[chores] Guard NPM publish with approvals on release PR

RELEASING.md

@@ -6,19 +6,25 @@ To release a new version of `datadog-ci`:
 2. Run `yarn version:all <major|minor|patch>`.
 3. Commit the change `vX.X.X` and tag it with `git tag vX.X.X`.
    - You may refer to [Semantic Versioning](https://semver.org/#summary) to determine what level to increment.
-4. Push the branch **along with the tag** using `git push --tags origin name-of-the-branch`. Create a PR, and get at least one approval.
-   - **Find and open** the workflow run corresponding to your tag [in this list](https://github.com/DataDog/datadog-ci/actions/workflows/publish-release.yml).
-   - Copy the release notes from the summary, and paste them in the description of your PR. This ensures the feature PRs have a link to your release PR.
+4. Push the branch along with the tag using `git push --tags`, and create a PR.
+   - Find and open the workflow run corresponding to your tag [in this list](https://github.com/DataDog/datadog-ci/actions/workflows/publish-release.yml).
+   - Copy the release notes from the draft release, and paste them in the description of your PR. This ensures the feature PRs have a link to your release PR.
    - Add the `release` label to your PR.
    - See this [example PR](https://github.com/DataDog/datadog-ci/pull/1215).
-5. Once you've received at least one approval, merge the PR **with the "Create a merge commit" strategy**.
-   - You may notice that a **GitHub** job is waiting for an approval, and some **_GitLab_** jobs are pending: this is expected (see **step 8**). You can merge the PR when *only those jobs* are left.
-   - The "Create a merge commit" strategy is required for **step 8**, and for the GitHub Release to point to an existing commit once the PR is merged.
-6. The `npm-publish` job is waiting for an approval from a datadog-ci maintainer: ask for approval and wait for it and its downstream jobs to succeed.
-7. Go to the draft GitHub Release, and publish it as **latest**.
+5. Request an approval from a datadog-ci admin.
+   - If a `oidc-setup-required ⚠️` label is added to your PR, ask an admin for assistance.
+6. Wait for your PR to be approved.
+   - Retry the `pre-approval-checks` job if needed.
+7. The `npm-publish` job should now be waiting for an approval from a datadog-ci admin.
+   - Ask for approval and wait for it and its downstream jobs to succeed.
+8. Once all jobs are successful, merge the PR **with the "Create a merge commit" strategy**.
+   - The "Create a merge commit" strategy is required for the GitHub Release to point to an existing commit once the PR is merged.
+9. Go to the draft GitHub Release, and publish it as **latest**.
    - There should be 5 binaries available in the release's assets.
-8. Finally, go to the [_GitLab_ pipelines](https://gitlab.ddbuild.io/DataDog/datadog-ci/-/pipelines?scope=tags&status=manual), find the pipeline for your tag, and start the `build` stage to run the Docker image build jobs.
-   - Make sure all the jobs and downstream jobs succeed.
+10. **Important**: Finally, release the Docker image from GitLab.
+    - Go to the [**GitLab** pipelines](https://gitlab.ddbuild.io/DataDog/datadog-ci/-/pipelines?scope=tags&status=manual)
+    - Find the pipeline for your tag, and start the `build` stage to run the Docker image build jobs.
+    - Make sure all the jobs and downstream jobs succeed.
 
 Thanks for creating a release! 🎉
 
@@ -39,4 +45,4 @@ To overwrite a release candidate:
   - Overwrite the tag to point to your new commit with `git tag --force vX.X.X`.
   - Force push with `git push --force` and `git push --tags --force`.
 - Update your PR description with the new release notes.
-- Continue from step 4 of the Release Process.
+- Continue the release process as usual.

bin/check-npm-packages.sh

@@ -6,9 +6,11 @@ set -euo pipefail
 # It can also first-time publish missing packages when run with --fix.
 #
 # Usage:
-#   ./bin/check-npm-packages.sh                  # Check mode (default) - exits 1 if packages are missing
-#   ./bin/check-npm-packages.sh --fix            # Fix mode - publishes missing packages
-#   ./bin/check-npm-packages.sh --fix --dry-run  # Fix mode with dry-run - simulates publishing
+#   bin/check-npm-packages.sh                  # Check mode (default) - exits 1 if packages are missing
+#   bin/check-npm-packages.sh --fix            # Fix mode - publishes missing packages
+#   bin/check-npm-packages.sh --fix --dry-run  # Fix mode with dry-run - simulates publishing
+#
+# To debug the CI check mode locally, use: `GITHUB_TOKEN=$(gh auth token) GITHUB_SHA=<commit-sha> bin/check-npm-packages.sh`
 
 MODE="check"
 DRY_RUN=false
@@ -64,15 +66,27 @@ while IFS= read -r pkg; do
 	fi
 done <<< "$local_packages"
 
-# Fetch PR information
+# Fetch release PR information
 PR_RESPONSE=""
 PR_LABELS=""
+PR_NUMBER=""
+PR_APPROVALS=0
 if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
 	PR_RESPONSE=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
 		"https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls")
+	PR_NUMBER=$(echo "$PR_RESPONSE" | jq -r '.[0].number // empty')
 	PR_LABELS=$(echo "$PR_RESPONSE" | jq '[.[0].labels[].name]' 2>/dev/null || true)
 
 	echo -e "${BLUE}PR labels:${NC} $PR_LABELS"
+
+	# Fetch review approvals for the PR
+	if [ -n "$PR_NUMBER" ]; then
+		PR_REVIEWS=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
+			"https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/reviews")
+		# Count unique approvals (latest review per user that is APPROVED)
+		PR_APPROVALS=$(echo "$PR_REVIEWS" | jq '[group_by(.user.login) | .[] | max_by(.submitted_at) | select(.state == "APPROVED")] | length')
+		echo -e "${BLUE}PR approvals:${NC} $PR_APPROVALS"
+	fi
 	echo
 fi
 
@@ -99,9 +113,18 @@ if [ -n "$PR_LABELS" ]; then
 	echo
 fi
 
-# Everything is good.
 if [ ${#missing_packages[@]} -eq 0 ]; then
+	# No missing packages ✅
 	echo -e "${GREEN}All local packages exist on NPM ✅${NC}"
+	echo
+
+	# Check that the PR has at least one approval
+	if [ -n "$PR_NUMBER" ] && [ "$PR_APPROVALS" -lt 1 ]; then
+		echo -e "${RED}This PR requires at least one approval before approving the NPM deployment. Please ask an admin to approve the PR. ❌${NC}"
+		echo
+		exit 1
+	fi
+
 	exit 0
 fi
 
@@ -114,7 +137,6 @@ echo
 
 # In CI environment, post a comment on the PR
 if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
-	PR_NUMBER=$(echo "$PR_RESPONSE" | jq -r '.[0].number // empty')
 	PR_AUTHOR=$(echo "$PR_RESPONSE" | jq -r '.[0].user.login // empty')
 
 	DIFF_OUTPUT=$(diff -u --label "Published packages (Actual)" --label "Local packages (Expected)" \