From 51a8e1b1e5eae2d27400681a778c8571b61c6a3d Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Mon, 4 Aug 2025 16:18:11 -0400
Subject: [PATCH 1/6] Add write permissions and remove branch creation
---
 .github/workflows/update-jmxfetch-submodule.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml
index 9cd38cf906c..7b06ed8cc4c 100644
--- a/.github/workflows/update-jmxfetch-submodule.yaml
+++ b/.github/workflows/update-jmxfetch-submodule.yaml
@@ -8,6 +8,8 @@ on:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
@@ -22,10 +24,6 @@ jobs:
 - name: Pick a branch name
 id: define-branch
 run: echo "branch=ci/update-jmxfetch-submodule-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
- - name: Create branch
- run: |
- git checkout -b ${{ steps.define-branch.outputs.branch }}
- git push -u origin ${{ steps.define-branch.outputs.branch }} --force
 - name: Commit and push changes
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
From 18e47a88c309c797792996900dc3b9ee03428f35 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Mon, 4 Aug 2025 16:26:29 -0400
Subject: [PATCH 2/6] Re-add step to create branch
---
 .github/workflows/update-jmxfetch-submodule.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml
index 7b06ed8cc4c..a57528fa779 100644
--- a/.github/workflows/update-jmxfetch-submodule.yaml
+++ b/.github/workflows/update-jmxfetch-submodule.yaml
@@ -24,6 +24,10 @@ jobs:
 - name: Pick a branch name
 id: define-branch
 run: echo "branch=ci/update-jmxfetch-submodule-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+ - name: Create branch
+ run: |
+ git checkout -b ${{ steps.define-branch.outputs.branch }}
+ git push -u origin ${{ steps.define-branch.outputs.branch }} --force
 - name: Commit and push changes
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
From c863aacb30e17af22c4c2eeb35a7a6f00ac83055 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Mon, 4 Aug 2025 16:39:37 -0400
Subject: [PATCH 3/6] Change commit and push logic
---
 .github/workflows/update-jmxfetch-submodule.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml
index a57528fa779..5330fbbe76c 100644
--- a/.github/workflows/update-jmxfetch-submodule.yaml
+++ b/.github/workflows/update-jmxfetch-submodule.yaml
@@ -32,7 +32,16 @@ jobs:
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 run: |
- ghcommit --repository ${{ github.repository }} --branch ${{ steps.define-branch.outputs.branch }} --add dd-java-agent/agent-jmxfetch/integrations-core --message "Update agent-jmxfetch submodule"
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ if [[ -z "$(git status -s)" ]]; then
+ echo "No changes to commit, exiting."
+ exit 0;
+ fi
+ git checkout -b ${{ steps.define-branch.outputs.branch }}
+ git add dd-java-agent/agent-jmxfetch/integrations-core
+ git commit -m "Update agent-jmxfetch submodule"
+ git push origin ${{ steps.define-branch.outputs.branch }}
 - name: Create pull request
 env:
 GH_TOKEN: ${{ github.token }}
From 938b2b7851b257282af0808fba0c04971648a556 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Mon, 4 Aug 2025 16:42:39 -0400
Subject: [PATCH 4/6] Add PR permissions
---
 .github/workflows/update-jmxfetch-submodule.yaml | 1 +
 1 file changed, 1 insertion(+)
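Review bot: The `--force` on the re-added `git push -u origin ${{ steps.define-branch.outputs.branch }} --force` is not needed to publish a fresh branch and will silently overwrite whatever an earlier run the same day already pushed to `ci/update-jmxfetch-submodule-<date>`, since the name only varies by day. If resetting a stale same-day branch is intended, record that next to the line (`# overwrite any branch left by an earlier run today`); otherwise drop `--force` so a collision surfaces as a push failure instead of a lost commit. The branch is also pushed here before anything has been committed, so the later Commit and push step pushes it a second time.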
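Review bot: The new `git checkout -b ${{ steps.define-branch.outputs.branch }}` in the Commit and push step will fail with "a branch named … already exists" whenever there are changes to commit, because the Create branch step re-added in the previous patch has already run `git checkout -b` on the same name, and `run:` blocks default to `bash -e` so the failure aborts the step (unless a `shell:` override outside this hunk changes that). Since the branch is already checked out at that point, the line can simply be removed, or the Create branch step dropped and this line kept. Separately, the `${{ }}` expressions are expanded into the script text; the value is date-derived here so this is a style point rather than an injection risk, but the conventional pattern is to pass it through `env:` (`BRANCH: ${{ steps.define-branch.outputs.branch }}`) and reference `"$BRANCH"`. The step's `- name:` header sits just outside the hunk.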
diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml
index 5330fbbe76c..80591de15db 100644
--- a/.github/workflows/update-jmxfetch-submodule.yaml
+++ b/.github/workflows/update-jmxfetch-submodule.yaml
@@ -10,6 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
+ pull-requests: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
From 6d3d0421fb8354e8016c0273c39bfd5f2d1093f0 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Mon, 4 Aug 2025 16:52:26 -0400
Subject: [PATCH 5/6] Use dd-octo-sts tokens
---
 .github/workflows/update-jmxfetch-submodule.yaml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml
index 80591de15db..f7950c9b111 100644
--- a/.github/workflows/update-jmxfetch-submodule.yaml
+++ b/.github/workflows/update-jmxfetch-submodule.yaml
@@ -9,9 +9,15 @@ jobs:
 build:
 runs-on: ubuntu-latest
 permissions:
- contents: write
- pull-requests: write
+ contents: write # Required to create and push branch
+ id-token: write # Required for OIDC token federation
 steps:
+ - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+ id: octo-sts
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.update-jmxfetch-submodule.create-pr
+
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
@@ -31,7 +37,7 @@ jobs:
 git push -u origin ${{ steps.define-branch.outputs.branch }} --force
 - name: Commit and push changes
 env:
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
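Review bot: Keeping `contents: write` with the comment `# Required to create and push branch` suggests the branch pushes still run under the job's GITHUB_TOKEN rather than the federated token: git itself never reads a `GITHUB_TOKEN` environment variable, so the `GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}` change in this patch's second hunk has no effect on `git push`, which authenticates with whatever actions/checkout persisted (its default token) unless the checkout step is configured otherwise. If the octo-sts token is meant to own the pushes, hand it to the checkout step (`with: token: ${{ steps.octo-sts.outputs.token }}`) or set `persist-credentials: false` and supply the credential explicitly, after which `contents: write` on the job token can likely become `contents: read`. The `GH_TOKEN` change in the third hunk is honored by `gh`, so only the git path is affected. The checkout step's `with:` block, if one exists, is outside this hunk, so the persisted-credential behaviour is inferred.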
@@ -45,7 +51,7 @@ jobs:
 git push origin ${{ steps.define-branch.outputs.branch }}
 - name: Create pull request
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
 run: |
 gh pr create --title "Update agent-jmxfetch submodule" \
 --base master \
From aa98b0ed9d41dca6ab095addd3581dbc5567933a Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Mon, 4 Aug 2025 16:59:04 -0400
Subject: [PATCH 6/6] Remove ghcommit entirely
---
 .github/workflows/update-jmxfetch-submodule.yaml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml
index f7950c9b111..8cfe9ae1041 100644
--- a/.github/workflows/update-jmxfetch-submodule.yaml
+++ b/.github/workflows/update-jmxfetch-submodule.yaml
@@ -24,10 +24,6 @@ jobs:
 - name: Update Submodule
 run: |
 git submodule update --remote -- dd-java-agent/agent-jmxfetch/integrations-core
- - name: Download ghcommit CLI
- run: |
- curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L
- chmod +x /usr/local/bin/ghcommit
 - name: Pick a branch name
 id: define-branch
 run: echo "branch=ci/update-jmxfetch-submodule-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT