fix(ci): restore protected-branch constraints for STS policies#1972

Merged: paullegranddc merged 1 commit into main from codex/fix-sts-policy-vulnerability-in-repository on May 11, 2026

Conversation

@paullegranddc
Contributor

Motivation

  • A previous change broadened Chainguard STS claim_pattern.ref to allow unprotected personal branches and commented out ref_protected, enabling untrusted branch runs to mint privileged tokens for repository write and org-membership reads, so the trust boundary must be restored.

Description

  • Restrict claim_pattern.ref back to refs/heads/(main|release) in .github/chainguard/self.write.pr.sts.yaml and .github/chainguard/self.read.members.sts.yaml.
  • Re-enable claim_pattern.ref_protected: "true" in both STS policy files so only protected refs can obtain these tokens.
  • No other functional changes were made and the workflows that consume these policies remain unchanged.

Testing

  • Printed the updated files using sed -n '1,200p' to confirm the ref and ref_protected values were restored and the file contents are correct, and the command succeeded.
  • Listed files with line numbers using nl -ba to verify the exact lines of the claim_pattern and ref_protected entries, and the command succeeded.
  • Verified the repository diff shows only the two STS policy files were modified and that the policies now require protected main/release refs, and this check succeeded.

Codex Task

Signed-off-by: paullegranddc <paul.legranddescloizeaux@datadoghq.com>
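The two policy shapes the description contrasts, as an added illustration that is not part of this pull request or of the libdatadog repository: a constructed approximation of the weakened octo-sts trust policy (broad `claim_pattern.ref`, `ref_protected` commented out) beside the restored one, a small checker that flags the weak settings, and a simulation of how octo-sts matches a GitHub OIDC token's claims against `claim_pattern`. The `issuer`, `subject_pattern` and `permissions` values, the `EXAMPLE_ORG/EXAMPLE_REPO` name and the sample claim sets are assumptions; the page does not show the real file contents, and the assumption that octo-sts anchors each pattern as a full match is noted in the code.

```python
import re

# Constructed approximation of the weakened policy the PR describes: a broad
# claim_pattern.ref and ref_protected commented out. issuer, subject_pattern,
# permissions and the repository name are assumed values in octo-sts
# trust-policy syntax, not the contents of the real .sts.yaml files.
BROKEN_POLICY = """\
issuer: https://token.actions.githubusercontent.com
subject_pattern: repo:EXAMPLE_ORG/EXAMPLE_REPO:ref:refs/heads/.*
claim_pattern:
  ref: refs/heads/.*
  # ref_protected: "true"
permissions:
  pull_requests: write
"""

# The restored shape: only main or release, and only while the ref is protected.
FIXED_POLICY = """\
issuer: https://token.actions.githubusercontent.com
subject_pattern: repo:EXAMPLE_ORG/EXAMPLE_REPO:ref:refs/heads/(main|release)
claim_pattern:
  ref: refs/heads/(main|release)
  ref_protected: "true"
permissions:
  pull_requests: write
"""

# Constructed claim sets modelled on GitHub Actions OIDC tokens. GitHub emits
# ref_protected as the strings "true"/"false", which is why the policy quotes it.
PROTECTED_MAIN_CLAIMS = {
    "sub": "repo:EXAMPLE_ORG/EXAMPLE_REPO:ref:refs/heads/main",
    "ref": "refs/heads/main",
    "ref_protected": "true",
}
UNPROTECTED_MAIN_CLAIMS = {
    "sub": "repo:EXAMPLE_ORG/EXAMPLE_REPO:ref:refs/heads/main",
    "ref": "refs/heads/main",
    "ref_protected": "false",
}
FEATURE_BRANCH_CLAIMS = {
    "sub": "repo:EXAMPLE_ORG/EXAMPLE_REPO:ref:refs/heads/codex/some-task",
    "ref": "refs/heads/codex/some-task",
    "ref_protected": "false",
}

# Refs that must never satisfy claim_pattern.ref (constructed examples).
UNTRUSTED_REFS = ["refs/heads/feature/anything", "refs/heads/codex/some-task", "refs/pull/1/merge"]


def parse_policy(text):
    """Parse the small YAML subset these policies use: nested maps of scalars.
    Comment lines are dropped, so a commented-out ref_protected simply vanishes.
    This is not a general YAML parser; it is enough for the samples above."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lint_policy(policy):
    """Return findings for the two weaknesses the PR fixes: a ref pattern that
    admits untrusted branches, and a missing or non-"true" ref_protected."""
    findings = []
    claims = policy.get("claim_pattern", {})
    ref = claims.get("ref")
    if ref is None:
        findings.append("claim_pattern.ref is missing")
    else:
        for candidate in UNTRUSTED_REFS:
            if re.fullmatch(ref, candidate):
                findings.append(f"claim_pattern.ref {ref!r} matches untrusted ref {candidate}")
    if claims.get("ref_protected") != "true":
        findings.append('claim_pattern.ref_protected is not "true"')
    return findings


def token_allowed(policy, claims):
    """Emulate the policy decision: subject_pattern must match the token's sub
    and every claim_pattern entry must match its claim. Patterns are treated as
    anchored full matches (assumption about octo-sts behaviour)."""
    if not re.fullmatch(policy["subject_pattern"], claims.get("sub", "")):
        return False
    for key, pattern in policy.get("claim_pattern", {}).items():
        if not re.fullmatch(pattern, str(claims.get(key, ""))):
            return False
    return True


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        policy = parse_policy(text)
        print(name, "findings:", lint_policy(policy))
        print(name, "feature branch gets token:", token_allowed(policy, FEATURE_BRANCH_CLAIMS))
        print(name, "unprotected main gets token:", token_allowed(policy, UNPROTECTED_MAIN_CLAIMS))
```

The `UNPROTECTED_MAIN_CLAIMS` case is the reason the description restores both settings rather than only the ref regex: a ref named `main` whose protection has been removed or never applied still presents `ref: refs/heads/main`, and only `ref_protected: "true"` keeps such a run from obtaining the token.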
@paullegranddc force-pushed the codex/fix-sts-policy-vulnerability-in-repository branch from eddb362 to 708e2d6 on May 11, 2026 13:10
@paullegranddc marked this pull request as ready for review on May 11, 2026 13:10
@paullegranddc requested a review from a team as a code owner on May 11, 2026 13:10
@datadog-official

🎯 Code Coverage
Patch Coverage: 100.00%
Overall Coverage: 72.64% (+0.00%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 708e2d6

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.64%. Comparing base (7a24f53) to head (708e2d6).

@@           Coverage Diff           @@
##             main    #1972   +/-   ##
=======================================
  Coverage   72.64%   72.64%           
=======================================
  Files         448      448           
  Lines       73629    73629           
=======================================
  Hits        53487    53487           
  Misses      20142    20142           
| Component | Coverage Δ |
| --- | --- |
| libdd-crashtracker | 65.21% <ø> (-0.02%) ⬇️ |
| libdd-crashtracker-ffi | 36.82% <ø> (ø) |
| libdd-alloc | 98.77% <ø> (ø) |
| libdd-data-pipeline | 86.58% <ø> (ø) |
| libdd-data-pipeline-ffi | 75.64% <ø> (ø) |
| libdd-common | 79.81% <ø> (ø) |
| libdd-common-ffi | 74.41% <ø> (ø) |
| libdd-telemetry | 69.86% <ø> (ø) |
| libdd-telemetry-ffi | 19.37% <ø> (ø) |
| libdd-dogstatsd-client | 82.64% <ø> (ø) |
| datadog-ipc | 76.22% <ø> (+0.04%) ⬆️ |
| libdd-profiling | 81.57% <ø> (ø) |
| libdd-profiling-ffi | 64.51% <ø> (ø) |
| libdd-sampling | 97.25% <ø> (ø) |
| datadog-sidecar | 29.82% <ø> (ø) |
| datdog-sidecar-ffi | 13.22% <ø> (ø) |
| spawn-worker | 54.69% <ø> (ø) |
| libdd-tinybytes | 93.16% <ø> (ø) |
| libdd-trace-normalization | 81.71% <ø> (ø) |
| libdd-trace-obfuscation | 87.26% <ø> (ø) |
| libdd-trace-protobuf | 68.25% <ø> (ø) |
| libdd-trace-utils | 89.27% <ø> (ø) |
| libdd-tracer-flare | 86.88% <ø> (ø) |
| libdd-log | 74.83% <ø> (ø) |

@dd-octo-sts
Contributor

dd-octo-sts Bot commented May 11, 2026

Artifact Size Benchmark Report

aarch64-alpine-linux-musl

| Artifact | Baseline | Commit | Change |
| --- | --- | --- | --- |
| /aarch64-alpine-linux-musl/lib/libdatadog_profiling.so | 7.57 MB | 7.57 MB | 0% (0 B) 👌 |
| /aarch64-alpine-linux-musl/lib/libdatadog_profiling.a | 81.66 MB | 81.66 MB | 0% (0 B) 👌 |

aarch64-unknown-linux-gnu

| Artifact | Baseline | Commit | Change |
| --- | --- | --- | --- |
| /aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so | 10.01 MB | 10.01 MB | 0% (0 B) 👌 |
| /aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a | 97.83 MB | 97.83 MB | 0% (0 B) 👌 |

libdatadog-x64-windows

| Artifact | Baseline | Commit | Change |
| --- | --- | --- | --- |
| /libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll | 24.40 MB | 24.40 MB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib | 79.87 KB | 79.87 KB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb | 179.63 MB | 179.65 MB | +0% (+16.00 KB) 👌 |
| /libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib | 910.79 MB | 910.79 MB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll | 7.71 MB | 7.71 MB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib | 79.87 KB | 79.87 KB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb | 23.11 MB | 23.11 MB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib | 45.25 MB | 45.25 MB | 0% (0 B) 👌 |

libdatadog-x86-windows

| Artifact | Baseline | Commit | Change |
| --- | --- | --- | --- |
| /libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll | 21.02 MB | 21.02 MB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib | 81.11 KB | 81.11 KB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb | 183.76 MB | 183.76 MB | -0% (-8.00 KB) 👌 |
| /libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib | 896.89 MB | 896.89 MB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll | 5.98 MB | 5.98 MB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib | 81.11 KB | 81.11 KB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb | 24.74 MB | 24.74 MB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib | 42.75 MB | 42.75 MB | 0% (0 B) 👌 |

x86_64-alpine-linux-musl

| Artifact | Baseline | Commit | Change |
| --- | --- | --- | --- |
| /x86_64-alpine-linux-musl/lib/libdatadog_profiling.a | 72.78 MB | 72.78 MB | 0% (0 B) 👌 |
| /x86_64-alpine-linux-musl/lib/libdatadog_profiling.so | 8.41 MB | 8.41 MB | 0% (0 B) 👌 |

x86_64-unknown-linux-gnu

| Artifact | Baseline | Commit | Change |
| --- | --- | --- | --- |
| /x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a | 90.53 MB | 90.53 MB | 0% (0 B) 👌 |
| /x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so | 10.03 MB | 10.03 MB | 0% (0 B) 👌 |

@paullegranddc merged commit 7ba6b63 into main on May 11, 2026
42 checks passed
@paullegranddc deleted the codex/fix-sts-policy-vulnerability-in-repository branch on May 11, 2026 14:32