DataDog · sarahchen6 · Aug 14, 2025 · Aug 14, 2025 · Aug 14, 2025 · Aug 14, 2025
@@ -7,8 +7,15 @@ jobs:
   update-releases:
     permissions:
       contents: write # Required to commit and push changes to the repository
+      id-token: write # Required for OIDC token federation
     runs-on: ubuntu-latest
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.add-release-to-cloudfoundry
+
       - name: Checkout "cloudfoundry" branch
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
         with:
@@ -42,11 +49,22 @@ jobs:
       - name: Append release to Cloud Foundry repository
         run: |
           echo "${{ steps.get-release-version.outputs.VERSION }}: ${{ steps.get-release-url.outputs.URL }}" >> index.yml
-      - name: Commit and push changes
-        uses: planetscale/ghcommit-action@322be9669498a4be9ce66efc1169f8f43f6bd883 # v0.2.17
-        with:
-          commit_message: "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry"
-          repo: ${{ github.repository }}
-          branch: cloudfoundry
+      - name: Configure git
+        id: configure-git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      - name: Commit changes
+        id: create-commit
+        run: |
+          git commit -a -m "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry"
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
         env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
+      - name: Push changes
+        uses: Asana/push-signed-commits@d615ca88d8e1a946734c24970d1e7a6c56f34897
+        if: ${{ steps.create-commit.outputs.commit != '' }}
+        with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
+          local_branch_name: cloudfoundry
+          remote_branch_name: cloudfoundry
@@ -15,7 +15,7 @@ jobs:
   update-docker-build-image:
     runs-on: ubuntu-latest
     permissions:
-      contents: write # Required to create and push branch
+      contents: read
       id-token: write # Required for OIDC token federation
     steps:
       - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
@@ -58,11 +58,12 @@ jobs:
           else
             echo "commit_changes=true" >> "$GITHUB_OUTPUT"
           fi
-      - name: Download ghcommit CLI
+      - name: Configure git
         if: steps.check-changes.outputs.commit_changes == 'true'
+        id: configure-git
         run: |
-          curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L
-          chmod +x /usr/local/bin/ghcommit
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
       - name: Pick a branch name
         if: steps.check-changes.outputs.commit_changes == 'true'
         id: define-branch
@@ -72,16 +73,25 @@ jobs:
         run: |
           git checkout -b ${{ steps.define-branch.outputs.branch }}
           git push -u origin ${{ steps.define-branch.outputs.branch }} --force
-      - name: Commit and push changes
-        if: steps.check-changes.outputs.commit_changes == 'true'
         env:
           GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
+      - name: Commit changes
+        if: steps.check-changes.outputs.commit_changes == 'true'
+        id: create-commit
         run: |
-          ghcommit --repository ${{ github.repository }} --branch ${{ steps.define-branch.outputs.branch }} --add .gitlab-ci.yml --message "feat(ci): Update Docker build image"
+          git commit --message "feat(ci): Update Docker build image" .gitlab-ci.yml
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
+      - name: Push changes
+        uses: Asana/push-signed-commits@d615ca88d8e1a946734c24970d1e7a6c56f34897
+        if: ${{ steps.create-commit.outputs.commit != '' }}
+        with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
+          local_branch_name: ${{ steps.define-branch.outputs.branch }}
+          remote_branch_name: ${{ steps.define-branch.outputs.branch }}
       - name: Create pull request
         if: steps.check-changes.outputs.commit_changes == 'true'
-        env:
-          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
           gh pr create --title "Update Docker build image" \
             --base master \
@@ -90,3 +100,5 @@ jobs:
             --label "type: enhancement" \
             --label "tag: no release notes" \
             --body "This PR updates the Docker build image to ${{ steps.define-tag.outputs.tag }}."
+        env:
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Update Gradle dependencies
     permissions:
-      contents: write # Required to create new branch
+      contents: read
       id-token: write # Required for OIDC token federation
     steps:
       - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
@@ -22,16 +22,20 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
         with:
           submodules: "recursive"
-      - name: Download ghcommit CLI
+      - name: Configure git
+        id: configure-git
         run: |
-          curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L
-          chmod +x /usr/local/bin/ghcommit
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
       - name: Pick a branch name
-        run: echo "BRANCH_NAME=ci/update-gradle-dependencies-$(date +'%Y%m%d')" >> $GITHUB_ENV
+        id: define-branch
+        run: echo "branch=ci/update-gradle-dependencies-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
       - name: Create branch
         run: |
-          git checkout -b $BRANCH_NAME
-          git push -u origin $BRANCH_NAME --force
+          git checkout -b ${{ steps.define-branch.outputs.branch }} --force
+          git push -u origin ${{ steps.define-branch.outputs.branch }} --force
+        env:
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
       - name: Update Gradle dependencies
         run: |
           GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx3G -Xms2G'" \
@@ -42,46 +46,29 @@ jobs:
           JAVA_21_HOME=$JAVA_HOME_21_X64 \
           ./gradlew resolveAndLockAll --write-locks --parallel --stacktrace --no-daemon --max-workers=4
       - name: Commit changes
+        id: create-commit
+        run: |
+          git add .
