
ci(chainguard): Add dd-octo-sts policy for rshell version bump #49490

Closed
matt-dz wants to merge 2 commits into main from matt-dz/add-rshell-octo-sts-policy

Conversation

matt-dz (Contributor) commented Apr 16, 2026

What does this PR do?

Adds a dd-octo-sts policy allowing the bump_datadog_agent GitLab CI job in DataDog/rshell to mint a short-lived GitHub token scoped to DataDog/datadog-agent and open a PR bumping the pinned rshell version.

Motivation

Today every rshell release requires a hand-crafted PR in this repo to bump the github.com/DataDog/rshell line in go.mod + regenerate go.sum + add a reno note. Companion PR DataDog/rshell#188 adds a GitLab pipeline that automates this on every new rshell tag. This policy is the auth anchor that pipeline needs.

Policy scope

| Claim | Value | Why |
|---|---|---|
| issuer | https://gitlab.ddbuild.io | Accept only internal GitLab OIDC tokens |
| subject_pattern | rshell tag pipelines (v*.*.*) OR pipelines on main | Tags for the auto path; main for manual retries via Run pipeline + BUMP_VERSION |
| claim_pattern.project_path | DataDog/rshell | Belt-and-braces re-assertion |
| permissions | contents: write, pull_requests: write | Push the bump branch and open the draft PR — nothing more |

Mirrors the existing self.buildimages-ci.push-to-datadog-agent.sts.yaml pattern for another external GitLab project acting on this repo.

Upstream defence

Tag creation on DataDog/rshell is already gated by two active GitHub rulesets — a DataDog org-wide Global Tag Protection (public repos) ruleset and a repo-specific tag-protection ruleset — both blocking creation/update/deletion of any tag for non-bypass users, with GPG/SSH signatures required. Only the release.yml workflow (approval-gated release environment) and explicit admins can create v* tags. By the time a tag reaches GitLab via the pull-mirror, it has already been vetted upstream, which is why the policy does not additionally require ref_protected: "true" on the GitLab side.

Describe how you validated your changes

  • Policy file parses as valid YAML.
  • Subject pattern hand-traced against a mock GitLab OIDC JWT for a tag pipeline (project_path:DataDog/rshell:ref_type:tag:ref:v0.0.12) and for a main-branch pipeline (project_path:DataDog/rshell:ref_type:branch:ref:main) — both match.
  • End-to-end validation will happen once this merges: the companion rshell PR is set up to exercise the token mint on the next tag pipeline.

Possible Drawbacks / Trade-offs

Grants token-minting to rshell pipelines. Scope is intentionally minimal (two permissions) and restricted to the rshell project + either semver tags or main. Feature-branch pipelines fail the subject regex.

Additional Notes

Keep as draft until the companion DataDog/rshell#188 is ready to merge — these should land together.
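As an added illustration (not the policy file from this PR, and not code from octo-sts or the datadog-agent repository), the following Python models how a trust policy with the scope described in the table above would evaluate the claims of a GitLab OIDC token. The regex, the policy dictionary and every sample claim set are constructed here from the PR text; the PR's `v*.*.*` is taken to mean a three-component semver tag, and the assumption that `subject_pattern` has to match the whole `sub` claim is modelled with `re.fullmatch`.

```python
import re

# Constructed subject pattern reproducing the described scope:
# semver tag pipelines of DataDog/rshell OR pipelines on its main branch.
# Illustrative only; this is not the text of the real policy file.
SUBJECT_PATTERN = (
    r"project_path:DataDog/rshell:ref_type:"
    r"(?:tag:ref:v\d+\.\d+\.\d+|branch:ref:main)"
)

# Constructed policy mirroring the four rows of the scope table.
POLICY = {
    "issuer": "https://gitlab.ddbuild.io",
    "subject_pattern": SUBJECT_PATTERN,
    "claim_pattern": {"project_path": r"DataDog/rshell"},
    "permissions": {"contents": "write", "pull_requests": "write"},
}


def subject_matches(subject: str, pattern: str = SUBJECT_PATTERN) -> bool:
    """Full-match the token's `sub` claim against the policy pattern.

    Assumption: the pattern is anchored to the whole subject string, so a
    subject such as '...:ref:main-other' or a feature branch cannot match.
    """
    return re.fullmatch(pattern, subject) is not None


def policy_admits(claims: dict, policy: dict = POLICY):
    """Return the permissions to grant if every policy condition holds, else None.

    Order mirrors the table: issuer first, then the subject regex, then the
    extra claim_pattern re-assertion of project_path (belt and braces).
    """
    if claims.get("iss") != policy["issuer"]:
        return None
    if not subject_matches(claims.get("sub", ""), policy["subject_pattern"]):
        return None
    for name, pat in policy["claim_pattern"].items():
        if re.fullmatch(pat, str(claims.get(name, ""))) is None:
            return None
    return dict(policy["permissions"])


# Constructed GitLab-style claim sets: the two hand-traced cases from the PR
# plus the negative cases the PR says must be rejected.
TAG_PIPELINE = {
    "iss": "https://gitlab.ddbuild.io",
    "sub": "project_path:DataDog/rshell:ref_type:tag:ref:v0.0.12",
    "project_path": "DataDog/rshell",
}
MAIN_PIPELINE = {
    "iss": "https://gitlab.ddbuild.io",
    "sub": "project_path:DataDog/rshell:ref_type:branch:ref:main",
    "project_path": "DataDog/rshell",
}
FEATURE_PIPELINE = {
    "iss": "https://gitlab.ddbuild.io",
    "sub": "project_path:DataDog/rshell:ref_type:branch:ref:feature/foo",
    "project_path": "DataDog/rshell",
}
FOREIGN_ISSUER = {
    "iss": "https://gitlab.example.invalid",  # constructed, not a real issuer
    "sub": "project_path:DataDog/rshell:ref_type:tag:ref:v0.0.12",
    "project_path": "DataDog/rshell",
}
OTHER_PROJECT = {
    "iss": "https://gitlab.ddbuild.io",
    "sub": "project_path:DataDog/other-repo:ref_type:tag:ref:v1.2.3",
    "project_path": "DataDog/other-repo",
}


def evaluate_all() -> dict:
    """Evaluate every constructed claim set; values are permissions or None."""
    cases = {
        "tag": TAG_PIPELINE,
        "main": MAIN_PIPELINE,
        "feature": FEATURE_PIPELINE,
        "foreign_issuer": FOREIGN_ISSUER,
        "other_project": OTHER_PROJECT,
    }
    return {name: policy_admits(c) for name, c in cases.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:15s} -> {result}")
```

The useful property to check when hand-tracing a policy like this is that only the two intended subjects yield a permission set and that everything else yields `None`; the `evaluate_all` table makes that visible in one run.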

@github-actions github-actions Bot added the short review PR is simple enough to be reviewed quickly label Apr 16, 2026
@dd-octo-sts dd-octo-sts Bot added internal Identify a non-fork PR team/agent-devx labels Apr 16, 2026
dd-octo-sts Bot commented Apr 16, 2026

Files inventory check summary

File checks results against ancestor 8ef69a70:

Results for datadog-agent_7.79.0~devel.git.827.9591821.pipeline.108143236-1_amd64.deb:

No change detected

@matt-dz matt-dz added qa/no-code-change No code change in Agent code requiring validation changelog/no-changelog No changelog entry needed labels Apr 16, 2026
@matt-dz matt-dz marked this pull request as ready for review April 16, 2026 22:54
@matt-dz matt-dz requested a review from a team as a code owner April 16, 2026 22:54
dd-octo-sts Bot commented May 3, 2026

This pull request has been automatically marked as stale because it has not had activity in the past 15 days.

It will be closed in 30 days if no further activity occurs. If this pull request is still relevant, adding a comment or pushing new commits will keep it open. Also, you can always reopen the pull request if you missed the window.

Thank you for your contributions!

@dd-octo-sts dd-octo-sts Bot added the stale label May 3, 2026
dd-octo-sts Bot commented Jun 2, 2026

This pull request was automatically closed because it has been stale for 15 days with no activity.

If this pull request is still relevant, please reopen it or create a new pull request with updated information.

Thanks!

@dd-octo-sts dd-octo-sts Bot closed this Jun 2, 2026