DataDog · NouemanKHAL · Mar 25, 2026 · Mar 25, 2026 · Mar 27, 2026 · Mar 27, 2026
@@ -0,0 +1,36 @@
+# Trust policy for the add-milestone workflow in DataDog/integrations-core
+#
+# This policy grants the workflow permission to set a milestone on merged pull
+# requests targeting master or release branches.
+#
+# Naming convention:
+#   self:          Only this repository (DataDog/integrations-core) can use this policy
+#   add-milestone: Grants permissions to update pull request milestones
+#   pull-request:  Intended for workflows triggered by pull_request events
+#
+# Security model:
+#   - Workflow runs on pull_request (closed) events targeting protected branches
+#   - ref restricts to master and protected X.Y.x release branches (protected by org rulesets)
+#   - job_workflow_ref is matched by pattern since PR events reference refs/pull/N/merge
+#
+# Permissions granted:
+#   - pull_requests: write  - Set the milestone on the merged pull request
+#
+# Usage in workflows:
+#   - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+#     with:
+#       scope: DataDog/integrations-core
+#       policy: self.add-milestone.pull-request
+
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/integrations-core:pull_request
+
+claim_pattern:
+  event_name: pull_request
+  job_workflow_ref: DataDog/integrations-core/\.github/workflows/add-milestone\.yml@.*
+  ref: refs/heads/(master|\d+\.\d+\.x)
+  repository: DataDog/integrations-core
+
+permissions:
+  pull_requests: write
@@ -0,0 +1,60 @@
+name: Add Milestone on a Merged PR
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - master
+      - "[0-9]+.[0-9]+.x"
+
+permissions: {}
+
+jobs:
+  add-milestone-pr:
+    name: Add Milestone on PR
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for OIDC token federation with dd-octo-sts
+      contents: read
+    env:
+      GH_REPO: ${{ github.repository }}
+    steps:
+      - name: Checkout integrations-core repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get GitHub token via dd-octo-sts
+        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/integrations-core
+          policy: self.add-milestone.pull-request
+
+      - name: Get repo current milestone
+        id: current-milestone
+        run: |
+          # Use the current_milestone field in the release.json file.
+          MILESTONE=$(cat release.json | jq -r .current_milestone)
+          if [ -z "$MILESTONE" ]; then
+            echo "Error: Couldn't find the current_milestone field in the release.json file."
+            exit 1
+          fi
+
+          if [[ ! $MILESTONE =~ ^7\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Error: Malformed milestone $MILESTONE. It should be of the form '7.x.y'."
+            exit 1
+          fi
+          echo "MILESTONE=$MILESTONE" >> "$GITHUB_OUTPUT"
+
+      - name: Set the merged PR milestone to current_milestone from release.json
+        run: |
+          echo "Setting milestone $MILESTONE to PR $NUMBER."
+          gh issue edit "$NUMBER" --milestone "$MILESTONE"
+        env:
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+          NUMBER: ${{ github.event.number }}
+          MILESTONE: ${{ steps.current-milestone.outputs.MILESTONE }}
+
@@ -0,0 +1,3 @@
+{
+	"current_milestone": "7.79.0"
+}