
[pull] master from DataDog:master #495

Merged
pull[bot] merged 7 commits into ConnectionMaster:master from DataDog:master
Apr 23, 2026

Conversation

@pull (pull Bot) commented Apr 23, 2026


See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

HadhemiDD and others added 7 commits April 23, 2026 09:01
* Async Client

* lint

* lint

* remove rate limit handling and fix tests

* cleanup

* fix lint

* fix lint

* optimization

* extract only needed data

* fix lint

* fix lint

* Critical security and functionality fixes

* Code Quality: add type annotations and document resource management

* new implementation

* fix lint

* remove respx

* fix tests

* fix lint

* fix test

* lint

* Add central workflow_run-triggered PR comment poster

Introduces .github/workflows/post-pr-comment.yml and its trust policy. The
workflow runs on workflow_run from the default branch so fork PRs cannot
modify it. It consumes a well-known pr-comment artifact contract
(body.md + meta.json) produced by upstream workflows, resolves the PR
number from the event (not the artifact), validates the comment marker,
exchanges OIDC via dd-octo-sts, and posts or updates the comment.

The STS policy pins event_name=workflow_run, ref=refs/heads/master,
ref_protected=true, and job_workflow_ref to this workflow on master, so
only the master-committed version can ever mint the token. Scope is
limited to issues: write (PR conversation comments use the Issues API).

* Own the comment marker inside post-pr-comment.yml

The marker that find-comment uses to locate a previously posted comment
is now derived from github.event.workflow_run.name (slugified) instead
of read from an artifact file. The central workflow prepends the marker
to body.md before posting, so the find/post pair is consistent by
construction and producers cannot misconfigure it.

Also scopes find-comment to the dd-octo-sts[bot] author so a contributor
comment cannot be hijacked even if it happens to contain the marker
string. Artifact contract shrinks to just body.md (meta.json is gone).

* Pre-check artifact existence so missing uploads skip cleanly

Previously the download step used continue-on-error to tolerate runs
that produced no artifact, which left the step marked as failed in the
UI even though the job succeeded. Replace it with a gh api pre-check:
if the pr-comment artifact is absent we set an output that gates every
downstream step, and the download step itself only runs when we know
the artifact is there. A real download failure now surfaces as a real
failure, and the no-artifact case is a quiet, clean skip.

* Use the STS token end-to-end in post-pr-comment.yml

Move the dd-octo-sts exchange to the first step and route every API
call (artifact list, artifact download, commits/pulls lookup, find and
post comment) through the resulting ephemeral token. The workflow's
ambient permissions shrink to just id-token: write, which is the
prerequisite for minting the OIDC token; GITHUB_TOKEN itself now
carries no scopes.

The STS policy grows to cover the additional reads the workflow needs:
actions: read for the artifact, pull_requests: read for the PR lookup.
issues: write is unchanged.

* Add eula validation to the validate all orchestrator

The eula validation is needed by marketplace but was missing from the
orchestrator's VALIDATIONS dict, so ddev validate all would skip it.

* Add changelog entry

* Fix validate all tests to mock _load_validations

* suppress already exists noise in ddev release tag output

* add a summary log message for better visibility

* changelog

* address feedback

* improve repo_root handling to be properly set and unset at each test

* test(ddev): mock git_tag_list in release tag test

CI checkouts don't include historical release tags, so every integration
was counted as "new" and the summary line read "Tagged N" instead of
"Tagged 2". Snapshot the current release tags before bumping and patch
git_tag_list so the assertion is independent of the checkout's tag state.

* test(ddev): assert skipped count in release tag test

Exercise the mix new + skipped path in a single run.
…() TypeError (#23435)

* Fix traefik_mesh get_version() unused url parameter

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add changelog for traefik_mesh get_version fix

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add test_get_version to catch get_version() TypeError bug

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Fix changelog filename to match PR #23435

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Use dd_run_check + assert_metadata in test_get_version

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Fix ruff 0.11.10 formatting: split long call arguments

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* build: bump OpenSSL to 3.6.2 in all builder images

* Update dependency resolution

---------

Co-authored-by: dd-agent-integrations-bot[bot] <dd-agent-integrations-bot[bot]@users.noreply.github.com>
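The two commits above about post-pr-comment.yml describe a contract that is easy to get subtly wrong: the marker used to find a previously posted comment must be the same one that gets posted, and the search must be scoped to the bot author so that a contributor comment containing the marker string is never the one that gets updated. The following Python is an added illustration of that contract, not code from the integrations-core repository or from the workflow itself. The slug rule, the `<!-- pr-comment:... -->` marker format, the shape of the comment records and the `dd-octo-sts[bot]` login used for scoping are assumptions made for this example.

```python
"""Added example (not the project's code) of the find/post marker contract:
the marker is derived from the workflow_run name, prepended to the body before
posting, and the search for an existing comment is scoped to the bot author.
Slug rule, marker format, record shape and author login are assumptions."""

import re

BOT_AUTHOR = "dd-octo-sts[bot]"  # assumed login of the account that posts comments


def slugify(name: str) -> str:
    """Assumed slug rule: lowercase, runs of non-alphanumerics become one dash."""
    slug = re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")
    return slug or "unnamed"


def marker_for(workflow_run_name: str) -> str:
    """Marker derived only from the run name, so producers cannot misconfigure it."""
    return f"<!-- pr-comment:{slugify(workflow_run_name)} -->"


def render_body(workflow_run_name: str, body_md: str) -> str:
    """The central workflow owns the marker: prepended here, never read from the artifact."""
    return f"{marker_for(workflow_run_name)}\n{body_md}"


def find_existing(comments, workflow_run_name: str):
    """Return the id of the bot's own earlier comment for this workflow, or None.

    Requiring c["user"]["login"] == BOT_AUTHOR is what stops a contributor comment
    that happens to contain the marker from being selected for update.
    """
    marker = marker_for(workflow_run_name)
    for c in comments:
        if c["user"]["login"] == BOT_AUTHOR and marker in c["body"]:
            return c["id"]
    return None


def post_or_update(comments, workflow_run_name: str, body_md: str):
    """Decide between creating and updating; returns (action, comment_id, body)."""
    body = render_body(workflow_run_name, body_md)
    existing = find_existing(comments, workflow_run_name)
    if existing is None:
        return ("create", None, body)
    return ("update", existing, body)


# Constructed sample of issue-comment records; the contributor comment (id 1)
# deliberately contains the marker string and must never be matched.
SAMPLE_COMMENTS = [
    {"id": 1, "user": {"login": "contributor"},
     "body": "<!-- pr-comment:test-results --> looks fine to me"},
    {"id": 2, "user": {"login": BOT_AUTHOR},
     "body": "<!-- pr-comment:test-results -->\nold results"},
    {"id": 3, "user": {"login": BOT_AUTHOR},
     "body": "<!-- pr-comment:lint -->\nlint output"},
]

if __name__ == "__main__":
    print(post_or_update(SAMPLE_COMMENTS, "Test Results", "new results"))
```

Running the block reports an `update` of comment 2, not comment 1, even though comment 1 is the first one carrying the marker; dropping the author check in `find_existing` is exactly the hijack the second commit message guards against.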
@pull (pull Bot) locked and limited conversation to collaborators Apr 23, 2026
@pull (pull Bot) added the ⤵️ pull label Apr 23, 2026
@pull (pull Bot) merged commit 2c390e4 into ConnectionMaster:master Apr 23, 2026
1 check passed

5 participants