Commit 59dd18b

Add dd-octo-sts chainguard policy files
Add 5 policy files under .github/chainguard/ declaring the issuer, subject, event, and permission constraints for every workflow that will be migrated from secrets.GITHUB_TOKEN to DataDog/dd-octo-sts-action. These policies must be on the default branch before the corresponding workflow changes can use them.
1 parent 25bb679 commit 59dd18b

5 files changed

Lines changed: 55 additions & 0 deletions
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
issuer: https://token.actions.githubusercontent.com
2+
3+
subject: repo:DataDog/dd-trace-java:pull_request
4+
5+
claim_pattern:
6+
event_name: pull_request
7+
job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/check-pull-request-labels\.yaml@refs/(pull/[0-9]+/merge|heads/.+)
8+
9+
permissions:
10+
issues: write
11+
pull_requests: write
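Review bot: the `heads/.+` alternative in `job_workflow_ref` is broader than a `pull_request`-only policy needs. A run for a `pull_request` event executes the workflow file at the pull request's merge ref, so its `job_workflow_ref` ends in `refs/pull/<n>/merge`; the `heads/.+` alternative additionally accepts a copy of this workflow living on any branch of the repository. Because the minted token carries `issues: write` and `pull_requests: write`, suggest either dropping the alternative, `job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/check-pull-request-labels\.yaml@refs/pull/[0-9]+/merge`, or adding a comment naming the trigger that relies on it. The same `job_workflow_ref` shape is used by the other `pull_request` policies in this commit.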
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
issuer: https://token.actions.githubusercontent.com
2+
3+
subject: repo:DataDog/dd-trace-java:pull_request
4+
5+
claim_pattern:
6+
event_name: pull_request
7+
job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/check-pull-requests\.yaml@refs/(pull/[0-9]+/merge|heads/.+)
8+
9+
permissions:
10+
issues: write
11+
pull_requests: write
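Review bot: `event_name: pull_request` under `claim_pattern` is evaluated as a regular expression, like the `job_workflow_ref` pattern beneath it, so please confirm that octo-sts anchors these patterns to the whole claim value. If it only requires a substring match, `pull_request` also matches `pull_request_target`, whose runs have base-repository permissions on pull requests from forks. The exact-match `subject:` line already limits this policy to `pull_request` subjects, so the practical exposure is small, but writing `^pull_request$` documents the intent regardless of the matcher's behaviour.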
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
issuer: https://token.actions.githubusercontent.com
2+
3+
subject: repo:DataDog/dd-trace-java:pull_request
4+
5+
claim_pattern:
6+
event_name: pull_request
7+
job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/comment-on-submodule-update\.yaml@refs/(pull/[0-9]+/merge|heads/.+)
8+
9+
permissions:
10+
issues: write
11+
pull_requests: write
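Review bot: missing documentation of why both `issues: write` and `pull_requests: write` are granted. Judging from the workflow name, this policy backs a job that posts a comment on a pull request; pull request conversation comments are created through the issue-comments API, for which either permission is sufficient, so one of the two can likely be dropped. A short comment at the top of each policy file listing the API calls each permission backs would make these five files easier to audit and keep at least privilege as the workflows change.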
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
issuer: https://token.actions.githubusercontent.com
2+
3+
subject: repo:DataDog/dd-trace-java:pull_request
4+
5+
claim_pattern:
6+
event_name: pull_request
7+
job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/enforce-groovy-migration\.yaml@refs/(pull/[0-9]+/merge|heads/.+)
8+
9+
permissions:
10+
contents: read
11+
issues: write
12+
pull_requests: write
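Review bot: `contents: read` appears only in this policy and the commit message does not say why. If the workflow reads the repository through `actions/checkout` with the default token, the octo-sts token does not need it; if the minted token itself is used to read repository contents (for example through the API), a comment stating that would explain the difference from the three sibling `pull_request` policies, which grant only `issues: write` and `pull_requests: write`.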
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
issuer: https://token.actions.githubusercontent.com
2+
3+
subject_pattern: "repo:DataDog/dd-trace-java:ref:refs/(heads|tags)/.*"
4+
5+
claim_pattern:
6+
event_name: (release|workflow_dispatch)
7+
job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/update-issues-on-release\.yaml@refs/(heads/.*|tags/.*)
8+
9+
permissions:
10+
issues: write
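Review bot: `subject_pattern` accepts `refs/heads/.*` and `event_name` accepts `workflow_dispatch`, so a manual dispatch of this workflow from any branch of the repository mints a token with `issues: write`. For a release workflow, narrowing the branch side to the default branch, for example `subject_pattern: "repo:DataDog/dd-trace-java:ref:refs/(heads/<default-branch>|tags/.*)"` with the matching change in `job_workflow_ref`, keeps releases and dispatches from the default branch working while removing the path through feature branches. Minor: this file uses `.*` where the four other policies use `.+`; picking one form keeps the set consistent.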
