DataDog
diff --git a/‎.github/chainguard/self.read.members.sts.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/chainguard/self.read.members.sts.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/chainguard/self.write.pr.sts.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/chainguard/self.write.pr.sts.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/pr-title-semver-check.yml‎
Lines changed: 29 additions & 98 deletions b/‎.github/workflows/pr-title-semver-check.yml‎
Lines changed: 29 additions & 98 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 60 additions & 5 deletions b/‎.github/workflows/test.yml‎
Lines changed: 60 additions & 5 deletions
@@ -3,8 +3,8 @@ issuer: https://token.actions.githubusercontent.com
 subject_pattern: "repo:DataDog/libdatadog.*"
 
 claim_pattern:
-  ref: "refs/heads/(main|release)"
-  ref_protected: "true"
+  ref: "refs/heads/(main|release|igor/.*|julio/.*)"
+  # ref_protected: "true"
 
 permissions:
   members: read
 
@@ -3,8 +3,8 @@ issuer: https://token.actions.githubusercontent.com
 subject_pattern: "repo:DataDog/libdatadog.*"
 
 claim_pattern:
-  ref: "refs/heads/(main|release)"
-  ref_protected: "true"
+  ref: "refs/heads/(main|release|igor/.*|julio/.*)"
+  # ref_protected: "true"
   job_workflow_ref: DataDog/libdatadog/\.github/workflows/release-proposal-dispatch\.yml@.+
 
 permissions:
 
@@ -4,7 +4,7 @@ permissions:
   pull-requests: read
 on:
   pull_request:
-    types: ['opened', 'edited', 'reopened', 'synchronize']
+    types: ['opened', 'edited', 'reopened', 'synchronize', 'labeled', 'unlabeled']
     branches-ignore:
       - "v[0-9]+.[0-9]+.[0-9]+.[0-9]+"
       - release
@@ -15,6 +15,7 @@ env:
 
 jobs:
   detect-changes:
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-pr-title-semver-check') }}
     runs-on: ubuntu-latest
     outputs:
       changed_crates: ${{ steps.detect.outputs.crates }}
@@ -78,7 +79,7 @@ jobs:
 
   semver-check:
     needs: detect-changes
-    if: needs.detect-changes.outputs.has_rust_changes == 'true'
+    if: ${{ needs.detect-changes.outputs.has_rust_changes == 'true' && !contains(github.event.pull_request.labels.*.name, 'skip-pr-title-semver-check') }}
     runs-on: ubuntu-latest
     outputs:
       result_json: ${{ steps.semver.outputs.result_json }}
@@ -156,7 +157,7 @@ jobs:
 
   validate:
     needs: [detect-changes, semver-check]
-    if: needs.detect-changes.outputs.has_rust_changes == 'true'
+    if: ${{ needs.detect-changes.outputs.has_rust_changes == 'true' && !contains(github.event.pull_request.labels.*.name, 'skip-pr-title-semver-check') }}
     runs-on: ubuntu-latest
     steps:
       - name: Validate PR title against semver changes
@@ -206,52 +207,30 @@ jobs:
           echo ""
 
           VALIDATION_FAILED="false"
+          FAILURE_REASONS=()
 
-          # Validation rules
+          # Rule: ci/docs/style/test/build cannot change the public API
           case "$TYPE" in
-          fix)
-            if [[ "$SEMVER_LEVEL" == "major" ]] && [[ -z "$IS_BREAKING_CHANGE" ]]; then
+            ci|docs|style|test|build)
+              if [[ "$SEMVER_LEVEL" == "major" ]] || [[ "$SEMVER_LEVEL" == "minor" ]]; then
+                VALIDATION_FAILED="true"
+                FAILURE_REASONS+=("'$TYPE' cannot have major or minor API changes. Use a different PR type, or avoid public API changes.")
+              fi
+              ;;
+            feat|fix|refactor|chore|perf|revert)
+              # These can be any semver level (subject to breaking change rules below)
+              ;;
+            *)
               VALIDATION_FAILED="true"
-            elif [[ "$SEMVER_LEVEL" == "minor" ]] || [[ "$SEMVER_LEVEL" == "none" ]]; then
-              VALIDATION_FAILED="true"
-            fi
-            ;;
-
-          feat)
-            if [[ "$SEMVER_LEVEL" == "major" ]] && [[ -z "$IS_BREAKING_CHANGE" ]]; then
-              VALIDATION_FAILED="true"
-            elif [[ "$SEMVER_LEVEL" == "patch" ]] || [[ "$SEMVER_LEVEL" == "none" ]]; then
-              VALIDATION_FAILED="true"
-            fi
-            ;;
-
-          chore|ci|docs|style|test|build|perf)
-            # Breaking change marker shouldn't be there.
-            if [[ -n "$IS_BREAKING_CHANGE" ]]; then
-              VALIDATION_FAILED="true"
-            fi
-
-            # These should not change public API
-            if [[ "$SEMVER_LEVEL" == "major" ]] || [[ "$SEMVER_LEVEL" == "minor" ]]; then
-              VALIDATION_FAILED="true"
-            fi
-            ;;
-
-          refactor)
-            if [[ "$SEMVER_LEVEL" == "major" ]] && [[ -z "$IS_BREAKING_CHANGE" ]]; then
-              VALIDATION_FAILED="true"
-            fi
-            ;;
-
-          revert)
-            # Revert commits are allowed to have any semver level
-            ;;
+              FAILURE_REASONS+=("Unknown PR type: '$TYPE'. Valid types: feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert")
+              ;;
+          esac
 
