ci: add dd-octo-sts policy for GitLab SLO change tracking #5570

Open
igoragoli wants to merge 1 commit into master from augusto/add-perf-quality-gate-dd-octo-sts-policy

@igoragoli igoragoli commented Apr 9, 2026

What does this PR do?

Adds a chainguard policy for GitLab CI to get a short-lived GitHub token (contents:read) via dd-octo-sts.

Motivation:

Pre-release performance quality gates (#5571) submit SLO metrics that track file changes to SLO threshold files via the GitHub API. This policy enables that access from GitLab CI.

Change log entry

None.

How to test the change?

Declarative policy file, validated when check-slo-breaches job runs.

Adds a chainguard policy allowing GitLab CI to obtain a short-lived
GitHub token with contents:read scope. Used by check-slo-breaches
to track SLO threshold changes in git history.
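
Added example, not part of the PR or the project's code: a sketch of how an octo-sts-style trust policy gates the token exchange described above, and how to check that it grants no more than contents:read. Field names follow the upstream open-source octo-sts trust-policy format and are assumed to apply to dd-octo-sts; the policy file from this PR is not shown on the page, so every issuer, project path and claim value below is a constructed placeholder.

```python
import re

# Constructed policy: field names follow the upstream octo-sts trust-policy
# format (assumed to apply to dd-octo-sts); every value is a placeholder.
POLICY = {
    "issuer": "https://gitlab.example.com",
    "subject_pattern": r"project_path:example-group/example-project:ref_type:branch:ref:.+",
    "claim_pattern": {"ref_protected": "true"},
    "permissions": {"contents": "read"},
}

def token_matches(policy, claims):
    """Return (ok, reason) for a set of already signature-verified OIDC claims."""
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    # fullmatch: the pattern must cover the whole value, not a substring of it
    if not re.fullmatch(policy["subject_pattern"], claims.get("sub", "")):
        return False, "subject mismatch"
    for name, pattern in policy.get("claim_pattern", {}).items():
        if not re.fullmatch(pattern, str(claims.get(name, ""))):
            return False, f"claim {name} mismatch"
    return True, "ok"

def excess_permissions(policy, allowed=None):
    """Permissions the policy grants beyond the intended contents:read."""
    allowed = allowed or {"contents": "read"}
    return {k: v for k, v in policy["permissions"].items() if allowed.get(k) != v}

# Constructed claims, shaped like a GitLab CI ID token
PROTECTED = {
    "iss": "https://gitlab.example.com",
    "sub": "project_path:example-group/example-project:ref_type:branch:ref:main",
    "ref_protected": "true",
}
UNPROTECTED = dict(PROTECTED, sub=PROTECTED["sub"].replace("main", "feature-x"),
                   ref_protected="false")
OTHER_PROJECT = dict(
    PROTECTED, sub="project_path:example-group/example-project-fork:ref_type:branch:ref:main")

if __name__ == "__main__":
    for label, claims in [("protected", PROTECTED), ("unprotected", UNPROTECTED),
                          ("other project", OTHER_PROJECT)]:
        print(label, token_matches(POLICY, claims))
    print(excess_permissions(dict(POLICY, permissions={"contents": "write"})))
```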

github-actions bot commented Apr 9, 2026

Thank you for updating Change log entry section 👏

Visited at: 2026-04-09 14:50:15 UTC

@github-actions github-actions bot added the dev/github Github repository maintenance and automation label Apr 9, 2026

igoragoli commented Apr 9, 2026

@igoragoli igoragoli added the AI Generated Largely based on code generated by an AI or LLM. This label is the same across all dd-trace-* repos label Apr 9, 2026

datadog-datadog-prod-us1-2 bot commented Apr 9, 2026

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 95.36% (+0.01%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 1595023

@igoragoli igoragoli marked this pull request as ready for review April 10, 2026 09:30
@igoragoli igoragoli requested a review from a team as a code owner April 10, 2026 09:30

pr-commenter bot commented Apr 10, 2026

Benchmarks

Benchmark execution time: 2026-04-10 09:58:25

Comparing candidate commit 7eb0343 in PR branch augusto/add-perf-quality-gate-dd-octo-sts-policy with baseline commit 058c2b8 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 1 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@igoragoli igoragoli force-pushed the augusto/add-perf-quality-gate-dd-octo-sts-policy branch from 7eb0343 to 1595023 Compare April 10, 2026 11:15