From ba943fb4d3b5f181ec443ed7851ded48b6dafac1 Mon Sep 17 00:00:00 2001
From: Lewis
Date: Tue, 13 Jan 2026 10:04:52 -0500
Subject: [PATCH] Add DD Octo STS trust policy for serverless-init-ci GHCR publishing
---
 .../serverless-init-ci-publish.sts.yaml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/chainguard/serverless-init-ci-publish.sts.yaml
diff --git a/.github/chainguard/serverless-init-ci-publish.sts.yaml b/.github/chainguard/serverless-init-ci-publish.sts.yaml
new file mode 100644
index 000000000..64f6fe311
--- /dev/null
+++ b/.github/chainguard/serverless-init-ci-publish.sts.yaml
@@ -0,0 +1,27 @@
+# DD Octo STS Trust Policy for serverless-init-ci GitLab pipeline
+#
+# This policy allows the serverless-init-ci GitLab pipeline to publish
+# serverless-init images to GitHub Container Registry (GHCR).
+#
+# Reference: https://datadoghq.atlassian.net/wiki/spaces/SECENG/pages/5138645099
+# Pipeline: https://gitlab.ddbuild.io/DataDog/serverless-init-ci
+
+issuer: https://gitlab.ddbuild.io
+
+# Subject pattern matches the serverless-init-ci repo on main branch
+subject_pattern: "project_path:DataDog/serverless-init-ci:ref_type:branch:ref:main"
+
+# Restrict to protected main branch only (root of trust)
+claim_pattern:
+ project_path: "DataDog/serverless-init-ci"
+ ref: "main"
+ ref_type: "branch"
+ ref_path: "refs/heads/main"
+ ref_protected: "true"
+ pipeline_source: "push"
+ ci_config_ref_uri: "gitlab.ddbuild.io/DataDog/serverless-init-ci//.gitlab-ci.yml@refs/heads/main"
+
+# Minimal permissions: only write packages to GHCR
+permissions:
+ packages: write
+ metadata: read
\ No newline at end of file
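Review bot: The `subject_pattern` and `claim_pattern` values in this hunk contain unescaped `.` characters (most visibly in `ci_config_ref_uri`), and if Octo STS evaluates these fields as regular expressions, as its pattern fields are documented to be, each bare dot matches any single character rather than a literal period, so the policy accepts slightly more than the comment "Restrict to protected main branch only" states. Escaping them keeps the match literal, e.g. `ci_config_ref_uri: 'gitlab\.ddbuild\.io/DataDog/serverless-init-ci//\.gitlab-ci\.yml@refs/heads/main'`, using single quotes because a double-quoted YAML scalar rejects `\.` as an unknown escape. Because `issuer` already pins the token source and `ref_protected`, `ref_path` and `pipeline_source` are matched as well, the practical exposure looks small, but literal matching costs nothing in a root-of-trust file. Separately, the file ends without a trailing newline (`\ No newline at end of file`), which yamllint flags; add one.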