Adding dd-octo-sts policy for the test activation workflow (#5351)

nccatoni · web-flow · commit ee1c1760e167 · 2025-09-29T13:08:11.000Z
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -34,4 +34,4 @@
 /manifests/ruby.yml @DataDog/ruby-guild @DataDog/asm-ruby
 /manifests/rust.yml @DataDog/apm-rust
 
-
+/chainguard/** @DataDog/system-tests-core # Security sensitive
diff --git a/chainguard/self.test-activation.sts.yaml b/chainguard/self.test-activation.sts.yaml
@@ -0,0 +1,13 @@
+# Docs: https://datadoghq.atlassian.net/wiki/spaces/SECENG/pages/5138645099/User+guide+dd-octo-sts
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/system-tests-dashboard:ref:refs/heads/main
+claim_pattern:
+  event_name: workflow_dispatch
+  ref: refs/heads/main
+  ref_protected: "true"
+  job_workflow_ref: DataDog/system-tests-dashboard/\.github/workflows/test-activation-tmp\.yml@refs/heads/main
+
+permissions:
+  contents: write
+  pull-requests: write
diff --git a/utils/scripts/compute_impacted_scenario.py b/utils/scripts/compute_impacted_scenario.py
@@ -131,6 +131,7 @@ def main() -> None:
                 files_map: dict[str, ScenarioGroup | Scenario | list[ScenarioGroup | Scenario] | None] = {
                     r"\.cursor/rules/.*": None,
                     r"\.circleci/.*": None,
+                    r"chainguard/.*": None,
                     r"\.vscode/.*": None,
                     r"\.github/actions/pull_images/action.yml": scenario_groups.end_to_end,
                     r"\.github/CODEOWNERS": None,
