use dd-octo-sts policy for rustfmt commits

Author: ekump

.github/workflows/rustfmt-auto.yml

@@ -10,15 +10,22 @@ jobs:
       contains(github.event.pull_request.labels.*.name, 'commit-rustfmt-changes') &&
       !startsWith(github.head_ref, 'mq-working-branch')
     permissions:
+      id-token: write
       contents: write
     steps:
       - name: Checkout sources
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
         with:
           ref: ${{ github.head_ref }}
+      - name: Get GitHub App token
+        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/libdatadog
+          policy: self.write.rustfmt
       - name: Install nightly-2026-02-08 toolchain and rustfmt
         run: rustup install nightly-2026-02-08 && rustup default nightly-2026-02-08 && rustup component add rustfmt
       - name: Run rustfmt and commit changes
         uses: mbrobbel/rustfmt-check@e7ac5685995bd39fb14f6c83fa6f10627e92e680 # master
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.octo-sts.outputs.token }}