ci: migrate GitHub release publishing to dd-octo-sts tokens (#3357)

PROFeNoM · web-flow · commit 4ba40d227fab · 2025-07-25T08:48:24.000+02:00
* ci: migrate GitHub release publishing from AWS SSM to dd-octo-sts

* chore(ci): add GitLab CI configuration for publishing releases with dd-octo-sts
diff --git a/.github/chainguard/gitlab-ci-publish-release.sts.yaml b/.github/chainguard/gitlab-ci-publish-release.sts.yaml
@@ -0,0 +1,6 @@
+issuer: https://gitlab.ddbuild.io
+
+subject_pattern: "project_path:DataDog/apm-reliability/dd-trace-php:ref_type:tag:ref:ddtrace-.*"
+
+permissions:
+  contents: write 
diff --git a/.gitlab/generate-package.php b/.gitlab/generate-package.php
@@ -85,6 +85,7 @@
   - notify
   - verify
   - shared-pipeline # OCI packaging
+  - pre-release
   - release
 
 variables:
@@ -1403,6 +1404,33 @@
     UPSTREAM_BRANCH: $CI_COMMIT_REF_NAME
     UPSTREAM_COMMIT_SHA: $CI_COMMIT_SHA
 
+"generate github token":
+  stage: pre-release
+  image: registry.ddbuild.io/images/dd-octo-sts-ci-base:2025.06-1
+  tags: [ "arch:amd64" ]
+  only:
+    refs:
+      - /^ddtrace-.*$/
+  id_tokens:
+    DDOCTOSTS_ID_TOKEN:
+      aud: dd-octo-sts
+  script:
+    - echo "Generating GitHub token for release..."
+    - dd-octo-sts debug --scope DataDog/dd-trace-php --policy gitlab-ci-publish-release
+    - dd-octo-sts token --scope DataDog/dd-trace-php --policy gitlab-ci-publish-release > github_token.txt
+    # Verify token works
+    - export GITHUB_TOKEN=$(cat github_token.txt)
+    - 'curl -f -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/DataDog/dd-trace-php | jq -r .name'
+    - echo "Token generated and verified successfully"
+  artifacts:
+    paths:
+      - github_token.txt
+    expire_in: 1 hour
+    when: on_success
+  variables:
+    # Prevent token from appearing in logs
+    GITHUB_TOKEN: "[MASKED]"
+
 "publish release to github":
   stage: release
   image: registry.ddbuild.io/images/mirror/php:8.2-cli
@@ -1411,6 +1439,8 @@
     refs:
       - /^ddtrace-.*$/
   needs:
+    - job: "generate github token"
+      artifacts: true
     - job: "datadog-setup.php"
       artifacts: true
     - job: "package extension windows"
@@ -1420,5 +1450,12 @@
       artifacts: true
 <?php endforeach; ?>
   script:
-    - if [ -z ${GITHUB_RELEASE_PAT} ]; then export GITHUB_RELEASE_PAT=$(aws ssm get-parameter --region us-east-1 --name ci.$CI_PROJECT_NAME.gh_token --with-decryption --query "Parameter.Value" --out text); fi
-    - php tooling/bin/create_release.php packages
+    - echo "Using pre-generated GitHub token for release..."
+    - export GITHUB_RELEASE_PAT=$(cat github_token.txt)
+    - php tooling/ci/create_release.php packages
+  after_script:
+    # Clean up token file (token will expire automatically in 1 hour)
+    - rm -f github_token.txt
+  variables:
+    # Prevent token from appearing in logs
+    GITHUB_RELEASE_PAT: "[MASKED]"
