From 0725324cf36c329697ca86c57ee079c67191c409 Mon Sep 17 00:00:00 2001 From: Loic Nageleisen Date: Tue, 12 May 2026 16:19:28 +0200 Subject: [PATCH] Replace secrets.GITHUB_TOKEN with dd-octo-sts Migrate all 4 GitHub Actions workflows from secrets.GITHUB_TOKEN to OIDC tokens minted by DataDog/dd-octo-sts-action. The token exchange is auditable and governed by chainguard policy files that explicitly declare which workflow, event, and ref pattern may request which permissions. Add a permissions block to add-asset-to-gh-release.yml which previously had none. --- .github/workflows/add-asset-to-gh-release.yml | 16 +++++++++++++--- .github/workflows/auto_add_pr_to_miletone.yml | 12 ++++++++++-- .github/workflows/auto_check_snapshots.yml | 12 ++++++++++-- .github/workflows/auto_label_prs.yml | 15 +++++++++++---- 4 files changed, 44 insertions(+), 11 deletions(-) diff --git a/.github/workflows/add-asset-to-gh-release.yml b/.github/workflows/add-asset-to-gh-release.yml index 1136d0f2768..437abafaa54 100644 --- a/.github/workflows/add-asset-to-gh-release.yml +++ b/.github/workflows/add-asset-to-gh-release.yml @@ -4,16 +4,26 @@ on: workflow_dispatch: inputs: packagesUrl: - description: 'URL for `packages.tar.gz` to add to release' + description: "URL for `packages.tar.gz` to add to release" required: true releaseVersion: - description: 'Version to add the assets to' + description: "Version to add the assets to" required: true jobs: add-assets-to-release: runs-on: ubuntu-8-core-latest + permissions: + contents: write + id-token: write steps: + - name: Get GitHub Token via dd-octo-sts + id: generate-token + uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4 + with: + scope: DataDog/dd-trace-php + policy: self.add-asset-to-gh-release + - run: | curl -L -o packages.tar.gz $PACKAGES_URL tar -xvzf packages.tar.gz 
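Review bot: The new `permissions:` block grants `contents: write` to the built-in GITHUB_TOKEN, yet after this change the release upload is meant to run with the dd-octo-sts token (the next hunk sets `GH_TOKEN: ${{ steps.generate-token.outputs.token }}`), so the write scope on the built-in token looks unused; unless a step between the two hunks still relies on `secrets.GITHUB_TOKEN`, `contents: read` plus `id-token: write` is enough here, matches the other three workflows, and leaves the write grant to the `self.add-asset-to-gh-release` policy. The policy files the description depends on are not part of this patch (the diffstat lists only the four workflows), so the token request fails at runtime if they are not already present on the default branch — worth confirming before merge. A short comment above the block, e.g. `# id-token: write lets the job request an OIDC token for dd-octo-sts; the minted token, not GITHUB_TOKEN, performs the upload`, would record why a job that previously had no permissions block now has one. The `add-assets-to-release` job continues past the end of the hunk.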
@@ -22,4 +32,4 @@ jobs: env: PACKAGES_URL: ${{ inputs.packagesUrl }} RELEASE: ${{ inputs.releaseVersion }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GH_TOKEN: ${{ steps.generate-token.outputs.token }} diff --git a/.github/workflows/auto_add_pr_to_miletone.yml b/.github/workflows/auto_add_pr_to_miletone.yml index 0878d33b5b7..7ab3552782b 100644 --- a/.github/workflows/auto_add_pr_to_miletone.yml +++ b/.github/workflows/auto_add_pr_to_miletone.yml @@ -15,6 +15,7 @@ jobs: contents: read pull-requests: write # need to modify existing PR issues: write # need to potentially create a new milestone + id-token: write steps: - name: Checkout @@ -22,10 +23,17 @@ jobs: - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: - dotnet-version: '7.0.101' + dotnet-version: "7.0.101" + + - name: Get GitHub Token via dd-octo-sts + id: generate-token + uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4 + with: + scope: DataDog/dd-trace-php + policy: self.auto-add-pr-to-milestone - name: "Assign to vNext Milestone" run: ./github-actions-helpers/build.sh AssignPullRequestToMilestone env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" PullRequestNumber: "${{ github.event.pull_request.number }}" diff --git a/.github/workflows/auto_check_snapshots.yml b/.github/workflows/auto_check_snapshots.yml index fec1096e598..40c5a668c2f 100644 --- a/.github/workflows/auto_check_snapshots.yml +++ b/.github/workflows/auto_check_snapshots.yml @@ -9,6 +9,7 @@ jobs: permissions: contents: read pull-requests: write # need to add a comment to a PR + id-token: write steps: - name: Checkout 
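Review bot: `id-token: write` is added while `pull-requests: write` and `issues: write` stay on the built-in GITHUB_TOKEN, but the only step that needed them (`Assign to vNext Milestone`, in the next hunk) now runs with the dd-octo-sts token, so those write scopes on the built-in token appear to be dead privilege; the first hunks of auto_check_snapshots.yml and auto_label_prs.yml keep their `pull-requests: write` / `issues: write` the same way. Unless a step not shown still uses `secrets.GITHUB_TOKEN`, each job-level block can shrink to `contents: read` and `id-token: write`, which is the least-privilege shape the migration is aiming for. The `# need to modify existing PR` and `# need to potentially create a new milestone` comments now describe what the `self.auto-add-pr-to-milestone` policy must grant rather than what this token does, so they should move to the policy or be reworded, e.g. `# write access comes from the dd-octo-sts policy; only OIDC is needed here`. The `permissions:` block begins before the hunk.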
@@ -18,11 +19,18 @@ jobs: - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: - dotnet-version: '7.0.101' + dotnet-version: "7.0.101" + + - name: Get GitHub Token via dd-octo-sts + id: generate-token + uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4 + with: + scope: DataDog/dd-trace-php + policy: self.auto-check-snapshots - name: "Check Snapshots" run: ./github-actions-helpers/build.sh SummaryOfSnapshotChanges env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" PullRequestNumber: "${{ github.event.pull_request.number }}" TargetBranch: "${{ github.base_ref }}" diff --git a/.github/workflows/auto_label_prs.yml b/.github/workflows/auto_label_prs.yml index c5c73386da5..eb295dcb27b 100644 --- a/.github/workflows/auto_label_prs.yml +++ b/.github/workflows/auto_label_prs.yml @@ -1,16 +1,16 @@ name: Label PRs on: -- pull_request + - pull_request jobs: add-labels: - runs-on: ubuntu-24.04 permissions: contents: read issues: write # Update labels on PRs (might not be necessary, but we call the UpdateIssue API so...) pull-requests: write # Update labels on PRs + id-token: write steps: - name: Checkout @@ -18,10 +18,17 @@ jobs: - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: - dotnet-version: '7.0.101' + dotnet-version: "7.0.101" + + - name: Get GitHub Token via dd-octo-sts + id: generate-token + uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4 + with: + scope: DataDog/dd-trace-php + policy: self.auto-label-prs - name: "Add labels" run: ./github-actions-helpers/build.sh AssignLabelsToPullRequest env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" PullRequestNumber: "${{ github.event.pull_request.number }}"
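Review bot: `runs-on: ubuntu-24.04` is removed from the `add-labels` job in the first hunk of auto_label_prs.yml and nothing replaces it in either hunk (the file's 11 insertions and 4 deletions in the diffstat are fully accounted for by the visible changes), so the workflow will be rejected as a job without a runner; restore `runs-on: ubuntu-24.04` under `add-labels:`. Separately, this job keeps `on: - pull_request` and now requires `id-token: write`: to my knowledge pull_request runs from forked repositories are not issued an OIDC token, so for fork PRs the `Get GitHub Token via dd-octo-sts` step in the second hunk fails instead of the later label call failing on a read-only GITHUB_TOKEN; if fork PRs are expected, guard the token and label steps with `if: github.event.pull_request.head.repo.full_name == github.repository` or document the intended behaviour with a comment above the step. The same consideration applies to the milestone and snapshot workflows if their `on:` (not shown) is also `pull_request`.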