-          *)
-            echo "$TYPE not handled";
+          # Rule: major API changes must have a breaking change marker
+          if [[ "$SEMVER_LEVEL" == "major" ]] && [[ -z "$IS_BREAKING_CHANGE" ]]; then
             VALIDATION_FAILED="true"
-            ;;
-          esac
+            FAILURE_REASONS+=("Major API changes require a breaking change marker. Add '!' to PR title (e.g. 'feat!:' or 'feat(scope)!:') or add 'BREAKING CHANGE:' footer in PR body.")
+          fi
 
           if [[ "$VALIDATION_FAILED" == "true" ]]; then
             echo ""
@@ -267,69 +246,21 @@ jobs:
             echo "--------------------------------------------"
             echo "WHAT WAS DETECTED:"
             echo "--------------------------------------------"
-            # Show details for each crate
             echo "$SEMVER_RESULT_JSON" | jq -r '.crates[] | "Crate: \(.name)\n  Level: \(.level)\n  Reason: \(.reason)\n  Details:\n\(.details | split("\n") | map("    " + .) | join("\n"))\n"'
             echo ""
             echo "--------------------------------------------"
             echo "WHY THIS FAILED:"
             echo "--------------------------------------------"
-            case "$TYPE" in
-              fix)
-                if [[ "$SEMVER_LEVEL" == "major" ]] && [[ -z "$IS_BREAKING_CHANGE" ]]; then
-                  echo "'fix' with major changes requires breaking change marker."
-                  echo "Add '!' to PR title (fix!:) or add 'BREAKING CHANGE:' footer in PR body."
-                elif [[ "$SEMVER_LEVEL" == "minor" ]]; then
-                  echo "'fix' cannot have minor-level changes (new public API)."
-                  echo "Use 'feat' type instead, or remove the new public API additions."
-                elif [[ "$SEMVER_LEVEL" == "none" ]]; then
-                  echo "'fix' requires changes to published crates."
-                  echo "Use 'chore' or 'ci' for non-published changes."
-                fi
-                ;;
-              feat)
-                if [[ "$SEMVER_LEVEL" == "major" ]] && [[ -z "$IS_BREAKING_CHANGE" ]]; then
-                  echo "'feat' with major changes requires breaking change marker."
-                  echo "Add '!' to PR title (feat!:) or add 'BREAKING CHANGE:' footer in PR body."
-                elif [[ "$SEMVER_LEVEL" == "patch" ]]; then
-                  echo "'feat' requires minor-level changes (new public API)."
-                  echo "Use 'fix' for bug fixes, or ensure new items are marked 'pub'."
-                elif [[ "$SEMVER_LEVEL" == "none" ]]; then
-                  echo "'feat' requires changes to published crates."
-                  echo "Use 'chore' for non-published changes."
-                fi
-                ;;
-              chore|ci|docs|style|test|build|perf)
-                if [[ -n "$IS_BREAKING_CHANGE" ]]; then
-                  echo "'$TYPE' cannot have breaking change marker."
-                  echo "Remove '!' from title or use 'feat!', 'fix!', or 'refactor!' instead."
-                elif [[ "$SEMVER_LEVEL" == "major" ]]; then
-                  echo "'$TYPE' cannot have major-level changes (breaking API)."
-                  echo "Use 'refactor!' or 'feat!' for intentional breaking changes."
-                elif [[ "$SEMVER_LEVEL" == "minor" ]]; then
-                  echo "'$TYPE' cannot have minor-level changes (new public API)."
-                  echo "Use 'feat' for new features, or mark new items as pub(crate)."
-                fi
-                ;;
-              refactor)
-                if [[ "$SEMVER_LEVEL" == "major" ]] && [[ -z "$IS_BREAKING_CHANGE" ]]; then
-                  echo "'refactor' with major changes requires breaking change marker."
-                  echo "Add '!' to PR title (refactor!:) or add 'BREAKING CHANGE:' footer in PR body."
-                fi
-                ;;
-              *)
-                echo "Unknown PR type: '$TYPE'"
-                echo "Valid types: feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert"
-                ;;
-            esac
+            for reason in "${FAILURE_REASONS[@]}"; do
+              echo "- $reason"
+            done
             echo ""
             echo "--------------------------------------------"
             echo "VALID COMBINATIONS:"
             echo "--------------------------------------------"
-            echo "  fix      -> patch, or major (with '!')"
-            echo "  feat     -> minor, or major (with '!')"
-            echo "  refactor -> patch, minor, or major (with '!')"
-            echo "  chore/ci/docs/style/test/build/perf -> patch or none only"
-            echo "  revert   -> any level"
+            echo "  ci/docs/style/test/build -> patch or none only (no public API changes)"
+            echo "  all other types          -> any level allowed"
+            echo "  major changes            -> must have '!' or 'BREAKING CHANGE:' footer"
             echo ""
             exit 1
           else
 
