From e77acf628e1726965eec10260009981b6c55b2e3 Mon Sep 17 00:00:00 2001
From: Attila Szegedi
Date: Mon, 22 Jun 2026 17:22:25 +0200
Subject: [PATCH] fix: release tag push and pin actions by SHA

The release workflow's tag push was rejected by the tag ruleset because actions/checkout persisted GITHUB_TOKEN credentials, which took precedence over the dd-octo-sts token in the explicit push URL. Drop the persisted credentials and downgrade contents permission to read. Also add the dd-octo-sts policy file.
---
 .../self.github.release.push-tags.sts.yaml | 12 ++++++++++++
 .github/workflows/release.yml | 11 +++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 .github/chainguard/self.github.release.push-tags.sts.yaml

diff --git a/.github/chainguard/self.github.release.push-tags.sts.yaml b/.github/chainguard/self.github.release.push-tags.sts.yaml
new file mode 100644
index 0000000..e807440
--- /dev/null
+++ b/.github/chainguard/self.github.release.push-tags.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/libdatadog-nodejs:environment:npm
+
+claim_pattern:
+ event_name: push
+ job_workflow_ref: DataDog/libdatadog-nodejs/\.github/workflows/release\.yml@refs/heads/v[0-9]+\.x
+ ref: refs/heads/v[0-9]+\.x
+ repository: DataDog/libdatadog-nodejs
+
+permissions:
+ contents: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6abf54..8cfd339 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
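Review bot: The policy file grants `contents: write` without recording what the minted token is for, and the safety of the `ref` and `job_workflow_ref` patterns depends on the matcher anchoring the regex, which is not visible here. I would open the file with `# dd-octo-sts policy: lets the release.yml job, when run from a v*.x branch with the npm environment, obtain a token used only to push the release tag.` so the next reader knows the grant is scoped by the claims rather than by the workflow. If octo-sts does not anchor claim patterns, `refs/heads/v[0-9]+\.x` would also accept a branch such as `refs/heads/v1.x-experimental`, so terminating the patterns with `$` (or confirming the documented full-match behaviour) is worth a line in the same comment. Note too that `contents: write` permits pushes to branches as well as tags; the repository's rulesets are presumably what confines the token's practical effect, and that assumption belongs in the comment as well.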
@@ -36,11 +36,18 @@ jobs: environment: npm permissions: id-token: write # Required for OIDC - contents: write + contents: read outputs: pkgjson: ${{ steps.pkg.outputs.json }} steps: + - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 + id: octo-sts + with: + scope: DataDog/libdatadog-nodejs + policy: self.github.release.push-tags - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # drop GITHUB_TOKEN so the dd-octo-sts token is used for the tag push - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: prebuilds @@ -57,4 +64,4 @@ jobs: echo "json=$content" >> $GITHUB_OUTPUT - run: | git tag v${{ fromJson(steps.pkg.outputs.json).version }} - git push origin v${{ fromJson(steps.pkg.outputs.json).version }} + git push https://x-access-token:${{ steps.octo-sts.outputs.token }}@github.com/${{ github.repository }}.git v${{ fromJson(steps.pkg.outputs.json).version }}
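Review bot: The dd-octo-sts token is minted as the first step of the job, so it is live across the checkout and artifact download even though the hunk shows it being consumed only by the final tag push. Unless another step needs it, moving the `DataDog/dd-octo-sts-action` step to immediately before the push step narrows the window in which a compromised intermediate step (a malicious artifact, for instance) could read `steps.octo-sts.outputs.token`. The `persist-credentials: false` comment on the checkout step states the reason well; the job definition itself starts before this hunk, so I cannot see whether an earlier step relies on the persisted credentials.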
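Review bot: The new `git push` line splices the minted token and the package version into the shell script through `${{ }}` expressions, so the token becomes part of the script text and any unexpected characters in `version` are interpreted by the shell rather than passed as data. Passing both through `env:` and referencing them as quoted shell variables keeps them out of the script body and lets the runner's masking apply to the environment rather than to an interpolated literal. If visibility of the token on the runner's process list is also a concern, a credential header via `git -c http.extraheader` avoids putting it in the URL at all; the `git tag` line two lines up should use the same variable for consistency.
```yaml
    - env:
        GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
        VERSION: ${{ fromJson(steps.pkg.outputs.json).version }}
      run: |
        git tag "v${VERSION}"
        git push "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git" "v${VERSION}"
```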