Closed #225
nskaggs wants to merge 1 commit into main from DEV-1372-octosts-policy-detector

Conversation

nskaggs (Contributor) commented May 18, 2026

Daily GHA cron that queries BigQuery for OctoSTS identities returning
'no trust policy' errors, diffs against the trust policy files in this
repo, and opens a Linear issue per missing identity. The issue is
labeled for the linear-materializer (chainguard-dev/mono/bots/linear-materializer)
which then opens a draft PR with a stub .sts.yaml using the format
described in .claude/skills/octosts-policy.md.

Modeled on .github/workflows/ghaudit.yaml in this repo.

Requires (separate setup):
- GCP SA octosts-policy-detector@octo-sts.iam.gserviceaccount.com with
  roles/bigquery.dataViewer on the cloudevents_octo_sts_recorder dataset,
  bound to the existing internal-tools WIF pool for this workflow
- LINEAR_CLIENT_ID and LINEAR_CLIENT_SECRET secrets in this repo
  (reusing the materializer's OAuth app)
- chainguard-dev/.github added to the materializer's AllowedRepoOwners
  in chainguard-dev/mono/bots/linear-materializer prod IaC

DEV-1372

Signed-off-by: Nicholas Skaggs <nicholas.skaggs@chainguard.dev>
@nskaggs nskaggs closed this May 18, 2026
@nskaggs nskaggs deleted the DEV-1372-octosts-policy-detector branch May 18, 2026 19:23
@nskaggs nskaggs changed the title feat(octosts): add daily policy detector Closed May 18, 2026
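The diff step the description outlines, as an added example written for this page (not code from the PR, the repo, or octo-sts). It assumes each query row carries `scope`, `identity` and `error` fields, that trust policies sit as `<identity>.sts.yaml` in a single directory, and that the materializer label is named `linear-materializer`; the rows are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample rows, standing in for the BigQuery result set (not real data).
SAMPLE_ROWS = [
    {"scope": "chainguard-dev/.github", "identity": "deploy-bot", "error": "no trust policy"},
    {"scope": "chainguard-dev/.github", "identity": "deploy-bot", "error": "no trust policy"},
    {"scope": "chainguard-dev/.github", "identity": "release-signer", "error": "no trust policy"},
    {"scope": "chainguard-dev/.github", "identity": "ci-reader", "error": "no trust policy"},
    {"scope": "chainguard-dev/.github", "identity": "ci-reader", "error": "policy denied"},
    {"scope": "chainguard-dev/.github", "identity": "../escape", "error": "no trust policy"},
]

# Identity names come from request logs, so they are caller-controlled; accept
# only names that are safe to use as a single file-name component.
SAFE_IDENTITY = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
POLICY_SUFFIX = ".sts.yaml"  # assumed file naming: <identity>.sts.yaml

def existing_policies(policy_dir):
    """Identities that already have a policy file in policy_dir (assumed layout)."""
    return {p.name[: -len(POLICY_SUFFIX)] for p in Path(policy_dir).glob(f"*{POLICY_SUFFIX}")}

def missing_identities(rows, policy_dir):
    """Sorted identities that hit 'no trust policy' but have no policy file in the repo."""
    seen = set()
    for row in rows:
        if row.get("error") != "no trust policy":
            continue  # only the error class the detector looks for
        ident = row.get("identity", "")
        if not SAFE_IDENTITY.match(ident):
            continue  # skip names that could escape policy_dir or break the stub PR
        seen.add(ident)
    return sorted(seen - existing_policies(policy_dir))

def issue_payload(identity, scope):
    """Linear issue for one missing identity (field names and label are assumed)."""
    return {
        "title": f"Add OctoSTS trust policy for {identity}",
        "description": f"OctoSTS returned 'no trust policy' for `{identity}` in `{scope}`; add `{identity}{POLICY_SUFFIX}`.",
        "labels": ["linear-materializer"],  # label name assumed, not taken from the PR
    }

def run_demo():
    """Seed a temporary policy dir with one existing policy and run the diff."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / f"deploy-bot{POLICY_SUFFIX}").write_text("issuer: https://token.actions.githubusercontent.com\n")
        return missing_identities(SAMPLE_ROWS, d)
```

`run_demo()` returns `['ci-reader', 'release-signer']`: the existing `deploy-bot` policy, the duplicate row, the unrelated error and the unsafe name are all filtered out before any issue is opened.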