Merge pull request #723 from DataDog/simon.marechal/use-dd-octo-sts-tokens

Minosity-VR · web-flow · commit 143ea742650d · 2026-01-16T09:00:46.000+01:00
Use dd-octo-sts for short lived tokens
diff --git a/.github/chainguard/self.release.create-pr.sts.yml b/.github/chainguard/self.release.create-pr.sts.yml
@@ -0,0 +1,13 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/stratus-red-team:ref:refs/heads/main
+
+claim_pattern:
+  event_name: push
+  ref: refs/heads/main
+  ref_protected: "true"
+  job_workflow_ref: DataDog/stratus-red-team/.github/workflows/release.yml@refs/heads/main
+
+permissions:
+  contents: read
+  pull-requests: read
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -15,7 +15,7 @@ permissions:
 jobs:
   deploy:
     permissions:
-      contents: write  # for mkdocs gh-deploy to publish docs
+      contents: write # for mkdocs gh-deploy to publish docs
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
@@ -27,7 +27,6 @@ jobs:
             github.com:443
             pypi.org:443
             *.actions.githubusercontent.com:443
-
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,18 +9,14 @@ defaults:
   run:
     working-directory: ./v2
 
-permissions:
-  contents: read
-  pull-requests: read
-
 jobs:
   goreleaser:
     timeout-minutes: 120
     runs-on:
       group: Large Runner Shared Public
       labels: ubuntu-4-core-latest
     permissions:
-      pull-requests: write
+      id-token: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a
@@ -41,7 +37,11 @@ jobs:
             go.dev:443
             dl.google.com:443
             golang.org:443
-
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/stratus-red-team
+          policy: self.release.create-pr.sts.yml
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
@@ -58,4 +58,4 @@ jobs:
           args: release --clean --config ../.goreleaser.yaml --timeout 600m0s --verbose --parallelism 1
           workdir: ./v2
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
