# dd-octo-sts-action

**Repository Path**: mirrors_DataDog/dd-octo-sts-action

## Basic Information

- **Project Name**: dd-octo-sts-action
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2025-05-30
- **Last Updated**: 2025-09-27

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# `dd-octo-sts-action`

This action federates the GitHub Actions identity token for a GitHub App token according to the Trust Policy in the target organization or repository.

## Usage

Consider the following workflow in `my-org/my-repo`:

```yaml
permissions:
  id-token: write # Needed to federate tokens.

steps:
- uses: DataDog/dd-octo-sts-action@main
  id: octo-sts
  with:
    scope: your-org/your-repo # the target repository
    policy: foo # policy filename excluding `.sts.yaml`

- env:
    GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
  run: |
    gh repo list
```

The above will load a "trust policy" from `.github/chainguard/foo.sts.yaml` in the repository `your-org/your-repo`. Suppose it contains the following; workflows in `my-org/my-repo` will then receive a token with the specified permissions on `my-org/my-repo`.

```yaml
issuer: https://token.actions.githubusercontent.com
subject: repo:my-org/my-repo:ref:refs/heads/main

permissions:
  contents: read
  issues: write
```

See the [Use Action](./.github/workflows/use-action.yaml) workflow for a working example that opens an issue in this repository.

Org-wide permissions are accessible by providing only the GitHub organization name as the scope and referencing a policy in the `your-org/.github` repo under `.github/chainguard/`.
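The policy lookup and matching described above can be modelled in a few lines, which is useful when reviewing who a trust policy actually admits. This is an added example, not code from the action or the token service. The function names, the bare-name check on `policy`, and exact string comparison of issuer and subject are assumptions, the claims are constructed, and the identity token's signature is assumed to have been verified already.

```python
# Added illustration: a simplified model of trust-policy lookup and matching.
# Hypothetical helper names; exact-match semantics are an assumption.

def policy_location(scope: str, policy: str) -> tuple[str, str]:
    """Return (repository, path) that holds the trust policy for a scope."""
    owner, _, repo = scope.partition("/")
    if not owner:
        raise ValueError("scope must be 'org' or 'org/repo'")
    if "/" in policy or policy.startswith("."):
        raise ValueError("policy must be a bare name without path parts")
    # Org-wide scope: the policy lives in the organization's `.github` repo.
    target = f"{owner}/{repo}" if repo else f"{owner}/.github"
    return target, f".github/chainguard/{policy}.sts.yaml"


def evaluate(policy: dict, claims: dict) -> dict:
    """Return the granted permissions, or {} when the token does not match."""
    if claims.get("iss") != policy["issuer"]:
        return {}
    if claims.get("sub") != policy["subject"]:
        return {}
    return dict(policy["permissions"])


# The trust policy shown in the README, written as a dict.
POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:my-org/my-repo:ref:refs/heads/main",
    "permissions": {"contents": "read", "issues": "write"},
}

# Constructed identity-token claims for three workflow runs.
ISS = "https://token.actions.githubusercontent.com"
MAIN = {"iss": ISS, "sub": "repo:my-org/my-repo:ref:refs/heads/main"}
FEATURE = {"iss": ISS, "sub": "repo:my-org/my-repo:ref:refs/heads/feature"}
OTHER = {"iss": ISS, "sub": "repo:other-org/my-repo:ref:refs/heads/main"}

if __name__ == "__main__":
    print(policy_location("your-org/your-repo", "foo"))
    print(policy_location("your-org", "foo"))
    for name, claims in (("main", MAIN), ("feature", FEATURE), ("other", OTHER)):
        print(name, evaluate(POLICY, claims))
```

Only the run on `refs/heads/main` of `my-org/my-repo` matches; the feature branch and the other organization's repository get no permissions, which is why the `subject` line deserves the closest review in a trust policy.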