diff --git a/.github/chainguard/audit-gh-automation.sts.yaml b/.github/chainguard/audit-gh-automation.sts.yaml
new file mode 100644
index 0000000..052810f
--- /dev/null
+++ b/.github/chainguard/audit-gh-automation.sts.yaml
@@ -0,0 +1,13 @@
+# Copyright 2025 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+issuer: https://token.actions.githubusercontent.com
+subject: repo:chainguard-dev/infra:ref:refs/heads/main
+claim_pattern:
+ job_workflow_ref: chainguard-dev/infra/.github/workflows/audit-gh-automation.yaml@refs/heads/main
+
+permissions:
+ members: read # to read GitHub members
+ metadata: read # to read metadata about the org
+
+repositories: [] # Act over all of the repos in the org.
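Review bot: The `job_workflow_ref` value under `claim_pattern` contains unescaped dots; if these values are matched as regular expressions, as the `_pattern` name suggests, each `.` accepts any character and the match is looser than the literal workflow path it is meant to pin. Escaping them keeps the trust policy exact: `job_workflow_ref: chainguard-dev/infra/\.github/workflows/audit-gh-automation\.yaml@refs/heads/main`. The exact `subject` match already restricts callers to the main branch of chainguard-dev/infra, so this is hardening rather than an open gap. Because `repositories: []` extends the token to every repo in the org, a short comment on why the audit needs org-wide scope would help later reviewers confirm that the grant stays limited to the two read permissions.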