fix: release tag push and pin actions by SHA#65

Merged
szegedi merged 1 commit into
mainfrom
fix/release-tag-push
Jun 15, 2026
Conversation

@szegedi

@szegedi szegedi commented Jun 12, 2026

Contributor

The release workflow's tag push was rejected by the tag ruleset because actions/checkout persisted GITHUB_TOKEN credentials, which took precedence over the dd-octo-sts token in the explicit push URL.

Changes

  • Add DataDog/dd-octo-sts-action step to obtain a token with tag-push permission
  • Add .github/chainguard/self.github.release.push-tags.sts.yaml policy file
  • Set persist-credentials: false on checkout so the GITHUB_TOKEN doesn't shadow the octo-sts token
  • Downgrade contents permission from write to read
  • Fix deprecated ::set-output syntax to use $GITHUB_OUTPUT

Mirrors the fix applied in DataDog/pprof-nodejs@1417470
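As an added illustration (not the PR's own diff, which this page does not show), here is a minimal release workflow and trust policy in the shape the description implies: a checkout with `persist-credentials: false`, a job-level `contents: read`, a `DataDog/dd-octo-sts-action` step, a tag push that carries the STS token in the push URL, and the `$GITHUB_OUTPUT` replacement for `::set-output`. Only the action name, the policy path `.github/chainguard/self.github.release.push-tags.sts.yaml` and the five bullet points above come from the PR; the repository name, the pinned SHAs, the version step, the action's `scope`/`policy` input names and `token` output, the `id-token: write` permission and the policy file body are assumptions written in the octo-sts trust-policy format.

```yaml
# file: .github/workflows/release.yml  (added example, not the project's own file)
name: release
on:
  workflow_dispatch:

permissions:
  contents: read    # was `write` before the fix; the push right now comes from the STS token only
  id-token: write   # assumption: lets the job mint the OIDC token that dd-octo-sts exchanges

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<PINNED-COMMIT-SHA>   # placeholder: pin to a full commit SHA
        with:
          # Default is true: checkout writes GITHUB_TOKEN into .git/config as an
          # http.<url>.extraheader, and that header shadows any token in a push URL.
          persist-credentials: false

      - name: Read version
        id: version
        # `::set-output` is deprecated; append key=value to $GITHUB_OUTPUT instead.
        # Assumption: a Node project with the version in package.json.
        run: echo "version=$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"

      - name: Get tag-push token
        id: octo-sts
        uses: DataDog/dd-octo-sts-action@<PINNED-COMMIT-SHA>   # placeholder SHA
        with:
          scope: DataDog/EXAMPLE-REPO              # placeholder repository
          policy: self.github.release.push-tags    # resolves to .github/chainguard/self.github.release.push-tags.sts.yaml

      - name: Push tag
        env:
          TOKEN: ${{ steps.octo-sts.outputs.token }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          git tag "v${VERSION}"
          # With no persisted extraheader, this URL token is the only credential git sends.
          git push "https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "refs/tags/v${VERSION}"

---
# file: .github/chainguard/self.github.release.push-tags.sts.yaml
# Assumed contents in the octo-sts trust-policy format; the PR adds this path but its body is not on the page.
issuer: https://token.actions.githubusercontent.com
subject: repo:DataDog/EXAMPLE-REPO:ref:refs/heads/main   # placeholder repo; only jobs running on main may mint this token
claim_pattern:
  workflow_ref: DataDog/EXAMPLE-REPO/.github/workflows/release.yml@refs/heads/main   # and only this workflow
permissions:
  contents: write   # the sole right the minted token carries: enough to push a tag, nothing else
```

The split matters for least privilege: the workflow's own `GITHUB_TOKEN` never gains write access, the write-capable token is short-lived and bound by the policy to one repository, one branch and one workflow, and because checkout no longer leaves that `GITHUB_TOKEN` in `.git/config`, the tag push is authenticated as the STS identity the ruleset actually allows. A quick check that the first change took effect is `git config --get-all http.https://github.com/.extraheader` inside the job, which should print nothing after checkout.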

The release workflow's tag push was rejected by the tag ruleset because
actions/checkout persisted GITHUB_TOKEN credentials, which took precedence
over the dd-octo-sts token in the explicit push URL. Drop the persisted
credentials and downgrade contents permission to read.

Also add the dd-octo-sts policy file and fix the deprecated ::set-output
syntax to use GITHUB_OUTPUT.
@szegedi szegedi requested review from a team as code owners June 12, 2026 09:48
@szegedi szegedi merged commit 84f486e into main Jun 15, 2026
14 checks passed
@szegedi szegedi deleted the fix/release-tag-push branch June 15, 2026 10:41
szegedi added a commit that referenced this pull request Jun 15, 2026
@szegedi szegedi mentioned this pull request Jun 15, 2026
szegedi added a commit that referenced this pull request Jun 16, 2026
2 participants