feat(ci): Add workflow to enforce Datadog merge queue

PerfectSlayer · PerfectSlayer · commit 9f379869262d · 2026-02-17T10:45:05.000+01:00
diff --git a/.github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml b/.github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml
@@ -0,0 +1,11 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/heads/master
+
+claim_pattern:
+  event_name: enqueued
+  job_workflow_ref: DataDog/dd-trace-java/.github/workflows/enforce-datadog-merge-queue.yaml@refs/heads/master
+
+permissions:
+  issues: write
+  pull_requests: write
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -36,6 +36,19 @@ _Action:_ Check the pull request did not introduce unexpected label.
 
 _Recovery:_ Update the pull request or add a comment to trigger the action again.
 
+### enforce-datadog-merge-queue [🔗](enforce-datadog-merge-queue.yaml)
+
+_Trigger:_ When creating or updating a pull request, or when a pull request is added to GitHub merge queue.
+
+_Actions:_
+
+* Pass the `Merge queue check` status check on pull requests so they remain in a mergeable state,
+* When a pull request is enqueued in GitHub merge queue, post a `/merge` comment to trigger the Datadog merge queue,
+* Fail the `Merge queue check` status check on merge groups to prevent GitHub from merging directly.
+
+_Recovery:_ The workflow is expected to fail to block GitHub merge queue.
+This redirects GitHub's "Merge when ready" button to the Datadog merge queue system.
+
 ### create-release-branch [🔗](create-release-branch.yaml)
 
 _Trigger:_ When a git tag matching the pattern "vM.N.0" is pushed (e.g. for a minor release).
diff --git a/.github/workflows/enforce-datadog-merge-queue.yaml b/.github/workflows/enforce-datadog-merge-queue.yaml
@@ -0,0 +1,40 @@
+name: Enforce Datadog Merge Queue
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, enqueued]
+    branches:
+      - master
+  merge_group:
+
+jobs:
+  enforce_datadog_merge_queue:
+    name: Merge queue check
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # required for OIDC token federation
+    steps:
+      - name: Block GitHub merge queue
+        if: github.event_name == 'merge_group'
+        run: |
+          echo "Merge is handled by the Datadog merge queue system. Use the /merge command to enqueue your PR for merging."
+          exit 1
+      - name: Get OIDC token
+        if: github.event.action == 'enqueued'
+        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.enforce-datadog-merge-queue.comment-pr
+      - name: Post /merge comment
+        if: github.event.action == 'enqueued'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # 8.0.0
+        with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: '/merge'
+            });
