Migrate to dd-octo-sts. (#1450)

jack-edmonds-dd · web-flow · commit 387c87ac8bdc · 2026-04-03T11:45:37.000-04:00
diff --git a/.github/chainguard/self.github.pre-commit.pull-requests.sts.yaml b/.github/chainguard/self.github.pre-commit.pull-requests.sts.yaml
@@ -0,0 +1,13 @@
+---
+# Policy for: .github/workflows/reusable-pre-commit.yml in DataDog/datadog-api-client-rust
+# Allows the pre-commit workflow to push fixes back to the PR branch
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-rust:pull_request
+
+claim_pattern:
+  event_name: pull_request
+  job_workflow_ref: DataDog/datadog-api-client-rust/\.github/workflows/reusable-pre-commit\.yml@refs/pull/[0-9]+/merge
+  repository: DataDog/datadog-api-client-rust
+
+permissions:
+  contents: write
diff --git a/.github/chainguard/self.github.release.master.sts.yaml b/.github/chainguard/self.github.release.master.sts.yaml
@@ -0,0 +1,13 @@
+---
+# Policy for: .github/workflows/release.yml in DataDog/datadog-api-client-rust
+# Allows the release workflow to create tags and GitHub releases
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-rust:pull_request
+
+claim_pattern:
+  event_name: pull_request
+  job_workflow_ref: DataDog/datadog-api-client-rust/\.github/workflows/release\.yml@refs/pull/[0-9]+/merge
+  repository: DataDog/datadog-api-client-rust
+
+permissions:
+  contents: write
diff --git a/.github/workflows/approved_status.yml b/.github/workflows/approved_status.yml
@@ -22,14 +22,15 @@ jobs:
       !contains(github.event.pull_request.labels.*.name, 'ci/skip') &&
       !contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/') &&
       contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/')
+    permissions:
+      id-token: write
     steps:
       - name: Get GitHub App token
         id: get_token
-        uses: actions/create-github-app-token@v1
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
-          repositories: datadog-api-spec
+          scope: DataDog/datadog-api-spec
+          policy: datadog-api-client-rust.approved_status.post-review-status
       - name: Post PR review status check
         uses: DataDog/github-actions/post-review-status@v2
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,13 +19,15 @@ jobs:
     name: Create release
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')
+    permissions:
+      id-token: write
     steps:
       - name: Get GitHub App token
         id: get_token
-        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 #v1.11.1
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
+          scope: DataDog/datadog-api-client-rust
+          policy: self.github.release.master
 
