From 229671f41cd08de879b8545e22cfa5b0b151380a Mon Sep 17 00:00:00 2001
From: jack-edmonds-dd
Date: Thu, 2 Apr 2026 09:17:23 -0400
Subject: [PATCH] Add dd-octo-sts trust policy for pre-commit workflow

---
 .../self.github.pre-commit.pull-request.sts.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/chainguard/self.github.pre-commit.pull-request.sts.yaml

diff --git a/.github/chainguard/self.github.pre-commit.pull-request.sts.yaml b/.github/chainguard/self.github.pre-commit.pull-request.sts.yaml
new file mode 100644
index 0000000000..996ba40741
--- /dev/null
+++ b/.github/chainguard/self.github.pre-commit.pull-request.sts.yaml
@@ -0,0 +1,15 @@
+# Policy for: .github/workflows/reusable-pre-commit.yml in DataDog/datadog-api-client-python
+# Grants contents:write to push pre-commit fixes back to the PR branch.
+# WARNING: contents:write is granted on pull_request events (non-protected ref).
+# This is intentional to allow automated pre-commit fixes on PRs.
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-python:pull_request
+
+claim_pattern:
+ event_name: pull_request
+ job_workflow_ref: DataDog/datadog-api-client-python/\.github/workflows/reusable-pre-commit\.yml@refs/pull/[0-9]+/merge
+ ref: refs/pull/[0-9]+/merge
+ repository: DataDog/datadog-api-client-python
+
+permissions:
+ contents: write
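Review bot: The `job_workflow_ref` and `ref` patterns pin the trusted workflow to `refs/pull/[0-9]+/merge`, i.e. the PR's own merge commit, so the workflow file that mints this token is whatever the PR contains — an author who edits `reusable-pre-commit.yml` in the same PR controls the job that receives `contents: write`, and that permission covers every unprotected branch in the repository, not only the PR head as the second header comment suggests. The header only warns about the non-protected ref; I would add `# NOTE: the PR merge commit supplies the workflow file, so the PR author controls the job that mints this token; contents:write covers all unprotected branches, not just the PR head.` so the scope of the grant is explicit. Whether this is acceptable hinges on who can run this workflow with `id-token: write` (fork PRs are generally not issued an OIDC token, but that should be confirmed for this repo rather than assumed) and on branch protection rules for release branches. Two cheap tightenings worth considering are a `runner_environment: github-hosted` claim so a self-hosted runner cannot satisfy the policy, and confirming that octo-sts anchors these regexes so `ref: refs/pull/[0-9]+/merge` cannot match a longer ref with that prefix.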