
ci: add gitlab.github-access.read octo-sts policy #13934


Merged 2 commits on Jul 10, 2025

Conversation

brettlangdon (Member) commented Jul 10, 2025

This will enable us to use dd-octo-sts and short lived GitHub API tokens from our GitLab pipeline.

This policy needs to exist on the main branch before we can use it.

We need API read access on all commits (branches, PRs, etc).

  • contents: read - needed by needs_testrun to get the list of changed files in a PR
  • actions: read - needed by download wheels from GHA to find action, check status, and download the artifacts
  • pull_requests: read - needed by needs_testrun to get the PR associated with the current commit

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy
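The read-only policy the description enumerates, written out as an added illustration of an octo-sts trust policy (this is not the file merged in this PR; the issuer URL, group/project path and ref pattern are placeholders that would have to match the GitLab instance actually running the pipeline):

```yaml
# .github/chainguard/gitlab.github-access.read.sts.yaml
# Added illustration, not the policy merged in this PR.
# The OIDC issuer and project path are placeholders: substitute the GitLab
# instance and project whose pipelines will exchange ID tokens for GitHub tokens.
issuer: https://gitlab.example.com

# GitLab CI ID tokens carry a subject of the form
#   project_path:<group>/<project>:ref_type:<branch|tag>:ref:<name>
# The description asks for read access from every commit (branches, PRs, ...),
# so match any ref of this one project instead of pinning a single branch.
# A broader pattern (e.g. any project in the group) would let unrelated
# pipelines mint tokens against this repository; keep it to the one project.
subject_pattern: 'project_path:example-group/dd-trace-py:ref_type:(branch|tag):ref:.+'

# Least privilege: only the read scopes the description justifies, no write.
permissions:
  contents: read        # needs_testrun: list of changed files in a PR
  actions: read         # download wheels from GHA: find run, check status, fetch artifacts
  pull_requests: read   # needs_testrun: PR associated with the current commit
```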

@brettlangdon added the changelog/no-changelog label (A changelog entry is not required for this PR.) on Jul 10, 2025
@brettlangdon requested review from a team as code owners on July 10, 2025 00:34
Contributor:

CODEOWNERS have been resolved as:

.github/chainguard/gitlab.github-access.read.sts.yaml                   @DataDog/python-guild @DataDog/apm-core-python

github-actions bot (Contributor) commented Jul 10, 2025

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 276 ± 5 ms.

The average import time from base is: 290 ± 10 ms.

The import time difference between this PR and base is: -17.5 ± 0.4 ms.


@brettlangdon enabled auto-merge (squash) on July 10, 2025 12:22
pr-commenter bot commented Jul 10, 2025

Benchmarks

Benchmark execution time: 2025-07-10 14:44:11

Comparing candidate commit 07449fb in PR branch brettlangdon/octo-sts.chainguard with baseline commit cd0ed4f in branch main.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 547 metrics, 2 unstable metrics.

scenario:iastaspects-format_map_aspect

  • 🟥 execution_time [+420.184ns; +502.222ns] or [+12.994%; +15.531%]

@brettlangdon merged commit 9e78c42 into main on Jul 10, 2025
438 of 442 checks passed
@brettlangdon deleted the brettlangdon/octo-sts.chainguard branch on July 10, 2025 16:32