Conversation

Contributor

@Kyle-Neale Kyle-Neale commented Nov 6, 2025

What does this PR do?

Integrates dd-octo-sts to obtain GitHub tokens with workflows permission, enabling fully automated Python version upgrades including modifications to workflow files.

Motivation

  • Added trust policy .github/chainguard/self.create-pull-requests.schedule.sts.yaml with workflows: write permission
  • Updated .github/workflows/upgrade-python-version.yml to use DataDog/dd-octo-sts-action instead of actions/create-github-app-token

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

Contributor

@AAraKKe AAraKKe left a comment

Thanks a lot @Kyle-Neale!! So cool we are starting to use octo-sts 😁. This looks pretty nice, just a couple of small comments.

event_name: (schedule|workflow_dispatch)
ref: refs/heads/master
ref_protected: "true"
job_workflow_ref: DataDog/integrations-core/.github/workflows/upgrade-python-version.yml@refs/heads/master
Contributor

request: While we are using the policy for this particular workflow, this policy is valid for creating PRs if the workflow runs from master. I would probably allow any workflow from this repo running from master to use it. Then we can migrate all workflows we create pull requests from to use octo-sts and avoid the static app credentials we store in the repo.

I am guessing we can write something like DataDog/integrations-core/\.github/workflows/.*\.yml@refs/heads/master

Note: these are regexes (is this the plural of regex? XD). Make sure to add the \ before each dot (.).

Contributor

request: can we rename the policy following the same format they propose? It makes a lot of sense because these policies can be used from different places. Maybe name it self.create-pull-requests.schedule.sts.yaml.

  • self: only this repo has access to this policy
  • create-pull-requests: grants permissions to create pull requests
  • schedule: only for workflows running on schedule. The dispatch is there to ensure we can execute it outside of schedule.

I would also add a comment to the file explaining what the intention is, i.e. that it is intended to be used with the peter-evans/create-pull-request action.
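The claim-matching behaviour these two comments discuss, as an added example that is not part of the PR, of the integrations-core repository or of the octo-sts project: a small Python model that evaluates the quoted claim patterns against constructed GitHub Actions OIDC claims, with job_workflow_ref broadened to the whole-repo pattern proposed above. It assumes octo-sts matches each claim pattern as a fully anchored regular expression (modelled here with re.fullmatch) and that the claim names and string values follow GitHub's OIDC token format; the scenario names, the second workflow file name, the other repository name and the "loose" pattern are constructed for illustration.

```python
import re

# Constructed model of the claim_pattern block quoted in the review. The
# job_workflow_ref pattern is the broadened form the reviewer proposed.
# Assumption: octo-sts evaluates every claim pattern as an anchored full match.
POLICY_CLAIM_PATTERNS = {
    "event_name": r"(schedule|workflow_dispatch)",
    "ref": r"refs/heads/master",
    "ref_protected": r"true",
    "job_workflow_ref": r"DataDog/integrations-core/\.github/workflows/.*\.yml@refs/heads/master",
}


def policy_allows(patterns, claims):
    """True only if every claim named in the policy is present and fully matches its regex."""
    for claim, pattern in patterns.items():
        value = claims.get(claim)
        if value is None or re.fullmatch(pattern, value) is None:
            return False
    return True


def workflow_claims(event_name, ref, workflow_file,
                    repo="DataDog/integrations-core", protected="true"):
    """Build the subset of OIDC claims the policy inspects (constructed test data).

    GitHub emits ref_protected as the string "true"/"false", and job_workflow_ref as
    <owner>/<repo>/.github/workflows/<file>@<ref> for a same-repo workflow.
    """
    return {
        "event_name": event_name,
        "ref": ref,
        "ref_protected": protected,
        "job_workflow_ref": f"{repo}/.github/workflows/{workflow_file}@{ref}",
    }


def evaluate_scenarios():
    """Run the policy over constructed tokens; returns {scenario: allowed}."""
    scenarios = {
        # The upgrade job itself, on its cron schedule from protected master.
        "schedule_on_master": workflow_claims(
            "schedule", "refs/heads/master", "upgrade-python-version.yml"),
        # A different (constructed) workflow in the same repo, dispatched manually
        # from master: allowed by the broadened job_workflow_ref pattern.
        "dispatch_other_workflow": workflow_claims(
            "workflow_dispatch", "refs/heads/master", "release-something.yml"),
        # Same file, but triggered by a pull request: event_name does not match.
        "pull_request_on_master": workflow_claims(
            "pull_request", "refs/heads/master", "upgrade-python-version.yml"),
        # Dispatched from a feature branch: ref and job_workflow_ref both fail.
        "dispatch_on_feature_branch": workflow_claims(
            "workflow_dispatch", "refs/heads/feature-branch", "upgrade-python-version.yml"),
        # Same workflow file name in another (constructed) repo: job_workflow_ref fails.
        "schedule_from_other_repo": workflow_claims(
            "schedule", "refs/heads/master", "upgrade-python-version.yml",
            repo="DataDog/integrations-extras"),
        # Branch protection switched off: ref_protected fails.
        "unprotected_master": workflow_claims(
            "schedule", "refs/heads/master", "upgrade-python-version.yml", protected="false"),
    }
    return {name: policy_allows(POLICY_CLAIM_PATTERNS, claims)
            for name, claims in scenarios.items()}


def anchoring_matters(pattern=r"refs/heads/master"):
    """A substring search would accept refs/heads/master-hotfix; a full match does not."""
    value = "refs/heads/master-hotfix"
    return {
        "search": re.search(pattern, value) is not None,
        "fullmatch": re.fullmatch(pattern, value) is not None,
    }


def escaping_matters():
    """Why the reviewer asked for the backslash: an unescaped dot is a one-character
    wildcard, so the loose pattern also accepts a path whose segment is not .github and
    whose file does not end in .yml. The strict pattern rejects the same value."""
    loose = r"DataDog/integrations-core/.github/workflows/.*.yml@refs/heads/master"
    strict = r"DataDog/integrations-core/\.github/workflows/.*\.yml@refs/heads/master"
    odd_value = "DataDog/integrations-core/xgithub/workflows/upgrade-pythonXyml@refs/heads/master"
    return {
        "loose": re.fullmatch(loose, odd_value) is not None,
        "strict": re.fullmatch(strict, odd_value) is not None,
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(f"{name:28s} -> {'ALLOW' if allowed else 'deny'}")
    print("anchoring:", anchoring_matters())
    print("escaping: ", escaping_matters())
```

The scenario table is the useful part to keep around when a policy is broadened: every claim the policy names must match, so widening job_workflow_ref to the whole workflows directory still leaves event_name, ref and ref_protected as independent gates, and a manually dispatched run from a non-default branch is refused on two claims at once. Python's re syntax is a close enough model of Go's RE2 for these patterns, but a real policy should be checked against octo-sts itself before it is relied on.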

@AAraKKe AAraKKe self-assigned this Nov 7, 2025

github-actions bot commented Nov 7, 2025

⚠️ Recommendation: Add qa/skip-qa label

This PR does not modify any files shipped with the agent.

To help streamline the release process, please consider adding the qa/skip-qa label if these changes do not require QA testing.

Contributor

@AAraKKe AAraKKe left a comment

Thanks for the update! The comments are pretty useful since this is the first policy we have; in the future we can add fewer comments, but it looks great.

@Kyle-Neale Kyle-Neale added this pull request to the merge queue Nov 11, 2025
Merged via the queue into master with commit 76dd1b2 Nov 11, 2025
30 checks passed
@Kyle-Neale Kyle-Neale deleted the kyle.neale/use-octo-sts-generated-token branch November 11, 2025 14:46
3 participants