feat: minty configuration file for this repository (#134)

Conversion of:
https://github.com/abcxyz/abcxyz-services/blob/main/github-token-minter/deployments/configs/abcxyz/secure-setup-terraform.yaml

Author: bradegler

.github/minty.yaml

@@ -0,0 +1,31 @@
+version: 'minty.abcxyz.dev/v2'
+
+rule:
+  if: |-
+    assertion.iss == 'https://token.actions.githubusercontent.com' &&
+    assertion.organization_id == '93787867' &&
+    assertion.repository_id == '560465650' &&
+    assertion.ref == 'refs/heads/main'
+
+scope:
+  update-checksums:
+    rule:
+      if: |-
+        assertion.workflow_ref.startsWith("abcxyz/secure-setup-terraform/.github/workflows/update-checksums.yml") &&
+        (assertion.event_name == 'schedule' || assertion.event_name == 'workflow_dispatch')
+    repositories:
+      - 'secure-setup-terraform'
+    permissions:
+      pull_requests: 'write'
+      contents: 'write'
+
+  create-release:
+    rule:
+      if: |-
+        assertion.workflow_ref.startsWith("abcxyz/secure-setup-terraform/.github/workflows/create-release.yml") &&
+        assertion.event_name == 'push'
+    repositories:
+      - 'secure-setup-terraform'
+    permissions:
+      contents: 'write'
+

.github/workflows/create-release.yml

@@ -60,6 +60,7 @@ jobs:
           service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
           requested_permissions: |-
             {
+              "scope": "create-release",
               "repositories": ["${{ github.event.repository.name }}"],
               "permissions": {
                 "contents": "write"

.github/workflows/update-checksums.yml

@@ -48,6 +48,7 @@ jobs:
           service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
           requested_permissions: |-
             {
+              "scope": "update-checksums",
               "repositories": ["secure-setup-terraform"],
               "permissions": {
                 "pull_requests": "write",