From 9f379869262d79ccfcf74bb8136646ab4e2c3e8c Mon Sep 17 00:00:00 2001
From: Bruce Bujon
Date: Fri, 13 Feb 2026 18:00:38 +0100
Subject: [PATCH 1/2] feat(ci): Add workflow to enforce Datadog merge queue
---
 ...ce-datadog-merge-queue.comment-pr.sts.yaml | 11 +++++
 .github/workflows/README.md | 13 ++++++
 .../enforce-datadog-merge-queue.yaml | 40 +++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 .github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml
 create mode 100644 .github/workflows/enforce-datadog-merge-queue.yaml
diff --git a/.github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml b/.github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml
new file mode 100644
index 00000000000..033ffbedfa3
--- /dev/null
+++ b/.github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml
@@ -0,0 +1,11 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/heads/master
+
+claim_pattern:
+ event_name: enqueued
+ job_workflow_ref: DataDog/dd-trace-java/.github/workflows/enforce-datadog-merge-queue.yaml@refs/heads/master
+
+permissions:
+ issues: write
+ pull_requests: write
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index cc8ae669849..f435c2ac5b6 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
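Review bot: The `permissions` block at the end of `self.enforce-datadog-merge-queue.comment-pr.sts.yaml` grants both `issues: write` and `pull_requests: write`, but the only call the workflow makes with the exchanged token is `github.rest.issues.createComment` on a pull request. GitHub's REST API accepts either of those two permissions for that endpoint, so one of them can probably be dropped (for example keeping only `pull_requests: write`); a test run would confirm it. The policy also has no comment saying which workflow consumes it, and a header line such as `# Lets enforce-datadog-merge-queue.yaml post the /merge comment on enqueued pull requests` would tell the next reviewer why this trust grant exists.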
@@ -36,6 +36,19 @@ _Action:_ Check the pull request did not introduce unexpected label. _Recovery:_ Update the pull request or add a comment to trigger the action again. +### enforce-datadog-merge-queue [🔗](enforce-datadog-merge-queue.yaml) + +_Trigger:_ When creating or updating a pull request, or when a pull request is added to GitHub merge queue. + +_Actions:_ + +* Pass the `Merge queue check` status check on pull requests so they remain in a mergeable state, +* When a pull request is enqueued in GitHub merge queue, post a `/merge` comment to trigger the Datadog merge queue, +* Fail the `Merge queue check` status check on merge groups to prevent GitHub from merging directly. + +_Recovery:_ The workflow is expected to fail to block GitHub merge queue. +This redirects GitHub's "Merge when ready" button to the Datadog merge queue system. + ### create-release-branch [🔗](create-release-branch.yaml) _Trigger:_ When a git tag matching the pattern "vM.N.0" is pushed (e.g. for a minor release). diff --git a/.github/workflows/enforce-datadog-merge-queue.yaml b/.github/workflows/enforce-datadog-merge-queue.yaml new file mode 100644 index 00000000000..9f9c64624ea --- /dev/null +++ b/.github/workflows/enforce-datadog-merge-queue.yaml 
@@ -0,0 +1,40 @@
+name: Enforce Datadog Merge Queue
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened, enqueued]
+ branches:
+ - master
+ merge_group:
+
+jobs:
+ enforce_datadog_merge_queue:
+ name: Merge queue check
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # required for OIDC token federation
+ steps:
+ - name: Block GitHub merge queue
+ if: github.event_name == 'merge_group'
+ run: |
+ echo "Merge is handled by the Datadog merge queue system. Use the /merge command to enqueue your PR for merging."
+ exit 1
+ - name: Get OIDC token
+ if: github.event.action == 'enqueued'
+ uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+ id: octo-sts
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.enforce-datadog-merge-queue.comment-pr
+ - name: Post /merge comment
+ if: github.event.action == 'enqueued'
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # 8.0.0
+ with:
+ github-token: ${{ steps.octo-sts.outputs.token }}
+ script: |
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.payload.pull_request.number,
+ body: '/merge'
+ });
From 7fc80d49ab0f82c7c256bc39092be45b9c12634b Mon Sep 17 00:00:00 2001
From: Bruce Bujon
Date: Tue, 17 Feb 2026 15:55:09 +0100
Subject: [PATCH 2/2] fix(ci): Fix chainguard
---
 .../self.enforce-datadog-merge-queue.comment-pr.sts.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml b/.github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml
index 033ffbedfa3..3193a73c449 100644
--- a/.github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml
+++ b/.github/chainguard/self.enforce-datadog-merge-queue.comment-pr.sts.yaml
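Review bot: In `enforce-datadog-merge-queue.yaml`, `id-token: write` is set on the whole `enforce_datadog_merge_queue` job, so every `opened`, `synchronize`, `reopened` and `merge_group` run may request an OIDC token although only the `enqueued` path exchanges one. Moving the two token steps into their own job gated on the `enqueued` action lets the status-check job run with `permissions: {}`, and the job-level condition replaces the two per-step `if` lines. This narrows which steps hold token-minting rights; the trust policy under `.github/chainguard/` remains the control on what a minted token can be exchanged for.

```yaml
jobs:
  enforce_datadog_merge_queue:
    name: Merge queue check
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      # … unchanged: "Block GitHub merge queue" step …

  trigger_datadog_merge_queue:
    name: Trigger Datadog merge queue
    if: github.event_name == 'pull_request' && github.event.action == 'enqueued'
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required for OIDC token federation
    steps:
      # … unchanged: "Get OIDC token" and "Post /merge comment" steps, minus their per-step if …
```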
@@ -1,10 +1,10 @@
 issuer: https://token.actions.githubusercontent.com

-subject: repo:DataDog/dd-trace-java:ref:refs/heads/master
+subject: repo:DataDog/dd-trace-java:pull_request

 claim_pattern:
- event_name: enqueued
- job_workflow_ref: DataDog/dd-trace-java/.github/workflows/enforce-datadog-merge-queue.yaml@refs/heads/master
+ event_name: pull_request
+ job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/enforce-datadog-merge-queue\.yaml@refs/heads/master

 permissions:
 issues: write
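Review bot: The new `job_workflow_ref` pattern still ends in `@refs/heads/master`, while a token minted on a `pull_request` run usually carries the pull request ref in that claim (of the form `...yaml@refs/pull/<number>/merge`), so the policy may still reject every exchange; this cannot be confirmed from the patch, so check the claims of a real run. If that is the case, the line would become `job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/enforce-datadog-merge-queue\.yaml@refs/pull/[0-9]+/merge`. Either way the pattern pins the workflow path, not its content: on `pull_request` the workflow file comes from the pull request's merge commit, so the granted permissions are what bounds the token, and a comment in the policy saying so would help future reviewers. The `permissions` mapping continues below the hunk.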