diff --git a/.github/chainguard/self.prepare-release.create-pr.sts.yaml b/.github/chainguard/self.prepare-release.create-pr.sts.yaml
new file mode 100644
index 00000000..aa5455ad
--- /dev/null
+++ b/.github/chainguard/self.prepare-release.create-pr.sts.yaml
@@ -0,0 +1,13 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/datadog-sync-cli:ref:refs/heads/main
+
+claim_pattern:
+ event_name: workflow_dispatch
+ ref: refs/heads/main
+ ref_protected: "true"
+ job_workflow_ref: DataDog/datadog-sync-cli/.github/workflows/prepare_release.yml@refs/heads/main
+
+permissions:
+ contents: write
+ pull_requests: write
\ No newline at end of file
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index 63529653..ce2d2c20 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
@@ -1,9 +1,5 @@
 name: Prepare release
 
-permissions:
- contents: write
- pull-requests: write
-
 env:
 GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
 GIT_AUTHOR_NAME: "ci.datadog-sync-cli"
@@ -18,7 +14,16 @@ jobs:
 prepare_release:
 name: Create release PR
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
+ - name: Get access token
+ uses: DataDog/dd-octo-sts-action@08f2144903ced3254a3dafec2592563409ba2aa0 # v1.0.1
+ id: octo-sts
+ with:
+ scope: DataDog/datadog-sync-cli
+ policy: self.prepare-release.create-pr
+
 - name: Checkout code
 uses: actions/checkout@v3
 with:
@@ -47,7 +52,7 @@ jobs:
 env:
 RELEASE_VERSION: ${{ steps.get_version.outputs.version }}
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.octo-sts.outputs.token }}
 script: |
 const { data: notes } = await github.rest.repos.generateReleaseNotes({
 owner: context.repo.owner,
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c604d1cd..8cbdf0a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
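Review bot: The new trust policy grants `contents: write` and `pull_requests: write` with no comment explaining why a release-PR job needs write on contents, and the file is missing its trailing newline (`\ No newline at end of file`). If octo-sts treats `claim_pattern` values as anchored regular expressions, as its documentation describes, the unescaped dots in `job_workflow_ref` make the match slightly looser than the literal path — harmless inside one repository, but `prepare_release\.yml` states the intent exactly. I would add a header comment along the lines of `# Minted only for workflow_dispatch runs of prepare_release.yml on protected main; contents:write pushes the release branch, pull_requests:write opens the PR` — the branch-push reason is my inference from the workflow's GIT_AUTHOR_* settings and should be confirmed. It is also worth confirming that `pull_requests` (underscore) is the installation-permission spelling octo-sts expects, since the workflow file spells the same scope `pull-requests`.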
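Review bot: With the top-level `permissions` removed and the job granting only `id-token: write`, `GITHUB_TOKEN` no longer carries `contents: write`, so any later `git push` of the release branch (the `GIT_AUTHOR_*` env suggests commits are made) would fail unless the checkout is told to use the minted token. The `actions/checkout@v3` step's `with:` block begins in this hunk but its contents lie outside it; if it does not already pass a token, add `token: ${{ steps.octo-sts.outputs.token }}` there, since the checkout itself may still succeed for a public repository but the push would not. The new `dd-octo-sts-action` step is SHA-pinned while the neighbouring `actions/checkout@v3` is tag-pinned; pinning both the same way keeps the supply-chain posture of this job consistent. A one-line comment on the new step, `# short-lived GitHub App token scoped by .github/chainguard/self.prepare-release.create-pr.sts.yaml`, would point readers at the policy that bounds what this token can do.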
@@ -1,8 +1,7 @@
 name: Release
 
-permissions:
+permissions:
 contents: write
- pull-requests: write
 
 on:
 pull_request:
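Review bot: `contents: write` remains granted at workflow level, so every job in release.yml receives it on `pull_request` events rather than only the job that publishes the release; the jobs themselves are outside this hunk, so I cannot tell which one needs it. Moving it into a job-level `permissions:` block, as this commit already does for prepare_release.yml, keeps the blast radius of a compromised step or third-party action smaller. The `-permissions:` / `+permissions:` pair reads as a whitespace-only change and needs no action.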