[SINT-4729] use dd-octo-sts in approved_status (#3483)

ikraemer-dd · web-flow · commit 85b6c7040819 · 2026-02-12T10:06:10.000-05:00
diff --git a/.github/workflows/approved_status.yml b/.github/workflows/approved_status.yml
@@ -1,9 +1,5 @@
 name: Send PR Approval Status
 
-permissions:
-  contents: read
-  checks: write
-
 on:
   pull_request:
     branches:
@@ -16,20 +12,22 @@ on:
 
 jobs:
   send_status:
+    permissions:
+      contents: read
+      id-token: write  # Required for dd-octo-sts OIDC token
     runs-on: ubuntu-latest
     if: >
       github.event.pull_request.draft == false &&
       !contains(github.event.pull_request.labels.*.name, 'ci/skip') &&
       !contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/') &&
       contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/')
     steps:
-      - name: Get GitHub App token
+      - name: Get GitHub token via dd-octo-sts
         id: get_token
-        uses: actions/create-github-app-token@v1
+        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80  # v1.0.3
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
-          repositories: datadog-api-spec
+          scope: DataDog/datadog-api-spec
+          policy: datadog-api-client-java.approved_status.post-review-status
       - name: Post PR review status check
         uses: DataDog/github-actions/post-review-status@v2
         with:
