
Replace secrets.GITHUB_TOKEN with dd-octo-sts in CI workflows#11347

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits into
masterfrom
lloeki/dd-octo-sts
May 12, 2026

Conversation

@lloeki
Member

@lloeki lloeki commented May 12, 2026

Stacked on #11353 (chainguard policies — merge first).

What Does This Do

Replace all secrets.GITHUB_TOKEN usage across 5 GitHub Actions workflows with OIDC tokens obtained via DataDog/dd-octo-sts-action. Add 5 corresponding Chainguard policy files. The token is passed via the github-token parameter of actions/github-script.

Motivation

The dd-octo-sts token exchange is auditable and governed by Chainguard policy files that explicitly declare which workflow, event, and ref pattern may request which permissions.

Additional Notes

No functional changes. All affected workflows continue to behave identically.

Contributor Checklist

  • Format the title according to the contribution guidelines
  • Assign the type: and (comp: or inst:) labels
  • Avoid using close, fix, or any linking keywords when referencing an issue
  • Update the CODEOWNERS file on source file addition, migration, or deletion
  • Update public documentation with any new configuration flags or behaviors
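
The shape of one migrated workflow and its policy file, as an added illustration of the mechanism the PR describes (the PR's own diff is not shown on this page, and none of this is the repository's real code). The policy schema follows the upstream chainguard-dev/octo-sts format; the `scope`/`identity` inputs and `token` output of DataDog/dd-octo-sts-action are assumed to mirror the upstream action; the repository, workflow, identity and label names are placeholders.

```yaml
# Added example, not the PR's diff. Names below are placeholders.
#
# Before: the job used the automatic installation token, whose permissions
# come from the workflow/repo-level `permissions:` block, with no per-workflow
# policy record of who may ask for what.
#
#   - uses: actions/github-script@v7
#     with:
#       github-token: ${{ secrets.GITHUB_TOKEN }}
#       script: ...
#
# After: .github/workflows/pr-label.yml (placeholder name)
on:
  pull_request:
    types: [opened, synchronize]

permissions:
  id-token: write   # needed for the job to request a GitHub OIDC token
  contents: read

jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: DataDog/dd-octo-sts-action@v1   # version tag is a placeholder
        id: octo-sts
        with:
          scope: example-org/example-repo    # placeholder repo (assumed input name)
          identity: pr-label                 # selects the policy file below (assumed input name)
      - uses: actions/github-script@v7
        with:
          # `github-token` is a real github-script input; the `token` output
          # name is assumed from the upstream octo-sts action.
          github-token: ${{ steps.octo-sts.outputs.token }}
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ['needs-review'],
            })
---
# .github/chainguard/pr-label.sts.yaml (placeholder name, must be on the
# default branch before the workflow above can exchange a token).
# Only a pull_request-triggered run of this one workflow file in this one
# repository may obtain a token, and that token carries only the listed
# permissions.
issuer: https://token.actions.githubusercontent.com
subject_pattern: repo:example-org/example-repo:pull_request
claim_pattern:
  event_name: pull_request
  # regex over the job_workflow_ref claim; PR runs carry refs/pull/N/merge
  job_workflow_ref: example-org/example-repo/\.github/workflows/pr-label\.yml@.*
permissions:
  pull_requests: write
```

The check a practitioner should make after such a migration is the one the PR author made: run each affected workflow on a branch and confirm it still succeeds with the policy-scoped token, then confirm the policy lists nothing the workflow does not actually call (in the placeholder above, labelling a PR needs only `pull_requests: write`). A run that requests a token from a workflow, event or ref not matched by the policy fails at the exchange step, which is the auditable denial the description refers to.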

@lloeki lloeki force-pushed the lloeki/dd-octo-sts branch from 3b9c86f to 56847de Compare May 12, 2026 09:11
lloeki added 2 commits May 12, 2026 16:17
Add 5 policy files under .github/chainguard/ declaring the
issuer, subject, event, and permission constraints for every
workflow that will be migrated from secrets.GITHUB_TOKEN to
DataDog/dd-octo-sts-action.

These policies must be on the default branch before the
corresponding workflow changes can use them.

Migrate all 5 GitHub Actions workflows from
secrets.GITHUB_TOKEN to OIDC tokens minted by
DataDog/dd-octo-sts-action. The token exchange is
auditable and governed by chainguard policy files that
explicitly declare which workflow, event, and ref pattern
may request which permissions.

All affected workflows pass the token to
actions/github-script via the github-token parameter.
@lloeki lloeki force-pushed the lloeki/dd-octo-sts branch from 56847de to e24c687 Compare May 12, 2026 14:17
@lloeki lloeki changed the base branch from master to lloeki/dd-octo-sts-chainguard May 12, 2026 14:26
@lloeki lloeki marked this pull request as ready for review May 12, 2026 15:12
@lloeki lloeki requested a review from a team as a code owner May 12, 2026 15:12
@lloeki lloeki requested review from bric3 and removed request for a team May 12, 2026 15:12
@sarahchen6 sarahchen6 added type: enhancement Enhancements and improvements tag: no release notes Changes to exclude from release notes comp: tooling Build & Tooling labels May 12, 2026
Base automatically changed from lloeki/dd-octo-sts-chainguard to master May 12, 2026 17:03
@sarahchen6
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented May 12, 2026

View all feedbacks in Devflow UI.

2026-05-12 19:18:35 UTC ℹ️ Start processing command /merge


2026-05-12 19:18:44 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.


2026-05-12 19:20:24 UTC ⚠️ MergeQueue: This merge request was unqueued

sarah.chen@datadoghq.com unqueued this merge request

@sarahchen6
Contributor

/merge -c

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented May 12, 2026

View all feedbacks in Devflow UI.

2026-05-12 19:20:18 UTC ℹ️ Start processing command /merge -c

@sarahchen6 sarahchen6 removed type: enhancement Enhancements and improvements tag: no release notes Changes to exclude from release notes comp: tooling Build & Tooling labels May 12, 2026
@dd-octo-sts
Contributor

dd-octo-sts Bot commented May 12, 2026

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@sarahchen6 sarahchen6 added type: enhancement Enhancements and improvements tag: no release notes Changes to exclude from release notes comp: tooling Build & Tooling and removed comp: tooling Build & Tooling labels May 12, 2026
Contributor

@sarahchen6 sarahchen6 left a comment


Confirmed on this branch that the PR check workflows are successful.

@sarahchen6
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented May 12, 2026

View all feedbacks in Devflow UI.

2026-05-12 19:29:15 UTC ℹ️ Start processing command /merge


2026-05-12 19:29:19 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).


2026-05-12 20:49:02 UTC ℹ️ MergeQueue: This merge request was merged

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 2877227 into master May 12, 2026
576 of 584 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the lloeki/dd-octo-sts branch May 12, 2026 20:48
@github-actions github-actions Bot added this to the 1.63.0 milestone May 12, 2026