octo-sts

octo-sts is Chainguard's open-source Security Token Service for GitHub: it lets a workflow exchange a short-lived OIDC token for a minimally-scoped, time-bounded GitHub credential, replacing long-lived Personal Access Tokens (PATs) and GitHub App private keys stored as repository secrets.

Shape

  1. The workflow's GitHub Actions runner obtains an OIDC token (GitHub acts as the IdP).
  2. The runner calls the octo-sts endpoint with the OIDC token and the requested scope.
  3. octo-sts validates the OIDC token's sub/workflow/repo claims against a policy bound to a GitHub App installation.
  4. octo-sts issues a scoped, short-lived GitHub token (read/write to specific repos, specific permissions only, ~1-hour max TTL).
  5. The workflow uses the token; it expires on its own.
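The policy check in steps 3 and 4 is the part a defender should understand, so here is an added example (not code from the octo-sts project) that models it: a constructed trust policy binds an issuer, a subject pattern, a permission ceiling and a repository allow-list to an installation; an OIDC claim set is checked against it; and only a request that fits inside the policy yields a token, capped at the policy's TTL. The policy field names, the claim values and the token format are constructed for illustration; a real STS also verifies the JWT signature against the IdP's JWKS and checks aud before this logic runs, which is assumed already done here.

```python
import re
import secrets
import time
from dataclasses import dataclass


# Constructed trust policy (hypothetical field names, modelled on the checks above).
@dataclass(frozen=True)
class TrustPolicy:
    issuer: str                    # exact match on the OIDC `iss` claim
    subject_pattern: str           # regex over the `sub` claim (repo + ref)
    allowed_permissions: dict      # ceiling, e.g. {"contents": "read"}
    allowed_repositories: frozenset
    max_ttl_seconds: int = 3600    # the ~1-hour cap from step 4


@dataclass(frozen=True)
class IssuedToken:
    value: str
    permissions: dict
    repositories: frozenset
    expires_at: float


PERMISSION_RANK = {"read": 1, "write": 2}


def validate_and_issue(claims, policy, requested_permissions, requested_repos,
                       requested_ttl, now):
    """Steps 3-4: check verified OIDC claims against the policy, then issue a
    token scoped no wider than the request and no wider than the policy."""
    # Step 3: bind the caller's identity to the policy.
    if claims.get("iss") != policy.issuer:
        raise PermissionError("issuer mismatch")
    if not re.fullmatch(policy.subject_pattern, claims.get("sub", "")):
        raise PermissionError("subject not trusted by policy")
    if claims.get("exp", 0) <= now:
        raise PermissionError("OIDC token expired")
    # Step 4: every requested permission must exist in the policy and be no
    # stronger than the policy's level; every repo must be on the allow-list.
    for perm, level in requested_permissions.items():
        ceiling = policy.allowed_permissions.get(perm)
        if ceiling is None or PERMISSION_RANK[level] > PERMISSION_RANK[ceiling]:
            raise PermissionError(f"permission {perm}:{level} exceeds policy")
    repos = frozenset(requested_repos)
    if not repos <= policy.allowed_repositories:
        raise PermissionError("repository outside policy")
    ttl = min(requested_ttl, policy.max_ttl_seconds)
    # Constructed token value; GitHub's real installation tokens look different.
    return IssuedToken(value="sts_" + secrets.token_hex(16),
                       permissions=dict(requested_permissions),
                       repositories=repos, expires_at=now + ttl)


def is_valid(token, now):
    """Step 5: the token carries its own expiry; nothing needs to revoke it."""
    return now < token.expires_at


# Constructed sample inputs.
SAMPLE_NOW = 1_700_000_000
SAMPLE_POLICY = TrustPolicy(
    issuer="https://token.actions.githubusercontent.com",
    subject_pattern=r"repo:example-org/example-repo:ref:refs/heads/(main|release-.*)",
    allowed_permissions={"contents": "read", "pull_requests": "write"},
    allowed_repositories=frozenset({"example-org/example-repo"}),
)
SAMPLE_CLAIMS = {   # shape follows GitHub's OIDC claims; values are constructed
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "exp": SAMPLE_NOW + 300,
}


def demo():
    # A request for contents:read with a 2-hour TTL is granted, capped at 1 hour.
    return validate_and_issue(SAMPLE_CLAIMS, SAMPLE_POLICY,
                              {"contents": "read"}, ["example-org/example-repo"],
                              requested_ttl=7200, now=SAMPLE_NOW)


def denied(claims, perms, repos):
    """Return the denial reason, or None if the request would be granted."""
    try:
        validate_and_issue(claims, SAMPLE_POLICY, perms, repos, 600, SAMPLE_NOW)
    except PermissionError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    tok = demo()
    print("granted", tok.permissions, "until", tok.expires_at - SAMPLE_NOW, "s")
    print(denied(SAMPLE_CLAIMS, {"contents": "write"}, ["example-org/example-repo"]))
    print(denied({**SAMPLE_CLAIMS, "sub": "repo:other-org/x:ref:refs/heads/main"},
                 {"contents": "read"}, ["example-org/example-repo"]))
```

The denial cases are the ones worth watching in logs: a subject from a repo or branch the policy does not name, a permission escalation above the ceiling, or a repository outside the allow-list should each be rejected and recorded before any token is minted.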

Why it matters

GitHub PATs and GitHub App private keys are long-lived secrets stored in repo/org secrets. A leaked one is usable by whoever holds it, for as long as it lives, across everything it can reach. octo-sts turns that model into per-workflow, minimally-scoped, auto-rotated tokens driven by OIDC identity federation, the same pattern AWS uses for sts.AssumeRoleWithWebIdentity.

Datadog operates a fork, dd-octo-sts-action, customised for internal workflow needs.
