diff --git a/.github/chainguard/epoch-bot.sts.yaml b/.github/chainguard/epoch-bot.sts.yaml
new file mode 100644
index 0000000..7361c3a
--- /dev/null
+++ b/.github/chainguard/epoch-bot.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://accounts.google.com
+
+# epoch-bot@prod-enforce-fabc.iam.gserviceaccount.com
+subject: "103350835514269129226"
+
+permissions:
+  contents: read
+  checks: write
+  pull_requests: read
+
+repositories:
+- os