use dd-octo-sts for tag creation (#300)

IlyasShabi · web-flow · commit ef19df366690 · 2026-03-17T20:34:49.000+01:00
use dd-octo-sts for tag creation
diff --git a/.github/chainguard/release.sts.yaml b/.github/chainguard/release.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/pprof-nodejs:environment:npm
+
+claim_pattern:
+  event_name: push
+  job_workflow_ref: DataDog/pprof-nodejs/\.github/workflows/release\.yml@refs/heads/v[0-9]+\.x
+  ref: refs/heads/v[0-9]+\.x
+  repository: DataDog/pprof-nodejs
+
+permissions:
+  contents: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,10 +20,15 @@ jobs:
     runs-on: ubuntu-latest
     environment: npm
     permissions:
-      id-token: write  # Required for OIDC
+      id-token: write # Required for OIDC
       contents: write
     steps:
-      - uses: actions/checkout@v2
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/pprof-nodejs
+          policy: self.github.release.push-tags
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - uses: actions/download-artifact@v4
       - uses: actions/setup-node@v3
         with:
@@ -37,4 +42,4 @@ jobs:
           echo "json=$content" >> $GITHUB_OUTPUT
       - run: |
           git tag v${{ fromJson(steps.pkg.outputs.json).version }}
-          git push origin v${{ fromJson(steps.pkg.outputs.json).version }}
+          git push https://x-access-token:${{ steps.octo-sts.outputs.token }}@github.com/${{ github.repository }}.git v${{ fromJson(steps.pkg.outputs.json).version }}
