Replace secrets.GITHUB_TOKEN with dd-octo-sts in CI workflows (#11347)

lloeki · sarahchen6 · web-flow · commit 287722762e51 · 2026-05-12T20:48:55.000Z
Add dd-octo-sts chainguard policy files

Add 5 policy files under .github/chainguard/ declaring the
issuer, subject, event, and permission constraints for every
workflow that will be migrated from secrets.GITHUB_TOKEN to
DataDog/dd-octo-sts-action.

These policies must be on the default branch before the
corresponding workflow changes can use them.

Replace secrets.GITHUB_TOKEN with dd-octo-sts

Migrate all 5 GitHub Actions workflows from
secrets.GITHUB_TOKEN to OIDC tokens minted by
DataDog/dd-octo-sts-action. The token exchange is
auditable and governed by chainguard policy files that
explicitly declare which workflow, event, and ref pattern
may request which permissions.

All affected workflows pass the token to
actions/github-script via the github-token parameter.

Merge branch 'master' into lloeki/dd-octo-sts

Co-authored-by: sarahchen6 &lt;sarah.chen@datadoghq.com&gt;
diff --git a/.github/workflows/check-pull-request-labels.yaml b/.github/workflows/check-pull-request-labels.yaml
@@ -11,15 +11,22 @@ jobs:
   check_pr_labels:
     name: Check pull request labels
     permissions:
+      id-token: write # Required for OIDC token federation
       issues: write
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
+      - name: Get GitHub Token via dd-octo-sts
+        id: generate-token
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.check-pull-request-labels
       - name: Flag AI-generated pull requests
         id: flag_ai_generated
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ steps.generate-token.outputs.token }}
           script: |
             // Skip draft pull requests
             if (context.payload.pull_request.draft) {
@@ -124,7 +131,7 @@ jobs:
         env:
           LABELS_STALE: ${{ steps.flag_ai_generated.outputs.labels_stale }}
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ steps.generate-token.outputs.token }}
           script: |
             // Skip draft pull requests
             if (context.payload.pull_request.draft) {
diff --git a/.github/workflows/check-pull-requests.yaml b/.github/workflows/check-pull-requests.yaml
@@ -3,23 +3,30 @@ on:
   pull_request:
     types: [opened, edited, ready_for_review, labeled, unlabeled, synchronize]
     branches:
-    - master
-    - release/v*
+      - master
+      - release/v*
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 jobs:
   check_pull_requests:
     name: Check pull requests
     permissions:
+      id-token: write # Required for OIDC token federation
       issues: write # Required to create a comment on the pull request
       pull-requests: write # Required to create a comment on the pull request
     runs-on: ubuntu-latest
     steps:
+      - name: Get GitHub Token via dd-octo-sts
+        id: generate-token
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.check-pull-requests
       - name: Check pull requests
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
+          github-token: ${{ steps.generate-token.outputs.token }}
           script: |
             // Skip draft pull requests
             if (context.payload.pull_request.draft) {
@@ -41,7 +48,7 @@ jobs:
             if (titleCheckFailed) {
               core.setFailed('Please remove the tag from the pull request title.')
             }
-            // Check body does 
+            // Check body does
             const linkingKeywords = ['closes', 'closed', 'fix', 'fixes', 'fixed', 'resolve', 'resolves', 'resolved']
             const body = context.payload.pull_request.body
             const bodyCheckFailed = linkingKeywords.some(keyword => body.search(new RegExp(`${keyword}\\s\\d+`, "im")) !== -1)
diff --git a/.github/workflows/comment-on-submodule-update.yaml b/.github/workflows/comment-on-submodule-update.yaml
@@ -3,23 +3,30 @@ name: Comment on Submodule Update
 on:
   pull_request:
     branches:
-        - 'master'
-        - 'release/**'
+      - "master"
+      - "release/**"
     paths:
-      - 'dd-java-agent/agent-jmxfetch/integrations-core'
+      - "dd-java-agent/agent-jmxfetch/integrations-core"
 
 jobs:
   comment_on_submodule_update:
     permissions:
+      id-token: write # Required for OIDC token federation
       issues: write # Required to create a comment on the pull request
       pull-requests: write # Required to create a comment on the pull request
     runs-on: ubuntu-latest
 
     steps:
+      - name: Get GitHub Token via dd-octo-sts
+        id: generate-token
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.comment-on-submodule-update
       - name: Post comment on submodule update
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
+          github-token: ${{ steps.generate-token.outputs.token }}
           script: |
             github.rest.issues.createComment({
               issue_number: context.issue.number,
diff --git a/.github/workflows/enforce-groovy-migration.yaml b/.github/workflows/enforce-groovy-migration.yaml
@@ -4,7 +4,7 @@ on:
     types: [opened, edited, ready_for_review, labeled, unlabeled, synchronize]
     branches:
       - master
-      - 'release/v*'
+      - "release/v*"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,14 +14,21 @@ jobs:
   enforce_groovy_migration:
     name: Enforce Groovy migration
     permissions:
+      id-token: write # Required for OIDC token federation
       issues: write # Required to create a comment on the pull request
       pull-requests: write # Required to create a comment on the pull request
     runs-on: ubuntu-latest
     steps:
+      - name: Get GitHub Token via dd-octo-sts
+        id: generate-token
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.enforce-groovy-migration
       - name: Check for new Groovy files
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ steps.generate-token.outputs.token }}
           script: |
             const managedMarker = '<!-- dd-trace-java-groovy-enforcement -->'
 
diff --git a/.github/workflows/update-issues-on-release.yaml b/.github/workflows/update-issues-on-release.yaml
@@ -11,13 +11,20 @@ on:
 jobs:
   update_issues:
     permissions:
+      id-token: write # Required for OIDC token federation
       issues: write # Required to update issues
     runs-on: ubuntu-latest
     steps:
+      - name: Get GitHub Token via dd-octo-sts
+        id: generate-token
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.update-issues-on-release
       - name: Get milestone for release
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
+          github-token: ${{ steps.generate-token.outputs.token }}
           script: |
             // Get release milestone name
             const milestoneName = "${{github.event_name}}" == "workflow_dispatch" ?
