diff --git a/.github/chainguard/self.github.pre-commit.pull-requests.sts.yaml b/.github/chainguard/self.github.pre-commit.pull-requests.sts.yaml
new file mode 100644
index 00000000000..789b20b5b0a
--- /dev/null
+++ b/.github/chainguard/self.github.pre-commit.pull-requests.sts.yaml
@@ -0,0 +1,15 @@
+# Trust policy for pre-commit fixes on pull requests
+# Allows pushing pre-commit fixes back to PR branches
+# Will be called in reusable-pre-commit.yml
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-java:pull_request
+
+claim_pattern:
+ event_name: pull_request
+ # Even when running pull_request, the workflow code comes from the base branch, hence refs/heads/master
+ job_workflow_ref: DataDog/datadog-api-client-java/\.github/workflows/reusable-pre-commit\.yml@refs/heads/master
+ repository: DataDog/datadog-api-client-java
+ ref: refs/heads/master
+
+permissions:
+ contents: write # Required for pushing pre-commit fixes
diff --git a/.github/chainguard/self.github.release.master.sts.yaml b/.github/chainguard/self.github.release.master.sts.yaml
new file mode 100644
index 00000000000..d738c0d2da8
--- /dev/null
+++ b/.github/chainguard/self.github.release.master.sts.yaml
@@ -0,0 +1,14 @@
+# Trust policy for creating releases on master branch
+# Restricted to master branch (protected ref) for security
+# Will be called in release.yml
+issuer: https://token.actions.githubusercontent.com
+subject: repo:DataDog/datadog-api-client-java:pull_request
+
+claim_pattern:
+ event_name: pull_request
+ job_workflow_ref: DataDog/datadog-api-client-java/\.github/workflows/release\.yml@refs/heads/master
+ repository: DataDog/datadog-api-client-java
+ ref: refs/heads/master
+
+permissions:
+ contents: write
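Review bot: `ref: refs/heads/master` under `claim_pattern` looks unreachable for the `pull_request` event this policy accepts: a pull_request-triggered run's `ref` claim is the PR merge ref (`refs/pull/<n>/merge`), not the base branch, so unless the issued token carries something other than what GitHub documents, this pattern never matches and the policy fails closed rather than issuing a token. The comment above `job_workflow_ref` gives the base-branch reasoning only for that claim; the `ref` line reads as carried over from a push-style policy. Confirm against a token from an actual reusable-pre-commit.yml run and, if it is the merge ref, either drop the `ref` line (`job_workflow_ref` already pins the workflow file to master) or match the base branch via the `base_ref` claim instead, checking its exact format in a real token first. The same `ref: refs/heads/master` line appears in self.github.release.master.sts.yaml in the next hunk.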
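Review bot: The header comment `# Restricted to master branch (protected ref) for security` overstates what this file restricts: the `claim_pattern` only decides which runs may obtain a token, while the granted `contents: write` is repository-wide and not scoped to master, so branch protection rather than this policy is what limits where the token can push; suggest `# Issued only to release.yml runs whose workflow ref is master; the token itself is repo-wide contents: write`. The header also says the policy is for creating releases on master, yet `subject` and `event_name` accept only `pull_request` runs, which is worth confirming against release.yml's trigger — if release.yml runs on push to master, the subject would need to be the `repo:DataDog/datadog-api-client-java:ref:refs/heads/master` form with `event_name: push`. The `contents: write` line also lacks the rationale comment its sibling policy carries; `contents: write # Required for creating releases` keeps the two files consistent.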