Add dd-octo-sts trust policy for release-dashboard-api on us1.ddbuild.io #3197
Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into main on Jun 26, 2026
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
gabedos approved these changes on Jun 25, 2026

/merge

View all feedbacks in Devflow UI.
The expected merge time in

04ff744 into main
60 of 63 checks passed

gh-worker-dd-mergequeue-cf854d Bot pushed a commit to DataDog/datadog-agent that referenced this pull request on Jun 26, 2026
….io (#52827)

## Summary
- Adds `.github/chainguard/release-dashboard-api-ddbuild.sts.yaml` trust policy authorizing the `release-dashboard-api` service on `us1.ddbuild.io` to read repository contents and pull requests via dd-octo-sts
- Uses `vault.us1.ddbuild.io` issuer and the ddbuild Vault UUID, following the same permissions (`contents: read`, `pull_requests: read`) as the existing prod and staging policies

## Related PRs
- dd-source allowlist: https://github.com/ddoghq/dd-source/pull/1663
- dd-source policy selector: https://github.com/ddoghq/dd-source/pull/1649
- datadog-operator trust policy: DataDog/datadog-operator#3197

## Merge order
1. Merge this PR and the operator trust policy PR first — the policy must be on the default branch before the service can exchange tokens
2. Then merge the allowlist and policy selector PRs

## Test plan
- [ ] Verify "Trust Policy Validation" CI check passes on this PR

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: antonio.mejia <antonio.mejia@datadoghq.com>
levan-m added a commit that referenced this pull request on Jun 27, 2026
* Add dd-octo-sts trust policy for release-dashboard-api on us1.ddbuild.io (#3197)

Add dd-octo-sts trust policy for release-dashboard-api on us1.ddbuild.io

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: antonio.mejia <antonio.mejia@datadoghq.com>

* fix(deps): vuln minor upgrades — 6 packages (minor: 2 · patch: 4) (#3148)

* ADMS: vuln minor upgrades — 6 packages (minor: 2 · patch: 4)

Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>

* chore: regenerate lockfiles after rebase

Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>

* fix: update LICENSE-3rdparty.csv for moby/spdystream v0.5.1 sub-package

The upgrade from github.com/moby/spdystream v0.5.0 to v0.5.1 introduced a new sub-package github.com/moby/spdystream/spdy with a BSD-3-Clause license. Add the missing entry to keep LICENSE-3rdparty.csv up to date.

Environment: Datadog workspace

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: levan-m <116471169+levan-m@users.noreply.github.com>
Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>

* fix: sync api/go.mod with workspace after dependency upgrades

Run 'go work sync' to keep api/go.mod consistent with the transitive dependency updates from the main module (golang.org/x/* version bumps pulled in by the moby/spdystream and opentelemetry upgrades).

Environment: Datadog workspace

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: levan-m <116471169+levan-m@users.noreply.github.com>
Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>

* fix: add missing go.mod hash entries to api/go.sum

'go mod tidy' adds .mod file hash entries that 'go work sync' omits. Required to satisfy the check-golang-version CI validation.

Environment: Datadog workspace

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: levan-m <116471169+levan-m@users.noreply.github.com>
Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>

---------

Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>

* ci(issue-triage): add reusable workflow from DataDog/issue-triage-action (#3187)

* ci(issue-triage): add reusable workflow from DataDog/issue-triage-action

Add issue triage workflow that delegates to the shared reusable action at DataDog/issue-triage-action v1.0.0. On each new issue the workflow runs Claude-based triage, applies a team label, and sends a Slack notification.

* Use the good commit

* [CONTP-1785] Replace container image with name in DDI check section (#3196)

Add DatadogInstrumentation check containerName

chore: update config sample

Co-authored-by: mathew.estafanous <mathew.estafanous@datadoghq.com>

* Update Operator Release Workflows (#3060)

* sync operator release workflow

* simplify diff detection

* Add DatadogInstrumentation logs config (#3198)

Add DatadogInstrumentation logs config

Co-authored-by: mathew.estafanous <mathew.estafanous@datadoghq.com>

---------

Co-authored-by: Antonio Mejia <antonio.mejia@datadoghq.com>
Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
Co-authored-by: dd-octo-sts-26fcfa[bot] <266798054+dd-octo-sts-26fcfa[bot]@users.noreply.github.com>
Co-authored-by: Nicolas Schweitzer <nicolas.schweitzer@datadoghq.com>
Co-authored-by: Mathew Estafanous <56979977+Mathew-Estafanous@users.noreply.github.com>
Co-authored-by: mathew.estafanous <mathew.estafanous@datadoghq.com>
Co-authored-by: Gabriel Dos Santos <91925154+gabedos@users.noreply.github.com>
Co-authored-by: Claude <claude@anthropic.com>
Summary
- `.github/chainguard/release-dashboard-api-ddbuild.sts.yaml` trust policy authorizing the `release-dashboard-api` service on `us1.ddbuild.io` to read repository contents and pull requests via dd-octo-sts
- `vault.us1.ddbuild.io` issuer and the ddbuild Vault UUID, following the same permissions (`contents: read`, `pull_requests: read`) as the existing prod and staging policies
Related PRs
Merge order
Test plan
🤖 Generated with Claude Code
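
A least-privilege lint for a trust policy like the one the summary describes, as an added example (not code from this PR and not the project's "Trust Policy Validation" check). It assumes the policy uses the upstream octo-sts field names (`issuer`, `subject`, `subject_pattern`, `permissions`), which this page does not show; the `https://` issuer form, the subject value and both sample policies are constructed.

```python
# Read-only baseline taken from the PR summary (contents: read, pull_requests: read).
ALLOWED_PERMISSIONS = {"contents": "read", "pull_requests": "read"}
# Assumption: the issuer is the https URL of the host named in the summary.
TRUSTED_ISSUERS = {"https://vault.us1.ddbuild.io"}
# Subject patterns that would match every identity the issuer can mint.
OVERBROAD_PATTERNS = {"", ".*", ".+", "^.*$", "^.+$"}


def lint_trust_policy(policy):
    """Return findings for one parsed .sts.yaml document (a dict)."""
    findings = []

    issuer = policy.get("issuer")
    if issuer not in TRUSTED_ISSUERS:
        findings.append(f"issuer {issuer!r} is not on the pinned issuer list")

    subject = policy.get("subject")
    pattern = policy.get("subject_pattern")
    if not subject and pattern is None:
        findings.append("policy names neither subject nor subject_pattern")
    elif pattern is not None and pattern.strip() in OVERBROAD_PATTERNS:
        findings.append(f"subject_pattern {pattern!r} matches any identity")

    permissions = policy.get("permissions") or {}
    if not permissions:
        findings.append("policy grants no permissions; nothing to review")
    for scope, level in permissions.items():
        if ALLOWED_PERMISSIONS.get(scope) != level:
            findings.append(f"permission {scope}: {level} exceeds the read-only baseline")
    return findings


# Constructed sample: the shape the summary describes, with a placeholder subject.
GOOD_POLICY = {
    "issuer": "https://vault.us1.ddbuild.io",
    "subject": "<ddbuild-vault-identity-placeholder>",
    "permissions": {"contents": "read", "pull_requests": "read"},
}

# Constructed sample: unpinned issuer, wildcard subject, write access.
WEAK_POLICY = {
    "issuer": "https://vault.example.invalid",
    "subject_pattern": ".*",
    "permissions": {"contents": "write", "pull_requests": "read"},
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, lint_trust_policy(pol))
```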