Enable performance SLO change tracking (#9447)

igoragoli · web-flow · commit fa788acdc2cf · 2025-09-05T10:09:36.000+02:00
* feat: add dd-octo-sts trust policy for GitLab CI GitHub access

Add read-only trust policy to enable GitLab CI jobs to access GitHub API
for SLO change tracking. Policy allows all branches and tags from the
DataDog/apm-reliability/dd-trace-java project.

* feat: update check-slo-breaches job to use dd-octo-sts for GitHub access

- Add id_tokens configuration for dd-octo-sts authentication
- Fetch GitHub token in before_script using dd-octo-sts
- Export GITHUB_TOKEN before running bp-runner for SLO tracking
- Revoke token in after_script for security

* add newline to trust policy

* fix: scope trust policy to master branch only

* fix: broaden trust policy scope to support manual runs on any branch

* feat: Remove notify-slo-breaches version pin to use improved notifications

* feat: update check-slo-breaches to use a template

* trigger pipeline

* trigger pipeline
diff --git a/.github/chainguard/self.gitlab.github-access.read.sts.yaml b/.github/chainguard/self.gitlab.github-access.read.sts.yaml
@@ -0,0 +1,7 @@
+issuer: https://gitlab.ddbuild.io
+
+subject_pattern: "project_path:DataDog/apm-reliability/dd-trace-java:ref_type:(branch|tag):ref:.*"
+
+permissions:
+  contents: read
+
diff --git a/.gitlab/macrobenchmarks.yml b/.gitlab/macrobenchmarks.yml
@@ -1,7 +1,8 @@
 include:
-  project: 'DataDog/benchmarking-platform-tools'
-  file: 'images/templates/gitlab/notify-slo-breaches.template.yml'
-  ref: '925e0a3e7dd628885f6fc69cdaea5c8cc9e212bc'
+  - project: 'DataDog/benchmarking-platform-tools'
+    file: 'images/templates/gitlab/notify-slo-breaches.template.yml'
+  - project: 'DataDog/benchmarking-platform-tools'
+    file: 'images/templates/gitlab/check-slo-breaches.template.yml'
 
 .macrobenchmarks:
   stage: macrobenchmarks
@@ -76,10 +77,9 @@ otel-latest:
 
 
 check-slo-breaches:
+  extends: .check-slo-breaches
   stage: macrobenchmarks
   interruptible: true
-  tags: ["arch:amd64"]
-  image: registry.ddbuild.io/images/benchmarking-platform-tools-ubuntu:latest
   rules:
     - if: $POPULATE_CACHE
       when: never
@@ -127,6 +127,7 @@ check-slo-breaches:
       - platform/artifacts/
     expire_in: 1 week
   variables:
+    DDOCTOSTS_POLICY: "self.gitlab.github-access.read"
     UPSTREAM_PROJECT_ID: $CI_PROJECT_ID # The ID of the current project. This ID is unique across all projects on the GitLab instance.
     UPSTREAM_PROJECT_NAME: $CI_PROJECT_NAME # "dd-trace-java"
     UPSTREAM_BRANCH: $CI_COMMIT_REF_NAME # The branch or tag name for which project is built.
