ci: add GitLab pipeline to bump rshell in datadog-agent on new tag #188

Draft
matt-dz wants to merge 24 commits into main from matt-dz/gitlab-bump-datadog-agent

Collaborator

matt-dz commented Apr 16, 2026

Summary

Adds a GitLab CI pipeline that automatically opens a draft PR on DataDog/datadog-agent to bump the pinned rshell version whenever a new rshell tag (matching v*.*.*) is detected.

  • Trigger — tag-only (rules: - if: $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/) plus an opt-in manual path via Run pipeline on main with BUMP_VERSION=vX.Y.Z.
  • Auth — dd-octo-sts mints a short-lived GitHub token via GitLab OIDC; no static secrets anywhere.
  • Bump flow — clone datadog-agent → strip the lingering replace github.com/DataDog/rshell directive (one-time v0.0.11 transition) → go get → dda inv tidy → write a reno note → commit → push → open draft PR.
  • Idempotent — no-ops if a PR for the same version already exists.
  • Draft PR labels: changelog/no-changelog, ask-review; review requested from @DataDog/action-platform.

Mirrors the generate_windows_gitlab_runner_bump_pr pattern already in datadog-agent/.gitlab/distribute/trigger_release/agent.yml.

Prerequisites

  • rshell is mirrored to gitlab.ddbuild.io/DataDog/rshell with Trigger pipelines for mirror updates enabled.
  • Companion PR DataDog/datadog-agent#49490 adding the self.rshell.bump-rshell-version octo-sts policy must merge before this is effective.

Test plan

  • Lint via GitLab CI Lint API once mirrored.
  • Dry-run: push a throwaway tag on a fork, point the policy at a scratch datadog-agent fork, verify the PR opens as draft with the right title, labels, reviewers, and a clean go.mod/go.sum/reno diff.
  • Delete scratch PR + tag.
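
The trigger rule and the manual BUMP_VERSION path in the description above mean the bump script takes its version string from the environment. As an added example (not code from this PR), one way to validate that value strictly before it reaches the branch name or `go get`; the function names, the sample versions and the tag-over-BUMP_VERSION precedence are assumptions.

```python
import re

# Same shape as the pipeline's tag rule. fullmatch() is used because in
# Python "$" also matches just before a trailing newline.
VERSION_RE = re.compile(r"v[0-9]+\.[0-9]+\.[0-9]+")
MODULE = "github.com/DataDog/rshell"  # module path named in the PR description


def loose_accepts(value):
    """Weak form: re.match with ^...$ lets 'v1.2.3\\n' through."""
    return re.match(r"^v[0-9]+\.[0-9]+\.[0-9]+$", value) is not None


def resolve_version(env):
    """Take CI_COMMIT_TAG, else BUMP_VERSION (precedence assumed); validate."""
    raw = env.get("CI_COMMIT_TAG") or env.get("BUMP_VERSION")
    if not raw:
        raise ValueError("neither CI_COMMIT_TAG nor BUMP_VERSION is set")
    if not VERSION_RE.fullmatch(raw):
        raise ValueError(f"refusing version {raw!r}: expected vX.Y.Z")
    return raw


def bump_plan(env):
    """Derive the branch name and `go get` argv from a validated version."""
    version = resolve_version(env)
    return {
        "branch": f"bump-rshell-{version}",
        # argv list, not a shell string: the version stays one argument
        "go_get": ["go", "get", f"{MODULE}@{version}"],
    }


def is_rejected(value):
    """True when a candidate BUMP_VERSION fails strict validation."""
    try:
        resolve_version({"BUMP_VERSION": value})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs, not values from the PR.
    print(bump_plan({"CI_COMMIT_TAG": "v0.0.12"}))
    for candidate in ["v1.2.3", "v1.2.3\n", "v1.2", "v1.2.3-rc1"]:
        print(repr(candidate), loose_accepts(candidate), is_rejected(candidate))
```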

Collaborator Author

matt-dz commented Apr 16, 2026

@codex conduct a comprehensive security and code review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 20d3ba3fda

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .gitlab-ci.yml Outdated
Comment thread .gitlab/scripts/bump_datadog_agent.py Outdated
Comment thread .gitlab/scripts/bump_datadog_agent.py Outdated

matt-dz commented Apr 16, 2026

@codex conduct a comprehensive security and code review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3c0ac3884b

Comment thread .gitlab-ci.yml Outdated
Comment thread .gitlab/scripts/bump_datadog_agent.py Outdated

matt-dz commented Apr 16, 2026

@codex conduct a comprehensive security and code review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b363e85897

Comment thread .gitlab-ci.yml Outdated
Comment thread tools/bump_datadog_agent/bump.py Outdated

matt-dz commented Apr 16, 2026

@codex conduct a comprehensive security and code review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 47b1847a6e

Comment thread .gitlab-ci.yml Outdated

matt-dz commented Apr 16, 2026

@codex conduct a comprehensive security and code review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 810ac250e0

Comment thread tools/bump_datadog_agent/bump.py
Comment thread tools/bump_datadog_agent/bump.py Outdated
branch = f"bump-rshell-{version}"

log(f"checking {TARGET_REPO} for existing PR with head={branch}")
existing = list(repo.get_pulls(state="open", head=f"{TARGET_REPO.split('/')[0]}:{branch}"))
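
Review bot: `version` goes straight into the branch name and the `head=` filter on these lines, so both depend on it already being a strict `vX.Y.Z` string; since the description also allows a manual `BUMP_VERSION` run, validate the value before `branch` is built. Separately, `TARGET_REPO.split('/')[0]` assumes the bump branch lives under the same owner as the target repository; a named owner constant would make that assumption explicit.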

P2: Handle closed existing PRs before attempting create_pull

The idempotency check only looks for open PRs, so if a prior bump PR for the same bump-rshell-vX.Y.Z branch was closed, this path will still push and then call create_pull. GitHub rejects duplicate head/base PR creation for that branch, which turns retries or manual reruns for the same version into hard failures instead of a safe no-op/update path. Query state="all" (or explicitly closed) and reuse/reopen the existing PR when present.

Useful? React with 👍 / 👎.
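
The failure mode in the review comment above, as an added sketch that is not the PR's code: decide the action from pull requests in every state rather than only open ones. `PullRecord`, `plan_bump`, `open_only_plan` and the sample history are constructed for illustration, and treating an already merged bump as a no-op is an assumption; with PyGithub the records would come from `repo.get_pulls(state="all", head=...)`.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class PullRecord:
    """Constructed stand-in for the PR fields the decision needs."""
    number: int
    state: str      # "open" or "closed", as GitHub reports it
    merged: bool    # True only for closed PRs that were merged
    head_ref: str   # head branch name, e.g. "bump-rshell-v1.2.3"


def plan_bump(pulls: Iterable[PullRecord], branch: str) -> Tuple[str, Optional[int]]:
    """Return (action, pr_number) from PRs in every state, not only open ones."""
    matching = [p for p in pulls if p.head_ref == branch]
    open_prs = [p.number for p in matching if p.state == "open"]
    if open_prs:
        return ("noop", max(open_prs))          # already proposed
    merged = [p.number for p in matching if p.merged]
    if merged:
        return ("noop", max(merged))            # assumption: merged bump is done
    closed = [p.number for p in matching if p.state == "closed"]
    if closed:
        return ("reopen", max(closed))          # reuse instead of create_pull
    return ("create", None)


def open_only_plan(pulls: Iterable[PullRecord], branch: str) -> str:
    """The behaviour the review flags: closed PRs are invisible to the check."""
    found = any(p.head_ref == branch and p.state == "open" for p in pulls)
    return "noop" if found else "create"


# Constructed history: one bump PR closed without merging, one merged.
HISTORY = [
    PullRecord(101, "closed", False, "bump-rshell-v1.2.3"),
    PullRecord(99, "closed", True, "bump-rshell-v1.2.2"),
]

if __name__ == "__main__":
    print(open_only_plan(HISTORY, "bump-rshell-v1.2.3"))
    print(plan_bump(HISTORY, "bump-rshell-v1.2.3"))
```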

@@ -0,0 +1,26 @@
name: CI scripts
Member

@AlexandreYang AlexandreYang Apr 28, 2026

ci: add GitLab pipeline to bump rshell in datadog-agent on new tag

@matt-dz
Q: Don't we already have existing tooling that will do this?

Example PRs like this: #198

By "🤖 Generated by DataDog Automated Dependency Management System"
