From ccf340ce2ebf4ef7da536eebf74225f3ba363501 Mon Sep 17 00:00:00 2001
From: "michael.richey"
Date: Mon, 6 Apr 2026 15:21:08 -0400
Subject: [PATCH 1/3] fix: use dd-octo-sts token for tag creation in release workflow

The GITHUB_TOKEN is blocked by the org-level "Global Tag Protection (public repos)" ruleset. Switch to dd-octo-sts so the workflow runs with a token that has tag bypass rights.

Co-Authored-By: Claude Sonnet 4.6
---
 .../self.release.create-release.sts.yaml | 10 ++++++++++
 .github/workflows/release.yml | 15 +++++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 .github/chainguard/self.release.create-release.sts.yaml

diff --git a/.github/chainguard/self.release.create-release.sts.yaml b/.github/chainguard/self.release.create-release.sts.yaml
new file mode 100644
index 00000000..bd8b7e9a
--- /dev/null
+++ b/.github/chainguard/self.release.create-release.sts.yaml
@@ -0,0 +1,10 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/datadog-sync-cli:pull_request
+
+claim_pattern:
+ event_name: pull_request
+ job_workflow_ref: DataDog/datadog-sync-cli/.github/workflows/release.yml@refs/heads/main
+
+permissions:
+ contents: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e4eabba1..3181e5d4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,8 +1,5 @@
 name: Release
 
-permissions:
- contents: write
-
 on:
 pull_request:
 types: [closed]
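Review bot: octo-sts documents `claim_pattern` values as anchored regular expressions, so the unescaped dots in `job_workflow_ref: DataDog/datadog-sync-cli/.github/workflows/release.yml@refs/heads/main` match any character rather than a literal `.`. The practical widening is small, since a match must still be a workflow path in this repository on `main`, but the pattern should say what it means: `job_workflow_ref: DataDog/datadog-sync-cli/\.github/workflows/release\.yml@refs/heads/main`. The subject and the `ref` claim are reworked in patches 2 and 3 of this series, so I am not commenting on them here.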
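Review bot: Dropping the workflow-level `permissions: contents: write` silently changes the token scope of every job in release.yml that has no `permissions:` block of its own, which then falls back to the repository's default GITHUB_TOKEN permissions. This series gives explicit blocks only to `create_release` (this patch) and `build_artifacts` (patch 2); the rest of the file is outside the hunk, so please confirm no other job depended on the old write scope. To make the least-privilege intent explicit, consider keeping a workflow-level `permissions: {}` and having each job declare exactly what it needs (at minimum `contents: read` for any job that checks out code).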
@@ -14,13 +11,23 @@ jobs:
 name: Create release
 runs-on: ubuntu-latest
 if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')
+ permissions:
+ contents: read
+ id-token: write
 steps:
+ - name: Get access token
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+ id: octo-sts
+ with:
+ scope: DataDog/datadog-sync-cli
+ policy: self.release.create-release
+
 - name: Create release
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 RELEASE_BRANCH: ${{ github.head_ref }}
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.octo-sts.outputs.token }}
 script: |
 const tagName = `${process.env.RELEASE_BRANCH.split("/")[1]}`;
 let tagExists = false;

From 69eac73d5cd5e47d2f4d90dd2ec637092b3a6fe0 Mon Sep 17 00:00:00 2001
From: "michael.richey"
Date: Mon, 6 Apr 2026 15:23:55 -0400
Subject: [PATCH 2/3] fix review: correct OIDC subject and restore build_artifacts permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- OIDC subject for pull_request[closed] event uses base branch ref, not pull_request literal — align with prepare_release policy pattern
- Add explicit contents: write to build_artifacts job so artifact uploads still work after removing top-level permissions block

Co-Authored-By: Claude Sonnet 4.6
---
 .github/chainguard/self.release.create-release.sts.yaml | 2 +-
 .github/workflows/release.yml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/chainguard/self.release.create-release.sts.yaml b/.github/chainguard/self.release.create-release.sts.yaml
index bd8b7e9a..43c56190 100644
--- a/.github/chainguard/self.release.create-release.sts.yaml
+++ b/.github/chainguard/self.release.create-release.sts.yaml
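Review bot: The reason for swapping `secrets.GITHUB_TOKEN` for a dd-octo-sts token exists only in the commit message, so the next reader of release.yml sees a job that grants `id-token: write` and adds a token-minting step with no hint why `GITHUB_TOKEN` is insufficient. Add a comment above `- name: Get access token`, e.g. `# GITHUB_TOKEN cannot create tags here: the org-level "Global Tag Protection (public repos)" ruleset blocks it. Mint a dd-octo-sts token with bypass rights instead (policy: .github/chainguard/self.release.create-release.sts.yaml).` The token is a plain step output consumed by `github-script`; I assume the action registers it as a secret so it is masked in logs, but the inline script must not print it, and the job-level `if:` on `merged == true` plus a `release/` head ref is what limits when the token is minted, so that condition should stay in sync with the policy. The `script:` body continues past the end of the hunk.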
@@ -1,6 +1,6 @@
 issuer: https://token.actions.githubusercontent.com
 
-subject: repo:DataDog/datadog-sync-cli:pull_request
+subject: repo:DataDog/datadog-sync-cli:ref:refs/heads/main
 
 claim_pattern:
 event_name: pull_request
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3181e5d4..a54fa9fa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -77,6 +77,8 @@ jobs:
 build_artifacts:
 needs: create_release
 name: Build executables
+ permissions:
+ contents: write
 strategy:
 matrix:
 os: [ubuntu-22.04-arm, ubuntu-22.04, windows-latest, macos-latest]

From 54c9e420f765c13eb15b4402be782efe0354100b Mon Sep 17 00:00:00 2001
From: "michael.richey"
Date: Mon, 6 Apr 2026 15:33:39 -0400
Subject: [PATCH 3/3] security: harden STS policy and fix shell quoting

- Add ref: refs/heads/main constraint to claim_pattern for defense-in-depth (consistent with prepare_release policy)
- Add comment explaining OIDC subject derivation for pull_request events
- Quote $RELEASE_BRANCH in shell to prevent word splitting

Co-Authored-By: Claude Sonnet 4.6
---
 .github/chainguard/self.release.create-release.sts.yaml | 3 +++
 .github/workflows/release.yml | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/chainguard/self.release.create-release.sts.yaml b/.github/chainguard/self.release.create-release.sts.yaml
index 43c56190..f90a5786 100644
--- a/.github/chainguard/self.release.create-release.sts.yaml
+++ b/.github/chainguard/self.release.create-release.sts.yaml
@@ -1,9 +1,12 @@
 issuer: https://token.actions.githubusercontent.com
 
+# For pull_request events, OIDC subject is derived from the PR base branch ref.
+# This policy only works for PRs targeting 'main'.
 subject: repo:DataDog/datadog-sync-cli:ref:refs/heads/main
 
 claim_pattern:
 event_name: pull_request
+ ref: refs/heads/main
 job_workflow_ref: DataDog/datadog-sync-cli/.github/workflows/release.yml@refs/heads/main
 
 permissions:
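Review bot: The new `contents: write` on `build_artifacts` applies to every step of every matrix leg, not just the upload, and the hunk gives no hint what the write is for, so a later reader may widen it or copy it to other jobs without thinking. GitHub scopes permissions per job, so the fix here is documentation: `permissions:` / `  contents: write  # upload built executables as release assets; nothing else in this job needs write`. I am taking from the commit message that the upload step further down (outside this hunk) uses GITHUB_TOKEN; if it uses the octo-sts token instead, the job may not need write at all.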
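Review bot: The added comment states that for `pull_request` events the OIDC `sub` is derived from the PR base branch, and the new `ref: refs/heads/main` constraint assumes the token's `ref` claim is the base branch as well; nothing on this page supports either, and as I read GitHub's OIDC documentation the subject for `pull_request`-triggered runs is the form patch 1 used, `repo:DataDog/datadog-sync-cli:pull_request`, with `ref` being the ref that triggered the run. If the claims differ for the `closed` activity type, the policy never matches and tag creation fails closed, which is safe but leaves releases broken until someone debugs the STS policy. Either record the evidence in the comment, e.g. `# sub/ref claims verified from a decoded token of a merged-PR run; same pattern as the prepare_release policy`, or check the actual claims from one dry run before relying on it. Do keep the `ref` constraint: together with `job_workflow_ref` it pins the token to this workflow as merged on `main`.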
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a54fa9fa..06c0c0c7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -88,7 +88,7 @@ jobs:
 env:
 RELEASE_BRANCH: ${{ github.head_ref }}
 run: |
- TAG_NAME=$(echo $RELEASE_BRANCH | cut -d "/" -f2)
+ TAG_NAME=$(echo "$RELEASE_BRANCH" | cut -d "/" -f2)
 echo "tag_name=$TAG_NAME" >> "$GITHUB_ENV"
 shell: bash
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
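Review bot: `cut -d "/" -f2` keeps only the second path segment of the branch name, so a head ref such as `release/v1.2.3/hotfix` is silently truncated; because this job runs only after `create_release`, which is gated on `startsWith(github.head_ref, 'release/')`, a prefix strip states the intent directly and drops the echo pipeline: `TAG_NAME="${RELEASE_BRANCH#release/}"`. The `create_release` step's `split("/")[1]` in the github-script block computes the same name and should stay consistent with whichever form is chosen. Passing `github.head_ref` through `env:` rather than interpolating it into `run:` is the right pattern and worth keeping. The step's `- name:` line is before the hunk and the enclosing job continues after it.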