Skip to content

Add dd-octo-sts chainguard policy files#11353

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
masterfrom
lloeki/dd-octo-sts-chainguard
May 12, 2026
Merged

Add dd-octo-sts chainguard policy files#11353
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
masterfrom
lloeki/dd-octo-sts-chainguard

Conversation

@lloeki
Copy link
Copy Markdown
Member

@lloeki lloeki commented May 12, 2026
edited by sarahchen6
Loading

What Does This Do

Add 5 Chainguard policy files under .github/chainguard/ for the upcoming migration of secrets.GITHUB_TOKEN to DataDog/dd-octo-sts-action.

Motivation

These policies must be on the default branch before the corresponding workflow changes can use them. They declare which workflow, event, and ref pattern may request which permissions via the dd-octo-sts OIDC token exchange.

Additional Notes

Policy files only — no workflow changes. Stacked with #11347.

Contributor Checklist

  • Format the title according to the contribution guidelines
  • Assign the type: and (comp: or inst:) labels

@lloeki
Add dd-octo-sts chainguard policy files
59dd18b 
Add 5 policy files under .github/chainguard/ declaring the
issuer, subject, event, and permission constraints for every
workflow that will be migrated from secrets.GITHUB_TOKEN to
DataDog/dd-octo-sts-action.

These policies must be on the default branch before the
corresponding workflow changes can use them.
@lloeki lloeki mentioned this pull request May 12, 2026
Merged
5 tasks
@sarahchen6 sarahchen6 added type: enhancement Enhancements and improvements tag: no release notes Changes to exclude from release notes comp: tooling Build & Tooling labels May 12, 2026
@sarahchen6 sarahchen6 marked this pull request as ready for review May 12, 2026 15:12
@sarahchen6 sarahchen6 requested a review from a team as a code owner May 12, 2026 15:12
@sarahchen6 sarahchen6 requested review from dougqh and removed request for a team May 12, 2026 15:12
@sarahchen6
Copy link
Copy Markdown
Contributor

sarahchen6 commented May 12, 2026

/merge

@gh-worker-devflow-routing-ef8351
Copy link
Copy Markdown

gh-worker-devflow-routing-ef8351 Bot commented May 12, 2026
edited
Loading

View all feedbacks in Devflow UI.

2026-05-12 15:43:21 UTC ℹ️ Start processing command /merge

2026-05-12 15:43:26 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).

2026-05-12 17:03:32 UTC ℹ️ MergeQueue: This merge request was merged

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit dab8a45 into master May 12, 2026
581 of 584 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the lloeki/dd-octo-sts-chainguard branch May 12, 2026 17:03
@github-actions github-actions Bot added this to the 1.63.0 milestone May 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dougqh dougqh dougqh approved these changes

@sarahchen6 sarahchen6 sarahchen6 approved these changes

Assignees

No one assigned

Labels

comp: tooling Build & Tooling tag: no release notes Changes to exclude from release notes type: enhancement Enhancements and improvements

Projects

None yet

Milestone

1.63.0

Development

Successfully merging this pull request may close these issues.

3 participants

@lloeki @sarahchen6 @dougqh