ci(chainguard): Add dd-octo-sts policy for slapr workflow#47838
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 042d1b9e63
```yaml
claim_pattern:
  event_name: (pull_request|pull_request_review)
  ref: refs/(pull/\d+/merge|heads/main)
  job_workflow_ref: DataDog/datadog-agent/\.github/workflows/slapr\.yml@refs/(pull/\d+/merge|heads/main)
```
Point policy to an existing workflow file
The job_workflow_ref claim is pinned to .github/workflows/slapr.yml, but this repository tree at ea79d7c4701cd4aa266eef005459d348358f120e does not contain that workflow file under .github/workflows/. Because dd-octo-sts only mints tokens when all claim patterns match, this policy is currently unreachable and will not grant the intended members:read token to any existing workflow run; either reference the actual workflow filename or include the workflow in the same change.
Files inventory check summary
File checks results against ancestor 2c465803:
Results for datadog-agent_7.78.0~devel.git.590.042d1b9.pipeline.102518638-1_amd64.deb: No change detected
What does this PR do?
Adds a new dd-octo-sts trust policy at `.github/chainguard/self.slapr.read-members.sts.yaml` to grant the `slapr.yml` workflow short-lived GitHub tokens with `contents:read`, `pull_requests:read`, and `members:read` permissions.
Motivation
The slapr workflow needs to read organization members to function properly. This policy allows it to obtain scoped tokens via dd-octo-sts instead of relying on broader credentials.
Describe how you validated your changes
Policy file follows the established dd-octo-sts pattern used by other policies in `.github/chainguard/`. The claim patterns match `pull_request` and `pull_request_review` events on PR merge refs and `main`.
Additional Notes
The policy scopes to:
- `repo:DataDog/datadog-agent:pull_request`
- `pull_request` and `pull_request_review`
- `main`
- `slapr.yml` only
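To make the matching rule concrete (a token is minted only when every `claim_pattern` entry matches the corresponding claim of the workflow's OIDC token), here is an added example that evaluates the three claim patterns from this PR against constructed sample claims. It is not part of the PR or of dd-octo-sts; the sample claim sets, the helper names and the assumption that each pattern is anchored to the whole claim value (as opposed to a prefix match) are mine. The last case shows why the anchoring matters: a lookalike branch ref passes a prefix match but not a full match.

```python
import re

# Claim patterns copied from the policy in this PR.
CLAIM_PATTERNS = {
    "event_name": r"(pull_request|pull_request_review)",
    "ref": r"refs/(pull/\d+/merge|heads/main)",
    "job_workflow_ref": r"DataDog/datadog-agent/\.github/workflows/slapr\.yml@refs/(pull/\d+/merge|heads/main)",
}


def claims_match(claims: dict, patterns: dict = CLAIM_PATTERNS) -> tuple[bool, list[str]]:
    """Return (matched, failed_claims).

    Every pattern must match the whole claim value (assumption: the policy
    engine anchors patterns, so re.fullmatch is used). A missing claim counts
    as a failure, since an absent value cannot satisfy a pattern.
    """
    failures = [
        claim
        for claim, pattern in patterns.items()
        if claims.get(claim) is None or re.fullmatch(pattern, claims[claim]) is None
    ]
    return (not failures, failures)


def unanchored_match(claims: dict, patterns: dict = CLAIM_PATTERNS) -> tuple[bool, list[str]]:
    """Same check with a prefix match (re.match) instead of a full match.

    Included only to show the weaker semantics a policy author must NOT
    assume: it accepts values that merely start with the pattern.
    """
    failures = [
        claim
        for claim, pattern in patterns.items()
        if claims.get(claim) is None or re.match(pattern, claims[claim]) is None
    ]
    return (not failures, failures)


# Constructed sample claim sets (not real tokens).
PR_RUN_OF_SLAPR = {  # the intended caller: slapr.yml on a PR merge ref
    "event_name": "pull_request",
    "ref": "refs/pull/47838/merge",
    "job_workflow_ref": "DataDog/datadog-agent/.github/workflows/slapr.yml@refs/pull/47838/merge",
}
OTHER_WORKFLOW = {  # same event and ref, but a different workflow file (placeholder name)
    "event_name": "pull_request",
    "ref": "refs/pull/47838/merge",
    "job_workflow_ref": "DataDog/datadog-agent/.github/workflows/some-other.yml@refs/pull/47838/merge",
}
FEATURE_BRANCH_PUSH = {  # push to a feature branch: nothing lines up
    "event_name": "push",
    "ref": "refs/heads/feature",
    "job_workflow_ref": "DataDog/datadog-agent/.github/workflows/slapr.yml@refs/heads/feature",
}
LOOKALIKE_REF = {  # branch name that merely starts with "main"
    "event_name": "pull_request_review",
    "ref": "refs/heads/main-backup",
    "job_workflow_ref": "DataDog/datadog-agent/.github/workflows/slapr.yml@refs/heads/main-backup",
}


if __name__ == "__main__":
    for name, claims in [
        ("slapr.yml on PR merge ref", PR_RUN_OF_SLAPR),
        ("other workflow", OTHER_WORKFLOW),
        ("feature branch push", FEATURE_BRANCH_PUSH),
        ("lookalike ref, full match", LOOKALIKE_REF),
    ]:
        ok, failed = claims_match(claims)
        print(f"{name}: {'token minted' if ok else 'denied'} {failed}")
    ok, _ = unanchored_match(LOOKALIKE_REF)
    print(f"lookalike ref, prefix match: {'token minted' if ok else 'denied'}")
```

The only claim set that passes is the `slapr.yml` run on a PR merge ref; the other cases report which claims failed, which is the information a reviewer wants when a policy appears unreachable (as the Codex comment above flags for the `job_workflow_ref` filename).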