From 3f999e6151583323302f6a9cd8508dde34279fec Mon Sep 17 00:00:00 2001 From: Clay McGinnis Date: Thu, 28 May 2026 13:20:15 -0700 Subject: [PATCH] feat: add ci-tools-discover trust policy The discover job in ci-tools' sync-templates workflow needs an org-scoped token to list wherobots repos and check each for the `.ci-tools.yml` marker file. octo-sts identities map 1:1 to policy filenames, so the existing sync-templates policy (per-repo write) can't double for this read-only discovery role. Same subject + job_workflow_ref pin as sync-templates.sts.yaml. Permissions reduced to metadata:read + contents:read. --- .github/chainguard/ci-tools-discover.sts.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/chainguard/ci-tools-discover.sts.yaml diff --git a/.github/chainguard/ci-tools-discover.sts.yaml b/.github/chainguard/ci-tools-discover.sts.yaml new file mode 100644 index 0000000..7a2dc5b --- /dev/null +++ b/.github/chainguard/ci-tools-discover.sts.yaml 
@@ -0,0 +1,27 @@ +# octo-sts trust policy for the ci-tools-discover identity. +# +# Used by the discover job in the ci-tools sync-templates workflow to list +# wherobots org repos and identify subscribers via the presence of a +# `.ci-tools.yml` marker file at each repo root. +# +# Org-scoped: minted with `scope: wherobots`. The minimal permissions +# (metadata + contents read) keep the token safe even though it can reach +# every repo in the org. The companion `sync-templates` policy carries the +# write permissions for the per-repo sync step. +# +# Source workflow: +# https://github.com/wherobots/ci-tools/blob/main/.github/workflows/sync-templates.yaml + +# Pin the subject to ci-tools' main branch. The job_workflow_ref claim below +# additionally pins the exact workflow file, so a second workflow added to +# ci-tools/main cannot mint these tokens. +issuer: https://token.actions.githubusercontent.com +subject: repo:wherobots/ci-tools:ref:refs/heads/main + +claim_pattern: + job_workflow_ref: ^wherobots/ci-tools/\.github/workflows/sync-templates\.yaml@refs/heads/main$ + +# Smallest token surface the discover job needs. +permissions: + metadata: read + contents: read
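Review bot: the header comment's claim that metadata + contents read "keep the token safe even though it can reach every repo in the org" understates what `contents: read` grants here: with an org-scoped token it is read access to the full contents of every repo the installation covers, not only the `.ci-tools.yml` marker at each root. Suggest rewording that comment to state the blast radius plainly and to record why the narrower per-repo `sync-templates` policy cannot be reused (the commit message explains the 1:1 identity-to-filename mapping, but the policy file does not), e.g. `# contents: read is required for the marker-file lookup on each repo; it also exposes all repo contents org-wide, so keep this identity bound to the discover job only.` Also worth a one-line note next to `claim_pattern` that renaming or moving `sync-templates.yaml` will silently stop token minting, since the regex pins the exact workflow path and ref.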