fix(octo-sts): grant pull_requests:write so GitLab CI can post PR comments

[jbachorik]

What does this PR do?:

1. Changes the async-profiler-build.ci Octo-STS trust policy permission pull_requests from read to write.
2. Updates the PR template to drop the defunct @DataDog/security-design-and-guidance handle and reference the current security-review process.

Motivation:

GitLab CI back-reports benchmark and reliability/chaos results to the PR by upserting a comment via the GitHub REST API (POST /repos/DataDog/java-profiler/issues/{n}/comments, see .gitlab/scripts/upsert-github-pr-comment.sh). Because the target issue is a pull request, that endpoint requires pull_requests: write. With read, the call fails:

HTTP 403 {"message":"Resource not accessible by integration"}

The PR-lookup and comment-list (read) calls succeed; only the write fails. The GitHub Actions path already works because its policy (self.pr-comment) grants pull_requests: write.

Octo-STS evaluates trust policies from the repository's default branch, so this must land on main before the GitLab commenters can post. Split out from #589 so it can merge independently and unblock back-reporting.

Additional Notes:

The policy already grants contents: write and issues: write; this only widens pull_requests from read to write, consistent with its stated purpose ("manage issues").

Security review: per the current Change Review Policy, bewaire runs automatically on this PR. This change touches an Octo-STS credential policy — for explicit sign-off run the dd:platform-security-review skill or file the PSEC review form (https://datadoghq.atlassian.net/jira/software/c/projects/PSEC/forms/form/direct/7861446195161534/37715). The old @DataDog/security-design-and-guidance team is defunct (404) and is not a collaborator on this repo, so it cannot be requested as a reviewer.

How to test the change?:

After merge, a GitLab pipeline on an open PR runs the benchmark/reliability comment jobs; post-benchmarks-pr-comment / post-reliability-pr-comment should post a PR comment instead of returning HTTP 403.

For Datadog employees:

• If this PR touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a security review (bewaire auto-runs; dd:platform-security-review / PSEC form available for explicit sign-off).
• This PR doesn't touch any of that.
• JIRA: [JIRA-XXXX]

[dd-octo-sts]

CI Test Results

Run: #27416911650 | Commit: 66b0516 | Duration: 12m 58s (longest job)

✅ All 32 test jobs passed

Status Overview

JDK	glibc-aarch64/debug	glibc-amd64/debug	musl-aarch64/debug	musl-amd64/debug
8	-	✅	-	-
8-ibm	-	✅	-	-
8-j9	✅	✅	-	-
8-librca	-	-	✅	✅
8-orcl	-	✅	-	-
11	-	✅	-	-
11-j9	✅	✅	-	-
11-librca	-	-	✅	✅
17	✅	✅	-	-
17-graal	✅	✅	-	-
17-j9	✅	✅	-	-
17-librca	-	-	✅	✅
21	✅	✅	-	-
21-graal	✅	✅	-	-
21-librca	-	-	✅	✅
25	✅	✅	-	-
25-graal	✅	✅	-	-
25-librca	-	-	✅	✅

Legend: ✅ passed | ❌ failed | ⚪ skipped | 🚫 cancelled

Summary: Total: 32 | Passed: 32 | Failed: 0

---

Updated: 2026-06-12 13:10:58 UTC

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: af3ceda5fd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".