48 changes: 27 additions & 21 deletions .github/workflows/publish-release.yml
Expand Up @@ -10,27 +10,8 @@ permissions:
contents: write # Required for the draft release

jobs:
pre-release-checks:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Install node
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version: 22.19.0
- name: Install project dependencies
run: yarn install --immutable --mode=skip-build
- name: Check NPM packages
run: yarn check-npm-packages
env:
# Used to post comments on the PR
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

create-draft-release:
runs-on: ubuntu-latest
needs: pre-release-checks
outputs:
release-id: ${{ steps.draft-release.outputs.result }}
steps:
Expand Down Expand Up @@ -268,11 +249,34 @@ jobs:
data: await fs.readFile('./datadog-ci_darwin-arm64'),
})

pre-approval-checks:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Install node
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version: 22.19.0
- run: yarn install --immutable --mode=skip-build
- name: Check NPM packages
run: yarn check-npm-packages
env:
# Used to post comments on the PR
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# Requires an approval
npm-publish:
runs-on: ubuntu-latest
environment: npm
needs: [build-binary-ubuntu, build-binary-windows, build-binary-macos]
needs:
- pre-approval-checks
- build-binary-ubuntu
- build-binary-ubuntu-arm
- build-binary-windows
- build-binary-macos
- build-binary-macos-arm
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
Expand All @@ -281,7 +285,9 @@ jobs:
registry-url: 'https://registry.npmjs.org'
- run: yarn install --immutable
- run: yarn build
- run: yarn publish:all --provenance
# Given every package is version X.X.X (enforced by `yarn lint:packages`), we can skip
# already published packages with `--tolerate-republish` (for example when OIDC was not yet enabled)
- run: yarn publish:all --provenance --tolerate-republish

bump-ci-integrations:
name: Bump datadog-ci in integration
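Review bot: `--tolerate-republish` on the `yarn publish:all` step means a package whose version is already on the registry is skipped rather than uploaded, so it keeps whatever tarball was published earlier and gets no provenance attestation from this run, while the job still goes green. The added comment justifies the skip by all packages sharing one version, which says nothing about where the existing tarball came from; the comment itself mentions publishes made before OIDC was enabled. I would state that limit in the comment, e.g. `# NOTE: packages skipped by --tolerate-republish are not rebuilt or re-attested by this job; verify them separately.`, and consider logging which packages were skipped so a release reviewer can see them. What `publish:all` expands to is not visible here, so this assumes it forwards both flags to the publish command.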
63 changes: 56 additions & 7 deletions bin/check-npm-packages.sh
Expand Up @@ -12,6 +12,7 @@ set -euo pipefail

MODE="check"
DRY_RUN=false
GITHUB_REPOSITORY=DataDog/datadog-ci

while [[ $# -gt 0 ]]; do
case $1 in
Expand Down Expand Up @@ -63,7 +64,41 @@ while IFS= read -r pkg; do
fi
done <<< "$local_packages"

# Exit early if everything is good
# Fetch PR information
PR_RESPONSE=""
PR_LABELS=""
if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
PR_RESPONSE=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls")
PR_LABELS=$(echo "$PR_RESPONSE" | jq '[.[0].labels[].name]' 2>/dev/null || true)

echo -e "${BLUE}PR labels:${NC} $PR_LABELS"
echo
fi

# In CI, check the labels on the PR
if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
Comment thread
Drarig29 marked this conversation as resolved.
Outdated
# Fail if `Do Not Merge` is set
if echo "$PR_LABELS" | grep -q "Do Not Merge"; then
echo -e "${RED}This PR is marked as \"Do Not Merge\" ❌${NC}"
exit 1
fi

# Fail if the PR has `oidc-setup-required ⚠️` WITHOUT `oidc-setup-done ✅`
if echo "$PR_LABELS" | grep -q "oidc-setup-required ⚠️"; then
if ! echo "$PR_LABELS" | grep -q "oidc-setup-done ✅"; then
echo -e "${RED}This PR requires OIDC setup on some packages. Please ask an admin to follow the instructions at https://datadoghq.atlassian.net/wiki/x/QYDRaQE${NC}"
exit 1
else
echo 'Continuing... No need to remove the `oidc-setup-required ⚠️` label.'
fi
else
echo 'Continuing... for the `oidc-setup-required ⚠️` label to possibly be added.'
fi
echo
fi

# Everything is good.
if [ ${#missing_packages[@]} -eq 0 ]; then
echo -e "${GREEN}All local packages exist on NPM ✅${NC}"
exit 0
Expand All @@ -76,11 +111,8 @@ for pkg in "${missing_packages[@]}"; do
done

# In CI environment, post a comment on the PR
if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
# Get the PR number and author associated with this commit
PR_RESPONSE=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls")

if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
# PR_RESPONSE was already fetched above
PR_NUMBER=$(echo "$PR_RESPONSE" | jq -r '.[0].number // empty')
PR_AUTHOR=$(echo "$PR_RESPONSE" | jq -r '.[0].user.login // empty')

Expand All @@ -99,11 +131,18 @@ Hi @$PR_AUTHOR, please **ask an admin** to follow the instructions at https://da
# Post comment on the PR
curl -s -X POST \
-H "Authorization: token $GITHUB_TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
-d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')" > /dev/null

echo -e "${BLUE}Posted comment on PR #$PR_NUMBER (author: @$PR_AUTHOR)${NC}"

# Add the 'oidc-setup-required ⚠️' label to the PR
curl -s -X POST \
-H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/labels" \
-d '{"labels":["oidc-setup-required ⚠️"]}' > /dev/null

echo -e "${BLUE}Added 'oidc-setup-required ⚠️' label to PR #$PR_NUMBER${NC}"
else
# Fallback when PR is not found
echo -e "${RED}No PR found for commit $GITHUB_SHA${NC}"
Expand Down Expand Up @@ -181,3 +220,13 @@ if [ "$DRY_RUN" = true ]; then
else
echo -e "${GREEN}Successfully published ${#missing_packages[@]} package(s)${NC}"
fi

echo
echo -e "${RED}${BOLD}⚠️ You are not done!${NC} Please setup OIDC on each package at the links below."
echo

for pkg in "${missing_packages[@]}"; do
echo -e " - Opening ${BLUE}https://www.npmjs.com/package/$pkg/access${NC}"
open "https://www.npmjs.com/package/$pkg/access"
done
echo
Comment on lines +223 to +232
Contributor Author


Image
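Review bot: The label gate added ahead of the "Everything is good" check fails open: `curl -s` exits successfully on an HTTP error, and `jq '[.[0].labels[].name]' 2>/dev/null || true` turns any parse failure into an empty `PR_LABELS`, so a failed or rate-limited API call lets both the `Do Not Merge` and the `oidc-setup-required ⚠️` checks pass. Because the workflow on this page makes this check a prerequisite of `npm-publish`, the fetch should stop the job when labels cannot be read: add `--fail` to the `curl` call and drop the error suppression, e.g. `PR_LABELS=$(echo "$PR_RESPONSE" | jq -e '[.[0].labels[].name]')`. If the job can run on a commit with no associated pull request, that case needs its own explicit branch first; the existing "No PR found" fallback further down suggests it can happen. The label POST near the end has the same pattern, since its response goes to `/dev/null` and the "Added ... label" message prints whether or not the request succeeded.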