From 1f6038625673439707e48602e81a2500fe84cfdd Mon Sep 17 00:00:00 2001 From: Isabelle Kraemer Date: Tue, 10 Feb 2026 14:38:10 +0100 Subject: [PATCH] use dd-octo-sts policies --- .github/workflows/approved_status.yml | 16 ++++++-------- .github/workflows/release.yml | 22 +++++++++---------- .github/workflows/reusable-ci.yml | 20 ----------------- .github/workflows/reusable-examples.yml | 5 ----- .../workflows/reusable-integration-test.yml | 19 ++++++---------- .github/workflows/reusable-java-test.yml | 4 ---- .github/workflows/reusable-javadoc.yml | 5 ----- .github/workflows/reusable-pre-commit.yml | 15 +++++-------- .github/workflows/reusable-shading.yml | 5 ----- .github/workflows/test.yml | 16 +++++--------- 10 files changed, 36 insertions(+), 91 deletions(-) diff --git a/.github/workflows/approved_status.yml b/.github/workflows/approved_status.yml index a553c9d1d55..a128a08d8f8 100644 --- a/.github/workflows/approved_status.yml +++ b/.github/workflows/approved_status.yml @@ -1,9 +1,5 @@ name: Send PR Approval Status -permissions: - contents: read - checks: write - on: pull_request: branches: @@ -16,6 +12,9 @@ on: jobs: send_status: + permissions: + contents: read + id-token: write # Required for dd-octo-sts OIDC token runs-on: ubuntu-latest if: > github.event.pull_request.draft == false && 
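Review bot: In the first approved_status.yml hunk the workflow-level `permissions:` block is deleted outright rather than narrowed, so any job later added to this file without its own block will run with the repository's default GITHUB_TOKEN permissions instead of read-only. The job-level `contents: read` / `id-token: write` added in the second hunk has the right shape, but it only governs `send_status`; keeping a top-level `permissions:` with just `contents: read` costs nothing because the job-level block overrides it. Only one job is visible in this file, so this is defence-in-depth rather than a live exposure.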
@@ -23,13 +22,12 @@ jobs: !contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/') && contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/') steps: - - name: Get GitHub App token + - name: Get GitHub token via dd-octo-sts id: get_token - uses: actions/create-github-app-token@v1 + uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 with: - app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} - repositories: datadog-api-spec + scope: DataDog/datadog-api-spec + policy: datadog-api-client-java.approved_status.post-review-status - name: Post PR review status check uses: DataDog/github-actions/post-review-status@v2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2da60bd811b..a217ebb9b75 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,9 +1,5 @@ name: Release -permissions: - contents: write - pull-requests: write - env: GIT_AUTHOR_EMAIL: "packages@datadoghq.com" GIT_AUTHOR_NAME: "ci.datadog-api-spec" 
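Review bot: With `checks: write` no longer on the job's GITHUB_TOKEN, the `Post PR review status check` step can only succeed if it authenticates with the dd-octo-sts token; its `with:` block is cut off at the hunk edge, so please confirm it receives `${{ steps.get_token.outputs.token }}` rather than falling back to the default token. The new `DataDog/dd-octo-sts-action` step is pinned to a full SHA with a version comment, which is good; the adjacent `DataDog/github-actions/post-review-status@v2` is still a mutable tag and is now handed a cross-repository token, so it deserves the same pinning. The release.yml hunk on this line drops the top-level `contents: write` / `pull-requests: write`, which is an improvement; consider leaving a read-only `permissions:` default in its place for the same reason as in approved_status.yml.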
@@ -16,24 +12,26 @@ on: jobs: create_release: + permissions: + contents: read + id-token: write # Required for dd-octo-sts OIDC token name: Create release runs-on: ubuntu-latest if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') steps: - - name: Get GitHub App token - id: get_token - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 #v1.11.1 - with: - app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} - - name: Checkout ${{ github.event.pull_request.base.ref }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - token: ${{ steps.get_token.outputs.token }} ref: ${{ github.event.pull_request.base.ref }} fetch-depth: 0 + - name: Get GitHub token via dd-octo-sts + id: get_token + uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 + with: + scope: DataDog/datadog-api-client-java + policy: self.github.release.master + - name: Release packages env: HEAD_SHA: ${{ github.event.pull_request.merge_commit_sha }} diff --git a/.github/workflows/reusable-ci.yml b/.github/workflows/reusable-ci.yml index 860d7816eba..d934696195f 100644 --- a/.github/workflows/reusable-ci.yml +++ b/.github/workflows/reusable-ci.yml @@ -29,10 +29,6 @@ on: type: string default: './check-examples.sh' secrets: - PIPELINE_GITHUB_APP_ID: - required: false - PIPELINE_GITHUB_APP_PRIVATE_KEY: - required: false # Integration test secrets DD_API_KEY: required: false 
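Review bot: In the release.yml hunk the checkout step now runs with the default GITHUB_TOKEN (the job is `contents: read`) and, with `actions/checkout`'s default `persist-credentials: true`, stores that read-only token in `.git/config`; the dd-octo-sts token is only fetched afterwards, so a `git push` in `Release packages` that relies on the persisted credential, as it could when `token:` pointed at the app token, will be rejected. The release step's body lies outside the hunk so I cannot confirm how it authenticates; either add `persist-credentials: false` to the checkout and pass `${{ steps.get_token.outputs.token }}` explicitly to the release script (for example as a `GITHUB_TOKEN:` entry in its `env:`), or move the token step back before checkout and restore `token: ${{ steps.get_token.outputs.token }}`. Fetching the token after checkout shortens its exposure window, so the first option is preferable if the script can take the token explicitly.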
@@ -49,25 +45,16 @@ jobs: with: target-branch: ${{ inputs.target-branch }} enable-commit-changes: false # Don't auto-commit in external CI - secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} javadoc: uses: ./.github/workflows/reusable-javadoc.yml with: target-branch: ${{ inputs.target-branch }} - secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} shading: uses: ./.github/workflows/reusable-shading.yml with: target-branch: ${{ inputs.target-branch }} - secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} test: uses: ./.github/workflows/reusable-java-test.yml @@ -77,8 +64,6 @@ jobs: platforms: ${{ inputs.platforms }} test-script: ${{ inputs.test-script }} secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} DD_API_KEY: ${{ secrets.DD_API_KEY }} examples: @@ -86,9 +71,6 @@ jobs: with: target-branch: ${{ inputs.target-branch }} examples-script: ${{ inputs.examples-script }} - secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} integration: uses: ./.github/workflows/reusable-integration-test.yml @@ -96,8 +78,6 @@ jobs: target-branch: ${{ inputs.target-branch }} has-integration-label: ${{ contains(github.event.pull_request.labels.*.name, 'ci/integrations') }} secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} DD_API_KEY: ${{ secrets.DD_API_KEY }} DD_CLIENT_API_KEY: ${{ secrets.DD_CLIENT_API_KEY }} DD_CLIENT_APP_KEY: ${{ secrets.DD_CLIENT_APP_KEY }} 
diff --git a/.github/workflows/reusable-examples.yml b/.github/workflows/reusable-examples.yml index 368a8062cfd..62515d409f0 100644 --- a/.github/workflows/reusable-examples.yml +++ b/.github/workflows/reusable-examples.yml @@ -18,11 +18,6 @@ on: required: false type: string default: '16' - secrets: - PIPELINE_GITHUB_APP_ID: - required: false - PIPELINE_GITHUB_APP_PRIVATE_KEY: - required: false jobs: examples: diff --git a/.github/workflows/reusable-integration-test.yml b/.github/workflows/reusable-integration-test.yml index 0a7df7e896a..9826076ead5 100644 --- a/.github/workflows/reusable-integration-test.yml +++ b/.github/workflows/reusable-integration-test.yml @@ -1,8 +1,5 @@ name: Reusable Integration Test Workflow -permissions: - contents: read - on: pull_request: types: @@ -44,10 +41,6 @@ on: type: boolean default: false secrets: - PIPELINE_GITHUB_APP_ID: - required: false - PIPELINE_GITHUB_APP_PRIVATE_KEY: - required: false DD_API_KEY: required: true DD_CLIENT_API_KEY: @@ -63,6 +56,9 @@ concurrency: jobs: test_integration: + permissions: + contents: read + id-token: write # Required for dd-octo-sts OIDC token runs-on: ubuntu-latest if: > (github.event_name == 'pull_request' && @@ -82,14 +78,13 @@ jobs: DD_HOSTNAME: "none" DD_INSIDE_CI: "true" steps: - - name: Get GitHub App token + - name: Get GitHub token via dd-octo-sts if: github.event_name == 'pull_request' id: get_token - uses: actions/create-github-app-token@v1 + uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 with: - app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} - repositories: ${{ inputs.target-repo || 'datadog-api-spec' }} + scope: DataDog/${{ inputs.target-repo || 'datadog-api-spec' }} + policy: datadog-api-client-java.reusable-integration-test.post-status - name: Checkout code uses: actions/checkout@v3 with: 
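Review bot: In the last reusable-integration-test.yml hunk `scope: DataDog/${{ inputs.target-repo || 'datadog-api-spec' }}` lets the caller pick which repository's dd-octo-sts trust policy is consulted while the `policy:` name stays fixed, so `datadog-api-client-java.reusable-integration-test.post-status` must exist, with matching OIDC subject claims, in every repository a caller may pass as `target-repo`, or the step fails at runtime. That is the right trust direction (the target repository's policy bounds what is issued, so the input cannot escalate privilege), but it is worth recording on the `scope:` line, e.g. `# the target repo must publish this policy for this workflow's OIDC subject`. The first hunk of this file also removes the workflow-level `permissions: contents: read`; since the new job-level block only covers `test_integration`, keep the top-level default so other jobs in the file do not inherit the repository default token permissions.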
diff --git a/.github/workflows/reusable-java-test.yml b/.github/workflows/reusable-java-test.yml index 1dab2dc65b4..29cf7c518d2 100644 --- a/.github/workflows/reusable-java-test.yml +++ b/.github/workflows/reusable-java-test.yml @@ -24,10 +24,6 @@ on: type: string default: './run-tests.sh' secrets: - PIPELINE_GITHUB_APP_ID: - required: false - PIPELINE_GITHUB_APP_PRIVATE_KEY: - required: false DD_API_KEY: required: false diff --git a/.github/workflows/reusable-javadoc.yml b/.github/workflows/reusable-javadoc.yml index 00393d09c50..b852648db19 100644 --- a/.github/workflows/reusable-javadoc.yml +++ b/.github/workflows/reusable-javadoc.yml @@ -13,11 +13,6 @@ on: required: false type: string default: '8' - secrets: - PIPELINE_GITHUB_APP_ID: - required: false - PIPELINE_GITHUB_APP_PRIVATE_KEY: - required: false jobs: javadoc: diff --git a/.github/workflows/reusable-pre-commit.yml b/.github/workflows/reusable-pre-commit.yml index 0977ba73d32..323549ca87b 100644 --- a/.github/workflows/reusable-pre-commit.yml +++ b/.github/workflows/reusable-pre-commit.yml @@ -13,11 +13,6 @@ on: required: false type: boolean default: true - secrets: - PIPELINE_GITHUB_APP_ID: - required: false - PIPELINE_GITHUB_APP_PRIVATE_KEY: - required: false env: GIT_AUTHOR_EMAIL: "packages@datadoghq.com" @@ -26,14 +21,16 @@ env: jobs: pre-commit: runs-on: ubuntu-latest + permissions: + id-token: write # Required for dd-octo-sts OIDC token steps: - - name: Get GitHub App token + - name: Get GitHub token via dd-octo-sts id: get_token if: inputs.enable-commit-changes - uses: actions/create-github-app-token@v1 + uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 with: - app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} + scope: DataDog/datadog-api-client-java + policy: self.github.pre-commit.pull-requests - uses: actions/checkout@v3 with: fetch-depth: 0 
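Review bot: In the reusable-pre-commit.yml hunk the job-level block is `permissions: id-token: write` alone, and a job-level `permissions:` sets every unspecified scope to `none`, so this job's GITHUB_TOKEN loses `contents: read`; the `actions/checkout@v3` step just below will fail on a private repository, and the job is inconsistent with the other jobs in this patch, which add `contents: read` alongside. Add `contents: read # needed by actions/checkout` next to `id-token: write`. A called workflow also cannot hold more than its caller grants: the callers visible in this patch (`pre-commit` in test.yml and in reusable-ci.yml) add no `permissions:` of their own, so unless the repository default token already includes `id-token: write` the new dd-octo-sts step will fail there — add `permissions: { contents: read, id-token: write }` to those caller jobs. The unpinned `actions/checkout@v3` is pre-existing, but it now sits beside a SHA-pinned action and could be pinned in the same pass.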
diff --git a/.github/workflows/reusable-shading.yml b/.github/workflows/reusable-shading.yml index 0fe58354382..7ba31046b2f 100644 --- a/.github/workflows/reusable-shading.yml +++ b/.github/workflows/reusable-shading.yml @@ -13,11 +13,6 @@ on: required: false type: string default: '8' - secrets: - PIPELINE_GITHUB_APP_ID: - required: false - PIPELINE_GITHUB_APP_PRIVATE_KEY: - required: false jobs: shading: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 963431dedb1..045e86ee5cb 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,9 +28,6 @@ jobs: uses: ./.github/workflows/reusable-pre-commit.yml with: enable-commit-changes: true - secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} javadoc: if: > @@ -60,8 +57,6 @@ jobs: platforms: '["ubuntu-latest"]' test-script: './run-tests.sh' secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} DD_API_KEY: ${{ secrets.DD_API_KEY }} examples: 
@@ -78,20 +73,21 @@ jobs: report: runs-on: ubuntu-latest if: always() && github.event_name == 'pull_request' && contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/') + permissions: + id-token: write # Required for dd-octo-sts OIDC token needs: - test - examples - javadoc - shading steps: - - name: Get GitHub App token + - name: Get GitHub token via dd-octo-sts if: github.event_name == 'pull_request' id: get_token - uses: actions/create-github-app-token@v1 + uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 with: - app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} - repositories: datadog-api-spec + scope: DataDog/datadog-api-spec + policy: datadog-api-client-java.test.post-status - name: Post status check uses: DataDog/github-actions/post-status-check@v2 with:
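Review bot: In the test.yml `report` hunk the token step keeps `if: github.event_name == 'pull_request'`, which the job-level `if:` a few lines above already requires, so the step condition is dead and can be dropped. The job-level block is again `id-token: write` only (every other scope becomes `none`), differing from the `contents: read` + `id-token: write` shape used elsewhere in the patch; with no checkout in this job it may well suffice, but a comment such as `# no checkout: the STS token is the only credential this job needs` would record that it is deliberate. `DataDog/github-actions/post-status-check@v2` is a mutable tag receiving the cross-repository token; pinning it to a SHA like the new dd-octo-sts step is cheap.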