From ddf31f11622aa17a6f37af5c8859d8f3f2ab5d27 Mon Sep 17 00:00:00 2001
From: Alex Vidal
Date: Wed, 16 Jul 2025 10:11:58 -0500
Subject: [PATCH] chore: add trust policy for testing weekly reset job
---
.../chainguard/gitlab.reset-staging.sts.yaml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/chainguard/gitlab.reset-staging.sts.yaml
diff --git a/.github/chainguard/gitlab.reset-staging.sts.yaml b/.github/chainguard/gitlab.reset-staging.sts.yaml
new file mode 100644
index 0000000..52549ac
--- /dev/null
+++ b/.github/chainguard/gitlab.reset-staging.sts.yaml
@@ -0,0 +1,19 @@
+issuer: https://gitlab.ddbuild.io
+
+# Allow this policy for pipelines on the main branch of this repository
+#subject: 'project_path:DataDog/commit-headless:ref_type:branch:ref:main'
+subject: 'project_path:DataDog/commit-headless:ref_type:branch:ref:test-weekly-reset'
+
+claim_pattern:
+ ref_protected: "true"
+ pipeline_source: 'schedule|push' # TODO: verify sources for manually executed jobs
+
+ # Only allow this policy to pipelines defined in the root .gitlab-ci.yml
+ ci_config_ref_uri: 'gitlab\.ddbuild\.io/DataDog/commit-headless//\.gitlab-ci\.ya?ml@.*'
+
+permissions:
+ # For creating the staging-reset commit
+ contents: write
+
+ # For creating, approving, and merging the pull request
+ pull_requests: write
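Review bot: `pipeline_source: 'schedule|push'` lets any push-triggered pipeline on the matched branch obtain a token with `contents: write` and `pull_requests: write`, which is wider than a weekly scheduled reset needs; once the TODO on that line is resolved, narrow it to the sources the job actually runs from, e.g. `pipeline_source: 'schedule'`. If the alternation stays, group it as `'(schedule|push)'`, because a policy engine that anchors patterns by wrapping them in `^…$` would otherwise anchor each alternative on one side only; how this engine compiles `claim_pattern` values is worth confirming against its documentation. The comment above `subject` still describes the main branch while the active value is `ref:test-weekly-reset`, so a line such as `# TEMPORARY: test branch only, restore the main subject after testing` would keep the test binding from outliving the test.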