From 3fd923366db467626477dd7fc43f2da8d872f029 Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Wed, 24 Jan 2024 15:17:44 -0500
Subject: [PATCH] Have tf-apko utilize Octo STS (#227)
Signed-off-by: Matt Moore
---
 .github/chainguard/digestabot.sts.yaml | 9 +++++++++
 .github/workflows/digestabot.yaml | 19 ++++++++++++++-----
 2 files changed, 23 insertions(+), 5 deletions(-)
 create mode 100644 .github/chainguard/digestabot.sts.yaml
diff --git a/.github/chainguard/digestabot.sts.yaml b/.github/chainguard/digestabot.sts.yaml
new file mode 100644
index 0000000..aaba20a
--- /dev/null
+++ b/.github/chainguard/digestabot.sts.yaml
@@ -0,0 +1,9 @@
+issuer: https://token.actions.githubusercontent.com
+subject: repo:chainguard-dev/terraform-provider-apko:ref:refs/heads/main
+claim_pattern:
+ job_workflow_ref: chainguard-dev/terraform-provider-apko/.github/workflows/digestabot.yaml@refs/heads/main
+
+permissions:
+ contents: write
+ pull_requests: write
+ workflows: write
diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml
index 1346bb5..43d4dbc 100644
--- a/.github/workflows/digestabot.yaml
+++ b/.github/workflows/digestabot.yaml
@@ -9,12 +9,21 @@ jobs:
 image-update:
 name: Image digest update
 runs-on: ubuntu-latest
+ if: github.repository == 'chainguard-dev/terraform-provider-apko'
 permissions:
- id-token: write # Used for gitsign
+ contents: read # To clone the repo
+ id-token: write # To gitsign and federate
 steps:
- - uses: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: chainguard-dev/actions/digesta-bot@main
- with:
- token: ${{ secrets.DIGEST_BOT_CHAINGUARD_DEV_PAT }}
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - uses: chainguard-dev/actions/octo-sts@main
+ id: octo-sts
+ with:
+ scope: ${{ github.repository }}
+ identity: digestabot
+
+ - uses: chainguard-dev/actions/digesta-bot@main
+ with:
+ token: ${{ steps.octo-sts.outputs.token }}
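Review bot: `workflows: write` in the new trust policy's permissions block is the broadest of the three grants — it lets the federated token modify the repository's own workflow files, so anything that obtains the token can change CI itself. If digesta-bot needs it only because it bumps image digests referenced from `.github/workflows/`, a comment makes that intent auditable and keeps the grant from being widened or dropped blindly, e.g. `workflows: write # digesta-bot also bumps image digests pinned in .github/workflows/`. Also, if `claim_pattern` values are matched as regular expressions (as Octo STS trust policies do), the unescaped `.` in `job_workflow_ref` match any character; escaping them (`digestabot\.yaml`) keeps the match to the literal path, although the `subject` line already confines the token to this repository's main branch.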
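Review bot: The `chainguard-dev/actions/octo-sts@main` and `chainguard-dev/actions/digesta-bot@main` steps are the only ones referenced by a mutable branch, while the checkout step in the same hunk is pinned by commit; since the octo-sts step mints a token whose trust policy (first hunk) grants contents, pull_requests and workflows write on this repository, whatever lands on that branch runs with those grants. Pinning them follows the convention the checkout line already uses, e.g. `- uses: chainguard-dev/actions/octo-sts@<commit-sha> # <tag>` and `- uses: chainguard-dev/actions/digesta-bot@<commit-sha> # <tag>`. The removed `token: ${{ secrets.DIGEST_BOT_CHAINGUARD_DEV_PAT }}` line indicates the PAT is no longer used by this workflow; confirm it is revoked and removed from the repository secrets once this merges. The hunk's line counts suggest two context lines were lost in this listing, so the job body may continue past what is shown.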