chore: migrate DD_K9_LIBRARY_GO_APP_PRIVATE_KEY to dd-octo-sts

[RamyElkest]

Summary

Part 2 of 2 — depends on #815 (trust policies) being merged first.

Replaces actions/create-github-app-token with DataDog/dd-octo-sts-action for OIDC-federated short-lived tokens, eliminating the dependency on the shared DD_K9_LIBRARY_GO_APP_PRIVATE_KEY secret.

Why this depends on #815

dd-octo-sts reads trust policies from the target repo's default branch. The policies from #815 must be on main before this PR's workflows can exchange OIDC tokens. Once #815 merges, the self-mutation job on this PR can exercise the new token exchange.

Workflows migrated

Workflow	Job	What it does	Token used for
deps-update.yml	create-pr	Automated dependency updates	ghcommit-action signed commits + gh pr create
validate.yml	self-mutation	Push generated files to PR branches	ghcommit-action signed commits

Changes

• Replaced actions/create-github-app-token → DataDog/dd-octo-sts-action@v1.0.4 (SHA-pinned)
• Added id-token: write to job permissions (required for OIDC exchange)
• Dropped pull-requests: write from deps-update job permissions (now handled by dd-octo-sts token)

Test plan

• After chore: add dd-octo-sts trust policies for workflow automation #815 merges, self-mutation should work on this PR if go generate produces changes
• After this merges, trigger deps-update.yml via workflow_dispatch

🤖 Generated with Claude Code

---

Jira: APPSEC-62083

[RamyElkest]

• chore: migrate DD_K9_LIBRARY_GO_APP_PRIVATE_KEY to dd-octo-sts #816 👈 (View in Graphite)
• chore: add dd-octo-sts trust policies for workflow automation #815
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[datadog-datadog-prod-us1]

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 69.06%

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 8151c6b | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[eliottness]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Hooray!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.82%. Comparing base (e061d12) to head (8151c6b).
⚠️ Report is 75 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #816      +/-   ##
==========================================
+ Coverage   65.72%   70.82%   +5.10%     
==========================================
  Files         113      116       +3     
  Lines        7926     6900    -1026     
==========================================
- Hits         5209     4887     -322     
+ Misses       2192     1442     -750     
- Partials      525      571      +46     

Components	Coverage Δ
Generators	83.23% <ø> (+2.98%)	⬆️
Instruments	∅ <ø> (∅)
Go Driver	75.58% <65.38%> (-0.23%)	⬇️
Toolexec Driver	74.78% <100.00%> (+7.25%)	⬆️
Aspects	76.97% <75.78%> (+5.06%)	⬆️
Injector	77.24% <77.14%> (+4.44%)	⬆️
Job Server	71.00% <55.55%> (+5.08%)	⬆️
Other	70.82% <65.33%> (+5.10%)	⬆️
see 108 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.