From b55c0a68b5605b605e87eb22c853c82e10d159a8 Mon Sep 17 00:00:00 2001
From: Maciek Grzybowski
Date: Tue, 19 May 2026 17:41:35 +0200
Subject: [PATCH 1/4] ci: integrate cr-agent Code Review pipeline

---
 .cr-agent/prompt.md | 1 +
 .cr-agent/run.sh | 31 +++++++++++++++++++++++++++++++
 .gitignore | 4 ++++
 .gitlab-ci.yml | 18 +++++++++++++++++-
 4 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 .cr-agent/prompt.md
 create mode 100755 .cr-agent/run.sh

diff --git a/.cr-agent/prompt.md b/.cr-agent/prompt.md
new file mode 100644
index 0000000000..91badb2d8e
--- /dev/null
+++ b/.cr-agent/prompt.md
@@ -0,0 +1 @@
+This is the dd-sdk-ios repository. Pay attention to Swift-specific concerns: ARC ownership, Swift concurrency, and main-thread requirements for UIKit code.
diff --git a/.cr-agent/run.sh b/.cr-agent/run.sh
new file mode 100755
index 0000000000..f9a137a9cb
--- /dev/null
+++ b/.cr-agent/run.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# -----------------------------------------------------------
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019-Present Datadog, Inc.
+# -----------------------------------------------------------
+#
+# Entry point for the `Code Review` CI job.
+# Clones rum-ai-toolkit, mints a short-lived GitHub token via dd-octo-sts,
+# then hands off to the toolkit's `review.sh` which runs the `cr-agent`.
+
+set -eo pipefail
+
+# TODO: switch toolkit ref to `main` before merging to develop.
+TOOLKIT_REF="ncreated/feat/cr-agent"
+TOOLKIT_DIR="$CI_PROJECT_DIR/.rum-ai-toolkit"
+
+echo "▸ Cloning rum-ai-toolkit ($TOOLKIT_REF)..."
+git clone --depth 1 --branch "$TOOLKIT_REF" \
+ "git@github.com:DataDog/rum-ai-toolkit.git" "$TOOLKIT_DIR"
+
+echo "▸ Installing cr-agent venv..."
+make -C "$TOOLKIT_DIR/tools/cr-agent" install
+
+echo "▸ Minting GitHub token via dd-octo-sts (policy: self.cr-agent)..."
+GITHUB_TOKEN=$(dd-octo-sts --disable-tracing token --scope DataDog/dd-sdk-ios --policy self.cr-agent)
+export GITHUB_TOKEN
+trap 'dd-octo-sts --disable-tracing revoke' EXIT
+
+echo "▸ Handing off to review.sh..."
+exec "$TOOLKIT_DIR/tools/cr-agent/review.sh"
diff --git a/.gitignore b/.gitignore
index 6469cfce90..d88afaa6b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,7 @@ artifacts/
 
 # GSD planning files (local only)
 .planning/
+
+# RUM AI Toolkit:
+.rum-ai-toolkit/
+.cr-agent/sessions/
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d4b1add6a9..cda347a501 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -121,7 +121,7 @@ Build Dependencies:
 
 Lint:
 stage: lint
- rules: 
+ rules:
 - !reference [.test-pipeline-job, rules]
 - !reference [.benchmark-pipeline-job, rules]
 script:
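Review bot: The `trap 'dd-octo-sts --disable-tracing revoke' EXIT` registered near the end of the new file is, as far as I know, never executed: the last line `exec`s `review.sh`, which replaces the shell process, and bash does not run EXIT traps on a successful `exec`, so the GITHUB_TOKEN is left to its natural expiry instead of being revoked when the review finishes. The same applies after PATCH 4/4 rewrites the trap line (second hunk of that patch), since `exec` stays. Dropping `exec` fixes it: `"$TOOLKIT_DIR/tools/cr-agent/review.sh"` run as a child still propagates a failure through `set -e`, and the trap then fires on the way out. Separately, `set -eo pipefail` omits `-u`, so an unset `$CI_PROJECT_DIR` silently yields `TOOLKIT_DIR=/.rum-ai-toolkit`; `set -euo pipefail` would make that a hard error.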
@@ -129,6 +129,22 @@ Lint:
 - make lint license-check
 - make rum-models-verify sr-models-verify
 
+Code Review:
+ stage: lint
+ allow_failure: true
+ rules:
+ - if: '$CI_COMMIT_BRANCH != $DEVELOP_BRANCH && $CI_COMMIT_BRANCH != $MAIN_BRANCH'
+ id_tokens:
+ <<: *dd-octo-sts-id-token
+ artifacts:
+ paths:
+ - .cr-agent/sessions/
+ when: always
+ expire_in: 1 week
+ script:
+ - ./tools/runner-setup.sh --ssh
+ - ./.cr-agent/run.sh
+
 API Surface Verify:
 stage: lint
 rules:
From 0736510002f533a7d33485411da2f6553116621c Mon Sep 17 00:00:00 2001
From: Maciek Grzybowski
Date: Mon, 1 Jun 2026 10:25:59 +0200
Subject: [PATCH 2/4] ci: configure cr-agent filtering policy

Adds .cr-agent/config.yaml with per-severity confidence thresholds tuned for dogfooding: major@3 (more permissive than toolkit default of 4), minor@5, cap 8. Critical threshold inherits the toolkit default (2).

Co-Authored-By: Claude Sonnet 4.6
---
 .cr-agent/config.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .cr-agent/config.yaml

diff --git a/.cr-agent/config.yaml b/.cr-agent/config.yaml
new file mode 100644
index 0000000000..28007d4936
--- /dev/null
+++ b/.cr-agent/config.yaml
@@ -0,0 +1,9 @@
+# Per-SDK overrides for cr-agent's review filtering. Any key here overrides the
+# toolkit default (tools/cr-agent/defaults.yaml); omitted keys are inherited.
+#
+# Per severity: minimum confidence (1–5) a finding must reach to be published,
+# or `off` to drop the whole severity. `max_comments` caps the published count.
+filtering:
+ major: { min_confidence: 3 }
+ minor: { min_confidence: 5 }
+ max_comments: 8
From cb4f56dd6fa6dae1100d705b4c4b722621b66335 Mon Sep 17 00:00:00 2001
From: Maciek Grzybowski
Date: Tue, 2 Jun 2026 15:36:02 +0200
Subject: [PATCH 3/4] wip: clone with token replace

---
 .cr-agent/run.sh | 2 +-
 .gitlab-ci.yml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/.cr-agent/run.sh b/.cr-agent/run.sh
index f9a137a9cb..388f6f7bad 100755
--- a/.cr-agent/run.sh
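Review bot: The `Code Review` job uploads `.cr-agent/sessions/` as an artifact `when: always` and keeps it for a week, while `run.sh` exports a minted `GITHUB_TOKEN` into the environment the agent runs in; if the toolkit's session logs capture environment, command lines or raw API requests, that token (valid until expiry, see the run.sh hunk) ends up in a downloadable artifact. Worth confirming what `review.sh` writes into `sessions/` and, if in doubt, redacting before upload or narrowing `paths:` to the review output only. Also, if I read GitLab's `rules` semantics right, `$CI_COMMIT_BRANCH` is unset in merge-request and tag pipelines, and an unset variable satisfies both `!=` comparisons, so the job is selected there too; if only branch pipelines are intended, prefix the condition with `$CI_COMMIT_BRANCH && ...` or reuse the `!reference` rule sets the neighbouring jobs use.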
+++ b/.cr-agent/run.sh
@@ -17,7 +17,7 @@ TOOLKIT_DIR="$CI_PROJECT_DIR/.rum-ai-toolkit"
 
 echo "▸ Cloning rum-ai-toolkit ($TOOLKIT_REF)..."
 git clone --depth 1 --branch "$TOOLKIT_REF" \
- "git@github.com:DataDog/rum-ai-toolkit.git" "$TOOLKIT_DIR"
+ "https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/rum-ai-toolkit.git" "$TOOLKIT_DIR"
 
 echo "▸ Installing cr-agent venv..."
 make -C "$TOOLKIT_DIR/tools/cr-agent" install
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index cda347a501..b2c42320b8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -142,7 +142,6 @@ Code Review:
 when: always
 expire_in: 1 week
 script:
- - ./tools/runner-setup.sh --ssh
 - ./.cr-agent/run.sh
 
 API Surface Verify:
From 0169cdcd8af1c9901648f8efd1c27b88c64ea264 Mon Sep 17 00:00:00 2001
From: Maciek Grzybowski
Date: Tue, 2 Jun 2026 18:27:07 +0200
Subject: [PATCH 4/4] wip: install toolkit with no ssh

---
 .cr-agent/run.sh | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/.cr-agent/run.sh b/.cr-agent/run.sh
index 388f6f7bad..9a607e0743 100755
--- a/.cr-agent/run.sh
+++ b/.cr-agent/run.sh
@@ -6,8 +6,9 @@
 # -----------------------------------------------------------
 #
 # Entry point for the `Code Review` CI job.
-# Clones rum-ai-toolkit, mints a short-lived GitHub token via dd-octo-sts,
-# then hands off to the toolkit's `review.sh` which runs the `cr-agent`.
+# Clones rum-ai-toolkit over HTTPS using a short-lived dd-octo-sts token,
+# mints a second dd-octo-sts token for posting PR comments, then hands off
+# to the toolkit's `review.sh` which runs the `cr-agent`.
 
 set -eo pipefail
 
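Review bot: Embedding `${CI_JOB_TOKEN}` in the clone URL means git stores that URL verbatim as the `origin` remote in `$TOOLKIT_DIR/.git/config`, so the job token stays on disk (and shows in `git remote -v`) for the rest of the job, long after the clone needs it. PATCH 4/4 (first hunk on the following line) keeps the same shape with `TOOLKIT_TOKEN`; the explicit revoke there shortens the window, but the credential string still persists in the working tree. Since nothing visible in these hunks fetches from `origin` afterwards, resetting the remote right after the clone removes the stored secret, e.g. `git -C "$TOOLKIT_DIR" remote set-url origin "https://gitlab.ddbuild.io/DataDog/rum-ai-toolkit.git"` (the GitHub URL without userinfo in the PATCH 4/4 variant); alternatively supply the credential through a `GIT_ASKPASS` helper so it never enters the URL.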
@@ -15,9 +16,16 @@ set -eo pipefail
 TOOLKIT_REF="ncreated/feat/cr-agent"
 TOOLKIT_DIR="$CI_PROJECT_DIR/.rum-ai-toolkit"
 
+echo "▸ Minting rum-ai-toolkit clone token via dd-octo-sts..."
+TOOLKIT_TOKEN=$(dd-octo-sts --disable-tracing token \
+ --scope DataDog/rum-ai-toolkit --policy dd-sdk-ios.gitlab.clone)
+
 echo "▸ Cloning rum-ai-toolkit ($TOOLKIT_REF)..."
 git clone --depth 1 --branch "$TOOLKIT_REF" \
- "https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/rum-ai-toolkit.git" "$TOOLKIT_DIR"
+ "https://x-access-token:${TOOLKIT_TOKEN}@github.com/DataDog/rum-ai-toolkit.git" "$TOOLKIT_DIR"
+
+# Clone token no longer needed after clone; revoke it explicitly (least privilege).
+dd-octo-sts --disable-tracing revoke -t "$TOOLKIT_TOKEN"
 
 echo "▸ Installing cr-agent venv..."
 make -C "$TOOLKIT_DIR/tools/cr-agent" install
@@ -25,7 +33,7 @@ make -C "$TOOLKIT_DIR/tools/cr-agent" install
 echo "▸ Minting GitHub token via dd-octo-sts (policy: self.cr-agent)..."
 GITHUB_TOKEN=$(dd-octo-sts --disable-tracing token --scope DataDog/dd-sdk-ios --policy self.cr-agent)
 export GITHUB_TOKEN
-trap 'dd-octo-sts --disable-tracing revoke' EXIT
+trap 'dd-octo-sts --disable-tracing revoke -t "$GITHUB_TOKEN"' EXIT
 
 echo "▸ Handing off to review.sh..."
 exec "$TOOLKIT_DIR/tools/cr-agent/review.sh"
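Review bot: The explicit `dd-octo-sts --disable-tracing revoke -t "$TOOLKIT_TOKEN"` only runs on the success path: if `git clone` fails (bad ref, network), `set -e` terminates the script first and the clone token is never revoked, which undercuts the least-privilege intent stated in the comment above it. Conversely, a transient failure of the revoke call itself aborts a job that already has a usable checkout. A small restructuring covers both: revoke inside a failure branch of the clone as well, and treat the revoke as best-effort with a logged warning rather than a fatal step. Since `TOOLKIT_TOKEN` is not needed after this point, an `unset TOOLKIT_TOKEN` following the revoke also keeps it out of anything that later dumps the environment.
```shell
echo "▸ Cloning rum-ai-toolkit ($TOOLKIT_REF)..."
if ! git clone --depth 1 --branch "$TOOLKIT_REF" \
  "https://x-access-token:${TOOLKIT_TOKEN}@github.com/DataDog/rum-ai-toolkit.git" "$TOOLKIT_DIR"; then
  dd-octo-sts --disable-tracing revoke -t "$TOOLKIT_TOKEN" || true  # best-effort; clone already failed
  exit 1
fi

# Clone token no longer needed after clone; revoke it explicitly (least privilege).
dd-octo-sts --disable-tracing revoke -t "$TOOLKIT_TOKEN" \
  || printf 'warning: failed to revoke rum-ai-toolkit clone token\n' >&2
unset TOOLKIT_TOKEN
# … unchanged: venv install …
```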