DataDog · Kyle-Neale · Nov 11, 2025 · Nov 6, 2025 · Nov 7, 2025 · Nov 10, 2025
@@ -718,6 +718,7 @@ plaid/assets/logs/                                                  @DataDog/saa
 /datadog_checks_downloader/                                           @DataDog/agent-integrations
 docs/developer/process/integration-release.md                         @DataDog/agent-integrations
 # As well as the pipelines.
+/.github/chainguard/                                                  @DataDog/agent-integrations
 /.github/workflows/                                                   @DataDog/agent-integrations
 /.github/workflows/resolve-build-deps.yml                             @DataDog/agent-build
 /.gitlab-ci.yml                                                       @DataDog/agent-integrations

@@ -0,0 +1,44 @@
+# Trust policy for automated workflows that create pull requests
+#
+# This policy is intended for use with the peter-evans/create-pull-request action
+# in workflows that run on schedule from the protected master branch.
+#
+# Naming convention:
+#   self: Only this repository (DataDog/integrations-core) can use this policy
+#   create-pull-requests: Grants permissions to create pull requests
+#   schedule: Intended for workflows running on schedule (workflow_dispatch is included
+#             to allow manual triggering)
+#
+# Security model:
+#   - Workflow must run from the protected master branch
+#   - Workflow file must be committed to master
+#   - Supports 'schedule' and 'workflow_dispatch' events only
+#
+# Permissions granted:
+#   - contents: write       - Push commits to branches
+#   - pull_requests: write  - Create pull requests
+#   - workflows: write      - Modify workflow files (enables full automation)
+#
+# Usage in workflows:
+#   - uses: DataDog/dd-octo-sts-action@08f2144903ced3254a3dafec2592563409ba2aa0 # v1.0.1
+#     with:
+#       scope: DataDog/integrations-core
+#       policy: self.create-pull-requests.schedule
+#
+# Recommended for migrating workflows away from static GitHub App credentials stored in secrets.
+
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/integrations-core:ref:refs/heads/master
+
+claim_pattern:
+  ref: refs/heads/master
+  ref_protected: "true"
+  job_workflow_ref: DataDog/integrations-core/.github/workflows/.*\.ya?ml@refs/heads/master
+  event_name: (schedule|workflow_dispatch)
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write
+
@@ -10,6 +10,9 @@ jobs:
   upgrade_python_version:
     name: Upgrade Python version
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for OIDC token federation with dd-octo-sts
+      contents: read
     steps:
     - name: Checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -27,13 +30,12 @@ jobs:
       run: |-
         ddev config set repos.core .
         ddev config set repo core
-    - name: Create token
-      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
-      id: token-generator
+    - name: Get GitHub token via dd-octo-sts
+      uses: DataDog/dd-octo-sts-action@08f2144903ced3254a3dafec2592563409ba2aa0 # v1.0.1
+      id: octo-sts
       with:
-        app-id: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_APP_ID }}
-        private-key: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_PRIVATE_KEY }}
-        repositories: integrations-core
+        scope: DataDog/integrations-core
+        policy: self.create-pull-requests.schedule
     - name: Upgrade Python version
       id: update
       run: |-
@@ -53,7 +55,7 @@ jobs:
       id: cpr
       uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
       with:
-        token: ${{ steps.token-generator.outputs.token }}
+        token: ${{ steps.octo-sts.outputs.token }}
         commit-message: Upgrade Python version
         body: |
           ### What does this PR do?