From 07c92012a0fd48ee0efcdfa046250d7d9f3d905a Mon Sep 17 00:00:00 2001
From: Christoph Hamsen <37963496+xopham@users.noreply.github.com>
Date: Fri, 1 Aug 2025 14:48:33 +0200
Subject: [PATCH] Avoid GITHUB_TOKEN for PR approval
---
 .../self.approve-trivial.approve-pr.sts.yaml | 14 ++++++++++++++
 .github/workflows/approve-trivial.yml | 13 ++++++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 .github/chainguard/self.approve-trivial.approve-pr.sts.yaml
diff --git a/.github/chainguard/self.approve-trivial.approve-pr.sts.yaml b/.github/chainguard/self.approve-trivial.approve-pr.sts.yaml
new file mode 100644
index 000000000..eb52fc892
--- /dev/null
+++ b/.github/chainguard/self.approve-trivial.approve-pr.sts.yaml
@@ -0,0 +1,14 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/java-profiler:pull_request
+
+claim_pattern:
+  event_name: pull_request_target
+  ref: refs/heads/main
+  ref_protected: "true"
+  job_workflow_ref: DataDog/java-profiler/\.github/workflows/approve-trivial\.yml@refs/heads/main
+
+permissions:
+  contents: read
+  pull_requests: write
+
diff --git a/.github/workflows/approve-trivial.yml b/.github/workflows/approve-trivial.yml
index 83e9cdef9..1968a1ddc 100644
--- a/.github/workflows/approve-trivial.yml
+++ b/.github/workflows/approve-trivial.yml
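Review bot: The policy's `subject` is `repo:DataDog/java-profiler:pull_request` while `claim_pattern.event_name` requires `pull_request_target`; as far as I can tell a `pull_request_target` run carries the branch-form `sub` claim (`repo:DataDog/java-profiler:ref:refs/heads/main`), so the two constraints may never be satisfied together and the policy would fail closed — worth confirming against a real token from this workflow before merging. The pattern pins which workflow may mint the token but not who triggered it; since the job fires whenever a collaborator applies the `trivial` or `no-review` label, consider also constraining the `actor` claim to the accounts that are meant to drive auto-approval. Minor: the file ends with an extra blank line (the final `+` line of the hunk), which yamllint will flag.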
@@ -4,16 +4,19 @@ on:
   pull_request_target:
     types: [labeled]
 
-permissions:
-  pull-requests: write
-  contents: read
-
 jobs:
   auto-approve:
     if: contains(github.event.pull_request.labels.*.name, 'trivial') || contains(github.event.pull_request.labels.*.name, 'no-review')
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Needed to federate tokens
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/java-profiler
+          policy: self.approve-trivial.approve-pr
       - name: Auto-approve PR
         uses: hmarr/auto-approve-action@v4
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ steps.octo-sts.outputs.token }}
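Review bot: `hmarr/auto-approve-action@v4` is still referenced by a mutable tag even though it now receives the federated token with `pull_requests: write`; the new `dd-octo-sts-action` step is pinned to a full commit SHA with a version comment, and the approver step should follow the same convention, e.g. `uses: hmarr/auto-approve-action@<commit-sha> # v4` with the SHA resolved from the v4 tag. Replacing the workflow-level `permissions` block with a job-level `id-token: write` also drops `contents: read` from GITHUB_TOKEN; that is fine for the steps shown, since nothing checks out the repository, but a comment such as `# GITHUB_TOKEN only mints the OIDC token; the approval uses the octo-sts token` next to the `permissions:` key would make the intent clear to the next maintainer. The `on:` block begins above the hunk.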