From e6174be0670d447a538f2e7ec3fd9a53760834ba Mon Sep 17 00:00:00 2001
From: Azimjon Ulmasov
Date: Thu, 19 Mar 2026 06:11:46 -0400
Subject: [PATCH] Add policy for the prod archived-repo-detector bot

Signed-off-by: Azimjon Ulmasov
---
.../chainguard/archived-repo-detector.sts.yaml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 .github/chainguard/archived-repo-detector.sts.yaml

diff --git a/.github/chainguard/archived-repo-detector.sts.yaml b/.github/chainguard/archived-repo-detector.sts.yaml
new file mode 100644
index 0000000..f85064d
--- /dev/null
+++ b/.github/chainguard/archived-repo-detector.sts.yaml
@@ -0,0 +1,16 @@
+# Copyright 2026 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+issuer: https://accounts.google.com
+
+# archived-repo-detector@prod-enforce-fabc.iam.gserviceaccount.com
+# subject is the numeric unique ID from Terraform output: archived_repo_detector_service_account
+subject: "REPLACE_WITH_SA_NUMERIC_ID"
+
+permissions:
+ contents: read # read chainguard-dev/stereo for discovery
+ issues: write # create issues in chainguard-dev/internal-dev
+
+repositories:
+ - stereo
+ - internal-dev
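Review bot: `subject: "REPLACE_WITH_SA_NUMERIC_ID"` is still a placeholder, so as committed this prod policy should match no Google-issued token; because `issuer: https://accounts.google.com` is shared by every Google identity, the subject is the only field here that binds the policy to the archived-repo-detector service account, and it should carry the real numeric ID from the Terraform output before this merges. The single `permissions` block appears to apply to every entry under `repositories`, so the token would get `issues: write` on stereo and `contents: read` on internal-dev as well, although the inline comments say each permission is needed on one repository only; two policies, one per repository, would keep the grant to what the comments describe. If the trust-policy format in use supports an audience constraint, pinning it would further narrow which Google ID tokens are accepted.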