Replace our custom GitHub App Token with dd-octo-sts#8318
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 05ffe4fcb2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Pull request overview
This PR migrates several GitHub Actions workflows from generating GitHub App installation tokens (actions/create-github-app-token) to using dd-octo-sts (OIDC-based) tokens, aligning with the recommendation from sdlc-security.
Changes:
- Add
dd-octo-ststoken minting steps (and requiredid-token: writepermissions) to AAS deploy/release workflows. - Update the
deploy-aas-dev-appscomposite action to accept a pre-mintedgithub_tokeninstead of GitHub App credentials. - Update the reusable draft release workflow to use
dd-octo-stsand introduce a corresponding Chainguard STS policy file.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/scheduled_aas_deploy.yml | Adds OIDC permission + dd-octo-sts token step; passes minted token into deploy composite action. |
| .github/workflows/code_freeze_start.yml | Adds OIDC permission + dd-octo-sts token step; passes minted token into deploy composite action. |
| .github/workflows/auto_deploy_aas_test_apps.yml | Adds OIDC permission + dd-octo-sts token step; passes minted token into deploy composite action. |
| .github/workflows/auto-trigger-aas-release.yml | Replaces GitHub App token creation with dd-octo-sts token for repository dispatch call. |
| .github/actions/deploy-aas-dev-apps/action.yml | Removes GitHub App token generation; requires caller-provided github_token. |
| .github/workflows/_create_draft_release.yml | Replaces GitHub App token creation with dd-octo-sts for release-related GitHub API operations. |
| .github/chainguard/self.github.create-draft-release.sts.yaml | Adds STS policy intended to allow dd-octo-sts to mint a token for the draft release workflow. |
| .github/workflows/create_normal_draft_release.yml | Stops passing GitHub App secrets into the reusable draft release workflow. |
| .github/workflows/create_hotfix_draft_release.yml | Stops passing GitHub App secrets into the reusable draft release workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| subject_pattern: repo:DataDog/dd-trace-dotnet:ref:refs/heads/(master|hotfix/.+) | ||
|
|
||
| claim_pattern: | ||
| event_name: workflow_dispatch |
There was a problem hiding this comment.
From Claude, with the dd-octo-sts plugin:
The reviewer's concern is understandable, but actually the policy is correct as-is. From the dd-octo-sts guide's claim format for workflow_call:
▎ Note: workflow_call does not exist in isolation but only with a triggering context (e.g. workflow_dispatch). The job_workflow_ref reflects the reusable workflow, not the caller.The example claims for a workflow_call show:
{ "event_name": "workflow_dispatch", // ← the triggering event, NOT "workflow_call" "job_workflow_ref": ".../.github/workflows/workflow-call-demo.yml@refs/heads/main" }So the OIDC token's event_name claim will be workflow_dispatch (the caller's trigger), not workflow_call. And job_workflow_ref will correctly point to _create_draft_release.yml (the reusable workflow). The policy as written should work.
| echo "Push succeeded, cleaning up" | ||
| rm Datadog.Trace.Annotations.1.0.0.nupkg | ||
|
|
||
| - name: Generate GitHub App Token |
There was a problem hiding this comment.
Do we need id-token: write here?
There was a problem hiding this comment.
Yes, I believe so, but we already have it 🙂
NachoEchevarria
left a comment
There was a problem hiding this comment.
LGTM, thanks. Just a comment/question.
BenchmarksBenchmark execution time: 2026-03-17 12:21:21 Comparing candidate commit 1a6d29d in PR branch Found 8 performance improvements and 5 performance regressions! Performance is the same for 165 metrics, 14 unstable metrics. scenario:Benchmarks.Trace.ActivityBenchmark.StartStopWithChild netcoreapp3.1
scenario:Benchmarks.Trace.AgentWriterBenchmark.WriteAndFlushEnrichedTraces net6.0
scenario:Benchmarks.Trace.Asm.AppSecBodyBenchmark.AllCycleSimpleBody netcoreapp3.1
scenario:Benchmarks.Trace.Asm.AppSecBodyBenchmark.ObjectExtractorSimpleBody netcoreapp3.1
scenario:Benchmarks.Trace.Asm.AppSecEncoderBenchmark.EncodeLegacyArgs netcoreapp3.1
scenario:Benchmarks.Trace.AspNetCoreBenchmark.SendRequest net6.0
scenario:Benchmarks.Trace.CIVisibilityProtocolWriterBenchmark.WriteAndFlushEnrichedTraces net472
scenario:Benchmarks.Trace.CIVisibilityProtocolWriterBenchmark.WriteAndFlushEnrichedTraces netcoreapp3.1
scenario:Benchmarks.Trace.CharSliceBenchmark.OptimizedCharSlice netcoreapp3.1
scenario:Benchmarks.Trace.CharSliceBenchmark.OriginalCharSlice net6.0
|
Summary of changes
Replaces our use of
actions/create-github-app-tokenwithdd-octo-stsReason for change
It was recommended by sdlc-security that we make the shift
Implementation details
They have a claude plugin to do it, so I poked the bot with a stick until it did this. Looks OK to me best I can understand, and I'm definitely happier having 🤖 write the various "patterns" 😅
Test coverage
Unfortunately, no... this isn't an easy one to test.
The AAS deploy is just one we will have to keep an eye on, as it's non critical and we can temporarily revert if necessary.
The release one is more problematic - I left the "fallback"
create_draft_releaseworkflow "as-is" for now, as we know it works, and we want to make sure we have an escape hatch for the first runOther details
Requires DataDog/datadog-aas-extension#438 to be merged first.