https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/tags/octo-sts/Recent content in Octo-Sts onHugo -- gohugo.ioenCopyright (c) 2023 ChainguardTue, 23 Dec 2025 15:04:05 +0100https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/octo-sts/overview/Tue, 23 Dec 2025 15:04:05 +0100https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/octo-sts/overview/<p>Octo STS is a GitHub App developed by Chainguard that acts as a Security Token Service (STS) for the GitHub API. It enables workloads running anywhere that can produce OIDC tokens to federate with GitHub, exchanging those tokens for short-lived GitHub access tokens. The primary goal is to eliminate the need for GitHub Personal Access Tokens (PATs), which are long-lived credentials that pose significant security risks.</p> <h2 id="why-octo-sts-matters" class="heading-2" data-heading-level="2"> <span class="heading-text">Why Octo STS Matters</span> <a href="#why-octo-sts-matters" class="anchor" aria-label="Link to Why Octo STS Matters" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><p>Long-lived access tokens are a common target in security incidents. When attackers gain access to a PAT, they can exploit it to access repositories, make changes, and pivot to other resources. These tokens often have broad permissions and no expiration date, making them particularly dangerous if compromised.</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/octo-sts/faq/Mon, 22 Dec 2025 15:04:05 +0100https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/octo-sts/faq/<p>This page answers frequently asked questions about Octo STS, including setup, security, troubleshooting, and common use cases.</p> <h2 id="general-questions" class="heading-2" data-heading-level="2"> <span class="heading-text">General Questions</span> <a href="#general-questions" class="anchor" aria-label="Link to General Questions" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><h3 id="what-is-octo-sts" class="heading-3" data-heading-level="3"> <span class="heading-text">What is Octo STS?</span> <a href="#what-is-octo-sts" class="anchor" aria-label="Link to What is Octo STS?" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h3><p>Octo STS is a GitHub App developed by Chainguard that acts as a Security Token Service for GitHub. It allows workloads with OIDC tokens from various identity providers (GitHub Actions, cloud providers, Kubernetes, etc.) to exchange those tokens for short-lived GitHub access tokens. The primary goal is to eliminate the need for long-lived Personal Access Tokens (PATs).</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/octo-sts/updating-container-images-with-renovate/Tue, 23 Dec 2025 09:30:00 +0100https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/octo-sts/updating-container-images-with-renovate/<p>In this video, Developer Relations Engineer Adrian Mouat shows you how you can update container images using Renovate with Octo STS, eliminating the need for GitHub Personal Access Tokens.</p> <h2 id="video" class="heading-2" data-heading-level="2"> <span class="heading-text">Video</span> <a href="#video" class="anchor" aria-label="Link to Video" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/I0hWRMtdUyI?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe> </div> <h2 id="what-youll-learn" class="heading-2" data-heading-level="2"> <span class="heading-text">What You&rsquo;ll Learn</span> <a href="#what-youll-learn" class="anchor" aria-label="Link to What You&rsquo;ll Learn" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><ul> <li>How to set up Renovate as a GitHub Action</li> <li>Using Octo STS to eliminate Personal Access Tokens</li> <li>Configuring trust policies for automated workflows</li> <li>Setting up assumable identities for private registries</li> <li>Automating container image and GitHub Actions updates</li> </ul> <h2 id="transcript" class="heading-2" data-heading-level="2"> <span class="heading-text">Transcript</span> <a href="#transcript" class="anchor" aria-label="Link to Transcript" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><p>In this video, I&rsquo;m going to show you how you can use Renovate to update container images and GitHub actions. At Chainguard, we do talk a lot about the need to keep software up to date. And in my opinion, it&rsquo;s essential you do that for both security and maintainability. So, if you stay on an old version of a package for too long, there&rsquo;s a strong chance that you&rsquo;ll be bitten by an unpatched vulnerability. But also, the longer you stay on an old version, the harder updating becomes. So, it&rsquo;s much better to do frequent small updates than it is to occasionally be forced into having to do major breaking updates.</p>