       - name: Checkout ${{ github.event.pull_request.base.ref }}
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/reusable-ci.yml b/.github/workflows/reusable-ci.yml
@@ -29,10 +29,6 @@ on:
         type: string
         default: 'cargo check --examples'
     secrets:
-      PIPELINE_GITHUB_APP_ID:
-        required: false
-      PIPELINE_GITHUB_APP_PRIVATE_KEY:
-        required: false
       # Integration test secrets
       DD_API_KEY:
         required: false
@@ -47,9 +43,6 @@ jobs:
     with:
       target-branch: ${{ inputs.target-branch }}
       enable-commit-changes: false  # Don't auto-commit in external CI
-    secrets:
-      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 
   test:
     uses: ./.github/workflows/reusable-rust-test.yml
@@ -58,28 +51,19 @@ jobs:
       rust-versions: ${{ inputs.rust-versions }}
       platforms: ${{ inputs.platforms }}
       test-script: ${{ inputs.test-script }}
-    secrets:
-      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 
   examples:
     uses: ./.github/workflows/reusable-examples.yml
     with:
       target-branch: ${{ inputs.target-branch }}
       examples-command: ${{ inputs.examples-command }}
-    secrets:
-      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 
   integration:
     uses: ./.github/workflows/reusable-integration-test.yml
     with:
       target-branch: ${{ inputs.target-branch }}
       has-integration-label: ${{ contains(github.event.pull_request.labels.*.name, 'ci/integrations') }}
     secrets:
-      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
       DD_API_KEY: ${{ secrets.DD_API_KEY }}
       DD_CLIENT_API_KEY: ${{ secrets.DD_CLIENT_API_KEY }}
       DD_CLIENT_APP_KEY: ${{ secrets.DD_CLIENT_APP_KEY }}
-
diff --git a/.github/workflows/reusable-examples.yml b/.github/workflows/reusable-examples.yml
@@ -18,12 +18,6 @@ on:
         required: false
         type: string
         default: 'stable'
-    secrets:
-      PIPELINE_GITHUB_APP_ID:
-        required: false
-      PIPELINE_GITHUB_APP_PRIVATE_KEY:
-        required: false
-
 jobs:
   examples:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/reusable-integration-test.yml b/.github/workflows/reusable-integration-test.yml
@@ -44,10 +44,6 @@ on:
         type: boolean
         default: false
     secrets:
-      PIPELINE_GITHUB_APP_ID:
-        required: false
-      PIPELINE_GITHUB_APP_PRIVATE_KEY:
-        required: false
       DD_API_KEY:
         required: true
       DD_CLIENT_API_KEY:
@@ -70,6 +66,9 @@ jobs:
       contains(github.event.pull_request.labels.*.name, 'ci/integrations')) ||
       github.event_name == 'schedule' ||
       (github.event_name == 'workflow_call' && inputs.has-integration-label)
+    permissions:
+      id-token: write
+      contents: read
     services:
       datadog-agent:
         image: gcr.io/datadoghq/agent:latest
@@ -83,11 +82,10 @@ jobs:
       - name: Get GitHub App token
         if: github.event_name == 'pull_request'
         id: get_token
-        uses: actions/create-github-app-token@v1
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
-          repositories: ${{ inputs.target-repo || 'datadog-api-spec' }}
+          scope: DataDog/datadog-api-spec
+          policy: datadog-api-client-rust.reusable-integration-test.post-status
       - name: Checkout code
         uses: actions/checkout@v3
         with:
diff --git a/.github/workflows/reusable-pre-commit.yml b/.github/workflows/reusable-pre-commit.yml
@@ -13,27 +13,24 @@ on:
         required: false
         type: boolean
         default: true
-    secrets:
-      PIPELINE_GITHUB_APP_ID:
-        required: false
-      PIPELINE_GITHUB_APP_PRIVATE_KEY:
-        required: false
-
 env:
   GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
   GIT_AUTHOR_NAME: "ci.datadog-api-spec"
 
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Get GitHub App token
         id: get_token
-        if: inputs.enable-commit-changes
-        uses: actions/create-github-app-token@v1
+        if: inputs.enable-commit-changes && github.event_name == 'pull_request'
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
+          scope: DataDog/datadog-api-client-rust
+          policy: self.github.pre-commit.pull-requests
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
diff --git a/.github/workflows/reusable-rust-test.yml b/.github/workflows/reusable-rust-test.yml
@@ -23,12 +23,6 @@ on:
         required: false
         type: string
         default: './run-tests.sh'
-    secrets:
-      PIPELINE_GITHUB_APP_ID:
-        required: false
-      PIPELINE_GITHUB_APP_PRIVATE_KEY:
-        required: false
-
 jobs:
   test:
     strategy:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -28,9 +28,6 @@ jobs:
     uses: ./.github/workflows/reusable-pre-commit.yml
     with:
       enable-commit-changes: true
-    secrets:
-      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 
   test:
     if: >
@@ -43,9 +40,6 @@ jobs:
       rust-versions: '["stable"]'
       platforms: '["ubuntu-latest"]'
       test-script: './run-tests.sh'
-    secrets:
-      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 
   examples:
     if: >
@@ -64,15 +58,16 @@ jobs:
     needs:
       - test
       - examples
+    permissions:
+      id-token: write
     steps:
       - name: Get GitHub App token
         if: github.event_name == 'pull_request'
         id: get_token
-        uses: actions/create-github-app-token@v1
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
-          repositories: datadog-api-spec
+          scope: DataDog/datadog-api-spec
+          policy: datadog-api-client-rust.test.post-status
       - name: Post status check
         uses: DataDog/github-actions/post-status-check@v2
         with:
