Fix release tag push and pin actions by SHA #335

Merged
szegedi merged 1 commit into main from christoph.hamsen/fix-release-tag-push on May 20, 2026

@xopham xopham commented May 20, 2026

Summary

  • The publish_release job's tag push was rejected by the refs/tags/* ruleset (see failed run). Root cause: actions/checkout persists GITHUB_TOKEN credentials, which take precedence over the dd-octo-sts token we pass in the explicit push URL. Fix matches the working pattern from sdlc-security-playground: set persist-credentials: false on checkout and downgrade contents permission to read.
  • Pin actions/download-artifact (v4.3.0) and actions/setup-node (v3.9.1) by commit SHA in both jobs.

Test plan

  • Bump version on a v*.x branch and confirm the workflow tags + pushes successfully via the dd-octo-sts token.

🤖 Generated with Claude Code

The release workflow's tag push was rejected by the tag ruleset because
actions/checkout persisted GITHUB_TOKEN credentials, which took precedence
over the dd-octo-sts token in the explicit push URL. Drop the persisted
credentials and downgrade contents permission to read.

Also pin actions/download-artifact and actions/setup-node by commit SHA.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
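
An added example, not part of the PR or the project's code: a small Python audit that flags the three conditions this PR addresses in a workflow file (actions not pinned to a full commit SHA, actions/checkout without persist-credentials: false, and contents: write). The sample workflow and the all-zero SHA are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample workflow, not the project's real file.
# The 40-zero SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  publish_release:
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4.3.0
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v3.9.1
      - uses: actions/checkout@0000000000000000000000000000000000000000
        with:
          persist-credentials: false
"""

def step_blocks(lines):
    """Yield (line_no, text) for each '- ' list item plus its more-indented body."""
    i = 0
    while i < len(lines):
        m = re.match(r"(\s*)- ", lines[i])
        if not m:
            i += 1
            continue
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or
                len(lines[j]) - len(lines[j].lstrip()) > len(m.group(1))):
            j += 1
        yield i + 1, "\n".join(lines[i:j])
        i = j

def audit(text):
    """Return sorted (line_no, kind, detail) findings for one workflow file."""
    lines, found = text.splitlines(), []
    for n, line in enumerate(lines, 1):
        if re.match(r"\s*contents:\s*write\b", line):
            found.append((n, "contents-write", line.strip()))
    for n, block in step_blocks(lines):
        m = re.search(r"^\s*(?:- )?uses:\s*([^\s#]+)", block, re.M)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not an action step, or a local/docker reference
        ref = m.group(1).strip("'\"")
        if not re.search(r"@[0-9a-f]{40}$", ref):
            found.append((n, "unpinned", ref))
        if ref.startswith("actions/checkout@") and not re.search(
                r"^\s*persist-credentials:\s*['\"]?false\b", block, re.M):
            found.append((n, "persisted-credentials", ref))
    return sorted(found)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The parser is line-based and indentation-driven, so it suits a quick pre-merge check over `.github/workflows/*.yml`; a `contents-write` finding only matters for jobs that, like the one in this PR, push with a separate token.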
@github-actions

Overall package size

Self size: 2.09 MB
Deduped: 2.45 MB
No deduping: 2.45 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| source-map | 0.7.6 | 185.63 kB | 185.63 kB |
| pprof-format | 2.2.1 | 163.06 kB | 163.06 kB |
| node-gyp-build | 4.8.4 | 13.86 kB | 13.86 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

datadog-prod-us1-6 Bot commented May 20, 2026

Pipelines

⚠️ Warnings

🚦 1 Pipeline job failed

Pull Request Labels | label (GitHub Actions)

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration. Label error. Requires exactly 1 of: semver-patch, semver-minor, semver-major

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 2a41eeb

@szegedi szegedi added the semver-patch Bug or security fixes, mainly label May 20, 2026
@szegedi szegedi enabled auto-merge (squash) May 20, 2026 10:36
@szegedi szegedi merged commit 1417470 into main May 20, 2026
236 of 246 checks passed
@szegedi szegedi deleted the christoph.hamsen/fix-release-tag-push branch May 20, 2026 12:08