Merge pull request #26 from DataDog/christoph.hamsen/avoid-github-token-for-pr-creation

Avoid using GITHUB_TOKEN for PR creation

Author: christophetd

.github/chainguard/self.release.create-pr.sts.yaml

@@ -0,0 +1,13 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject_pattern: repo:DataDog/managed-kubernetes-auditing-toolkit:ref:refs/tags/v.*
+
+claim_pattern:
+  event_name: push
+  ref: refs/tags/v.*
+  job_workflow_ref: DataDog/managed-kubernetes-auditing-toolkit/\.github/workflows/release\.yml@refs/tags/v.*
+
+permissions:
+  contents: write
+  pull_requests: write
+

.github/workflows/release.yml

@@ -5,13 +5,11 @@ on:
     tags:
       - "v*"
 
-permissions:
-  contents: write
-  pull-requests: write
-  
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Needed to federate tokens for dd-octo-sts
     steps:
       - name: Checkout
         uses: actions/[email protected]
@@ -21,6 +19,11 @@ jobs:
         uses: actions/[email protected]
         with:
           go-version: 1.19
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/managed-kubernetes-auditing-toolkit
+          policy: self.release.create-pr
       - name: Run GoReleaser
         timeout-minutes: 60
         uses: goreleaser/[email protected]
@@ -29,4 +32,4 @@ jobs:
           version: latest
           args: release --clean --config .goreleaser.yaml
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}