add dd-octo-sts policies

Author: ikraemer-dd

.github/chainguard/self.github.pre-commit.pull-requests.sts.yaml

@@ -0,0 +1,12 @@
+# Trust policy for pre-commit fixes on pull requests
+# Allows pushing pre-commit fixes back to PR branches
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-java:pull_request
+
+claim_pattern:
+  repository: DataDog/datadog-api-client-java
+  event_name: pull_request
+  job_workflow_ref: DataDog/datadog-api-client-java/\.github/workflows/reusable-pre-commit\.yml@refs/pull/[0-9]+/merge
+
+permissions:
+  contents: write

.github/chainguard/self.github.release.master.sts.yaml

@@ -0,0 +1,13 @@
+# Trust policy for creating releases on master branch
+# Restricted to master branch (protected ref) for security
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-java:ref:refs/heads/master
+
+claim_pattern:
+  repository: DataDog/datadog-api-client-java
+  ref: refs/heads/master
+  event_name: pull_request
+  job_workflow_ref: DataDog/datadog-api-client-java/\.github/workflows/release\.yml@refs/heads/master
+
+permissions:
+  contents: write