From fc182007b507c7204dc66d2a08032148a15ab656 Mon Sep 17 00:00:00 2001
From: jack-edmonds-dd
Date: Wed, 20 May 2026 12:42:26 -0400
Subject: [PATCH] fix(ci): correct release-tag trust policy claims
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For `pull_request: closed` events, GitHub OIDC uses the base-branch context, so the actual claims are `ref: refs/heads/main` and `job_workflow_ref: ...@refs/heads/main` — not `refs/pull/N/merge` as the initial policy assumed. Also tighten via `head_ref` regex and `base_ref` for defense in depth.
Co-Authored-By: Claude Opus 4.7
---
 .github/chainguard/release-tag.sts.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/chainguard/release-tag.sts.yaml b/.github/chainguard/release-tag.sts.yaml
index 3cfc7b5..cc88fcf 100644
--- a/.github/chainguard/release-tag.sts.yaml
+++ b/.github/chainguard/release-tag.sts.yaml
@@ -3,9 +3,11 @@ issuer: https://token.actions.githubusercontent.com
 subject: repo:DataDog/pup:pull_request
 claim_pattern:
+ base_ref: main
 event_name: pull_request
- job_workflow_ref: DataDog/pup/\.github/workflows/release-tag\.yml@refs/pull/[0-9]+/merge
- ref: refs/pull/[0-9]+/merge
+ head_ref: release/v[0-9]+\.[0-9]+\.[0-9]+
+ job_workflow_ref: DataDog/pup/\.github/workflows/release-tag\.yml@refs/heads/main
+ ref: refs/heads/main
 repository: DataDog/pup
 permissions: