add sts policy for github automation

cpanato · cpanato · commit c48fd0ab5ed1 · 2025-03-28T08:53:39.000+01:00
diff --git a/.github/chainguard/sync-github.sts.yaml b/.github/chainguard/sync-github.sts.yaml
@@ -0,0 +1,13 @@
+# Copyright 2025 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+issuer: https://token.actions.githubusercontent.com
+subject: repo:chainguard-dev/infra:ref:refs/heads/main
+claim_pattern:
+  job_workflow_ref: chainguard-dev/infra/.github/workflows/.terraform.yaml@.*
+
+permissions:
+  members: write # to add/remove GitHub members
+  metadata: read # to read metadata about the org
+
+repositories: [] # Act over all of the repos in the org.
diff --git a/.github/chainguard/verify-github.sts.yaml b/.github/chainguard/verify-github.sts.yaml
@@ -0,0 +1,13 @@
+# Copyright 2025 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: repo:chainguard-dev/infra:.*
+claim_pattern:
+  job_workflow_ref: chainguard-dev/infra/.github/workflows/.terraform.yaml@.*
+
+permissions:
+  members: write # to add/remove GitHub members
+  metadata: read # to read metadata about the org
+
+repositories: [] # Act over all of the repos in the org.
