From 0aa1ff34f094f8ffe7979d6a3d4fccda3b47cd7d Mon Sep 17 00:00:00 2001
From: Loic Nageleisen
Date: Tue, 12 May 2026 16:19:23 +0200
Subject: [PATCH] Add dd-octo-sts chainguard policy files

Add 4 policy files under .github/chainguard/ declaring the issuer, subject, event, and permission constraints for every workflow that will be migrated from secrets.GITHUB_TOKEN to DataDog/dd-octo-sts-action. These policies must be on the default branch before the corresponding workflow changes can use them.

---
 .../self.add-asset-to-gh-release.sts.yaml | 11 +++++++++++
 .../self.auto-add-pr-to-milestone.sts.yaml | 12 ++++++++++++
 .../chainguard/self.auto-check-snapshots.sts.yaml | 11 +++++++++++
 .github/chainguard/self.auto-label-prs.sts.yaml | 13 +++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 .github/chainguard/self.add-asset-to-gh-release.sts.yaml
 create mode 100644 .github/chainguard/self.auto-add-pr-to-milestone.sts.yaml
 create mode 100644 .github/chainguard/self.auto-check-snapshots.sts.yaml
 create mode 100644 .github/chainguard/self.auto-label-prs.sts.yaml

diff --git a/.github/chainguard/self.add-asset-to-gh-release.sts.yaml b/.github/chainguard/self.add-asset-to-gh-release.sts.yaml
new file mode 100644
index 00000000000..aa847569cae
--- /dev/null
+++ b/.github/chainguard/self.add-asset-to-gh-release.sts.yaml
@@ -0,0 +1,11 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: "repo:DataDog/dd-trace-php:ref:refs/heads/.+"
+
+claim_pattern:
+ event_name: workflow_dispatch
+ repository: DataDog/dd-trace-php
+ job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/add-asset-to-gh-release\.yml@refs/heads/.+
+
+permissions:
+ contents: write
diff --git a/.github/chainguard/self.auto-add-pr-to-milestone.sts.yaml b/.github/chainguard/self.auto-add-pr-to-milestone.sts.yaml
new file mode 100644
index 00000000000..93e7ddd633b
--- /dev/null
+++ b/.github/chainguard/self.auto-add-pr-to-milestone.sts.yaml
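Review bot: Both `subject_pattern` and the `@refs/heads/.+` tail of `job_workflow_ref` in this policy accept any branch for a `workflow_dispatch` run that is then granted `contents: write`, so a modified copy of add-asset-to-gh-release.yml pushed to any branch of the repository can mint a token able to write releases and repository contents. If release assets are only ever attached from the default branch or a known set of release branches, pin the ref in both places, e.g. `subject_pattern: "repo:DataDog/dd-trace-php:ref:refs/heads/<release-branch-pattern>"` (placeholder) with the matching suffix on `job_workflow_ref`; if any branch genuinely needs this, a comment above `subject_pattern` stating why would help the next reviewer. Whether `.+` is matched against the whole claim or as a substring depends on how dd-octo-sts evaluates patterns; if it is substring matching, the patterns should be anchored explicitly. As a style point shared by all four files in this commit, `subject_pattern` is double-quoted while the `job_workflow_ref` regex is a plain scalar containing `\`, `@`, `(`, `|` and `[`; quoting it the same way keeps the two regexes consistent and avoids a future edit being parsed as a YAML indicator.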
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: "repo:DataDog/dd-trace-php:pull_request"
+
+claim_pattern:
+ event_name: pull_request
+ repository: DataDog/dd-trace-php
+ job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/auto_add_pr_to_miletone\.yml@refs/(pull/[0-9]+/merge|heads/.+)
+
+permissions:
+ issues: write
+ pull_requests: write
diff --git a/.github/chainguard/self.auto-check-snapshots.sts.yaml b/.github/chainguard/self.auto-check-snapshots.sts.yaml
new file mode 100644
index 00000000000..4f2c63c2436
--- /dev/null
+++ b/.github/chainguard/self.auto-check-snapshots.sts.yaml
@@ -0,0 +1,11 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: "repo:DataDog/dd-trace-php:pull_request"
+
+claim_pattern:
+ event_name: pull_request
+ repository: DataDog/dd-trace-php
+ job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/auto_check_snapshots\.yml@refs/(pull/[0-9]+/merge|heads/.+)
+
+permissions:
+ pull_requests: write
diff --git a/.github/chainguard/self.auto-label-prs.sts.yaml b/.github/chainguard/self.auto-label-prs.sts.yaml
new file mode 100644
index 00000000000..948e0a4cebc
--- /dev/null
+++ b/.github/chainguard/self.auto-label-prs.sts.yaml
@@ -0,0 +1,13 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: "repo:DataDog/dd-trace-php:pull_request"
+
+claim_pattern:
+ event_name: pull_request
+ repository: DataDog/dd-trace-php
+ job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/auto_label_prs\.yml@refs/(pull/[0-9]+/merge|heads/.+)
+
+permissions:
+ contents: read
+ issues: write
+ pull_requests: write
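Review bot: The `job_workflow_ref` in self.auto-add-pr-to-milestone.sts.yaml names `auto_add_pr_to_miletone\.yml`, while the policy file itself is spelled `milestone`; if the workflow on disk is also spelled `milestone`, this claim pattern can never match and every token request from that workflow will be refused once it is migrated off `secrets.GITHUB_TOKEN`. Please confirm the actual workflow filename and, if it differs, change the line to `job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/auto_add_pr_to_milestone\.yml@refs/(pull/[0-9]+/merge|heads/.+)`. If the workflow file really carries the shorter spelling, a one-line comment above `job_workflow_ref` saying so would stop the next reader from "fixing" it.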
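Review bot: For a policy that pins `event_name: pull_request` and a `pull_request` subject, the `heads/.+` alternative in `job_workflow_ref` of self.auto-check-snapshots.sts.yaml looks wider than needed: a pull_request-triggered run typically presents the workflow at the PR merge ref (`refs/pull/N/merge`), so the branch alternative mainly admits a modified copy of auto_check_snapshots.yml on any in-repo branch being granted `pull_requests: write`. If no run path under this event presents a `refs/heads/...` workflow ref, consider tightening to `job_workflow_ref: DataDog/dd-trace-php/\.github/workflows/auto_check_snapshots\.yml@refs/pull/[0-9]+/merge`; the same pattern appears in self.auto-label-prs.sts.yaml and self.auto-add-pr-to-milestone.sts.yaml in this commit. If the alternative is deliberate, a comment above the line naming the run path that needs it would make the intent reviewable.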