diff --git a/.github/chainguard/self.add-milestone.pull-request.sts.yaml b/.github/chainguard/self.add-milestone.pull-request.sts.yaml
new file mode 100644
index 0000000000000..c96fbd056d6f2
--- /dev/null
+++ b/.github/chainguard/self.add-milestone.pull-request.sts.yaml
@@ -0,0 +1,36 @@
+# Trust policy for the add-milestone workflow in DataDog/integrations-core
+#
+# This policy grants the workflow permission to set a milestone on merged pull
+# requests targeting master or release branches.
+#
+# Naming convention:
+# self: Only this repository (DataDog/integrations-core) can use this policy
+# add-milestone: Grants permissions to update pull request milestones
+# pull-request: Intended for workflows triggered by pull_request events
+#
+# Security model:
+# - Workflow runs on pull_request (closed) events targeting protected branches
+# - ref restricts to master and protected X.Y.x release branches (protected by org rulesets)
+# - job_workflow_ref is matched by pattern since PR events reference refs/pull/N/merge
+#
+# Permissions granted:
+# - pull_requests: write - Set the milestone on the merged pull request
+#
+# Usage in workflows:
+# - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+# with:
+# scope: DataDog/integrations-core
+# policy: self.add-milestone.pull-request
+
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/integrations-core:pull_request
+
+claim_pattern:
+  event_name: pull_request
+  job_workflow_ref: DataDog/integrations-core/\.github/workflows/add-milestone\.yml@.*
+  ref: refs/heads/(master|\d+\.\d+\.x)
+  repository: DataDog/integrations-core
+
+permissions:
+  pull_requests: write
diff --git a/.github/workflows/add-milestone.yml b/.github/workflows/add-milestone.yml
new file mode 100644
index 0000000000000..7b20d6d060796
--- /dev/null
+++ b/.github/workflows/add-milestone.yml
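Review bot: The `ref: refs/heads/(master|\d+\.\d+\.x)` pattern in claim_pattern looks like it can never match a token minted on a pull_request run: the header comment itself notes that PR events reference refs/pull/N/merge, and the OIDC `ref` claim carries that same merge ref rather than the target branch, so the "restricts to master and X.Y.x" guarantee described in the Security model comment would not be enforced by this line. The claim that carries the PR's target branch is `base_ref` (as far as I recall the bare branch name, without a refs/heads/ prefix), so if the intent is to limit the policy to PRs merged into master or release branches, `base_ref: (master|\d+\.\d+\.x)` alongside the existing `event_name` and `repository` entries is the pattern to verify against a decoded token from a test run. If the current pattern indeed never matches, the failure mode is closed (no token issued) rather than open, but the comment on the `ref` line should then be corrected so it does not document a restriction that is not in effect.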
@@ -0,0 +1,60 @@
+name: Add Milestone on a Merged PR
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - master
+      - "[0-9]+.[0-9]+.x"
+
+permissions: {}
+
+jobs:
+  add-milestone-pr:
+    name: Add Milestone on PR
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for OIDC token federation with dd-octo-sts
+      contents: read
+    env:
+      GH_REPO: ${{ github.repository }}
+    steps:
+      - name: Checkout integrations-core repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get GitHub token via dd-octo-sts
+        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/integrations-core
+          policy: self.add-milestone.pull-request
+
+      - name: Get repo current milestone
+        id: current-milestone
+        run: |
+          # Use the current_milestone field in the release.json file.
+          MILESTONE=$(cat release.json | jq -r .current_milestone)
+          if [ -z "$MILESTONE" ]; then
+            echo "Error: Couldn't find the current_milestone field in the release.json file."
+            exit 1
+          fi
+
+          if [[ ! $MILESTONE =~ ^7\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Error: Malformed milestone $MILESTONE. It should be of the form '7.x.y'."
+            exit 1
+          fi
+          echo "MILESTONE=$MILESTONE" >> "$GITHUB_OUTPUT"
+
+      - name: Set the merged PR milestone to current_milestone from release.json
+        run: |
+          echo "Setting milestone $MILESTONE to PR $NUMBER."
+          gh issue edit "$NUMBER" --milestone "$MILESTONE"
+        env:
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+          NUMBER: ${{ github.event.number }}
+          MILESTONE: ${{ steps.current-milestone.outputs.MILESTONE }}
+
diff --git a/release.json b/release.json
new file mode 100644
index 0000000000000..3e194b93750db
--- /dev/null
+++ b/release.json
@@ -0,0 +1,3 @@
+{
+  "current_milestone": "7.79.0"
+}
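Review bot: In the "Get repo current milestone" step, `jq -r .current_milestone` prints the literal string `null` when the key is absent from release.json, so the `-z` check that is meant to report a missing field does not fire for that case; the run only dies later on the format check with the misleading message `Malformed milestone null`. Writing `MILESTONE=$(jq -r '.current_milestone // empty' release.json)` makes a missing or null field produce an empty string, which routes it to the intended "Couldn't find" error and also drops the redundant `cat`. The rest of the step is sound: the milestone is regex-validated before use, and `NUMBER`/`MILESTONE`/`GH_TOKEN` reach `gh issue edit` through env vars rather than inline `${{ }}` expansion in the shell, with `persist-credentials: false` and job permissions limited to `id-token: write` and `contents: read`.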