From 6567f92ab440aabbaaf555ce7fbae4676808841e Mon Sep 17 00:00:00 2001
From: NouemanKHAL
Date: Wed, 25 Mar 2026 12:04:22 +0100
Subject: [PATCH 1/4] add release.json to track current_milestone

---
 release.json | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 release.json

diff --git a/release.json b/release.json
new file mode 100644
index 0000000000000..3e194b93750db
--- /dev/null
+++ b/release.json
@@ -0,0 +1,3 @@
+{
+  "current_milestone": "7.79.0"
+}

From cebc642e706671524935ebf7c0d0125819e499ad Mon Sep 17 00:00:00 2001
From: NouemanKHAL
Date: Wed, 25 Mar 2026 12:05:27 +0100
Subject: [PATCH 2/4] add milestone workflow for merged PRs to master and release branches

---
 .github/workflows/add-milestone.yml | 52 +++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 .github/workflows/add-milestone.yml

diff --git a/.github/workflows/add-milestone.yml b/.github/workflows/add-milestone.yml
new file mode 100644
index 0000000000000..5a3a348122553
--- /dev/null
+++ b/.github/workflows/add-milestone.yml
@@ -0,0 +1,52 @@
+name: Add Milestone on a Merged PR
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - master
+      - "[0-9]+.[0-9]+.x"
+
+permissions: {}
+
+jobs:
+  add-milestone-pr:
+    name: Add Milestone on PR
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GH_REPO: ${{ github.repository }}
+    steps:
+      - name: Checkout integrations-core repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get repo current milestone
+        id: current-milestone
+        run: |
+          # Use the current_milestone field in the release.json file.
+          MILESTONE=$(cat release.json | jq -r .current_milestone)
+          if [ -z "$MILESTONE" ]; then
+            echo "Error: Couldn't find the current_milestone field in the release.json file."
+            exit 1
+          fi
+
+          if [[ ! $MILESTONE =~ ^7\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Error: Malformed milestone $MILESTONE. It should be of the form '7.x.y'."
+            exit 1
+          fi
+          echo "MILESTONE=$MILESTONE" >> "$GITHUB_OUTPUT"
+
+      - name: Set the merged PR milestone to current_milestone from release.json
+        run: |
+          echo "Setting milestone $MILESTONE to PR $NUMBER."
+          gh issue edit "$NUMBER" --milestone "$MILESTONE"
+        env:
+          NUMBER: ${{ github.event.number }}
+          MILESTONE: ${{ steps.current-milestone.outputs.MILESTONE }}
+

From 260ab5349beb4bfdbb3b2a729d42e5b8142ad491 Mon Sep 17 00:00:00 2001
From: NouemanKHAL
Date: Fri, 27 Mar 2026 08:34:59 +0100
Subject: [PATCH 3/4] move to dd-octo-sts

---
 .../self.add-milestone.pull-request.sts.yaml | 36 +++++++++++++++++++
 .github/workflows/add-milestone.yml | 12 +++++--
 2 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 .github/chainguard/self.add-milestone.pull-request.sts.yaml
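Review bot: `MILESTONE=$(cat release.json | jq -r .current_milestone)` in the "Get repo current milestone" step never reaches the `-z` branch when the field is absent, because `jq -r` prints the literal string `null` for a missing key; the run then dies at the regex check with the misleading message "Malformed milestone null". Use `MILESTONE=$(jq -r '.current_milestone // empty' release.json)` so a missing or null field yields an empty string and the intended error fires (this also drops the redundant `cat`). Separately, on a `pull_request: closed` run the checkout resolves `github.ref`, which for PR events is the PR merge ref rather than the base branch head, so the milestone value is read from the merged PR's own tree; that is presumably acceptable because only merged PRs pass the job-level `if`, but a one-line comment above the checkout step stating that intent would save the next reader the same question.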
diff --git a/.github/chainguard/self.add-milestone.pull-request.sts.yaml b/.github/chainguard/self.add-milestone.pull-request.sts.yaml
new file mode 100644
index 0000000000000..93f7b1959c69c
--- /dev/null
+++ b/.github/chainguard/self.add-milestone.pull-request.sts.yaml
@@ -0,0 +1,36 @@
+# Trust policy for the add-milestone workflow in DataDog/integrations-core
+#
+# This policy grants the workflow permission to set a milestone on merged pull
+# requests targeting master or release branches.
+#
+# Naming convention:
+#   self: Only this repository (DataDog/integrations-core) can use this policy
+#   add-milestone: Grants permissions to update pull request milestones
+#   pull-request: Intended for workflows triggered by pull_request events
+#
+# Security model:
+# - Workflow runs on pull_request (closed) events targeting protected branches
+# - ref_protected ensures the target branch is master or a protected X.Y.x branch
+# - job_workflow_ref is matched by pattern since PR events reference refs/pull/N/merge
+#
+# Permissions granted:
+# - pull_requests: write - Set the milestone on the merged pull request
+#
+# Usage in workflows:
+# - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+#   with:
+#     scope: DataDog/integrations-core
+#     policy: self.add-milestone.pull-request
+
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/integrations-core:pull_request
+
+claim_pattern:
+  ref: refs/heads/(master|\d+\.\d+\.x)
+  ref_protected: "true"
+  job_workflow_ref: DataDog/integrations-core/.github/workflows/add-milestone\.yml@.*
+  event_name: pull_request
+
+permissions:
+  pull_requests: write
diff --git a/.github/workflows/add-milestone.yml b/.github/workflows/add-milestone.yml
index 5a3a348122553..7b20d6d060796 100644
--- a/.github/workflows/add-milestone.yml
+++ b/.github/workflows/add-milestone.yml
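Review bot: `ref: refs/heads/(master|\d+\.\d+\.x)` under `claim_pattern` is unlikely to ever match a token minted by this workflow: for `pull_request`-triggered runs the OIDC `ref` claim carries the PR merge ref (`refs/pull/N/merge`), which is the very fact the header comment cites as the reason `job_workflow_ref` needs the `@.*` suffix. The target branch is carried by the `base_ref` claim instead, so the policy probably needs `base_ref: refs/heads/(master|\d+\.\d+\.x)` — verify against a decoded token from a real run before relying on it, noting that a non-matching pattern fails closed (token request denied, job fails) rather than open. The same `ref` pattern is re-added in the patch-4 hunk `@@ -27,10 +27,10 @@`, so the fix applies there as well. `ref_protected: "true"` would be false for a merge ref for the same reason, which may be why patch 4 drops it; if `base_ref` is adopted, a comment on that line saying why `ref` cannot be used here would keep the next maintainer from reintroducing it.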
@@ -16,9 +16,9 @@ jobs:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      id-token: write # Required for OIDC token federation with dd-octo-sts
+      contents: read
     env:
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       GH_REPO: ${{ github.repository }}
     steps:
       - name: Checkout integrations-core repository
@@ -26,6 +26,13 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Get GitHub token via dd-octo-sts
+        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/integrations-core
+          policy: self.add-milestone.pull-request
+
       - name: Get repo current milestone
         id: current-milestone
         run: |
@@ -47,6 +54,7 @@ jobs:
           echo "Setting milestone $MILESTONE to PR $NUMBER."
           gh issue edit "$NUMBER" --milestone "$MILESTONE"
         env:
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
           NUMBER: ${{ github.event.number }}
           MILESTONE: ${{ steps.current-milestone.outputs.MILESTONE }}
 

From beeef7b6e11077e088d26793bb084b32ad44ae1c Mon Sep 17 00:00:00 2001
From: NouemanKHAL
Date: Fri, 27 Mar 2026 17:46:28 +0100
Subject: [PATCH 4/4] apply dd-octo-sts claude skill recommendations

---
 .../chainguard/self.add-milestone.pull-request.sts.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/chainguard/self.add-milestone.pull-request.sts.yaml b/.github/chainguard/self.add-milestone.pull-request.sts.yaml
index 93f7b1959c69c..c96fbd056d6f2 100644
--- a/.github/chainguard/self.add-milestone.pull-request.sts.yaml
+++ b/.github/chainguard/self.add-milestone.pull-request.sts.yaml
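Review bot: The "Get GitHub token via dd-octo-sts" step added in hunk `@@ -26,6 +26,13 @@` runs before the milestone value has been validated, so a `pull_requests: write` token is minted even on runs that then `exit 1` inside "Get repo current milestone". Moving that step to sit immediately before "Set the merged PR milestone ..." keeps the token's lifetime to the single `gh issue edit` call that consumes it, with no other lines changing; the `GH_TOKEN` wiring added in hunk `@@ -47,6 +54,7 @@` is unaffected by the move. In hunk `@@ -16,9 +16,9 @@` the inline comment on `id-token: write` is good; giving `contents: read` the same treatment, `contents: read # actions/checkout needs it to read release.json`, makes the whole permissions block self-explaining.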
@@ -10,7 +10,7 @@
 #
 # Security model:
 # - Workflow runs on pull_request (closed) events targeting protected branches
-# - ref_protected ensures the target branch is master or a protected X.Y.x branch
+# - ref restricts to master and protected X.Y.x release branches (protected by org rulesets)
 # - job_workflow_ref is matched by pattern since PR events reference refs/pull/N/merge
 #
 # Permissions granted:
@@ -27,10 +27,10 @@ issuer: https://token.actions.githubusercontent.com
 subject: repo:DataDog/integrations-core:pull_request
 
 claim_pattern:
-  ref: refs/heads/(master|\d+\.\d+\.x)
-  ref_protected: "true"
-  job_workflow_ref: DataDog/integrations-core/.github/workflows/add-milestone\.yml@.*
   event_name: pull_request
+  job_workflow_ref: DataDog/integrations-core/\.github/workflows/add-milestone\.yml@.*
+  ref: refs/heads/(master|\d+\.\d+\.x)
+  repository: DataDog/integrations-core
 
 permissions:
   pull_requests: write
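Review bot: The rewritten comment in hunk `@@ -10,7 +10,7 @@`, "(protected by org rulesets)", now describes a property the policy itself no longer checks, since `ref_protected: "true"` is removed in the second hunk; a reader skimming the "Security model" block will assume the policy enforces branch protection. Wording it as an explicit external dependency avoids that, e.g. `# - ref restricts to master and X.Y.x release branches; branch protection is enforced by org rulesets, not by this policy`. The new `repository: DataDog/integrations-core` claim overlaps with the `subject` line above it; that is harmless defence in depth, but a short comment saying so would stop someone from "cleaning up" one or the other later.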