[pull] master from DataDog:master #495
Merged
* Async Client
* lint
* lint
* remove rate limit handling and fix tests
* cleanup
* fix lint
* fix lint
* optimization
* extract only needed data
* fix lint
* fix lint
* Critical security and functionality fixes
* Code Quality : add type annotations and document resource management
* new implementation
* fix lint
* remove respx
* fix tests
* fix lint
* fix test
* lint
* Add central workflow_run-triggered PR comment poster

  Introduces .github/workflows/post-pr-comment.yml and its trust policy. The workflow runs on workflow_run from the default branch so fork PRs cannot modify it. It consumes a well-known pr-comment artifact contract (body.md + meta.json) produced by upstream workflows, resolves the PR number from the event (not the artifact), validates the comment marker, exchanges OIDC via dd-octo-sts, and posts or updates the comment.

  The STS policy pins event_name=workflow_run, ref=refs/heads/master, ref_protected=true, and job_workflow_ref to this workflow on master, so only the master-committed version can ever mint the token. Scope is limited to issues: write (PR conversation comments use the Issues API).

* Own the comment marker inside post-pr-comment.yml

  The marker that find-comment uses to locate a previously posted comment is now derived from github.event.workflow_run.name (slugified) instead of read from an artifact file. The central workflow prepends the marker to body.md before posting, so the find/post pair is consistent by construction and producers cannot misconfigure it.

  Also scopes find-comment to the dd-octo-sts[bot] author so a contributor comment cannot be hijacked even if it happens to contain the marker string. Artifact contract shrinks to just body.md (meta.json is gone).

* Pre-check artifact existence so missing uploads skip cleanly

  Previously the download step used continue-on-error to tolerate runs that produced no artifact, which left the step marked as failed in the UI even though the job succeeded. Replace it with a gh api pre-check: if the pr-comment artifact is absent we set an output that gates every downstream step, and the download step itself only runs when we know the artifact is there. A real download failure now surfaces as a real failure, and the no-artifact case is a quiet, clean skip.
* Use the STS token end-to-end in post-pr-comment.yml

  Move the dd-octo-sts exchange to the first step and route every API call (artifact list, artifact download, commits/pulls lookup, find and post comment) through the resulting ephemeral token. The workflow's ambient permissions shrink to just id-token: write, which is the prerequisite for minting the OIDC token; GITHUB_TOKEN itself now carries no scopes.

  The STS policy grows to cover the additional reads the workflow needs: actions: read for the artifact, pull_requests: read for the PR lookup. issues: write is unchanged.
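
The two trust decisions described in the commit messages above (the pinned OIDC claims, and looking up the previous comment by marker and bot author) can be sketched as follows. This is an added example, not code from the pull request or from dd-octo-sts: the owner/repo in `job_workflow_ref`, the marker format, and all sample claims and comments are constructed assumptions.

```python
import re

BOT_LOGIN = "dd-octo-sts[bot]"  # comment author named in the commit message

# Claims the commit message says the STS policy pins. The owner/repo part of
# job_workflow_ref is a placeholder; GitHub emits ref_protected as a string.
PINNED_CLAIMS = {
    "event_name": "workflow_run",
    "ref": "refs/heads/master",
    "ref_protected": "true",
    "job_workflow_ref": "example-org/example-repo/.github/workflows/"
                        "post-pr-comment.yml@refs/heads/master",
}


def claim_mismatches(claims, pinned=PINNED_CLAIMS):
    """Return sorted names of pinned claims that are absent or differ."""
    return sorted(name for name, want in pinned.items() if claims.get(name) != want)


def marker_for(workflow_name):
    """Derive the marker from the upstream workflow name (hypothetical format)."""
    slug = re.sub(r"[^a-z0-9]+", "-", workflow_name.lower()).strip("-")
    return f"<!-- pr-comment:{slug} -->"


def find_bot_comment(comments, marker, bot_login=BOT_LOGIN):
    """Return the id of the bot's own comment carrying the marker, else None.

    A comment by anyone else is ignored even when its body has the marker.
    """
    for comment in comments:
        if comment["user"]["login"] == bot_login and marker in comment["body"]:
            return comment["id"]
    return None


# Constructed samples: claims of a run from master and of a fork PR run,
# and a comment list shaped like the GitHub REST issue-comment objects.
TRUSTED_RUN = dict(PINNED_CLAIMS, repository="example-org/example-repo")
FORK_PR_RUN = dict(TRUSTED_RUN, event_name="pull_request", ref="refs/pull/1/merge",
                   ref_protected="false",
                   job_workflow_ref="example-org/example-repo/.github/workflows/"
                                    "post-pr-comment.yml@refs/pull/1/merge")
MARKER = marker_for("Validate All")
COMMENTS = [
    {"id": 101, "user": {"login": "contributor"}, "body": MARKER + "\nedit me"},
    {"id": 102, "user": {"login": BOT_LOGIN}, "body": MARKER + "\nreport"},
]

if __name__ == "__main__":
    print(claim_mismatches(TRUSTED_RUN), claim_mismatches(FORK_PR_RUN))
    print(find_bot_comment(COMMENTS, MARKER))
```

An empty mismatch list is the only case in which a token would be issued; the fork PR sample fails on all four pinned claims, and the contributor comment carrying the marker is never selected for update.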
* Add eula validation to the validate all orchestrator

  The eula validation is needed by marketplace but was missing from the orchestrator's VALIDATIONS dict, so ddev validate all would skip it.

* Add changelog entry
* Fix validate all tests to mock _load_validations
* suppress already exists noise in ddev release tag output
* add a summary log message for better visibility
* changelog
* address feedback
* improve repo_root handling to be properly set and unset at each test
* test(ddev): mock git_tag_list in release tag test

  CI checkouts don't include historical release tags, so every integration was counted as "new" and the summary line read "Tagged N" instead of "Tagged 2". Snapshot the current release tags before bumping and patch git_tag_list so the assertion is independent of the checkout's tag state.

* test(ddev): assert skipped count in release tag test

  Exercise the mix new + skipped path in a single run.
…() TypeError (#23435)

* Fix traefik_mesh get_version() unused url parameter

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add changelog for traefik_mesh get_version fix

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add test_get_version to catch get_version() TypeError bug

  Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Fix changelog filename to match PR #23435

  Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Use dd_run_check + assert_metadata in test_get_version

  Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Fix ruff 0.11.10 formatting: split long call arguments

  Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* build: bump OpenSSL to 3.6.2 in all builder images
* Update dependency resolution

---------

Co-authored-by: dd-agent-integrations-bot[bot] <dd-agent-integrations-bot[bot]@users.noreply.github.com>
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.4)