Fix github tag push (#7959)

IlyasShabi · bengl · web-flow · commit 918b4d0b4119 · 2026-04-09T12:49:26.000+02:00
* use dd-octo-sts for tag creation

* fix: address review feedback for dd-octo-sts integration

- Rename STS policy file to self.github.release.push-tags.sts.yaml
- Remove unreliable ref_protected claim
- Update policy references in release workflow
- Remove unnecessary contents:write and pull-requests:read permissions

* persist tag for dev

---------

Co-authored-by: Bryan English &lt;bryan.english@datadoghq.com&gt;
diff --git a/.github/chainguard/self.github.release.push-tags.sts.yaml b/.github/chainguard/self.github.release.push-tags.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-js:environment:npm
+
+claim_pattern:
+  event_name: (push|workflow_dispatch)
+  ref: refs/heads/(v[345]\.x|master)
+  repository: DataDog/dd-trace-js
+  job_workflow_ref: DataDog/dd-trace-js/\.github/workflows/release\.yml@refs/heads/(v[345]\.x|master)
+
+permissions:
+  contents: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,11 +21,14 @@ jobs:
       url: https://npmjs.com/package/dd-trace
     permissions:
       id-token: write
-      contents: write
-      pull-requests: read
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-js
+          policy: self.github.release.push-tags
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.github/actions/node
       - run: npm publish --tag latest-node14
@@ -35,7 +38,7 @@ jobs:
           echo "json=$content" >> $GITHUB_OUTPUT
       - run: |
           git tag v${{ fromJson(steps.pkg.outputs.json).version }}
-          git push origin v${{ fromJson(steps.pkg.outputs.json).version }}
+          git push https://x-access-token:${{ steps.octo-sts.outputs.token }}@github.com/${{ github.repository }}.git v${{ fromJson(steps.pkg.outputs.json).version }}
       - run: node scripts/release/notes
 
   publish-v4:
@@ -46,11 +49,14 @@ jobs:
       url: https://npmjs.com/package/dd-trace
     permissions:
       id-token: write
-      contents: write
-      pull-requests: read
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-js
+          policy: self.github.release.push-tags
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.github/actions/node
       - run: npm publish --tag latest-node16
@@ -60,7 +66,7 @@ jobs:
           echo "json=$content" >> $GITHUB_OUTPUT
       - run: |
           git tag v${{ fromJson(steps.pkg.outputs.json).version }}
-          git push origin v${{ fromJson(steps.pkg.outputs.json).version }}
+          git push https://x-access-token:${{ steps.octo-sts.outputs.token }}@github.com/${{ github.repository }}.git v${{ fromJson(steps.pkg.outputs.json).version }}
       - run: node scripts/release/notes
 
   publish-latest:
@@ -71,12 +77,17 @@ jobs:
       url: https://npmjs.com/package/dd-trace
     permissions:
       id-token: write
-      contents: write
-      pull-requests: read
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-js
+          policy: self.github.release.push-tags
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/node
       - run: npm publish
       - id: pkg
@@ -85,7 +96,7 @@ jobs:
           echo "json=$content" >> $GITHUB_OUTPUT
       - run: |
           git tag v${{ fromJson(steps.pkg.outputs.json).version }}
-          git push origin v${{ fromJson(steps.pkg.outputs.json).version }}
+          git push https://x-access-token:${{ steps.octo-sts.outputs.token }}@github.com/${{ github.repository }}.git v${{ fromJson(steps.pkg.outputs.json).version }}
       - run: node scripts/release/notes --latest
 
   docs:
@@ -130,9 +141,15 @@ jobs:
       url: https://npmjs.com/package/dd-trace
     permissions:
       id-token: write
-      contents: write
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-js
+          policy: self.github.release.push-tags
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/node
       - uses: ./.github/actions/install
       - id: pkg
@@ -143,5 +160,22 @@ jobs:
       - run: npm publish --tag dev
       - run: |
           git tag --force dev
-          git push origin :refs/tags/dev
-          git push origin --tags
+          git push https://x-access-token:${{ steps.octo-sts.outputs.token }}@github.com/${{ github.repository }}.git :refs/tags/dev
+          git push https://x-access-token:${{ steps.octo-sts.outputs.token }}@github.com/${{ github.repository }}.git --tags
+
+  status:
+    needs: ["publish-v3", "publish-v4", "publish-latest"]
+    if: always() && contains(needs.*.result, 'success')
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          sparse-checkout: scripts/release/status.js
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - run: node scripts/release/status.js