+          git commit --message "chore: Update Gradle dependencies"
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
         env:
           GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
-        run: |
-          GH_ADD_ARGS=""
-          COUNT=0
-          BRANCH_HEAD=$(git rev-parse HEAD)
-          for lockfile in $(git status --porcelain=v1 | awk '{ print $NF }'); do
-            echo "Found lockfile: $lockfile"
-            GH_ADD_ARGS="$GH_ADD_ARGS --add $lockfile"
-            COUNT=$((COUNT+1))
-            if [ $COUNT -eq 10 ]; then
-              echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with $GH_ADD_ARGS"
-              OUTPUT=$(ghcommit --repository ${{ github.repository }} --branch $BRANCH_NAME --sha $BRANCH_HEAD $GH_ADD_ARGS --message "chore: Update Gradle dependencies" 2>&1)
-              echo $OUTPUT
-              if [[ $OUTPUT != *"Success. New commit"* ]]; then
-                exit 1
-              fi
-              BRANCH_HEAD=${OUTPUT##*/}
-              echo "ghcommit output: $OUTPUT"
-              GH_ADD_ARGS=""
-              COUNT=0
-            fi
-          done
-          # Check at uncommited files
-          echo "Checking uncommited files"
-          git status
-          # Create a PR from the created branch
-          if [ $COUNT -gt 0 ]; then
-            echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with $GH_ADD_ARGS"
-            ghcommit --repository ${{ github.repository }} --branch $BRANCH_NAME --sha $BRANCH_HEAD $GH_ADD_ARGS --message "chore: Update Gradle dependencies"
-          fi
+      - name: Push changes
+        uses: Asana/push-signed-commits@d615ca88d8e1a946734c24970d1e7a6c56f34897
+        if: ${{ steps.create-commit.outputs.commit != '' }}
+        with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
+          local_branch_name: ${{ steps.define-branch.outputs.branch }}
+          remote_branch_name: ${{ steps.define-branch.outputs.branch }}
       - name: Create pull request
-        env:
-          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
           # use echo to set a multiline body for the PR
-          echo -e "This PR updates the Gradle dependencies. ⚠️ Don't forget to squash commits before merging. ⚠️\n\n- [ ] Update PR title if a code change is needed to support one of those new dependencies" | \
+          echo -e "This PR updates the Gradle dependencies. ⚠️\n\n- [ ] Update PR title if a code change is needed to support one of those new dependencies" | \
             gh pr create --title "Update Gradle dependencies" \
             --base master \
-            --head $BRANCH_NAME \
+            --head ${{ steps.define-branch.outputs.branch }} \
             --label "tag: dependencies" \
             --label "tag: no release notes" \
             --body-file -
+        env:
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
@@ -9,7 +9,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
-      contents: write # Required to create and push branch
+      contents: read
       id-token: write # Required for OIDC token federation
     steps:
       - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
@@ -20,7 +20,6 @@ jobs:
 
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
-
       - name: Update Submodule
         run: |
           git submodule update --remote -- dd-java-agent/agent-jmxfetch/integrations-core
@@ -34,6 +33,12 @@ jobs:
           else
             echo "commit_changes=true" >> "$GITHUB_OUTPUT"
           fi
+      - name: Configure git
+        if: steps.check-changes.outputs.commit_changes == 'true'
+        id: configure-git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
       - name: Pick a branch name
         if: steps.check-changes.outputs.commit_changes == 'true'
         id: define-branch
@@ -43,20 +48,25 @@ jobs:
         run: |
           git checkout -b ${{ steps.define-branch.outputs.branch }}
           git push -u origin ${{ steps.define-branch.outputs.branch }} --force
-      - name: Commit and push changes
-        if: steps.check-changes.outputs.commit_changes == 'true'
         env:
           GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
+      - name: Commit changes
+        if: steps.check-changes.outputs.commit_changes == 'true'
+        id: create-commit
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add dd-java-agent/agent-jmxfetch/integrations-core
-          git commit -m "Update agent-jmxfetch submodule"
-          git push origin ${{ steps.define-branch.outputs.branch }}
+          git commit --message "feat(ci): Update agent-jmxfetch submodule" dd-java-agent/agent-jmxfetch/integrations-core
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
+      - name: Push changes
+        uses: Asana/push-signed-commits@d615ca88d8e1a946734c24970d1e7a6c56f34897
+        if: ${{ steps.create-commit.outputs.commit != '' }}
+        with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
+          local_branch_name: ${{ steps.define-branch.outputs.branch }}
+          remote_branch_name: ${{ steps.define-branch.outputs.branch }}
       - name: Create pull request
         if: steps.check-changes.outputs.commit_changes == 'true'
-        env:
-          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
           gh pr create --title "Update agent-jmxfetch submodule" \
             --base master \
@@ -65,3 +75,5 @@ jobs:
             --label "type: enhancement" \
             --label "tag: no release notes" \
             --body "This PR updates the agent-jmxfetch submodule."
+        env:
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}