fix: switch release workflow trigger to push to fix octo-sts OIDC mismatch (#513)
Merged
michael-richey merged 1 commit into main on Apr 7, 2026
Conversation
…ject mismatch

The `pull_request` trigger sets OIDC `sub` to `repo:DataDog/datadog-sync-cli:pull_request`, which does not match the `self.release.create-release` trust policy requiring `ref:refs/heads/main`. Switching to a `push` trigger fixes the subject. A `detect_release` step recovers the PR context (branch name, release guard) lost by moving away from the `pull_request` event.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
riyazsh approved these changes on Apr 7, 2026
Summary

- `pull_request: types: [closed]` trigger sets the OIDC token `sub` to `repo:DataDog/datadog-sync-cli:pull_request`, which does not match the `self.release.create-release` trust policy requiring `repo:DataDog/datadog-sync-cli:ref:refs/heads/main`
- `push: branches: [main]` sets the correct subject
- `Detect release` step using `listPullRequestsAssociatedWithCommit` recovers the PR context (branch name, release guard) that is unavailable in push events

Changes

- `pull_request: types: [closed]` to `push: branches: [main]`
- `concurrency` group to prevent run stacking
- `pull-requests: read` permission for the detect step
- `Detect release` step with error handling and sorted results
- `create_release` job now exposes outputs (`is_release`, `release_branch`) consumed by `build_artifacts`
- `github.head_ref` replaced with step/job outputs throughout
- `context.payload.pull_request.merge_commit_sha` replaced with `context.sha`

Test plan

- `create_release` job runs, detect step skips, `build_artifacts` skipped
- `prepare_release.yml` and merge → full release flow executes, no more octo-sts 403

🤖 Generated with Claude Code
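The trigger change and the detect step that the summary describes, written out as an added illustration. This is not the PR's own diff and not the datadog-sync-cli project's workflow file: the job names, outputs and the `context.sha` / `listPullRequestsAssociatedWithCommit` usage come from the PR text, while the `actions/github-script@v7` version, the `release/` branch prefix used as the release guard, and the placeholder `run:` steps are assumptions. The OIDC `sub` values in the comments are the ones GitHub documents for the `pull_request` and `push` events.

```yaml
# Added illustration, not the datadog-sync-cli project's own workflow.
# Assumptions: actions/github-script@v7, a "release/" branch-name prefix as
# the release guard, and echo placeholders where the real release and
# build steps would run.
name: release

# BEFORE (rejected by octo-sts): on a pull_request event the OIDC token carries
#   sub = repo:DataDog/datadog-sync-cli:pull_request
# which a trust policy pinned to ref:refs/heads/main does not match (403).
#
# on:
#   pull_request:
#     types: [closed]
#
# AFTER: a push to main yields
#   sub = repo:DataDog/datadog-sync-cli:ref:refs/heads/main
on:
  push:
    branches: [main]

# One release run per ref at a time; a second push to main waits instead of stacking.
concurrency:
  group: release-${{ github.ref }}

permissions:
  contents: read
  id-token: write        # required to mint the OIDC token that octo-sts verifies
  pull-requests: read    # required by the detect step below

jobs:
  create_release:
    runs-on: ubuntu-latest
    outputs:
      is_release: ${{ steps.detect.outputs.is_release }}
      release_branch: ${{ steps.detect.outputs.release_branch }}
    steps:
      - name: Detect release
        id: detect
        uses: actions/github-script@v7
        with:
          script: |
            // github.head_ref is empty on a push event, so recover the merged
            // PR from the commit that landed on main. context.sha replaces
            // context.payload.pull_request.merge_commit_sha.
            const { data: prs } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
              owner: context.repo.owner,
              repo: context.repo.repo,
              commit_sha: context.sha,
            });
            // Keep only PRs whose merge produced exactly this commit, newest first.
            const merged = prs
              .filter(pr => pr.merged_at && pr.merge_commit_sha === context.sha)
              .sort((a, b) => new Date(b.merged_at) - new Date(a.merged_at));
            if (merged.length === 0) {
              core.info(`No merged PR found for ${context.sha}; treating as a non-release push`);
              core.setOutput('is_release', 'false');
              core.setOutput('release_branch', '');
              return;
            }
            const branch = merged[0].head.ref;
            // Release guard (assumed convention): release PRs come from release/* branches.
            const isRelease = branch.startsWith('release/');
            core.setOutput('is_release', String(isRelease));
            core.setOutput('release_branch', branch);

      - name: Create GitHub release
        if: steps.detect.outputs.is_release == 'true'
        # Placeholder for the step that exchanges the OIDC token through the
        # octo-sts create-release policy and publishes the release.
        run: echo "release from ${{ steps.detect.outputs.release_branch }}"

  build_artifacts:
    needs: create_release
    if: needs.create_release.outputs.is_release == 'true'
    runs-on: ubuntu-latest
    steps:
      - run: echo "building artifacts for ${{ needs.create_release.outputs.release_branch }}"
```

The point to check when adapting this: the `sub` claim is fixed by the event that started the run, not by anything the job does later, so a trust policy that names `ref:refs/heads/main` can only ever be satisfied by a run started by a `push` (or another ref-bound event) on that branch. Moving the trigger costs you `github.head_ref`, which is why the detect step reconstructs the branch from the merged PR and the downstream jobs read `needs.create_release.outputs.*` instead.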