feat(ci): add days-since-last-pin daily workflow #22951
- Add .github/workflows/days-since-last-pin.yml that runs daily at 9:42 UTC
- Computes days since INTEGRATIONS_CORE_VERSION was last updated in datadog-agent/release.json
- Posts gauge metric integrations_core.days_since_last_pin{team:agent-integrations} to Datadog API v2
Rationale: AI-6462 — need a CI dashboard counter that turns red when the agent repo hasn't been pinned in >4 days
This PR does not modify any files shipped with the agent. To help streamline the release process, please consider adding the
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 09fde01b31
| print(f"Current pin: {current_pin}") | ||
|
|
||
| # Step 2: fetch recent commits to release.json | ||
| commits_url = f"{COMMITS_API_URL}?path=release.json&per_page=30" |
Paginate past the first 30 release.json commits
per_page=30 means this job only inspects the newest 30 commits that touched release.json. If INTEGRATIONS_CORE_VERSION stays unchanged across more than 30 such commits, the loop never reaches the commit where the pin last changed, so last_pin_commit becomes the oldest item in that first page and the reported age is too small. Because this metric is supposed to drive a stale-pin alert, the dashboard can stay green even when the pin is older than the threshold.
Will check all commits in the last 30 days instead.
| pin_at_sha = get_integrations_core_version(sha) | ||
| except Exception as e: | ||
| print(f"Warning: could not fetch release.json at {sha}: {e}") | ||
| break |
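Review bot: `except Exception` around `get_integrations_core_version(sha)` catches more than the fetch failure the warning text names, so a parsing or lookup error inside that helper is logged as "could not fetch" and ends the walk at `break` in the same way. Catch the specific request exception here and let any other error propagate with its traceback.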
Fail instead of submitting a partial metric on fetch errors
If any historical release.json fetch fails here (for example due to a transient GitHub API/raw-content error), the code logs a warning, breaks the scan, and still posts a metric based on the newest successfully read commit. In that case the workflow silently undercounts days_since_last_pin, which is worse than failing because it can suppress the very alert this workflow is meant to power.
Will raise an error if the fetch fails
…nce-last-pin
- Extract 90-line embedded Python heredoc to .github/workflows/scripts/days_since_last_pin.py
- Add actions/checkout step so the workflow can access the script file
- Replace silent break-on-error with raise to fail the job on fetch errors
- Split single step into compute + submit for step-level failure attribution
- Add comment explaining the per_page=30 assumption
Rationale: PR review found inline heredoc diverged from repo convention, and a mid-walk fetch failure would silently submit a falsely-healthy metric
This commit made by [/dd:git:commit:quick](https://github.com/DataDog/claude-marketplace/tree/main/dd/commands/git/commit/quick.md)
- Replace per_page=30 with a since=30-days-ago query parameter and full pagination
- release.json is updated for many dep changes (JMXFETCH, OMNIBUS_RUBY, etc.), so a fixed page count could exhaust without finding the pin-change commit
- When no commits found in the window, report days=30 (pin is at least that old)
Rationale: the sparse-commit assumption was wrong; time-bounded window is the correct approach
This commit made by [/dd:git:commit:quick](https://github.com/DataDog/claude-marketplace/tree/main/dd/commands/git/commit/quick.md)
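The two fixes described in the commits above (fail on a fetch error, cover the whole window instead of one page), as an added example that is not the PR's script. It finds the pin change by comparing each commit with its parent, which is a choice made for this example; `fetch_pin`, `naive_age`, `PinHistoryError` and the sample commits are hypothetical and constructed.

```python
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 30  # look-back window named in the commit message


class PinHistoryError(RuntimeError):
    """A release.json revision needed for the walk could not be read."""


def naive_age(commits, fetch_pin, now):
    """Flawed walk from the review: oldest commit still on the current pin wins."""
    current, last = fetch_pin(commits[0][0]), commits[0][2]
    for sha, _parent, when in commits:
        if fetch_pin(sha) != current:
            break
        last = when
    return (now - last).days


def days_since_last_pin(commits, fetch_pin, now):
    """Age in days of the newest commit whose pin differs from its parent's.

    commits: (sha, parent_sha, committed_at), newest first, all pages of the
    window. fetch_pin: hypothetical callable, sha -> pin at that commit.
    """
    def pin_at(sha):
        try:
            return fetch_pin(sha)
        except Exception as exc:
            # Stopping here would report a too-small age, so fail the job.
            raise PinHistoryError(f"cannot read release.json at {sha}") from exc

    for sha, parent_sha, when in commits:
        if pin_at(sha) != pin_at(parent_sha):
            return min((now - when).days, WINDOW_DAYS)
    return WINDOW_DAYS  # no change inside the window: at least this old


# Constructed sample: 35 commits touch release.json, 4 hours apart; the pin
# changed in the oldest one (c34), whose parent p34 still has the old value.
NOW = datetime(2026, 1, 31, 9, 42, tzinfo=timezone.utc)
PINS = {**{f"c{i}": "pin-new" for i in range(35)}, "p34": "pin-old"}
COMMITS = [(f"c{i}", f"c{i + 1}" if i < 34 else "p34", NOW - timedelta(hours=4 * i))
           for i in range(35)]

if __name__ == "__main__":
    print("first page only:", naive_age(COMMITS[:30], PINS.__getitem__, NOW))
    print("full window:    ", days_since_last_pin(COMMITS, PINS.__getitem__, NOW))
```

On the sample, the first-page walk reports 4 days and the full walk reports 5, which is the difference between green and red at the > 4 day threshold.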
…cess
- Add dd-octo-sts-action step to exchange OIDC token for a scoped token on DataDog/datadog-agent (contents:read only)
- Pass dd-octo-sts token as GITHUB_TOKEN to the compute step instead of the built-in secrets.GITHUB_TOKEN
- Add id-token:write permission to the job for OIDC federation
Trust policy PR: DataDog/datadog-agent#48035
Rationale: scoped short-lived token is more secure than using the default GITHUB_TOKEN for cross-repo access
This commit made by [/dd:git:commit:quick](https://github.com/DataDog/claude-marketplace/tree/main/dd/commands/git/commit/quick.md)
…t-pin (#48035)
## Summary
Adds a dd-octo-sts trust policy authorizing `DataDog/integrations-core`'s daily `days-since-last-pin` workflow to read `release.json` from this repo.
Needed for DataDog/integrations-core#22951
## Context
The `days-since-last-pin.yml` workflow in `integrations-core` (Jira: AI-6462) computes how many days it has been since `INTEGRATIONS_CORE_VERSION` was last updated in this repo's `release.json`, and posts a gauge metric to Datadog for CI dashboard alerting (turns red when > 4 days).
## Policy
**File:** `.github/chainguard/integrations-core.github.read-release-json.schedule.sts.yaml`
- **Source:** `DataDog/integrations-core` (scheduled + workflow_dispatch, runs on `master`)
- **Permission:** `contents: read` on this repo (to read `release.json` at historical SHAs and query the commits API)
- Restricted to the exact workflow file and default branch via `claim_pattern`
## Related PR
DataDog/integrations-core#22951
Co-authored-by: david.kirov <david.kirov@datadoghq.com>
Summary
- `.github/workflows/days-since-last-pin.yml` that runs daily at 9:42 UTC (+ `workflow_dispatch` for manual triggering)
- `release.json` from `DataDog/datadog-agent` and walks recent commits to determine when `INTEGRATIONS_CORE_VERSION` last changed
- `integrations_core.days_since_last_pin{team:agent-integrations}` to Datadog API v2
- `run:` steps (no `uses:` actions), so pinact validation is unaffected

Related to DataDog/datadog-agent#48035

Motivation
Jira: AI-6462
The agent repo (`DataDog/datadog-agent`) is pinned to `integrations-core` bi-weekly via an auto-created PR that must be manually merged. This metric enables a CI dashboard widget (on the Agent Integrations Overview dashboard) that turns red when the pin is stale (> 4 days).

Post-merge steps (manual)
Add a Query Value widget to the CI dashboard:
`max:integrations_core.days_since_last_pin{team:agent-integrations}`

Test plan
- `workflow_dispatch` from GitHub Actions UI after merge
- `integrations_core.days_since_last_pin`

🤖 Generated with Claude Code