From a0d08a930c334ba2efb7c1869c5dda685fb59286 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 13 Apr 2026 17:19:59 -0500
Subject: [PATCH] chore(sync-github): add new org scopes

Add octo-sts scopes to manage roles via IAC.
---
 .github/chainguard/sync-github.sts.yaml | 5 +++--
 .github/chainguard/verify-github.sts.yaml | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/chainguard/sync-github.sts.yaml b/.github/chainguard/sync-github.sts.yaml
index 5d4cb5b..8ee9c89 100644
--- a/.github/chainguard/sync-github.sts.yaml
+++ b/.github/chainguard/sync-github.sts.yaml
@@ -7,10 +7,11 @@ claim_pattern:
   job_workflow_ref: chainguard-dev/infra/.github/workflows/.terraform.yaml@.*
 permissions:
-  organization_administration: write # required to manage organization rulesets
   administration: write # required to manage the repository
   contents: write # required per terraform docs (https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository)
   members: write # to add/remove GitHub members
   metadata: read # to read metadata about the org
-
+  organization_administration: write # required to manage organization rulesets
+  organization_custom_org_roles: write # required for managing custom organization roles
+  organization_custom_roles: write # required for managing custom repository roles
 repositories: [] # Act over all of the repos in the org.
diff --git a/.github/chainguard/verify-github.sts.yaml b/.github/chainguard/verify-github.sts.yaml
index 94c8ff6..5fcb5f9 100644
--- a/.github/chainguard/verify-github.sts.yaml
+++ b/.github/chainguard/verify-github.sts.yaml
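Review bot: Adding `organization_custom_org_roles: write` and `organization_custom_roles: write` next to the existing `members: write` and `organization_administration: write` turns this identity into one that can define roles with admin-level permissions and hand them out, so the condition that mints it matters more than before: the context line `job_workflow_ref: chainguard-dev/infra/.github/workflows/.terraform.yaml@.*` accepts any ref of that workflow, including feature branches, unless the rest of `claim_pattern` (which starts above the hunk) narrows it. Consider pinning the ref for the apply identity, e.g. `job_workflow_ref: chainguard-dev/infra/.github/workflows/.terraform.yaml@refs/heads/main`, or leave a comment stating why any ref is acceptable here. The two new scope comments would also be more useful if they named the Terraform resource that needs each scope, so a future reviewer can drop the scope when that resource goes away.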
@@ -7,10 +7,11 @@ claim_pattern:
   job_workflow_ref: chainguard-dev/infra/.github/workflows/.terraform.yaml@.*
 permissions:
-  organization_administration: write # required to read organization rulesets
   administration: read # required to read the repository
   contents: write # required per terraform docs (https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository)
   members: read # to add/remove GitHub members
   metadata: read # to read metadata about the org
-
+  organization_administration: write # required to read organization rulesets
+  organization_custom_org_roles: read # required for reading custom organization roles
+  organization_custom_roles: read # required for reading custom repository roles
 repositories: [] # Act over all of the repos in the org.
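Review bot: `organization_administration: write # required to read organization rulesets` grants write on the verify policy while its own comment says it is only used to read, and every other scope in this file apart from the pre-existing `contents: write` is `read`; the commit only moves the line, so the mismatch is carried forward rather than resolved. If listing organization rulesets really works at read level — the GitHub org rulesets endpoints are, as far as I recall, documented as needing organization administration read, which is worth confirming against the provider's actual calls — change it to `organization_administration: read # required to read organization rulesets`; otherwise update the comment to name the write operation the verify workflow performs. The two new `read` scopes for custom roles are consistent with the rest of the file, and the `members: read # to add/remove GitHub members` context line nearby has the same comment/level mismatch if you are touching comments anyway.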