From e95a1f0aa2680ef297698081a321f2f993309ce1 Mon Sep 17 00:00:00 2001
From: Carlos Panato <ctadeu@gmail.com>
Date: Thu, 11 Dec 2025 09:13:17 +0100
Subject: [PATCH] add sts policy for rt gh checker

---
 .../chainguard/github-rate-limit-checker.sts.yaml    | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .github/chainguard/github-rate-limit-checker.sts.yaml

diff --git a/.github/chainguard/github-rate-limit-checker.sts.yaml b/.github/chainguard/github-rate-limit-checker.sts.yaml
new file mode 100644
index 0000000..7a214a3
--- /dev/null
+++ b/.github/chainguard/github-rate-limit-checker.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://accounts.google.com
+
+# octo-sts/internal-tools: internal-tools-gh-rt-chk-wolfi@octo-sts.iam.gserviceaccount.com
+subject_pattern: "113689568553746125790"
+
+permissions:
+  contents: read
+
+# limit the scope to only the repositories that are needed
+# this service will just get the rate limit will not perform any actions in the repo
+repositories:
+  - .github