From b75dad8840b5f1b92a10d113474338c5301a3732 Mon Sep 17 00:00:00 2001
From: jack-edmonds-dd
Date: Fri, 3 Apr 2026 11:04:09 -0400
Subject: [PATCH] Use dd-octo-sts and add policies.
---
...elf.github.pre-commit.pull-requests.sts.yaml | 14 ++++++++++++++
.../self.github.release.master.sts.yaml | 14 ++++++++++++++
.github/workflows/approved_status.yml | 9 +++++----
.github/workflows/release.yml | 8 +++++---
.github/workflows/reusable-ci.yml | 12 ------------
.github/workflows/reusable-integration-test.yml | 14 ++++++--------
.github/workflows/reusable-pre-commit.yml | 16 +++++++--------
.github/workflows/reusable-ruby-test.yml | 4 ----
.github/workflows/test.yml | 17 ++++++++---------
9 files changed, 59 insertions(+), 49 deletions(-)
create mode 100644 .github/chainguard/self.github.pre-commit.pull-requests.sts.yaml
create mode 100644 .github/chainguard/self.github.release.master.sts.yaml
diff --git a/.github/chainguard/self.github.pre-commit.pull-requests.sts.yaml b/.github/chainguard/self.github.pre-commit.pull-requests.sts.yaml
new file mode 100644
index 000000000000..e57874df21f0
--- /dev/null
+++ b/.github/chainguard/self.github.pre-commit.pull-requests.sts.yaml
@@ -0,0 +1,14 @@
+# Trust policy for pre-commit fixes on pull requests
+# Allows pushing pre-commit fixes back to PR branches
+# Will be called in reusable-pre-commit.yml
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-ruby:pull_request
+
+claim_pattern:
+ event_name: pull_request
+ job_workflow_ref: DataDog/datadog-api-client-ruby/\.github/workflows/reusable-pre-commit\.yml@refs/pull/[0-9]+/merge
+ ref: refs/pull/[0-9]+/merge
+ repository: DataDog/datadog-api-client-ruby
+
+permissions:
+ contents: write # Required for pushing pre-commit fixes
diff --git a/.github/chainguard/self.github.release.master.sts.yaml b/.github/chainguard/self.github.release.master.sts.yaml
new file mode 100644
index 000000000000..c0bd8a0c8f43
--- /dev/null
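Review bot: The `job_workflow_ref` pattern ends in `@refs/pull/[0-9]+/merge`, so the copy of reusable-pre-commit.yml that is trusted with `contents: write` is the one in the PR's merge commit, not the one on master, and a PR author can therefore change what runs under this grant. As far as I know GitHub mints no `pull_request` OIDC token for fork PRs, which bounds this to people who can already push branches, but the policy header should say so rather than leave it implicit: `# NOTE: matches the workflow at the PR merge ref, so the PR itself controls what runs with this grant; relies on GitHub not issuing pull_request OIDC tokens to fork PRs.` The `ref` and `repository` lines restate what `subject` and `job_workflow_ref` already fix, which is fine as defense in depth but deserves a one-line comment so nobody trims them as redundant.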
+++ b/.github/chainguard/self.github.release.master.sts.yaml
@@ -0,0 +1,14 @@
+# Trust policy for creating releases on master branch
+# Restricted to master branch (protected ref) for security
+# Will be called in release.yml
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-ruby:pull_request
+
+claim_pattern:
+ event_name: pull_request
+ job_workflow_ref: DataDog/datadog-api-client-ruby/\.github/workflows/release\.yml@refs/heads/master
+ repository: DataDog/datadog-api-client-ruby
+ ref: refs/heads/master
+
+permissions:
+ contents: write
diff --git a/.github/workflows/approved_status.yml b/.github/workflows/approved_status.yml
index bab208ebc259..d50dd40b2d26 100644
--- a/.github/workflows/approved_status.yml
+++ b/.github/workflows/approved_status.yml
@@ -22,14 +22,15 @@ jobs:
!contains(github.event.pull_request.labels.*.name, 'ci/skip') &&
!contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/') &&
contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/')
+ permissions:
+ id-token: write
steps:
- name: Get GitHub App token
id: get_token
- uses: actions/create-github-app-token@v1
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
with:
- app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
- repositories: datadog-api-spec
+ scope: DataDog/datadog-api-spec
+ policy: datadog-api-client-ruby.approved_status.post-review-status
- name: Post PR review status check
uses: DataDog/github-actions/post-review-status@v2
with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 351c104fb21f..7fa953c3686a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
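Review bot: `ref: refs/heads/master` and the `@refs/heads/master` suffix on `job_workflow_ref` look inconsistent with `event_name: pull_request` and the `:pull_request` subject: as far as I know a job run on a `pull_request` event (which release.yml's `github.event.pull_request.merged` / `github.head_ref` condition implies) carries `ref` and `job_workflow_ref` claims of the form `refs/pull/N/merge`, so this policy would never match and the token step would fail closed on every release. Verify against the claims of a real token before trusting the header comment `Restricted to master branch (protected ref)`; if the trigger really is `pull_request`, the target branch lives in the `base_ref` claim, so the intent is better expressed as `ref: refs/pull/[0-9]+/merge` plus `base_ref: master`, with the same `refs/pull/[0-9]+/merge` suffix on `job_workflow_ref`. If it is instead meant to run on a push to master, the subject must be `repo:DataDog/datadog-api-client-ruby:ref:refs/heads/master` with `event_name: push`. Either way, `contents: write` on this repository is enough to push to master itself, so this policy should stay bound to release.yml only and never be reused by another workflow.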
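Review bot: The grant behind `policy: datadog-api-client-ruby.approved_status.post-review-status` lives in the `DataDog/datadog-api-spec` repository and is not part of this diff, so what the minted token can do is unreviewable here; please link the companion change so it can be checked for a narrow grant (posting a review status should need `statuses: write` or `checks: write`, not the broad access the removed `repositories: datadog-api-spec` App token implied). Adding a job-level `permissions:` block with only `id-token: write` also sets every other GITHUB_TOKEN permission for this job to none, which is the right default but worth confirming against what `post-review-status@v2` expects. That action, unlike the new SHA-pinned sts action beside it, remains on the mutable `@v2` tag while now consuming a minted token; pinning it to a commit the same way would close that gap.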
@@ -19,13 +19,15 @@ jobs:
name: Create release
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')
+ permissions:
+ id-token: write
steps:
- name: Get GitHub App token
id: get_token
- uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 #v1.11.1
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
with:
- app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
+ scope: DataDog/datadog-api-client-ruby
+ policy: self.github.release.master
- name: Checkout ${{ github.event.pull_request.base.ref }}
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/reusable-ci.yml b/.github/workflows/reusable-ci.yml
index a215ae0bb33e..2dbca76ef766 100644
--- a/.github/workflows/reusable-ci.yml
+++ b/.github/workflows/reusable-ci.yml
@@ -15,10 +15,6 @@ on:
default: ''
secrets:
- PIPELINE_GITHUB_APP_ID:
- required: false
- PIPELINE_GITHUB_APP_PRIVATE_KEY:
- required: false
# Integration test secrets
DD_API_KEY:
required: false
@@ -35,9 +31,6 @@ jobs:
with:
target-branch: ${{ inputs.target-branch }}
enable-commit-changes: false # Don't auto-commit in external CI
- secrets:
- PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
test:
uses: ./.github/workflows/reusable-ruby-test.yml
@@ -45,8 +38,6 @@ jobs:
target-branch: ${{ inputs.target-branch }}
cache-version: ${{ inputs.cache-version }}
secrets:
- PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
DD_API_KEY: ${{ secrets.DD_API_KEY }}
examples:
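Review bot: The job now grants only `id-token: write`, which sets `contents` to none on the default GITHUB_TOKEN, yet the next step checks out `github.event.pull_request.base.ref`; if that checkout uses the default token rather than `steps.get_token.outputs.token` (its `with:` block is outside the hunk), it needs `contents: read`, declared the way the pre-commit and integration-test jobs in this same patch do: `permissions:` / `id-token: write` / `contents: read`. The job's `if:` runs it on a `pull_request` event, while the policy `self.github.release.master` it requests matches `ref: refs/heads/master`; as far as I know a `pull_request` run presents `refs/pull/N/merge` in that claim, so confirm with a real token that the policy can match at all before this replaces the App-secret path. Nothing in the hunk shows the consumer of the token; confirm the dd-octo-sts action exposes an output named `token` like the replaced create-github-app-token action did, otherwise those references silently resolve to an empty string.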
@@ -62,10 +53,7 @@ jobs:
cache-version: ${{ inputs.cache-version }}
has-integration-label: ${{ contains(github.event.pull_request.labels.*.name, 'ci/integrations') }}
secrets:
- PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
DD_API_KEY: ${{ secrets.DD_API_KEY }}
DD_CLIENT_API_KEY: ${{ secrets.DD_CLIENT_API_KEY }}
DD_CLIENT_APP_KEY: ${{ secrets.DD_CLIENT_APP_KEY }}
SLEEP_AFTER_REQUEST: ${{ secrets.SLEEP_AFTER_REQUEST }}
-
diff --git a/.github/workflows/reusable-integration-test.yml b/.github/workflows/reusable-integration-test.yml
index a083199be7b5..8def622fdecf 100644
--- a/.github/workflows/reusable-integration-test.yml
+++ b/.github/workflows/reusable-integration-test.yml
@@ -49,10 +49,6 @@ on:
type: boolean
default: false
secrets:
- PIPELINE_GITHUB_APP_ID:
- required: false
- PIPELINE_GITHUB_APP_PRIVATE_KEY:
- required: false
DD_API_KEY:
required: true
DD_CLIENT_API_KEY:
@@ -86,15 +82,17 @@ jobs:
DD_API_KEY: ${{ secrets.DD_API_KEY }}
DD_HOSTNAME: "none"
DD_INSIDE_CI: "true"
+ permissions:
+ id-token: write
+ contents: read
steps:
- name: Get GitHub App token
if: github.event_name == 'pull_request'
id: get_token
- uses: actions/create-github-app-token@v1
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
with:
- app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
- repositories: ${{ inputs.target-repo || 'datadog-api-spec' }}
+ scope: DataDog/datadog-api-spec
+ policy: datadog-api-client-ruby.reusable-integration-test.post-status
- name: Checkout code
uses: actions/checkout@v3
with:
diff --git a/.github/workflows/reusable-pre-commit.yml b/.github/workflows/reusable-pre-commit.yml
index a8b1c7bb58db..9f82a77f5409 100644
--- a/.github/workflows/reusable-pre-commit.yml
+++ b/.github/workflows/reusable-pre-commit.yml
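Review bot: The token is now minted for a hard-coded `scope: DataDog/datadog-api-spec`, while the removed line scoped it to `${{ inputs.target-repo || 'datadog-api-spec' }}`; unless `target-repo` is removed elsewhere (not in this diff), a caller that sets it gets a token for the wrong repository and the status post fails. Either delete the input or keep it wired, `scope: DataDog/${{ inputs.target-repo || 'datadog-api-spec' }}`, which in turn requires a policy of this name in every target repository. This workflow is also reached through reusable-ci.yml for external CI and the step is gated only on `github.event_name == 'pull_request'`; an external caller's token carries that caller's `repository` and `job_workflow_ref` claims, so either the policy in datadog-api-spec must admit them or the step should also be gated on `github.repository == 'DataDog/datadog-api-client-ruby'`, otherwise the previously optional (`required: false`) secrets path becomes a hard failure. Note also that, as far as I know, a called workflow cannot hold more permissions than its caller job grants, so every caller of this file (the `examples` jobs in test.yml and reusable-ci.yml, both outside this hunk) must itself declare `id-token: write` for the new `permissions:` block to take effect.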
@@ -13,11 +13,6 @@ on:
required: false
type: boolean
default: true
- secrets:
- PIPELINE_GITHUB_APP_ID:
- required: false
- PIPELINE_GITHUB_APP_PRIVATE_KEY:
- required: false
env:
GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
@@ -26,14 +21,17 @@ env:
jobs:
pre-commit:
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
steps:
- name: Get GitHub App token
id: get_token
- if: inputs.enable-commit-changes
- uses: actions/create-github-app-token@v1
+ if: inputs.enable-commit-changes && github.event_name == 'pull_request'
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
with:
- app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
+ scope: DataDog/datadog-api-client-ruby
+ policy: self.github.pre-commit.pull-requests
- uses: actions/checkout@v3
with:
fetch-depth: 0
diff --git a/.github/workflows/reusable-ruby-test.yml b/.github/workflows/reusable-ruby-test.yml
index 176a72420b7a..0e9a0b557035 100644
--- a/.github/workflows/reusable-ruby-test.yml
+++ b/.github/workflows/reusable-ruby-test.yml
@@ -29,10 +29,6 @@ on:
type: string
default: ''
secrets:
- PIPELINE_GITHUB_APP_ID:
- required: false
- PIPELINE_GITHUB_APP_PRIVATE_KEY:
- required: false
DD_API_KEY:
required: false
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 762e1b737419..1d0ed308fac0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -25,12 +25,12 @@ jobs:
!contains(github.event.pull_request.labels.*.name, 'ci/skip') &&
!contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/')) ||
github.event_name == 'schedule'
+ permissions:
+ id-token: write
+ contents: read
uses: ./.github/workflows/reusable-pre-commit.yml
with:
enable-commit-changes: true
- secrets:
- PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
test:
if:
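Review bot: The token step is now skipped unless `github.event_name == 'pull_request'`, but test.yml (in this same patch) calls this workflow with `enable-commit-changes: true` on `schedule` runs as well, and the job's own GITHUB_TOKEN is now `contents: read`; whichever later step pushes the fixes (outside this hunk) will then run with an empty `steps.get_token.outputs.token` and fail on push. Gate that step on the token rather than duplicating the event check, e.g. `if: steps.get_token.outputs.token != ''`, or make the commit step a documented no-op when no token was minted. Also confirm the dd-octo-sts action exposes an output named exactly `token`, since the replaced create-github-app-token action did and none of the consumers are shown here.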
> @@ -45,8 +45,6 @@ jobs:
test-script: './run-tests.sh'
cache-version: ${{ vars.CACHE_VERSION }}
secrets:
- PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
DD_API_KEY: ${{ secrets.DD_API_KEY }}
examples:
@@ -66,15 +64,16 @@ jobs:
needs:
- test
- examples
+ permissions:
+ id-token: write
steps:
- name: Get GitHub App token
if: github.event_name == 'pull_request'
id: get_token
- uses: actions/create-github-app-token@v1
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
with:
- app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
- private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
- repositories: datadog-api-spec
+ scope: DataDog/datadog-api-spec
+ policy: datadog-api-client-ruby.test.post-status
- name: Post status check
uses: DataDog/github-actions/post-status-check@v2
with:
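Review bot: This job adds `permissions: id-token: write` for its own token step, but it `needs` the `examples` job, which calls reusable-integration-test.yml — a callee that, in this same patch, starts requesting `id-token: write` at job level. As far as I know a called workflow cannot hold more permissions than its caller job grants and `id-token` defaults to none, yet the `examples` job (ending the previous hunk unchanged at `examples:`) is not shown receiving the block that `pre-commit` got in the first hunk of this file; without it the callee's token step fails on every `pull_request` run. Add the same block to `examples`, and to the `examples` job in reusable-ci.yml: `permissions:` / `id-token: write` / `contents: read`. As with the other status jobs, `post-status-check@v2` stays on a mutable tag beside the SHA-pinned sts action while now consuming the minted token; pinning it by commit would match the posture this change otherwise sets.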