diff --git a/.github/chainguard/digestabot.sts.yaml b/.github/chainguard/digestabot.sts.yaml
new file mode 100644
index 00000000000..b6240a2148c
--- /dev/null
+++ b/.github/chainguard/digestabot.sts.yaml
@@ -0,0 +1,9 @@
+issuer: https://token.actions.githubusercontent.com
+subject: repo:wolfi-dev/os:ref:refs/heads/main
+claim_pattern:
+ job_workflow_ref: wolfi-dev/os/.github/workflows/digestabot.yaml@refs/heads/main
+
+permissions:
+ contents: write
+ pull_requests: write
+ workflows: write
diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml
index 8c7d364f30e..bbf4e2bda34 100644
--- a/.github/workflows/digestabot.yaml
+++ b/.github/workflows/digestabot.yaml
@@ -12,11 +12,18 @@ jobs:
 if: github.repository == 'wolfi-dev/os'
 permissions:
- contents: read
- id-token: write
+ contents: read # To clone the repo
+ id-token: write # To gitsign and federate
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - uses: chainguard-dev/actions/octo-sts@main
+ id: octo-sts
+ with:
+ scope: ${{ github.repository }}
+ identity: digestabot
+
 - uses: chainguard-dev/actions/digesta-bot@main
 with:
- token: ${{ secrets.DIGEST_BOT_WOLFI_PAT }}
+ token: ${{ steps.octo-sts.outputs.token }}
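Review bot: The new trust policy grants `workflows: write` next to `contents: write` and `pull_requests: write`, and nothing in the file records why a digest-bump bot needs to modify workflow files; if the bumps only touch package/image manifests that permission can be dropped, and if they do reach into `.github/workflows` (pinned image digests there, presumably) a per-permission comment such as `workflows: write # digest bumps may rewrite image references under .github/workflows` would keep the next reviewer from widening or narrowing it blindly, mirroring the comments the workflow hunk adds to its own `permissions` block. As I read the octo-sts policy format, `claim_pattern` values are matched as regular expressions, so the unescaped dots in the `job_workflow_ref` pattern match any character; that is harmless here because the exact `subject` match already restricts the requester to this repository's `main` branch, but escaping them (`digestabot\.yaml`) or anchoring the pattern documents the intent. Keeping `subject` as an exact match rather than a pattern is the right choice for a policy that hands out write scopes.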
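Review bot: The new `chainguard-dev/actions/octo-sts@main` step, the one that mints the write-capable token, is pinned to a mutable branch while `actions/checkout` in the same hunk was moved to a full commit SHA; anyone who can change that branch would receive a `contents`/`pull_requests`/`workflows` write token for this repository on the next scheduled run. Pin it the same way, `- uses: chainguard-dev/actions/octo-sts@<commit-sha> # <version>`, and the unchanged `digesta-bot@main` line below it deserves the same treatment. Separately, this hunk removes the last use of `secrets.DIGEST_BOT_WOLFI_PAT`, but the secret stays configured in the repository and the underlying PAT remains valid until someone revokes it, so the PR description should call out revoking and deleting it after merge rather than leaving an unused long-lived credential behind. The enclosing job (its name, `runs-on`, and the workflow's trigger) begins before this hunk.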