ci: allow dd-trace-*/libdatadog to write pr comments on libdatadog

[igoragoli]

What does this PR do?

Allows dd-trace-* and libdatadog to write PR comments on libdatadog.

Motivation

libdatadog will run benchmarks by triggering downstream dd-trace-* pipelines. Those pipelines need to report results back to libdatadog. One way to report results back is through PR comments.

Additional Notes

This policy can be tightened to make it absolutely secure, but the risks it incurs (an attacker might create PR comments on branches on dd-trace-* repos' CIs) are too low compared to the complexity of setting up and testing a more fleshed-out policy.

I'd be happy to update the policy if these risks are something we should address :)

How to test the change?

Should be verified ad-hoc with prototype PR comments, due to how dd-octo-sts works. Changes need to be on main to be effective.

[datadog-datadog-prod-us1]

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 73.76% (-0.06%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 95e60dc | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Artifact Size Benchmark Report

aarch64-alpine-linux-musl

Artifact	Baseline	Commit	Change
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.so	7.76 MB	7.76 MB	0% (0 B) 👌
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.a	83.99 MB	83.99 MB	0% (0 B) 👌

aarch64-unknown-linux-gnu

Artifact	Baseline	Commit	Change
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so	10.36 MB	10.36 MB	0% (0 B) 👌
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a	95.08 MB	95.08 MB	0% (0 B) 👌

libdatadog-x64-windows

Artifact	Baseline	Commit	Change
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll	24.82 MB	24.82 MB	0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib	87.33 KB	87.33 KB	0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb	180.83 MB	180.83 MB	0% (0 B) 👌
/libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib	928.05 MB	928.05 MB	0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll	8.10 MB	8.10 MB	0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib	87.33 KB	87.33 KB	0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb	23.96 MB	23.96 MB	0% (0 B) 👌
/libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib	47.83 MB	47.83 MB	0% (0 B) 👌

libdatadog-x86-windows

Artifact	Baseline	Commit	Change
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll	21.51 MB	21.51 MB	0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib	88.71 KB	88.71 KB	0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb	184.81 MB	184.80 MB	-0% (-8.00 KB) 👌
/libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib	916.26 MB	916.26 MB	0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll	6.25 MB	6.25 MB	0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib	88.71 KB	88.71 KB	0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb	25.69 MB	25.69 MB	0% (0 B) 👌
/libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib	45.47 MB	45.47 MB	0% (0 B) 👌

x86_64-alpine-linux-musl

Artifact	Baseline	Commit	Change
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.a	74.87 MB	74.87 MB	0% (0 B) 👌
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.so	8.61 MB	8.61 MB	0% (0 B) 👌

x86_64-unknown-linux-gnu

Artifact	Baseline	Commit	Change
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a	90.29 MB	90.29 MB	0% (0 B) 👌
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so	10.47 MB	10.47 MB	0% (0 B) 👌

[ekump]

Suggested change

	subject_pattern: "project_path:DataDog/apm-reliability/(dd-trace-.*|libdatadog):.*"
	permissions:
	pull_requests: write
	subject_pattern: "project_path:DataDog/apm-reliability/dd-trace-[a-z0-9-]+:ref_type:branch:ref:(main|master)"
	claim_pattern:
	project_path: "DataDog/apm-reliability/dd-trace-[a-z0-9-]+"
	ref_type: "branch"
	ref_protected: "true"
	pipeline_source: "pipeline"
	ci_config_ref_uri: "gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-[a-z0-9-]+//.gitlab-ci.yml@refs/heads/(main|master)"
	permissions:
	pull_requests: write

The policy as-is is too lax. I don't think libdatadog should be included as a subject as we already have benchmark jobs triggered internally and use a different existing policy. They shouldn't share a policy with this workflow.

I don't know how these benchmarks are going to work, but my suggestion assumes they are going to run on the default branch of the SDKs.

[yannham]

The current plan is to have those benchmarks run on some branch of the SDK/tracers (but not the default one, since the idea is to auto update the SDK to some version of libdatadog corresponding to a PR, so this will be on a new, dedicated branch). At some point this SDK benchmark job needs to write back a comment here to report the result, which I think is the goal of this policy change. Hopes that clarifies. But also maybe there's a better way to orchestrate all of this, so open to suggestions here!

[ekump]

Got it. If it's a dedicated branch then my suggestion would still mostly work. You'd just need to update it to match on that branch name instead of main/master.