fix(ci): add missing octo-sts policy for license check #7664
Merged
The update-3rdparty-licenses workflow has been failing on every bot PR since the octo-sts step was introduced (4afd74a) because the corresponding chainguard policy was never created. Split the workflow into two jobs for privilege separation: the license check runs with read-only permissions, while the auto-commit job (id-token: write) only runs for bot PRs and never processes untrusted code.
Overall package size
Self size: 4.89 MB

Dependency sizes
| name | version | self size | total size |
|------|---------|-----------|------------|
| import-in-the-middle | 2.0.6 | 81.92 kB | 816.75 kB |
| dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe
Force-pushed 524a5e0 to 24a5ce2

✅ Tests 🎉 All green!
❄️ No new flaky tests detected
🔗 Commit SHA: 24a5ce2
BridgeAR approved these changes Mar 5, 2026
dd-octo-sts bot pushed a commit that referenced this pull request Mar 5, 2026
juan-fernandez pushed a commit that referenced this pull request Mar 5, 2026
crysmags pushed a commit that referenced this pull request Mar 6, 2026
What does this PR do?

Fixes the update-3rdparty-licenses CI workflow, which has been broken on every bot PR since commit 4afd74a (Feb 5) introduced an octo-sts step without the corresponding chainguard policy. Two changes:

- Adds the missing update-3rdparty-licenses octo-sts policy (.github/chainguard/update-3rdparty-licenses.sts.yaml) — restricts token minting to dependabot[bot] and dd-octo-sts[bot] actors, and pins to this specific workflow file.
- Splits the workflow into two jobs for privilege separation — the check-licenses job processes untrusted PR code with read-only permissions (contents: read), while the auto-commit-licenses job holds id-token: write but only runs for bot PRs and never executes third-party code. This follows the same pattern as dependabot-automation.yml (vendor-build/vendor-push).

Motivation

The update-3rdparty-licenses workflow was failing at the "Mint GitHub App token (octo-sts)" step with "Fetch failed after 4 attempts" because the policy file was never created. Human PRs were unaffected since the octo-sts step was skipped via an if condition.

Beyond just fixing the missing policy, the original single-job design granted id-token: write to the entire job — including steps that check out and process untrusted PR code (e.g., running dd-license-attribution on the PR's yarn.lock). Splitting into two jobs ensures the OIDC token is never available in the same job that handles untrusted input.

Additional Notes

- check-licenses job behavior is unchanged for human PRs: it still fails with instructions when LICENSE-3rdparty.csv is out of date.
- head_oid needed for the GraphQL commit mutation is passed as a job output from check-licenses, avoiding a checkout in the privileged job.
- expectedHeadOid field in the mutation protects against race conditions between the two jobs.