From f6c6b725a0d3a69d335c295c6139779ede969253 Mon Sep 17 00:00:00 2001 From: "michael.richey" Date: Tue, 7 Apr 2026 13:41:39 -0400 Subject: [PATCH 1/2] fix: switch release workflow trigger to push to fix octo-sts OIDC subject mismatch The pull_request trigger sets OIDC sub to repo:DataDog/datadog-sync-cli:pull_request, which does not match the self.release.create-release trust policy requiring ref:refs/heads/main. Switching to a push trigger fixes the subject. A detect_release step recovers the PR context (branch name, release guard) lost by moving away from the pull_request event. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/release.yml | 50 ++++++++++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 06c0c0c7..f72d5bcb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -1,21 +1,56 @@ name: Release on: - pull_request: - types: [closed] + push: branches: - main +concurrency: + group: release-${{ github.sha }} + cancel-in-progress: false + jobs: create_release: name: Create release runs-on: ubuntu-latest - if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') + outputs: + is_release: ${{ steps.detect_release.outputs.is_release }} + release_branch: ${{ steps.detect_release.outputs.release_branch }} permissions: contents: read id-token: write + pull-requests: read steps: + - name: Detect release + id: detect_release + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + try { + const prs = await github.rest.repos.listPullRequestsAssociatedWithCommit({ + owner: context.repo.owner, + repo: context.repo.repo, + commit_sha: context.sha + }); + const releasePRs = prs.data + .filter(pr => pr.merged_at && pr.head.ref.startsWith('release/')) + .sort((a, b) => new Date(b.merged_at) - new Date(a.merged_at)); + const releasePR = releasePRs[0]; + if (releasePR) { + core.setOutput('is_release', 'true'); + core.setOutput('release_branch', releasePR.head.ref); + core.info(`Detected release PR: ${releasePR.head.ref}`); + } else { + core.setOutput('is_release', 'false'); + core.setOutput('release_branch', ''); + core.info('No release PR detected for this push — skipping release steps'); + } + } catch (e) { + core.setFailed(`Failed to detect release PR: ${e.message}`); + } + - name: Get access token + if: steps.detect_release.outputs.is_release == 'true' uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4 id: octo-sts with: 
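Review bot: The `Detect release` step selects a PR on nothing more than `merged_at` and the `release/` prefix of its head ref; it never checks that the PR was merged into `main` or that its head branch lives in this repository, so a merged PR whose head just happened to be named `release/…` would set `is_release` and supply the branch name that later becomes the tag. The filter should pin both, e.g. `.filter(pr => pr.merged_at && pr.base.ref === 'main' && pr.head.repo?.full_name === `${context.repo.owner}/${context.repo.repo}` && pr.head.ref.startsWith('release/'))` (`head.repo` can be null for a deleted fork, hence the optional chain). The new `concurrency.group: release-${{ github.sha }}` is unique per push, so two pushes to main can run `create_release` side by side; if the intent was to serialize releases, group on a fixed key such as the workflow name instead. The `Get access token` step whose `with:` closes this hunk continues outside it.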
@@ -23,9 +58,10 @@ jobs: policy: self.release.create-release - name: Create release + if: steps.detect_release.outputs.is_release == 'true' uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: - RELEASE_BRANCH: ${{ github.head_ref }} + RELEASE_BRANCH: ${{ steps.detect_release.outputs.release_branch }} with: github-token: ${{ steps.octo-sts.outputs.token }} script: | @@ -49,7 +85,7 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, ref: `refs/tags/${tagName}`, - sha: context.payload.pull_request.merge_commit_sha, + sha: context.sha, }); } @@ -74,8 +110,10 @@ jobs: tag_name: tagName, }); } + build_artifacts: needs: create_release + if: needs.create_release.outputs.is_release == 'true' name: Build executables permissions: contents: write @@ -86,7 +124,7 @@ jobs: steps: - name: Set tag env: - RELEASE_BRANCH: ${{ github.head_ref }} + RELEASE_BRANCH: ${{ needs.create_release.outputs.release_branch }} run: | TAG_NAME=$(echo "$RELEASE_BRANCH" | cut -d "/" -f2) echo "tag_name=$TAG_NAME" >> "$GITHUB_ENV" From 08e6b0c1e68b991611c3eff2b45ba72dd314b44a Mon Sep 17 00:00:00 2001 From: "michael.richey" Date: Tue, 7 Apr 2026 15:06:46 -0400 Subject: [PATCH 2/2] fix: update trust policy event_name to match push trigger in release workflow The release workflow was switched from pull_request to push trigger, but the trust policy still required event_name: pull_request, causing OIDC subject mismatch on every token exchange. Co-Authored-By: Claude Sonnet 4.6 --- .github/chainguard/self.release.create-release.sts.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/chainguard/self.release.create-release.sts.yaml b/.github/chainguard/self.release.create-release.sts.yaml index f90a5786..5f941ba5 100644 --- a/.github/chainguard/self.release.create-release.sts.yaml +++ b/.github/chainguard/self.release.create-release.sts.yaml 
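Review bot: In the `@@ -49,7 +85,7 @@` hunk, `sha: context.sha` ties the tag to the head of the push rather than to the commit the release PR produced, as the removed `merge_commit_sha` line did; that is only equivalent when the push consists of exactly that merge commit, which the workflow does not verify. The detect step already holds the PR object, so it could publish `core.setOutput('release_sha', releasePR.merge_commit_sha);` alongside the branch, and this call could use `sha: process.env.RELEASE_SHA,` with `RELEASE_SHA` added to the step's `env`, keeping the tag bound to the reviewed merge regardless of what else the push carried. The call being edited opens outside the hunk, as does the enclosing function.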
@@ -1,13 +1,13 @@ +# Policy for: .github/workflows/release.yml in DataDog/datadog-sync-cli issuer: https://token.actions.githubusercontent.com -# For pull_request events, OIDC subject is derived from the PR base branch ref. -# This policy only works for PRs targeting 'main'. subject: repo:DataDog/datadog-sync-cli:ref:refs/heads/main claim_pattern: - event_name: pull_request + event_name: push + job_workflow_ref: DataDog/datadog-sync-cli/\.github/workflows/release\.yml@refs/heads/main ref: refs/heads/main - job_workflow_ref: DataDog/datadog-sync-cli/.github/workflows/release.yml@refs/heads/main + repository: DataDog/datadog-sync-cli permissions: contents: write
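Review bot: The hunk drops the comment that explained how the OIDC subject is derived and replaces it with only a "Policy for:" header, so the next reader has no stated reason for the `subject` or for the `event_name`/`ref`/`job_workflow_ref` pins. A comment above `subject:` along the lines of `# push events: OIDC sub is repo:DataDog/datadog-sync-cli:ref:refs/heads/main; event_name, ref and job_workflow_ref pin this to release.yml running on main` would restore that. It is also worth recording in the file that, with `event_name: push`, every run of release.yml on main can satisfy this policy and receive `contents: write`, so the workflow-side `is_release` guard on the token step is what limits when the token is actually requested. The escaped `\.` in `job_workflow_ref` and the added `repository` claim are welcome tightenings.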