
ci: add least-privilege STS policy for benchmarking-platform PR comments#608

Merged: jbachorik merged 1 commit into main from jb/sts-allow-bp-comments on Jun 19, 2026

Conversation

@jbachorik (Collaborator) commented Jun 19, 2026

What does this PR do?:

Adds a dedicated, least-privilege dd-octo-sts trust policy
(benchmarking-platform-reports.ci) that lets the benchmarking-platform GitLab CI
project mint a short-lived token to upsert a result comment on a java-profiler PR.
The new policy grants only issues: write + pull_requests: read — no contents access.

Motivation:

dd-octo-sts reads trust policies from the repository's default branch, not the PR
branch. The reliability benchmark pipeline runs in the benchmarking-platform GitLab
project, whose OIDC subject (project_path:DataDog/apm-reliability/benchmarking-platform:...)
had no matching policy, so the token exchange failed with HTTP 403 permission denied
and the results comment was silently skipped.

The obvious shortcut — adding the BP project to the existing async-profiler-build.ci
policy — was rejected because that policy grants contents: write. Matching the
separate BP repository there would let any BP branch pipeline mint a token able to
modify java-profiler repository contents, far beyond posting a comment. Instead this
PR adds a separate policy scoped to the BP project with only the comment permissions.

Additional Notes:

Permissions are the minimum the comment script needs: GET /pulls (pull_requests:read)
to resolve the open PR, and GET/POST/PATCH on issue comments (issues:write) to
upsert the comment. async-profiler-build.ci is left unchanged.

How to test the change?:

Trigger the reliability benchmark pipeline from a java-profiler PR. Once this policy is
on main, the benchmarking-platform post-pr-comment job exchanges its OIDC token via
benchmarking-platform-reports.ci and upserts the benchmark-results comment instead of
logging the 403.

For Datadog employees:

  • If this PR touches code that signs or publishes builds or packages, or handles
    credentials of any kind, I've requested a security review (run the dd:platform-security-review
    skill, or file a request via the PSEC review form).
    bewaire also runs automatically on every PR.
  • This PR doesn't touch any of that.
  • JIRA: [JIRA-XXXX]

Unsure? Have a question? Request a review!
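The least-privilege argument above (a policy whose subject pattern matches the BP project must not carry contents: write, and a subject with no matching policy is what produced the 403) can be checked mechanically. The following is an added illustration, not code from the java-profiler repository or from dd-octo-sts: the policy dicts mirror the issuer / subject_pattern / permissions keys of an octo-sts style trust policy, and the issuer URLs, subject patterns and the GitLab sub layout are assumptions constructed for the example.

```python
import re

# Constructed policy models (assumed keys and patterns, not the repo's real files).
POLICIES = {
    "async-profiler-build.ci": {
        "issuer": "https://token.actions.githubusercontent.com",
        "subject_pattern": r"repo:DataDog/java-profiler:.*",
        "permissions": {"contents": "write", "pull_requests": "read"},
    },
    "benchmarking-platform-reports.ci": {
        "issuer": "https://gitlab.com",
        "subject_pattern": r"project_path:DataDog/apm-reliability/benchmarking-platform:.*",
        "permissions": {"issues": "write", "pull_requests": "read"},
    },
}
# The rejected shortcut: widen the build policy's subject to the BP project as well.
WIDENED_SHORTCUT = {
    "issuer": "https://gitlab.com",
    "subject_pattern": r"(repo:DataDog/java-profiler|project_path:DataDog/apm-reliability/benchmarking-platform):.*",
    "permissions": {"contents": "write", "pull_requests": "read"},
}
# Everything the comment-upsert script needs, per the PR description.
COMMENT_SCOPES = {"issues": "write", "pull_requests": "read"}
LEVEL = {"read": 1, "write": 2}


def matching_policies(policies, issuer, sub):
    """Names of policies whose issuer equals the token's and whose subject
    pattern fully matches the OIDC `sub` claim (no match means a 403)."""
    return [name for name, p in policies.items()
            if p["issuer"] == issuer and re.fullmatch(p["subject_pattern"], sub)]


def excess_permissions(policy, needed=COMMENT_SCOPES):
    """Scopes the policy grants above what the comment job actually needs."""
    return {scope: lvl for scope, lvl in policy["permissions"].items()
            if LEVEL[lvl] > LEVEL.get(needed.get(scope, "none"), 0)}


def audit_subject(policies, issuer, sub):
    """For one workload identity, map each matching policy to the excess
    permissions it would hand out; an empty dict for a name means least privilege."""
    return {name: excess_permissions(policies[name])
            for name in matching_policies(policies, issuer, sub)}


# Constructed GitLab sub claim for a BP feature branch (assumed layout).
BP_SUB = "project_path:DataDog/apm-reliability/benchmarking-platform:ref_type:branch:ref:feature-x"
```

Running audit_subject with the two real-shaped policies yields only benchmarking-platform-reports.ci with no excess scopes, while swapping in WIDENED_SHORTCUT surfaces contents: write for every BP branch.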

@jbachorik jbachorik marked this pull request as ready for review June 19, 2026 21:43
@jbachorik jbachorik requested a review from a team as a code owner June 19, 2026 21:43

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9cf8cd8d88

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

The benchmarking-platform reliability pipeline back-reports results as a PR
comment on java-profiler, but dd-octo-sts reads trust policies from the default
branch, so the BP project's OIDC subject had no matching policy and the token
exchange failed with HTTP 403.

Rather than widen async-profiler-build.ci (which grants contents: write) to the
separate BP project, add a dedicated policy scoped to that project with only the
permissions needed to upsert a comment: issues: write + pull_requests: read, no
contents access.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jbachorik jbachorik force-pushed the jb/sts-allow-bp-comments branch from 9cf8cd8 to c1cb565 June 19, 2026 21:49
@jbachorik jbachorik changed the title ci: allow benchmarking-platform GitLab CI to post PR comments ci: add least-privilege STS policy for benchmarking-platform PR comments Jun 19, 2026
@jbachorik jbachorik merged commit f22fd8d into main Jun 19, 2026
93 of 100 checks passed
@jbachorik jbachorik deleted the jb/sts-allow-bp-comments branch June 19, 2026 21:59
@github-actions github-actions Bot added this to the 1.46.0 milestone Jun 19, 2026
@dd-octo-sts (Bot, Contributor) commented Jun 19, 2026

CI Test Results

Run: #27849984672 | Commit: 391eadc | Duration: 16m 52s (longest job)

All 32 test jobs passed

Status Overview

JDK glibc-aarch64/debug glibc-amd64/debug musl-aarch64/debug musl-amd64/debug
8 - - -
8-ibm - - -
8-j9 - -
8-librca - -
8-orcl - - -
11 - - -
11-j9 - -
11-librca - -
17 - -
17-graal - -
17-j9 - -
17-librca - -
21 - -
21-graal - -
21-librca - -
25 - -
25-graal - -
25-librca - -

Legend: ✅ passed | ❌ failed | ⚪ skipped | 🚫 cancelled

Summary: Total: 32 | Passed: 32 | Failed: 0
Updated: 2026-06-19 22:10:29 UTC
