add octo-sts trust policy for release proposal #6118
Conversation
Overall package sizeSelf size: 9.69 MB Dependency sizes| name | version | self size | total size | |------|---------|-----------|------------| | @datadog/libdatadog | 0.7.0 | 35.02 MB | 35.02 MB | | @datadog/native-appsec | 10.0.1 | 20.3 MB | 20.3 MB | | @datadog/native-iast-taint-tracking | 4.0.0 | 11.72 MB | 11.73 MB | | @datadog/pprof | 5.9.0 | 9.77 MB | 10.14 MB | | @opentelemetry/core | 1.30.1 | 908.66 kB | 7.16 MB | | protobufjs | 7.5.3 | 2.95 MB | 5.6 MB | | @datadog/wasm-js-rewriter | 4.0.1 | 2.85 MB | 3.58 MB | | @datadog/native-metrics | 3.1.1 | 1.02 MB | 1.43 MB | | @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB | | jsonpath-plus | 10.3.0 | 617.18 kB | 1.08 MB | | import-in-the-middle | 1.14.2 | 122.36 kB | 850.93 kB | | lru-cache | 10.4.3 | 804.3 kB | 804.3 kB | | source-map | 0.7.4 | 226 kB | 226 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | pprof-format | 2.1.0 | 111.69 kB | 111.69 kB | | @datadog/sketches-js | 2.1.1 | 109.9 kB | 109.9 kB | | lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB | | ignore | 7.0.5 | 63.38 kB | 63.38 kB | | istanbul-lib-coverage | 3.2.2 | 34.37 kB | 34.37 kB | | rfdc | 1.4.1 | 27.15 kB | 27.15 kB | | @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB | | dc-polyfill | 0.1.9 | 25.11 kB | 25.11 kB | | tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB | | shell-quote | 1.8.3 | 23.74 kB | 23.74 kB | | limiter | 1.1.5 | 23.17 kB | 23.17 kB | | retry | 0.13.1 | 18.85 kB | 18.85 kB | | semifies | 1.0.0 | 15.84 kB | 15.84 kB | | jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB | | crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB | | ttl-set | 1.0.0 | 4.61 kB | 9.69 kB | | mutexify | 1.4.0 | 5.71 kB | 8.74 kB | | path-to-regexp | 0.1.12 | 6.6 kB | 6.6 kB | | koalas | 1.0.2 | 6.47 kB | 6.47 kB | | module-details-from-path | 1.0.4 | 3.96 kB | 3.96 kB |🤖 This report was automatically generated by heaviest-objects-in-the-universe |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #6118 +/- ##
=======================================
Coverage 82.79% 82.79%
=======================================
Files 476 476
Lines 19622 19622
=======================================
Hits 16246 16246
Misses 3376 3376 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
BenchmarksBenchmark execution time: 2025-07-20 22:12:51 Comparing candidate commit c01c6d9 in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 1273 metrics, 50 unstable metrics. |
071c75f to
d839d28
Compare
d839d28 to
c01c6d9
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds an Octo-STS trust policy configuration for release proposals to enhance security by replacing GitHub app authentication with token-based authentication.
- Adds a new STS configuration file that defines trust policies for release proposal workflows
- Configures GitHub Actions token validation with specific subject and claim patterns
- Sets appropriate permissions for release proposal operations
| job_workflow_ref: DataDog/dd-trace-js/.github/workflows/release-proposal.yml@refs/heads/master | ||
|
|
||
| permissions: | ||
| contents: write |
There was a problem hiding this comment.
The 'contents: write' permission allows modification of repository content. Consider if this broad permission is necessary or if more specific permissions could be used to follow the principle of least privilege.
| contents: write | |
| contents: read |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
When looking at the octo-sts docs, it seems like the read permission is enough. Have you verified this?
There was a problem hiding this comment.
The script errors when it doesn't have write access on contents and workflows. I will admit that I can't explain why, as it goes through the git client to make those changes and not through the API. Maybe the git client also uses the token automatically?
| permissions: | ||
| contents: write | ||
| pull_requests: write | ||
| workflows: write |
There was a problem hiding this comment.
The 'workflows: write' permission allows modification of workflow files. This is a powerful permission that should be carefully reviewed to ensure it's required for the release proposal functionality.
| workflows: write |
Copilot uses AI. Check for mistakes.
What does this PR do?
Add Octo-STS trust policy for release proposal.
Motivation
Once this lands, we will be able to use Octo-STS to get a token instead of a GitHub app for release proposals, which is more secure.