From 6a4ff20c4815e37e6ed4af7b2a9ecb1f39be0292 Mon Sep 17 00:00:00 2001
From: Isabelle Kraemer <isabelle.kraemer@datadoghq.com>
Date: Wed, 11 Feb 2026 22:46:41 +0100
Subject: [PATCH] [SINT-4729] use dd-octo-sts in approved_status

---
 .github/workflows/approved_status.yml | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/approved_status.yml b/.github/workflows/approved_status.yml
index a553c9d1d55..a128a08d8f8 100644
--- a/.github/workflows/approved_status.yml
+++ b/.github/workflows/approved_status.yml
@@ -1,9 +1,5 @@
 name: Send PR Approval Status
 
-permissions:
-  contents: read
-  checks: write
-
 on:
   pull_request:
     branches:
@@ -16,6 +12,9 @@ on:
 
 jobs:
   send_status:
+    permissions:
+      contents: read
+      id-token: write  # Required for dd-octo-sts OIDC token
     runs-on: ubuntu-latest
     if: >
       github.event.pull_request.draft == false &&
@@ -23,13 +22,12 @@ jobs:
       !contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/') &&
       contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/')
     steps:
-      - name: Get GitHub App token
+      - name: Get GitHub token via dd-octo-sts
         id: get_token
-        uses: actions/create-github-app-token@v1
+        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80  # v1.0.3
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
-          repositories: datadog-api-spec
+          scope: DataDog/datadog-api-spec
+          policy: datadog-api-client-java.approved_status.post-review-status
       - name: Post PR review status check
         uses: DataDog/github-actions/post-review-status@v2
         with: