From b0b5c536ee029278b9d615449cc4a6e0384c5b66 Mon Sep 17 00:00:00 2001
From: d <88739846+d-niu@users.noreply.github.com>
Date: Wed, 4 Mar 2026 17:37:36 -0500
Subject: [PATCH] Remove obsolete `ref_protected` from STS trust policies
The `ref_protected` OIDC claim is now universally `true` in the DataDog org due to the org-level "incompatible file paths on windows" push ruleset, making it useless as a security discriminator.
Ticket: https://datadoghq.atlassian.net/browse/SINT-4732
Co-Authored-By: Claude Opus 4.6
---
 .github/chainguard/self.changelog.sts.yaml | 1 -
 .github/chainguard/self.gitlab-read.sts.yaml | 1 -
 .github/chainguard/self.k8s_components.sts.yaml | 1 -
 .github/chainguard/self.update-agent-protobuf.create-pr.sts.yaml | 1 -
 4 files changed, 4 deletions(-)
diff --git a/.github/chainguard/self.changelog.sts.yaml b/.github/chainguard/self.changelog.sts.yaml
index 5444efcb0a6..db1a6360871 100644
--- a/.github/chainguard/self.changelog.sts.yaml
+++ b/.github/chainguard/self.changelog.sts.yaml
@@ -5,7 +5,6 @@ subject: repo:DataDog/system-tests:ref:refs/heads/main
 claim_pattern:
 event_name: (workflow_dispatch|schedule)
 ref: refs/heads/main
- ref_protected: "true"
 job_workflow_ref: DataDog/system-tests/\.github/workflows/changelog\.yml@refs/heads/main
 permissions:
diff --git a/.github/chainguard/self.gitlab-read.sts.yaml b/.github/chainguard/self.gitlab-read.sts.yaml
index fb46f4ff5ed..6f146472c92 100644
--- a/.github/chainguard/self.gitlab-read.sts.yaml
+++ b/.github/chainguard/self.gitlab-read.sts.yaml
@@ -7,7 +7,6 @@ claim_pattern:
 ref: "main"
 ref_type: "branch"
 ref_path: "refs/heads/main"
- ref_protected: "true"
 pipeline_source: "push"
 ci_config_ref_uri: "gitlab\\.ddbuild\\.io/DataDog/system-tests//\\.gitlab-ci\\.yml@refs/heads/main"
diff --git a/.github/chainguard/self.k8s_components.sts.yaml b/.github/chainguard/self.k8s_components.sts.yaml
index c08f278a245..c9bbfbaad76 100644
--- a/.github/chainguard/self.k8s_components.sts.yaml
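Review bot: Removing `ref_protected: "true"` leaves the branch-protection guarantee of these trust policies resting on the org-level push ruleset named in the description, which lives outside this repo and can be relaxed without any change here showing up in review. The remaining `ref: refs/heads/main` and `job_workflow_ref: …@refs/heads/main` pins still bind issued tokens to main, so the practical effect is a loss of defense-in-depth rather than an open policy, assuming the chainguard matcher requires every listed claim (not visible here). A one-line comment above `claim_pattern:`, e.g. `# ref_protected intentionally omitted: always "true" org-wide (SINT-4732); main is pinned via ref + job_workflow_ref`, would keep the next maintainer from re-adding it or reading the omission as an oversight. The same applies to the gitlab-read hunk in this file (where `ref_path` and `ci_config_ref_uri` carry the pin) and to the k8s_components and update-agent-protobuf hunks that follow.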
+++ b/.github/chainguard/self.k8s_components.sts.yaml
@@ -5,7 +5,6 @@ subject: repo:DataDog/system-tests:ref:refs/heads/main
 claim_pattern:
 event_name: (workflow_dispatch|schedule)
 ref: refs/heads/main
- ref_protected: "true"
 job_workflow_ref: DataDog/system-tests/\.github/workflows/update_k8s_components\.yml@refs/heads/main
 permissions:
diff --git a/.github/chainguard/self.update-agent-protobuf.create-pr.sts.yaml b/.github/chainguard/self.update-agent-protobuf.create-pr.sts.yaml
index de8da098694..2cabab204c0 100644
--- a/.github/chainguard/self.update-agent-protobuf.create-pr.sts.yaml
+++ b/.github/chainguard/self.update-agent-protobuf.create-pr.sts.yaml
@@ -5,7 +5,6 @@ subject: repo:DataDog/system-tests:ref:refs/heads/main
 claim_pattern:
 event_name: (workflow_dispatch|schedule)
 ref: refs/heads/main
- ref_protected: "true"
 job_workflow_ref: DataDog/system-tests/\.github/workflows/update-agent-protobuf\.yml@refs/heads/main
 permissions: