diff --git a/.github/workflows/reusable-pre-commit.yml b/.github/workflows/reusable-pre-commit.yml
index 0977ba73d32..e4543acdd37 100644
--- a/.github/workflows/reusable-pre-commit.yml
+++ b/.github/workflows/reusable-pre-commit.yml
@@ -13,11 +13,6 @@ on:
         required: false
         type: boolean
         default: true
-  secrets:
-    PIPELINE_GITHUB_APP_ID:
-      required: false
-    PIPELINE_GITHUB_APP_PRIVATE_KEY:
-      required: false
 
 env:
   GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
@@ -26,14 +21,17 @@ env:
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Get GitHub App token
         id: get_token
-        if: inputs.enable-commit-changes
-        uses: actions/create-github-app-token@v1
+        if: inputs.enable-commit-changes && github.event_name == 'pull_request'
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
+          scope: DataDog/datadog-api-client-java
+          policy: self.github.pre-commit.pull-requests
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 963431dedb1..84ddbea34dd 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -25,12 +25,12 @@ jobs:
         !contains(github.event.pull_request.labels.*.name, 'ci/skip') &&
         !contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/')) ||
         github.event_name == 'schedule'
+    permissions:
+      id-token: write
+      contents: read
     uses: ./.github/workflows/reusable-pre-commit.yml
     with:
       enable-commit-changes: true
-    secrets:
-      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
   javadoc:
     if: >
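Review bot: `actions/checkout@v3` on the line right after the new token step is still on a mutable tag while `DataDog/dd-octo-sts-action` is now pinned to a full commit SHA; since that checkout (its `with:` block runs past the hunk) is presumably the step that ends up using the minted token, it deserves the same treatment, e.g. `uses: actions/checkout@<full-sha> # v3.x`, with Dependabot/Renovate keeping the version comment honest. The new `if: inputs.enable-commit-changes && github.event_name == 'pull_request'` also means the step is skipped on every other event, so any later `steps.get_token.outputs.*` reference outside this hunk expands to an empty string instead of failing loudly; a comment on the step such as `# Token is minted only on pull_request; later steps must tolerate an empty output on other events` would make that explicit. As far as I recall GitHub does not issue OIDC tokens to `pull_request` runs from forks, so unless the caller already filters those out this step will fail there rather than be skipped.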
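Review bot: The job condition kept in context still fires on `github.event_name == 'schedule'` while `enable-commit-changes: true` is passed unconditionally, but the callee now mints a token only when the event is `pull_request`, so a scheduled run asks for commit changes without any credential to push them. Either drop `schedule` from this job's `if`, or pass `enable-commit-changes: ${{ github.event_name == 'pull_request' }}` so the input tracks the callee's new condition. The added `permissions` block is the right shape, since a reusable workflow can only use `id-token: write` if the calling job grants it, but a one-line comment `# id-token: write is required by the callee's dd-octo-sts step` would document the coupling for the next person who trims permissions here.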