Merge remote-tracking branch 'origin/main' into release

dd-octo-sts[bot] · dd-octo-sts[bot] · commit bd1168835d1f · 2026-02-16T13:58:57.000Z
diff --git a/.github/workflows/release-proposal-dispatch.yml b/.github/workflows/release-proposal-dispatch.yml
@@ -55,12 +55,41 @@ jobs:
           fi
           echo "No release proposal is ongoing."
 
+  check-membership:
+    permissions:
+      id-token: write # Enable OIDC
+    runs-on: ubuntu-latest
+    needs: check-proposal-ongoing
+    steps:
+      - uses: DataDog/dd-octo-sts-action@08f2144903ced3254a3dafec2592563409ba2aa0 # v1.0.1
+        id: octo-sts
+        with:
+          scope: DataDog/libdatadog  # target repository
+          policy: self.read.members  # trust policy in target repo, without the .sts.yaml extension
+
+      - name: Check if user is in the team allowed to make crate releases
+        id: check
+        uses: TheModdingInquisition/actions-team-membership@057d91bb80f2976a1bc6dfab5b4ae1da9aebbd89 #v1.0.1
+        with:
+          team: 'apm-common-components-core'
+          organization: 'Datadog'
+          token: ${{ steps.octo-sts.outputs.token }} # Needs 'read:org' scope
+          exit: false
+
+      - name: Check output
+        run: |
+          permitted=${{ steps.check.outputs.permitted }}
+          if [[ "$permitted" != "true" ]]; then
+            echo "User is not part of apm-common-components-core"
+            exit 1
+          fi
+    
   update-release-branch:
     permissions:
       id-token: write # Enable OIDC
       contents: write
     runs-on: ubuntu-latest
-    needs: check-proposal-ongoing
+    needs: check-membership
     steps:
       - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
         id: octo-sts
@@ -104,8 +133,6 @@ jobs:
       contents: write
     needs: update-release-branch
     runs-on: ubuntu-latest
-    # TODO: uncomment this when we have a way to test this workflow
-    # if: ${{ github.repository_owner == 'datadog' }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
         with:
diff --git a/repository.datadog.yml b/repository.datadog.yml
@@ -13,4 +13,4 @@ rules:
   - require: all-files-are-owned
   - require: commit-signatures
     excluded_emails:
-      - '41898282+github-actions[bot]@users.noreply.github.com' # version-bump bots
+      - '200755185+dd-octo-sts[bot]@users.noreply.github.com' # version-bump bots
