From 6bf789bcdb042dd45b32fbca799e96d2c31f8849 Mon Sep 17 00:00:00 2001 From: jack-edmonds-dd Date: Wed, 1 Apr 2026 14:52:39 -0400 Subject: [PATCH 1/2] Use dd-octo-sts. --- ...lf.github.pre-commit.pull-request.sts.yaml | 15 +++++++++++++ .github/workflows/reusable-pre-commit.yml | 20 ++++++++--------- .github/workflows/reusable-python-test.yml | 5 ----- .github/workflows/test.yml | 22 +++++++------------ 4 files changed, 32 insertions(+), 30 deletions(-) create mode 100644 .github/chainguard/self.github.pre-commit.pull-request.sts.yaml diff --git a/.github/chainguard/self.github.pre-commit.pull-request.sts.yaml b/.github/chainguard/self.github.pre-commit.pull-request.sts.yaml new file mode 100644 index 0000000000..996ba40741 --- /dev/null +++ b/.github/chainguard/self.github.pre-commit.pull-request.sts.yaml @@ -0,0 +1,15 @@ +# Policy for: .github/workflows/reusable-pre-commit.yml in DataDog/datadog-api-client-python +# Grants contents:write to push pre-commit fixes back to the PR branch. +# WARNING: contents:write is granted on pull_request events (non-protected ref). +# This is intentional to allow automated pre-commit fixes on PRs. +issuer: https://token.actions.githubusercontent.com +subject: repo:DataDog/datadog-api-client-python:pull_request + +claim_pattern: + event_name: pull_request + job_workflow_ref: DataDog/datadog-api-client-python/\.github/workflows/reusable-pre-commit\.yml@refs/pull/[0-9]+/merge + ref: refs/pull/[0-9]+/merge + repository: DataDog/datadog-api-client-python + +permissions: + contents: write diff --git a/.github/workflows/reusable-pre-commit.yml b/.github/workflows/reusable-pre-commit.yml index 77074daa4c..ad98978e6d 100644 --- a/.github/workflows/reusable-pre-commit.yml +++ b/.github/workflows/reusable-pre-commit.yml @@ -13,11 +13,6 @@ on: required: false type: boolean default: true - secrets: - PIPELINE_GITHUB_APP_ID: - required: false - PIPELINE_GITHUB_APP_PRIVATE_KEY: - required: false env: GIT_AUTHOR_EMAIL: "packages@datadoghq.com" 
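Review bot: The `claim_pattern` admits only `event_name: pull_request` on `refs/pull/[0-9]+/merge`, but the token step in reusable-pre-commit.yml (second hunk of that file) runs whenever `inputs.enable-commit-changes` is true, and test.yml calls that workflow with `enable-commit-changes: true` for `schedule` events as well as pull requests, so a scheduled run will be refused by the STS and the job will fail before checkout, where the App token previously worked. Either gate the step on the event, `if: inputs.enable-commit-changes && github.event_name == 'pull_request'`, or add a second policy whose subject and claims match the scheduled run (`event_name: schedule`, `ref: refs/heads/<default-branch>`, placeholder) if scheduled runs are meant to push fixes. The same mismatch applies to the pre-commit hunks in test.yml in both patches; it is not repeated there.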
@@ -26,20 +21,23 @@ env:
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
-      - name: Get GitHub App token
-        id: get_token
+      - name: Get dd-octo-sts token
+        id: octo-sts
         if: inputs.enable-commit-changes
-        uses: actions/create-github-app-token@v1
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a  # v1.0.4
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
+          scope: DataDog/datadog-api-client-python
+          policy: self.github.pre-commit.pull-request
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
           repository: DataDog/datadog-api-client-python
           ref: ${{ inputs.target-branch || github.event.pull_request.head.sha || github.ref }}
-          token: ${{ inputs.enable-commit-changes && steps.get_token.outputs.token || github.token }}
+          token: ${{ inputs.enable-commit-changes && steps.octo-sts.outputs.token || github.token }}
       - uses: actions/setup-python@v4
         with:
           python-version: '3.11'
diff --git a/.github/workflows/reusable-python-test.yml b/.github/workflows/reusable-python-test.yml
index 3297b2329c..b10ed6e46c 100644
--- a/.github/workflows/reusable-python-test.yml
+++ b/.github/workflows/reusable-python-test.yml
@@ -23,11 +23,6 @@ on:
         required: false
         type: string
         default: '[{"platform": "macos-latest", "python-version": "3.8"}, {"platform": "ubuntu-latest", "python-version": "3.8"}, {"platform": "ubuntu-22.04", "python-version": "3.12"}]'
-    secrets:
-      PIPELINE_GITHUB_APP_ID:
-        required: false
-      PIPELINE_GITHUB_APP_PRIVATE_KEY:
-        required: false
 
 jobs:
   test:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 68d6ee506f..92c0815094 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
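Review bot: The new `DataDog/dd-octo-sts-action` line is pinned to a full commit SHA with a version comment, but the adjacent `actions/checkout@v3` and `actions/setup-python@v4` context lines in the same job stay on mutable tags, and the checkout is the step that receives the minted contents:write token via `token:`. Pinning them the same way, e.g. `- uses: actions/checkout@<full-commit-sha>  # v3` (placeholder SHA to be taken from the release), keeps the supply-chain posture of the job consistent. The new `permissions:` block also deserves a line such as `# id-token: write is required for the dd-octo-sts token exchange below; contents: read keeps GITHUB_TOKEN read-only`, since the `token:` fallback to `github.token` on the checkout is what changes when the exchange is skipped. The pre-commit job continues past the end of the hunk.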
@@ -28,9 +28,6 @@ jobs: uses: ./.github/workflows/reusable-pre-commit.yml with: enable-commit-changes: true - secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} test: if: > @@ -43,9 +40,6 @@ jobs: python-versions: '["3.8", "3.12"]' platforms: '["ubuntu-22.04", "ubuntu-latest", "macos-latest"]' matrix-exclude: '[{"platform": "macos-latest", "python-version": "3.8"}, {"platform": "ubuntu-latest", "python-version": "3.8"}, {"platform": "ubuntu-22.04", "python-version": "3.12"}]' - secrets: - PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} examples: if: > @@ -60,23 +54,23 @@ jobs: report: runs-on: ubuntu-latest + permissions: + id-token: write if: always() && github.event_name == 'pull_request' && contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/') needs: - test - examples steps: - - name: Get GitHub App token - if: github.event_name == 'pull_request' - id: get_token - uses: actions/create-github-app-token@v1 + - name: Get dd-octo-sts token + id: octo-sts + uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4 with: - app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }} - private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }} - repositories: datadog-api-spec + scope: DataDog/datadog-api-spec + policy: datadog-api-client-python.github.post-status-check.pull-request - name: Post status check uses: DataDog/github-actions/post-status-check@v2 with: - github-token: ${{ steps.get_token.outputs.token }} + github-token: ${{ steps.octo-sts.outputs.token }} repo: datadog-api-spec status: ${{ (needs.test.result == 'cancelled' || needs.examples.result == 'cancelled') && 'pending' || (needs.test.result == 'success' && needs.examples.result == 'success') && 'success' || 'failure' }} context: master/unit 
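Review bot: The `report` job now requests policy `datadog-api-client-python.github.post-status-check.pull-request` in scope `DataDog/datadog-api-spec`, which is defined in that other repository and is not part of this patch, so the cross-repo half of the change cannot be verified here; the `Post status check` step will fail if the policy is missing or does not grant what `post-status-check` needs on datadog-api-spec (presumably `statuses: write`). A comment on the `policy:` line, `# defined in the DataDog/datadog-api-spec repository, not here`, would make the dependency discoverable. Dropping the step-level `if: github.event_name == 'pull_request'` is fine because the job-level `if:` already requires a pull request, and the job-level `permissions:` with only `id-token: write` leaves GITHUB_TOKEN without repository scopes, which matches the visible steps since none of them check out code.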
From d7921b0afacd1a4a7aad0848b18950f69c48a829 Mon Sep 17 00:00:00 2001
From: jack-edmonds-dd
Date: Thu, 2 Apr 2026 09:13:04 -0400
Subject: [PATCH 2/2] Grant id-token: write to pre-commit reusable workflow call

---
 .github/workflows/test.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 92c0815094..bfbebc1a61 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -26,6 +26,9 @@ jobs:
        !contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/')) ||
       github.event_name == 'schedule'
     uses: ./.github/workflows/reusable-pre-commit.yml
+    permissions:
+      id-token: write
+      contents: read
     with:
       enable-commit-changes: true
 
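Review bot: The new `permissions:` block on the `pre-commit` job has no explanation, and a reader of test.yml cannot tell why the caller must repeat a grant that reusable-pre-commit.yml already declares on its own job. A comment above it, `# a called workflow cannot exceed the caller's permissions; id-token: write is needed for the dd-octo-sts exchange in reusable-pre-commit.yml`, would record the dependency. The job's `if:` block begins before the hunk.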