
fix(ci): correct release trust policy for environment-scoped subject#515

Merged
jack-edmonds-dd merged 1 commit into main from fix/release-trust-policy on May 20, 2026

Conversation

@jack-edmonds-dd
Collaborator

Summary

The Prepare Release workflow has been failing with 403 permission denied during dd-octo-sts token exchange (e.g. run 26134581691). Two issues in .github/chainguard/release.sts.yaml:

  1. Subject mismatch. The release job declares environment: release, which causes GitHub Actions to rewrite the OIDC sub claim to repo:DataDog/pup:environment:release instead of the ref-based form. The policy was matching on the ref-based subject.
  2. Case mismatch. Claim regex matching is case-sensitive (Go RE2). The policy used lowercase datadog/pup but GitHub preserves DataDog/pup in claims like repository and job_workflow_ref.

Changes

  • .github/chainguard/release.sts.yaml — subject changed to repo:DataDog/pup:environment:release; fixed casing of repository and job_workflow_ref patterns.

Security

The contents: write permission is now scoped to the release environment subject. That environment has a required-reviewer protection rule (verified via gh api repos/DataDog/pup/environments/release), so the privileged permission grant is gated by environment protection — consistent with dd-octo-sts guidance on restricting privileged permissions to protected refs/environments.

Test plan

  • Merge to main so dd-octo-sts can pick up the new policy (policies are read from the default branch).
  • Wait ~5 min for the trust policy cache to refresh.
  • Re-run the failed Prepare Release job (or wait for the next scheduled run) and confirm token exchange succeeds.

🤖 Generated with Claude Code

The release job in release-prepare.yml uses `environment: release`,
which rewrites the OIDC subject to `repo:DataDog/pup:environment:release`
instead of the ref-based form. Also fix casing — claim regex matching is
case-sensitive and GitHub preserves `DataDog/pup` in claims.

The `release` environment has a required-reviewer protection rule, which
appropriately gates the `contents: write` permission grant.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
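To make the two failure modes above concrete, here is an added example (not code from the pup repository or from dd-octo-sts) that evaluates a minimal octo-sts-style trust policy against constructed GitHub OIDC claims the way an RE2-based broker would: anchored, case-sensitive full matches with no case folding. The claim values, the workflow path in `job_workflow_ref`, and the policy field names (`subject_pattern`, `claim_pattern`) are assumptions for illustration; the broker's real schema and matching code are not reproduced here.

```python
import re

# Constructed claims for a job in release-prepare.yml that declares
# `environment: release`. GitHub rewrites `sub` to the environment form and
# keeps the repository's canonical casing. The workflow path and ref are
# assumptions for illustration, not copied from the repository.
ENV_SCOPED_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:DataDog/pup:environment:release",
    "repository": "DataDog/pup",
    "ref": "refs/heads/main",
    "environment": "release",
    "job_workflow_ref": "DataDog/pup/.github/workflows/release-prepare.yml@refs/heads/main",
}

# The same job with no environment declared: `sub` is the ref-based form.
REF_SCOPED_CLAIMS = {k: v for k, v in ENV_SCOPED_CLAIMS.items() if k != "environment"}
REF_SCOPED_CLAIMS["sub"] = "repo:DataDog/pup:ref:refs/heads/main"


def expected_subject(org_repo, ref=None, environment=None):
    """Subject GitHub puts in the token: a declared environment takes
    precedence over the ref-based form."""
    if environment is not None:
        return f"repo:{org_repo}:environment:{environment}"
    if ref is None:
        raise ValueError("need a ref when no environment is declared")
    return f"repo:{org_repo}:ref:{ref}"


def make_policy(subject_pattern, org_repo):
    """Minimal trust policy. Field names follow the octo-sts style
    (subject_pattern, claim_pattern) but the schema is assumed here."""
    escaped = re.escape(org_repo)
    return {
        "issuer": "https://token.actions.githubusercontent.com",
        "subject_pattern": subject_pattern,
        "claim_pattern": {
            "repository": escaped,
            "job_workflow_ref": escaped
            + r"/\.github/workflows/release-prepare\.yml@refs/heads/main",
        },
    }


# Before the fix: ref-based subject and lowercase org in every pattern.
OLD_POLICY = make_policy(r"repo:datadog/pup:ref:refs/heads/main", "datadog/pup")
# After the fix: environment-scoped subject and canonical casing.
NEW_POLICY = make_policy(r"repo:DataDog/pup:environment:release", "DataDog/pup")


def evaluate(policy, claims):
    """Evaluate a policy the way an RE2-based broker would: the issuer is
    compared literally, every pattern is an anchored full match and is
    case-sensitive, and a claim missing from the token fails.
    Returns (granted, failed_fields) so the caller sees which claim broke."""
    failed = []
    if claims.get("iss") != policy["issuer"]:
        failed.append("iss")
    if not re.fullmatch(policy["subject_pattern"], claims.get("sub", "")):
        failed.append("sub")
    for claim, pattern in policy["claim_pattern"].items():
        if not re.fullmatch(pattern, claims.get(claim, "")):
            failed.append(claim)
    return (not failed, failed)


if __name__ == "__main__":
    # Old policy fails on sub, repository and job_workflow_ref; new one grants.
    for name, pol in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(name, evaluate(pol, ENV_SCOPED_CLAIMS))
```

Running `evaluate` with only one of the two fixes applied shows why both were needed: correcting the casing alone still fails on `sub` because the subject form is wrong, and correcting the subject alone still fails on `repository` and `job_workflow_ref` because those patterns are still lowercase. The same check against `REF_SCOPED_CLAIMS` shows the other direction: once the policy is scoped to the environment subject, a token minted by a job without `environment: release` is refused, which is the gating the Security section relies on.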
@jack-edmonds-dd jack-edmonds-dd requested a review from a team as a code owner May 20, 2026 12:29
@jack-edmonds-dd jack-edmonds-dd merged commit 537a928 into main May 20, 2026
7 checks passed
@jack-edmonds-dd jack-edmonds-dd deleted the fix/release-trust-policy branch May 20, 2026 13:25