Fix jmxfetch workflow (#9306)

* Add write permissions and remove branch creation

* Re-add step to create branch

* Change commit and push logic

* Add PR permissions

* Use dd-octo-sts tokens

* Remove ghcommit entirely

Author: sarahchen6

.github/workflows/update-jmxfetch-submodule.yaml

@@ -8,17 +8,22 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required to create and push branch
+      id-token: write # Required for OIDC token federation
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.update-jmxfetch-submodule.create-pr
+
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
 
       - name: Update Submodule
         run: |
           git submodule update --remote -- dd-java-agent/agent-jmxfetch/integrations-core
-      - name: Download ghcommit CLI
-        run: |
-          curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L
-          chmod +x /usr/local/bin/ghcommit
       - name: Pick a branch name
         id: define-branch
         run: echo "branch=ci/update-jmxfetch-submodule-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
@@ -28,12 +33,21 @@ jobs:
           git push -u origin ${{ steps.define-branch.outputs.branch }} --force
       - name: Commit and push changes
         env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
-          ghcommit --repository ${{ github.repository }} --branch ${{ steps.define-branch.outputs.branch }} --add dd-java-agent/agent-jmxfetch/integrations-core --message "Update agent-jmxfetch submodule"
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          if [[ -z "$(git status -s)" ]]; then
+            echo "No changes to commit, exiting."
+            exit 0;
+          fi
+          git checkout -b ${{ steps.define-branch.outputs.branch }}
+          git add dd-java-agent/agent-jmxfetch/integrations-core
+          git commit -m "Update agent-jmxfetch submodule"
+          git push origin ${{ steps.define-branch.outputs.branch }}
       - name: Create pull request
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
           gh pr create --title "Update agent-jmxfetch submodule" \
             --base master \