Skip to content

Commit e9ffa01

Browse files
sarah-wittsarah-witt
authored
[AI-6502] Update dependency resolution dd-octo-sts policy (DataDog#23955)
* Update dd-octo-sts policy for resolve build deps * revert workflow change
1 parent bdac825 commit e9ffa01

1 file changed

Lines changed: 8 additions & 13 deletions

File tree

.github/chainguard/self.resolve-build-deps.push.sts.yaml

Lines changed: 8 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,18 @@
11
# Policy for: .github/workflows/resolve-build-deps.yaml publish job in DataDog/integrations-core
2-
# Triggered by push to master or release branches, or workflow_dispatch
2+
# Triggered by push to feature branches that update dependencies
33
#
44
# Naming convention:
55
# self: Only this repository (DataDog/integrations-core) can use this policy
66
# resolve-build-deps: Specific workflow
7-
# push: Primary trigger is push to protected branches
7+
# push: Primary trigger is push to feature branches
88
#
99
# Security model:
10-
# - Publish job runs on push or workflow_dispatch to protected branches (master and X.Y.x)
10+
# - Publish job runs on push to any feature branch
1111
# - Workflow file must be committed to the same branch
12-
# - Pull request events are excluded by the job's if condition
12+
# - Access is scoped to this specific workflow file via job_workflow_ref
1313
#
1414
# Permissions granted:
15-
# - contents: write - Push commits to branches
16-
# - pull_requests: write - Create pull requests
17-
# - workflows: write - Modify workflow files in generated commits
15+
# - contents: write - Push commits (lockfiles) back to the feature branch
1816
#
1917
# Usage in workflows:
2018
# - uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
@@ -24,15 +22,12 @@
2422

2523
issuer: https://token.actions.githubusercontent.com
2624

27-
subject_pattern: repo:DataDog/integrations-core:ref:refs/heads/(master|\d+\.\d+\..*)
25+
subject_pattern: repo:DataDog/integrations-core:ref:refs/heads/.*
2826

2927
claim_pattern:
30-
event_name: (push|workflow_dispatch)
31-
job_workflow_ref: DataDog/integrations-core/\.github/workflows/resolve-build-deps\.yaml@refs/heads/(master|\d+\.\d+\..*)
32-
ref: refs/heads/(master|\d+\.\d+\..*)
28+
event_name: push
29+
job_workflow_ref: DataDog/integrations-core/\.github/workflows/resolve-build-deps\.yaml@refs/heads/.*
3330
repository: DataDog/integrations-core
3431

3532
permissions:
3633
contents: write
37-
pull_requests: write
38-
workflows: write

0 commit comments

Comments
 (0)