diff --git a/.cr-agent/config.yaml b/.cr-agent/config.yaml
new file mode 100644
index 0000000000..28007d4936
--- /dev/null
+++ b/.cr-agent/config.yaml
@@ -0,0 +1,9 @@
+# Per-SDK overrides for cr-agent's review filtering. Any key here overrides the
+# toolkit default (tools/cr-agent/defaults.yaml); omitted keys are inherited.
+#
+# Per severity: minimum confidence (1–5) a finding must reach to be published,
+# or `off` to drop the whole severity. `max_comments` caps the published count.
+filtering:
+ major: { min_confidence: 3 }
+ minor: { min_confidence: 5 }
+ max_comments: 8
diff --git a/.cr-agent/prompt.md b/.cr-agent/prompt.md
new file mode 100644
index 0000000000..91badb2d8e
--- /dev/null
+++ b/.cr-agent/prompt.md
@@ -0,0 +1 @@
+This is the dd-sdk-ios repository. Pay attention to Swift-specific concerns: ARC ownership, Swift concurrency, and main-thread requirements for UIKit code.
diff --git a/.cr-agent/run.sh b/.cr-agent/run.sh
new file mode 100755
index 0000000000..9a607e0743
--- /dev/null
+++ b/.cr-agent/run.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# -----------------------------------------------------------
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019-Present Datadog, Inc.
+# -----------------------------------------------------------
+#
+# Entry point for the `Code Review` CI job.
+# Clones rum-ai-toolkit over HTTPS using a short-lived dd-octo-sts token,
+# mints a second dd-octo-sts token for posting PR comments, then hands off
+# to the toolkit's `review.sh` which runs the `cr-agent`.
+
+set -eo pipefail
+
+# TODO: switch toolkit ref to `main` before merging to develop.
+TOOLKIT_REF="ncreated/feat/cr-agent"
+TOOLKIT_DIR="$CI_PROJECT_DIR/.rum-ai-toolkit"
+
+echo "▸ Minting rum-ai-toolkit clone token via dd-octo-sts..."
+TOOLKIT_TOKEN=$(dd-octo-sts --disable-tracing token \
+ --scope DataDog/rum-ai-toolkit --policy dd-sdk-ios.gitlab.clone)
+
+echo "▸ Cloning rum-ai-toolkit ($TOOLKIT_REF)..."
+git clone --depth 1 --branch "$TOOLKIT_REF" \
+ "https://x-access-token:${TOOLKIT_TOKEN}@github.com/DataDog/rum-ai-toolkit.git" "$TOOLKIT_DIR"
+
+# Clone token no longer needed after clone; revoke it explicitly (least privilege).
+dd-octo-sts --disable-tracing revoke -t "$TOOLKIT_TOKEN"
+
+echo "▸ Installing cr-agent venv..."
+make -C "$TOOLKIT_DIR/tools/cr-agent" install
+
+echo "▸ Minting GitHub token via dd-octo-sts (policy: self.cr-agent)..."
+GITHUB_TOKEN=$(dd-octo-sts --disable-tracing token --scope DataDog/dd-sdk-ios --policy self.cr-agent)
+export GITHUB_TOKEN
+trap 'dd-octo-sts --disable-tracing revoke -t "$GITHUB_TOKEN"' EXIT
+
+echo "▸ Handing off to review.sh..."
+exec "$TOOLKIT_DIR/tools/cr-agent/review.sh"
diff --git a/.gitignore b/.gitignore
index 6469cfce90..d88afaa6b8 100644
--- a/.gitignore
+++ b/.gitignore
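Review bot: The EXIT trap that revokes `GITHUB_TOKEN` never runs, because the last line of run.sh hands off with `exec` and bash does not fire EXIT traps when the shell process is replaced; the comment-posting token is then left to lapse on its own, presumably at its normal expiry. Calling the toolkit as a child, `"$TOOLKIT_DIR/tools/cr-agent/review.sh"` without `exec`, keeps the trap effective on every exit path. The clone token has a related gap: under `set -e` a failed `git clone` exits before the explicit `revoke -t "$TOOLKIT_TOKEN"`, and since the token is embedded in the clone URL it also appears in the process arguments and is stored as the remote URL in `.rum-ai-toolkit/.git/config`. Registering a revoke trap right after minting `TOOLKIT_TOKEN` would cover the failure path. Separately, `TOOLKIT_REF` names a mutable branch, so the code that receives `GITHUB_TOKEN` can change without any change in this repository; the TODO only moves it to `main`, and a tag or a verified commit would be a tighter pin.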
@@ -30,3 +30,7 @@ artifacts/ # GSD planning files (local only) .planning/ + +# RUM AI Toolkit: +.rum-ai-toolkit/ +.cr-agent/sessions/ diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d4b1add6a9..b2c42320b8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -121,7 +121,7 @@ Build Dependencies: Lint: stage: lint - rules: + rules: - !reference [.test-pipeline-job, rules] - !reference [.benchmark-pipeline-job, rules] script: @@ -129,6 +129,21 @@ Lint: - make lint license-check - make rum-models-verify sr-models-verify +Code Review: + stage: lint + allow_failure: true + rules: + - if: '$CI_COMMIT_BRANCH != $DEVELOP_BRANCH && $CI_COMMIT_BRANCH != $MAIN_BRANCH' + id_tokens: + <<: *dd-octo-sts-id-token + artifacts: + paths: + - .cr-agent/sessions/ + when: always + expire_in: 1 week + script: + - ./.cr-agent/run.sh + API Surface Verify: stage: lint rules:
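Review bot: The `rules:` entry of the new `Code Review` job is also true when `$CI_COMMIT_BRANCH` is empty, which is the case in tag pipelines, so unless a workflow rule outside this hunk filters those, the job would mint dd-octo-sts tokens with no branch to review. Unlike `Lint` it does not reference `.test-pipeline-job` rules, so requiring the variable to be set would narrow it: `- if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $DEVELOP_BRANCH && $CI_COMMIT_BRANCH != $MAIN_BRANCH'`. The `artifacts:` block publishes `.cr-agent/sessions/` with `when: always` for a week; what the sessions contain is not visible here, so it is worth confirming they cannot capture the exported `GITHUB_TOKEN` or other environment values before they become downloadable. A short comment above the job stating that it runs toolkit code with an id token and is non-blocking (`allow_failure: true`) would help the next reader.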