diff --git a/.github/chainguard/fulfilled-bot.sts.yaml b/.github/chainguard/fulfilled-bot.sts.yaml
new file mode 100644
index 0000000..da5a36f
--- /dev/null
+++ b/.github/chainguard/fulfilled-bot.sts.yaml
@@ -0,0 +1,13 @@
+# Copyright 2024 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+issuer: https://accounts.google.com
+# 107106855617134891633: bot-fulfilled@staging-enforce-cd1e.iam.gserviceaccount.com
+# TODO(philde): Grant access to the prod service account, when available.
+subject_pattern: "107106855617134891633"
+
+permissions:
+ issues: read
+ organization_projects: read
+
+repositories: [] # Act over all of the repos in the org.
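Review bot: `repositories: []` at the end of the new file scopes the issued token to every repository in the org, so the staging service account named in the comment can read issues in all of them, presumably including private ones. If the bot only needs a known set of repositories, list them explicitly, e.g. `repositories: [REPO_A, REPO_B]` (placeholder names), and revisit the scope when the prod account from the TODO is added. Separately, `subject_pattern` holds a literal numeric ID rather than a pattern; `subject: "107106855617134891633"` would state the exact-match intent directly and would not depend on how the consumer anchors the regex.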