diff --git a/.github/chainguard/self.github.release.master.sts.yaml b/.github/chainguard/self.github.release.master.sts.yaml
new file mode 100644
index 0000000000..e5ab6884ca
--- /dev/null
+++ b/.github/chainguard/self.github.release.master.sts.yaml
@@ -0,0 +1,14 @@
+# Trust policy for creating releases on master branch
+# Restricted to master branch (protected ref) for security
+# Will be called in release.yml
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-python:pull_request
+
+claim_pattern:
+ event_name: pull_request
+ job_workflow_ref: DataDog/datadog-api-client-python/\.github/workflows/release\.yml@refs/heads/master
+ repository: DataDog/datadog-api-client-python
+ ref: refs/heads/master
+
+permissions:
+ contents: write
diff --git a/.github/workflows/approved_status.yml b/.github/workflows/approved_status.yml
index e8e1836d4a..6e2fe3f1a4 100644
--- a/.github/workflows/approved_status.yml
+++ b/.github/workflows/approved_status.yml
@@ -22,14 +22,15 @@ jobs:
 !contains(github.event.pull_request.labels.*.name, 'ci/skip') &&
 !contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/') &&
 contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/')
+ permissions:
+ id-token: write
 steps:
 - name: Get GitHub App token
 id: get_token
- uses: actions/create-github-app-token@v1
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
 with:
- app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
- repositories: datadog-api-spec
+ scope: DataDog/datadog-api-spec
+ policy: datadog-api-client-python.approved_status.post-review-status
 - name: Post PR review status check
 uses: DataDog/github-actions/post-review-status@v2
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e0aca6d41f..47a7145f2c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
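Review bot: The `ref: refs/heads/master` and `...release\.yml@refs/heads/master` patterns in `claim_pattern` look inconsistent with the `subject`/`event_name` of `pull_request`: as far as I can tell, a `pull_request`-triggered token carries the PR merge ref (`refs/pull/<n>/merge`) in both `ref` and `job_workflow_ref`, with the base branch exposed only through `base_ref`, so this policy would reject the token release.yml presents — please confirm against a real token before relying on it. Loosening the patterns to accept merge refs would not be the fix, because on `pull_request` the workflow file itself comes from the merge commit, so any same-repo branch that edits release.yml (for example dropping the `merged == true` gate) could mint this `contents: write` token; the master pin only means something when the trigger runs the master copy of the workflow (e.g. `pull_request_target`, whose subject would presumably be `repo:DataDog/datadog-api-client-python:ref:refs/heads/master`). Whichever way this is resolved, the header comment should record it, e.g. `# claim_pattern values are regular expressions (escape literal dots); job_workflow_ref pins the workflow copy that may mint this token`.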
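Review bot: The `scope`/`policy` pair on the new `uses:` step points at a trust policy that lives in DataDog/datadog-api-spec rather than in this PR, so a reader of this workflow cannot tell what the minted token may do or which claims gate it; add a comment above `uses:` such as `# token minted from datadog-api-spec/.github/chainguard/<policy>.sts.yaml (path assumed from this PR's naming); grants only <PERMISSIONS - fill in>` and make sure that policy pins `job_workflow_ref` to this workflow the way the new self.github.release.master policy does. The job-level `permissions:` block resets every scope it does not list to none; that looks fine here since the two visible steps only use the STS token, but it is worth re-checking if the job ever gains a checkout or another GITHUB_TOKEN consumer. The enclosing job's `if:` expression starts before the hunk.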
@@ -20,13 +20,15 @@ jobs:
 name: Create release
 runs-on: ubuntu-latest
 if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')
+ permissions:
+ id-token: write
 steps:
 - name: Get GitHub App token
 id: get_token
- uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 #v1.11.1
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
 with:
- app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
+ scope: DataDog/datadog-api-client-python
+ policy: self.github.release.master
 - name: Checkout ${{ github.event.pull_request.base.ref }}
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/reusable-ci.yml b/.github/workflows/reusable-ci.yml
index 41dafadebd..043d5e97a3 100644
--- a/.github/workflows/reusable-ci.yml
+++ b/.github/workflows/reusable-ci.yml
@@ -24,10 +24,6 @@ on:
 type: string
 default: '[{"platform": "macos-latest", "python-version": "3.8"}, {"platform": "ubuntu-latest", "python-version": "3.8"}, {"platform": "ubuntu-22.04", "python-version": "3.12"}]'
 secrets:
- PIPELINE_GITHUB_APP_ID:
- required: false
- PIPELINE_GITHUB_APP_PRIVATE_KEY:
- required: false
 # Integration test secrets
 DD_API_KEY:
 required: false
@@ -44,9 +40,6 @@ jobs:
 with:
 target-branch: ${{ inputs.target-branch }}
 enable-commit-changes: false # Don't auto-commit in external CI
- secrets:
- PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 test:
 uses: ./.github/workflows/reusable-python-test.yml
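Review bot: The job-level `permissions:` block added here lists only `id-token: write`, which sets every other GITHUB_TOKEN scope, including `contents`, to none; the same job checks out the repository two lines later, and the checkout step's `with:` (outside the hunk) is what decides whether it authenticates with GITHUB_TOKEN or with `steps.get_token.outputs.token`. The reusable-integration-test.yml hunk in this same commit adds `contents: read` next to `id-token: write`; do the same here unless checkout and every later step are confirmed to use the STS token, i.e. `permissions:` / `  id-token: write` / `  contents: read`. The policy named by `policy: self.github.release.master` is the new file in this commit, so its claim pattern (keyed on `pull_request` and `refs/heads/master`) has to match how release.yml is actually triggered; the `on:` block and the job's key line are both outside the hunk.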
@@ -55,9 +48,6 @@ jobs:
 python-versions: ${{ inputs.python-versions }}
 platforms: ${{ inputs.platforms }}
 matrix-exclude: ${{ inputs.matrix-exclude }}
- secrets:
- PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 examples:
 uses: ./.github/workflows/reusable-examples.yml
@@ -70,10 +60,7 @@ jobs:
 target-branch: ${{ inputs.target-branch }}
 has-integration-label: ${{ contains(github.event.pull_request.labels.*.name, 'ci/integrations') }}
 secrets:
- PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 DD_API_KEY: ${{ secrets.DD_API_KEY }}
 DD_CLIENT_API_KEY: ${{ secrets.DD_CLIENT_API_KEY }}
 DD_CLIENT_APP_KEY: ${{ secrets.DD_CLIENT_APP_KEY }}
 SLEEP_AFTER_REQUEST: ${{ secrets.SLEEP_AFTER_REQUEST }}
-
diff --git a/.github/workflows/reusable-integration-test.yml b/.github/workflows/reusable-integration-test.yml
index 670fb61a19..365932ce5c 100644
--- a/.github/workflows/reusable-integration-test.yml
+++ b/.github/workflows/reusable-integration-test.yml
@@ -44,10 +44,6 @@ on:
 type: boolean
 default: false
 secrets:
- PIPELINE_GITHUB_APP_ID:
- required: false
- PIPELINE_GITHUB_APP_PRIVATE_KEY:
- required: false
 DD_API_KEY:
 required: true
 DD_CLIENT_API_KEY:
@@ -81,15 +77,17 @@ jobs:
 DD_API_KEY: ${{ secrets.DD_API_KEY }}
 DD_HOSTNAME: "none"
 DD_INSIDE_CI: "true"
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - name: Get GitHub App token
 if: github.event_name == 'pull_request'
 id: get_token
- uses: actions/create-github-app-token@v1
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
 with:
- app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
- repositories: ${{ inputs.target-repo || 'datadog-api-spec' }}
+ scope: DataDog/datadog-api-spec
+ policy: datadog-api-client-python.reusable-integration-test.post-status
 - name: Checkout code
 uses: actions/checkout@v3
 with:
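Review bot: `scope: DataDog/datadog-api-spec` hard-codes the target that the removed line derived from `${{ inputs.target-repo || 'datadog-api-spec' }}`, so if `target-repo` is still declared under this workflow's `inputs:` (outside the hunk) a caller passing it is now silently ignored; either thread it through, `scope: DataDog/${{ inputs.target-repo || 'datadog-api-spec' }}` with a matching trust policy in each target repository, or remove the input and its description. Separately, a called workflow can only narrow the permissions its caller grants, and the reusable-ci.yml hunks in this commit do not add `id-token: write` to the job that calls this workflow; unless the outer workflow or the repository default already grants it, the new job-level `id-token: write` here will be refused at run time, so that caller chain should be checked. The job's key line and its `env:` block start before the hunk.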