@@ -298,7 +298,7 @@ jobs:
           .\build-profiling.ps1
 
   cross-centos7:
-    name: build and test using cross - on centos7
+    name: Test x86_64-unknown-linux-gnu on centOS7 docker image
     runs-on: ubuntu-latest
     concurrency:
       group: ci-${{ github.ref }}-cross-centos7
@@ -323,10 +323,65 @@ jobs:
         with:
           cache-targets: true # cache build artifacts
           cache-bin: true # cache the ~/.cargo/bin directory
-      - run: cargo install cross || true
-      - run: cross build --workspace --target x86_64-unknown-linux-gnu --exclude builder
-      - run: cross test --workspace --features libdd-crashtracker/generate-unit-test-files --target x86_64-unknown-linux-gnu --exclude builder  -- --skip "::single_threaded_tests::" --skip "tracing_integration_tests::"
-      - run: cross test --workspace --features libdd-crashtracker/generate-unit-test-files --target x86_64-unknown-linux-gnu --exclude builder --exclude bin_tests -- --skip "::tests::" --skip "::api_tests::" --test-threads 1 --skip "tracing_integration_tests::"
+      - name: Build CentOS 7 Docker image
+        run: docker build -t libdatadog-centos7 -f tools/docker/Dockerfile.centos .
+      - name: "cargo nextest run (centos7)"
+        # Run docker as a user, not the default root
+        # Mount and use the runner's toolchain as it's the same arch
+        # exclude tracing integration tests since they require docker in docker to run a test-agent
+        run: >-
+          docker run --rm
+          --user "$(id -u):$(id -g)" 
+          -v "${{ github.workspace }}:/workspace"
+          -v "${CARGO_HOME:-$HOME/.cargo}:/usr/local/cargo"
+          -v "${RUSTUP_HOME:-$HOME/.rustup}:/usr/local/rustup"
+          -e CARGO_HOME=/usr/local/cargo
+          -e RUSTUP_HOME=/usr/local/rustup
+          -e PATH=/usr/local/cargo/bin:/usr/local/rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin:/opt/rh/devtoolset-11/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+          -w /workspace
+          libdatadog-centos7
+          cargo nextest run --workspace --features libdd-crashtracker/generate-unit-test-files
+          --exclude builder --profile ci
+          -E '!test(tracing_integration_tests::)'
+      - name: Add file attributes to JUnit XML
+        if: success() || failure()
+        run: cargo run --bin add_junit_file_attributes -- target/nextest/ci/junit.xml
+      - name: Report Test Results
+        if: success() || failure()
+        uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # 4.3.1
+        with:
+          report_paths: "target/nextest/ci/junit.xml"
+          check_name: "[centos7] test report"
+          include_passed: true
+      - name: Upload test results to Datadog
+        if: success() || failure()
+        run: |
+          URL="https://github.com/DataDog/datadog-ci/releases/download/v4.2.2/datadog-ci_linux-x64"
+          OUTPUT="datadog-ci"
+          EXPECTED_CHECKSUM="3e1e9649d15d3feacced89ec90de66151046a58c7844217e4112362ad8dbf8d1"
+
+          echo "Downloading datadog-ci from $URL"
+          curl -L --fail --retry 3 -o "$OUTPUT" "$URL"
+          chmod +x "$OUTPUT"
+
+          ACTUAL_CHECKSUM=$(sha256sum "$OUTPUT" | cut -d' ' -f1)
+          echo "Expected checksum: $EXPECTED_CHECKSUM"
+          echo "Actual checksum: $ACTUAL_CHECKSUM"
+
+          if [ "$ACTUAL_CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
+            echo "Checksum verification failed!"
+            exit 1
+          fi
+          echo "Checksum verification passed"
+
+          ./"$OUTPUT" junit upload \
+            --service libdatadog \
+            --env ci \
+            --logs \
+            --tags arch:${{ runner.arch }},os:Linux,platform:centos7 \
+            target/nextest/ci/junit.xml
+        env:
+          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
 
   ffi_bake:
     strategy: