dd-octo-sts-action
dd-octo-sts-action is Datadog's adaptation of Chainguard's octo-sts for internal use as a GitHub Actions action. It allows Datadog's workflows to "dynamically generate minimally scoped, short-lived GitHub credentials at runtime through Open ID Connect (OIDC) identity federation to deprecate long-lived and overscoped GitHub Personal Access Tokens (PATs) and GitHub Apps in workflows" (source).
Datadog's 2026-03-09 hackerbot-claw retrospective lists it as one of several SDLC-security initiatives, alongside identifying and removing unused GitHub Actions secrets at scale and enforcing branch protection and mandatory commit signing across thousands of repositories.
Shape
Matches upstream systems/octo-sts:
- Job acquires a GitHub OIDC token (GitHub acts as IdP).
- Action exchanges the OIDC token for a scoped, short-lived GitHub token.
- Step uses the token; it expires without needing rotation.
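To make the three steps above concrete, here is an added, self-contained model of the exchange (not Datadog's or Chainguard's code): an in-process stand-in for the IdP mints an OIDC token, and a stand-in for the STS verifies it and issues a scoped, short-lived credential only when a trust policy in the target repository allows that subject. The token format (HS256 instead of GitHub's RS256/JWKS), the policy layout, the audience value, the repository names and the one-hour lifetime are all constructed for the illustration.

```python
"""
Added illustration of the OIDC -> scoped GitHub token exchange that octo-sts
performs. Both parties run in this one process; nothing here talks to GitHub.
"""
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed shared secret standing in for the IdP's signing key. Real GitHub
# OIDC tokens are RS256-signed and verified against GitHub's published JWKS.
IDP_KEY = b"constructed-idp-key-not-real"
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
STS_AUDIENCE = "example-sts"  # constructed audience the STS expects in `aud`
TOKEN_TTL_SECONDS = 3600      # constructed lifetime of the issued credential


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_oidc_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Step 1 (IdP side): sign the job's claims into a compact JWS."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_oidc_token(token: str, key: bytes = IDP_KEY, now=None) -> dict:
    """STS side: signature, issuer, audience and expiry are checked before
    any claim is trusted for authorization."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != GITHUB_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != STS_AUDIENCE:
        raise ValueError("token not minted for this STS")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Constructed trust policies, keyed by (target repository, identity). In the
# real system the target repository owns the policy; here the key models that
# ownership. Only tag builds of example-org/widgets may write its contents.
POLICIES = {
    ("example-org/widgets", "release-publisher"): {
        "issuer": GITHUB_ISSUER,
        "subject_pattern": r"^repo:example-org/widgets:ref:refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$",
        "permissions": {"contents": "write"},
    },
}


def exchange(oidc_token: str, scope: str, identity: str, now=None) -> dict:
    """Step 2: trade a verified OIDC token for a minimally scoped credential."""
    claims = verify_oidc_token(oidc_token, now=now)
    policy = POLICIES.get((scope, identity))
    if policy is None:
        raise PermissionError("no trust policy for that scope/identity")
    if claims["iss"] != policy["issuer"]:
        raise PermissionError("issuer not trusted by policy")
    if not re.match(policy["subject_pattern"], claims.get("sub", "")):
        raise PermissionError(f"subject {claims.get('sub')!r} not allowed")
    now = time.time() if now is None else now
    return {
        "token": "ghs_constructed_" + hashlib.sha256(oidc_token.encode()).hexdigest()[:16],
        "repository": scope,
        "permissions": dict(policy["permissions"]),   # only what the policy grants
        "expires_at": now + TOKEN_TTL_SECONDS,        # step 3: expires, no rotation
    }


def demo(now=1_700_000_000):
    """Happy path (tag build) and the case a policy must reject (branch build)."""
    base = {"iss": GITHUB_ISSUER, "aud": STS_AUDIENCE,
            "repository": "example-org/widgets", "exp": now + 300}
    tag_tok = mint_oidc_token({**base, "sub": "repo:example-org/widgets:ref:refs/tags/v1.2.3"})
    branch_tok = mint_oidc_token({**base, "sub": "repo:example-org/widgets:ref:refs/heads/feature"})
    granted = exchange(tag_tok, "example-org/widgets", "release-publisher", now)
    try:
        exchange(branch_tok, "example-org/widgets", "release-publisher", now)
        denied = False
    except PermissionError:
        denied = True
    return granted, denied
```

The point to take from the model is where the scoping comes from: the job never chooses its own permissions; the policy owned by the target repository binds a verified subject (repo plus ref) to a fixed permission set, and the credential carries an expiry instead of relying on anyone to revoke or rotate it.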
Why Datadog forked
The 2026-03-09 post names the action but does not disclose the specific adaptations. Likely drivers: Datadog-specific policy bindings, internal deployment pipelines, or telemetry integration (BewAIre + Cloud SIEM) requirements.
Seen in
- sources/2026-03-09-datadog-when-an-ai-agent-came-knocking — cited as the concrete Datadog deployment of the patterns/short-lived-oidc-credentials-in-ci pattern.
Related
- systems/octo-sts — upstream project.
- systems/github-actions — the substrate.
- concepts/oidc-identity-federation — underlying mechanism.
- patterns/short-lived-oidc-credentials-in-ci — the pattern.
- companies/datadog — operator.