diff --git a/.github/chainguard/self.add-asset-to-gh-release.sts.yaml b/.github/chainguard/self.add-asset-to-gh-release.sts.yaml
new file mode 100644
index 00000000000..aa847569cae
--- /dev/null
+++ b/.github/chainguard/self.add-asset-to-gh-release.sts.yaml
@@ -0,0 +1,11 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: "repo:DataDog/dd-trace-php:ref:refs/heads/.+"
+
+claim_pattern:
+  event_name: workflow_dispatch
+  repository: DataDog/dd-trace-php
+  job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/add-asset-to-gh-release\.yml@refs/heads/.+
+
+permissions:
+  contents: write
diff --git a/.github/chainguard/self.auto-add-pr-to-milestone.sts.yaml b/.github/chainguard/self.auto-add-pr-to-milestone.sts.yaml
new file mode 100644
index 00000000000..93e7ddd633b
--- /dev/null
+++ b/.github/chainguard/self.auto-add-pr-to-milestone.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: "repo:DataDog/dd-trace-php:pull_request"
+
+claim_pattern:
+  event_name: pull_request
+  repository: DataDog/dd-trace-php
+  job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/auto_add_pr_to_miletone\.yml@refs/(pull/[0-9]+/merge|heads/.+)
+
+permissions:
+  issues: write
+  pull_requests: write
diff --git a/.github/chainguard/self.auto-check-snapshots.sts.yaml b/.github/chainguard/self.auto-check-snapshots.sts.yaml
new file mode 100644
index 00000000000..4f2c63c2436
--- /dev/null
+++ b/.github/chainguard/self.auto-check-snapshots.sts.yaml
@@ -0,0 +1,11 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: "repo:DataDog/dd-trace-php:pull_request"
+
+claim_pattern:
+  event_name: pull_request
+  repository: DataDog/dd-trace-php
+  job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/auto_check_snapshots\.yml@refs/(pull/[0-9]+/merge|heads/.+)
+
+permissions:
+  pull_requests: write
diff --git a/.github/chainguard/self.auto-label-prs.sts.yaml b/.github/chainguard/self.auto-label-prs.sts.yaml
new file mode 100644
index 00000000000..948e0a4cebc
--- /dev/null
+++ b/.github/chainguard/self.auto-label-prs.sts.yaml
@@ -0,0 +1,13 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: "repo:DataDog/dd-trace-php:pull_request"
+
+claim_pattern:
+  event_name: pull_request
+  repository: DataDog/dd-trace-php
+  job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/auto_label_prs\.yml@refs/(pull/[0-9]+/merge|heads/.+)
+
+permissions:
+  contents: read
+  issues: write
+  pull_requests: write