Use dd-octo-sts tokens

sarahchen6 · sarahchen6 · commit 6d3d0421fb83 · 2025-08-04T16:52:26.000-04:00
diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml
@@ -9,9 +9,15 @@ jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write # Required to create and push branch
+      id-token: write # Required for OIDC token federation
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.update-jmxfetch-submodule.create-pr
+
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
 
@@ -31,7 +37,7 @@ jobs:
           git push -u origin ${{ steps.define-branch.outputs.branch }} --force
       - name: Commit and push changes
         env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
@@ -45,7 +51,7 @@ jobs:
           git push origin ${{ steps.define-branch.outputs.branch }}
       - name: Create pull request
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
           gh pr create --title "Update agent-jmxfetch submodule" \
             --base master \
