Add dd-octo-sts token to cloudfoundry workflow and clean up

sarahchen6 · sarahchen6 · commit 6452fc450aba · 2025-09-22T14:57:54.000-04:00
diff --git a/.github/workflows/add-release-to-cloudfoundry.yaml b/.github/workflows/add-release-to-cloudfoundry.yaml
@@ -6,9 +6,16 @@ on:
 jobs:
   update-releases:
     permissions:
-      contents: write
+      contents: read
+      id-token: write # Required for OIDC token federation
     runs-on: ubuntu-latest
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.add-release-to-cloudfoundry
+
       - name: Checkout "cloudfoundry" branch
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
         with:
@@ -59,6 +66,7 @@ jobs:
         uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0
         if: ${{ steps.create-commit.outputs.commit != '' }}
         with:
+          token: "${{ steps.octo-sts.outputs.token }}"
           branch: cloudfoundry
           command: push
           commits: "${{ steps.create-commit.outputs.commit }}"
diff --git a/.github/workflows/update-gradle-dependencies.yaml b/.github/workflows/update-gradle-dependencies.yaml
@@ -33,19 +33,20 @@ jobs:
           JAVA_11_HOME=$JAVA_HOME_11_X64 \
           JAVA_17_HOME=$JAVA_HOME_17_X64 \
           JAVA_21_HOME=$JAVA_HOME_21_X64 \
+          JAVA_25_HOME=$JAVA_HOME_25_X64 \
           ./gradlew resolveAndLockAll --write-locks --parallel --stacktrace --no-daemon --max-workers=4
       - name: Check for changes
         id: check-changes
         run: |
           if [[ -z "$(git status -s)" ]]; then
             echo "No changes to commit, exiting."
-            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+            echo "commit_changes=false" >> "$GITHUB_OUTPUT"
             exit 0
           else
-            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+            echo "commit_changes=true" >> "$GITHUB_OUTPUT"
           fi
       - name: Commit changes
-        if: steps.check-changes.outputs.has_changes == 'true'
+        if: steps.check-changes.outputs.commit_changes == 'true'
         id: create-commit
         run: |
           git config user.name "github-actions[bot]"
@@ -55,7 +56,7 @@ jobs:
           echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
       - name: Push changes
         uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0
-        if: ${{ steps.check-changes.outputs.has_changes == 'true' && steps.create-commit.outputs.commit != '' }}
+        if: ${{ steps.check-changes.outputs.commit_changes == 'true' && steps.create-commit.outputs.commit != '' }}
         with:
           token: "${{ steps.octo-sts.outputs.token }}"
           branch: "${{ steps.define-branch.outputs.branch }}"
@@ -65,7 +66,7 @@ jobs:
           command: push
           commits: "${{ steps.create-commit.outputs.commit }}"
       - name: Create pull request
-        if: steps.check-changes.outputs.has_changes == 'true'
+        if: steps.check-changes.outputs.commit_changes == 'true'
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
           BRANCH_NAME: ${{ steps.define-branch.outputs.branch }}
