From c1cb565a827a71c1ddbcce36db29d92d6c10c4be Mon Sep 17 00:00:00 2001
From: Jaroslav Bachorik
Date: Fri, 19 Jun 2026 23:40:50 +0200
Subject: [PATCH] ci: add least-privilege STS policy for benchmarking-platform PR comments

The benchmarking-platform reliability pipeline back-reports results as a PR comment on java-profiler, but dd-octo-sts reads trust policies from the default branch, so the BP project's OIDC subject had no matching policy and the token exchange failed with HTTP 403. Rather than widen async-profiler-build.ci (which grants contents: write) to the separate BP project, add a dedicated policy scoped to that project with only the permissions needed to upsert a comment: issues: write + pull_requests: read, no contents access.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .../benchmarking-platform-reports.ci.sts.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/chainguard/benchmarking-platform-reports.ci.sts.yaml

diff --git a/.github/chainguard/benchmarking-platform-reports.ci.sts.yaml b/.github/chainguard/benchmarking-platform-reports.ci.sts.yaml
new file mode 100644
index 000000000..4459dc058
--- /dev/null
+++ b/.github/chainguard/benchmarking-platform-reports.ci.sts.yaml
@@ -0,0 +1,15 @@
+# Allow the benchmarking-platform GitLab CI to back-report results to PRs only.
+#
+# Scoped deliberately narrower than async-profiler-build.ci: the BP project lives
+# in a separate repository, so it is granted *only* the permissions needed to
+# upsert a result comment on a java-profiler PR — never contents: write.
+issuer: https://gitlab.ddbuild.io
+
+subject_pattern: "project_path:DataDog/apm-reliability/benchmarking-platform:ref_type:branch:ref:.*"
+
+permissions:
+  # issues: write covers creating/updating comments on a PR (the PR comment lives
+  # on the issues/comments endpoint); pull_requests: read is enough to resolve the
+  # open PR for a branch. No contents access is granted.
+  issues: write
+  pull_requests: read
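Review bot: The `subject_pattern` ends in `ref:.*`, so a job on any branch of the benchmarking-platform project — not only the pipeline's default or protected branches — can exchange its OIDC token for `issues: write` on this repository, which is broader than the least-privilege framing in the header comment suggests. If the reliability pipeline only reports from a known set of refs, narrow the suffix to those refs, e.g. `ref:main` or `ref:(main|release/.*)`; if arbitrary branch runs genuinely need to comment, a one-line comment above `subject_pattern` stating that trade-off would let the next reviewer verify the intent. It is also worth tightening the permissions comment: `issues: write` is the narrowest GitHub permission that covers issue/PR comments, but it still allows creating, editing, labelling and closing issues, so it is not limited to "creating/updating comments" as written — something like `# issues: write is the narrowest permission that covers PR comments, but it also allows issue create/edit/close` is more accurate.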