chore: add dd-octo-sts trust policies for workflow automation

[RamyElkest]

Summary

Part 1 of 2 — adds trust policies only. Merge this first.

Adds dd-octo-sts trust policies to prepare for migrating deps-update.yml and validate.yml workflows from DD_K9_LIBRARY_GO_APP_PRIVATE_KEY to OIDC-federated tokens.

Why split into two PRs?

dd-octo-sts reads trust policies from the target repo's default branch. If we ship the policies and workflow changes together, the workflow changes can't be tested on the PR itself — the policies aren't on main yet. By merging policies first, the second PR's CI can exercise the new dd-octo-sts token exchange.

Policies added

Policy file	Workflow	Events	Permissions
self.github.deps-update.schedule.sts.yaml	deps-update.yml / create-pr	schedule, dispatch	contents: write, pull_requests: write
self.github.validate.self-mutation.sts.yaml	validate.yml / self-mutation	pull_request	contents: write

Both are self-referential policies (orchestrion writing to itself). These are needed because:

• deps-update creates PRs — disallowed for GITHUB_TOKEN per org policy
• self-mutation pushes commits that must re-trigger CI — GITHUB_TOKEN pushes don't trigger workflow runs

Next step

After this merges → #816 migrates the workflows.

Test plan

• Trust Policy Validation CI check passes

🤖 Generated with Claude Code

---

Jira: APPSEC-62083

[datadog-prod-us1-5]

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 67.73%

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 9a1b086 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[RamyElkest]

• chore: migrate DD_K9_LIBRARY_GO_APP_PRIVATE_KEY to dd-octo-sts #816
• chore: add dd-octo-sts trust policies for workflow automation #815 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.52%. Comparing base (e061d12) to head (9a1b086).
⚠️ Report is 74 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #815      +/-   ##
==========================================
+ Coverage   65.72%   69.52%   +3.80%     
==========================================
  Files         113      116       +3     
  Lines        7926     6900    -1026     
==========================================
- Hits         5209     4797     -412     
+ Misses       2192     1554     -638     
- Partials      525      549      +24     

Components	Coverage Δ
Generators	83.23% <ø> (+2.98%)	⬆️
Instruments	∅ <ø> (∅)
Go Driver	75.16% <65.38%> (-0.66%)	⬇️
Toolexec Driver	74.78% <100.00%> (+7.25%)	⬆️
Aspects	76.97% <75.78%> (+5.06%)	⬆️
Injector	77.24% <77.14%> (+4.44%)	⬆️
Job Server	67.72% <55.55%> (+1.80%)	⬆️
Other	69.52% <65.33%> (+3.80%)	⬆️
see 108 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[eliottness]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9a1b086be8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".