add octo-sts (#149)

Author: pavelzw

.github/chainguard/write.sts.yaml

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/octo-sts/app/refs/heads/main/pkg/octosts/octosts.TrustPolicy.json
+issuer: https://token.actions.githubusercontent.com
+subject: repo:prefix-dev/pixi-docker:ref:refs/heads/main
+
+permissions:
+  contents: write
+  pull_requests: write

.github/workflows/bump.yml

@@ -10,8 +10,8 @@ jobs:
     name: Reference latest Pixi version in README
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      pull-requests: write
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -26,11 +26,17 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
+        id: octo-sts
+        with:
+          scope: ${{ github.repository }}
+          identity: write
+
       - name: Create pull request
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         if: github.ref_name == 'main'
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.octo-sts.outputs.token }}
           commit-message: Bump pixi version to ${{ steps.bump.outputs.latest-version }}
           title: Bump pixi version to ${{ steps.bump.outputs.latest-version }}
           labels: enhancement