Use a policy

iunanua · iunanua · commit 5d19cfa80741 · 2025-12-05T11:16:11.000+01:00
diff --git a/.github/chainguard/freeze-branch.sts.yml b/.github/chainguard/freeze-branch.sts.yml
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-rs:ref:refs/heads/igor/versioning/release-dispatch
+
+claim_pattern:
+  event_name: (workflow_dispatch|push)
+  ref: refs/heads/igor/versioning/release-dispatch
+  ref_protected: "true"
+  job_workflow_ref: DataDog/dd-trace-rs/.github/workflows/release-dispatch.yml@refs/heads/igor/versioning/release-dispatch
+
+permissions:
+  admin: write
diff --git a/.github/workflows/release-dispatch.yaml b/.github/workflows/release-dispatch.yaml
@@ -23,16 +23,16 @@ jobs:
     outputs:
       frozen: false
     steps:
-      # - name: Get token
-      #   uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
-      #   id: octo-sts
-      #   with:
-      #     scope: DataDog/dd-trace-rs
-      #     policy: self.dispatch.create-pr
+      - name: Get token
+        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-rs
+          policy: freeze-branch
       - name: Freeze branch
         run: |
-          # gh auth login --with-token ${{ steps.octo-sts.outputs.token }}
-          # gh auth login --with-token ${{ secrets.GITHUB_TOKEN }}
+          echo "${{ steps.octo-sts.outputs.token }}" | gh auth login --with-token
+          # echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
 
           gh api -X GET -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
             /repos/DataDog/dd-trace-rs/branches/${{ env.BRANCH_NAME }}/protection 
@@ -46,9 +46,8 @@ jobs:
             #   -f '{"dismiss_stale_reviews": null, "require_code_owner_reviews": null, "required_approving_review_count": null}' \
             #   -f '{"restrictions": null}' \
           echo "frozen=false" >> $GITHUB_OUTPUT
-        env:
-          # GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        # env:
+        #   GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
           
   # make-release-pr:
   #   permissions:
