR labeler config matches integration directories
legacy-signature Validate no integration uses the legacy Agent check signature
license-headers Validate Python files have proper license headers
licenses Validate third-party license attribution list
metadata Validate metadata.csv metric definitions
models Validate configuration data models match spec.yaml
openmetrics Validate OpenMetrics integrations disable the metric limit
package Validate Python package metadata and naming
qa-label Validate the pull request declares whether it needs QA for the next Agent release
readmes Validate README files have required sections
saved-views Validate saved view JSON file structure and fields
version Validate version consistency between package and changelog

View full run

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dev/testing dev/tooling qa/skip-qa Automatically skip this PR for the next QA

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant