From 41cfc6dc79a49614760f95bdbf79a9f7ebb4012a Mon Sep 17 00:00:00 2001
From: Jonathan Lange <jml@mumak.net>
Date: Tue, 12 May 2026 14:04:26 -0400
Subject: [PATCH] Add Octo STS policy for livegrep.chaindag.dev indexer

---
 .../chainguard/chaindag-livegrep-indexer.sts.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/chainguard/chaindag-livegrep-indexer.sts.yaml

diff --git a/.github/chainguard/chaindag-livegrep-indexer.sts.yaml b/.github/chainguard/chaindag-livegrep-indexer.sts.yaml
new file mode 100644
index 0000000..3244393
--- /dev/null
+++ b/.github/chainguard/chaindag-livegrep-indexer.sts.yaml
@@ -0,0 +1,15 @@
+# Copyright 2026 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# Octo STS policy for the livegrep.chaindag.dev indexer.
+# Service account: livegrep@chaindag.iam.gserviceaccount.com
+# Deployed by: env/chaindag.dev/iac/livegrep.tf in chainguard-dev/mono
+
+issuer: https://accounts.google.com
+subject: "106681300217655979572"
+
+permissions:
+  # Clone repository contents for code search indexing
+  contents: read
+  # Required baseline permission for all GitHub API access
+  metadata: read