Skip to content

Restrict release trust policy to git tag versions#11630

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits into
masterfrom
sarahchen6/restrict-tag
Jun 23, 2026
Merged

Restrict release trust policy to git tag versions#11630
gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits into
masterfrom
sarahchen6/restrict-tag

Conversation

@sarahchen6

@sarahchen6 sarahchen6 commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

What Does This Do

Restrict release trust policy to git tag versions matching the specific format v\d+\.\d+\.\d+ instead of just checking v.*

Motivation

Tighten restrictions on what we trust, and improve security

Additional Notes

Contributor Checklist

  • Format the title according to the contribution guidelines
  • Assign the type: and (comp: or inst:) labels in addition to any other useful labels
  • Avoid using close, fix, or any linking keywords when referencing an issue
    Use solves instead, and assign the PR milestone to the issue
  • Update the CODEOWNERS file on source file addition, migration, or deletion
  • Update public documentation with any new configuration flags or behaviors
  • Add your completed PR to the merge queue by commenting /merge. You can also:
    • Customize the commit message associated with the merge with /merge --commit-message "..."
    • Remove your PR from the merge queue with /merge -c
    • Skip all merge queue checks with /merge -f --reason "reason"; please use this judiciously, as some checks do not run at the PR-level (note: the PR still needs to be mergeable, this will only skip the pre-merge build)
    • Get more information in this doc

Jira ticket: [PROJ-IDENT]

@sarahchen6 sarahchen6 added tag: no release notes Changes to exclude from release notes comp: tooling Build & Tooling labels Jun 11, 2026
@datadog-prod-us1-6

This comment has been minimized.

Sign in to view
@dd-octo-sts

dd-octo-sts Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite Status
Startup 🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results
Scenario Candidate master Δ (95% CI of mean)
startup:insecure-bank:iast:Agent 14.10 s 13.96 s [+0.0%; +2.0%] (maybe worse)
startup:insecure-bank:tracing:Agent 12.94 s 12.96 s [-0.9%; +0.6%] (no difference)
startup:petclinic:appsec:Agent 16.90 s 16.74 s [-0.2%; +2.2%] (no difference)
startup:petclinic:iast:Agent 16.84 s 16.89 s [-1.3%; +0.7%] (no difference)
startup:petclinic:profiling:Agent 16.14 s 16.81 s [-8.2%; +0.2%] (no difference)
startup:petclinic:sca:Agent 16.90 s 16.66 s [+0.6%; +2.3%] (maybe worse)
startup:petclinic:tracing:Agent 15.98 s 16.22 s [-2.5%; -0.4%] (maybe better)

Commit: 3707868a · CI Pipeline · Benchmarking Platform UI

Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@sarahchen6 sarahchen6 marked this pull request as ready for review June 22, 2026 19:05
@sarahchen6 sarahchen6 requested a review from a team as a code owner June 22, 2026 19:05
@sarahchen6 sarahchen6 requested review from AlexeyKuznetsov-DD and PerfectSlayer and removed request for a team June 22, 2026 19:05
@PerfectSlayer PerfectSlayer added the tag: security Security related changes label Jun 23, 2026
@sarahchen6

sarahchen6 commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-06-23 13:25:02 UTC ℹ️ Start processing command /merge

2026-06-23 13:25:07 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).

2026-06-23 14:31:39 UTC ℹ️ MergeQueue: This merge request was merged

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 31472e8 into master Jun 23, 2026
594 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the sarahchen6/restrict-tag branch June 23, 2026 14:31
@github-actions github-actions Bot added this to the 1.64.0 milestone Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bric3 bric3 bric3 approved these changes

@PerfectSlayer PerfectSlayer PerfectSlayer approved these changes

@AlexeyKuznetsov-DD AlexeyKuznetsov-DD AlexeyKuznetsov-DD approved these changes

Assignees

No one assigned

Labels

comp: tooling Build & Tooling tag: no release notes Changes to exclude from release notes tag: security Security related changes

Projects

None yet

Milestone

1.64.0

Development

Successfully merging this pull request may close these issues.

4 participants

@sarahchen6 @bric3 @PerfectSlayer @AlexeyKuznetsov-DD