Allow more types of serverless-ci to access github

Lewis-E · Lewis-E · commit 6262f9b9493b · 2026-01-13T12:39:19.000-05:00
diff --git a/.github/chainguard/serverless-init-ci-publish.sts.yaml b/.github/chainguard/serverless-init-ci-publish.sts.yaml
@@ -8,18 +8,14 @@
 
 issuer: https://gitlab.ddbuild.io
 
-# Subject pattern matches the serverless-init-ci repo on main branch
-subject_pattern: "project_path:DataDog/serverless-init-ci:ref_type:branch:ref:main"
+# Subject pattern matches the serverless-init-ci repo on any branch or tag
+subject_pattern: "project_path:DataDog/serverless-init-ci:ref_type:(branch|tag):ref:.*"
 
-# Restrict to protected main branch only (root of trust)
+# Allow all branches and tags for building RC and prod images
 claim_pattern:
   project_path: "DataDog/serverless-init-ci"
-  ref: "main"
-  ref_type: "branch"
-  ref_path: "refs/heads/main"
-  ref_protected: "true"
-  pipeline_source: "push"
-  ci_config_ref_uri: "gitlab.ddbuild.io/DataDog/serverless-init-ci//.gitlab-ci.yml@refs/heads/main"
+  ref_type: "^(branch|tag)$"
+  pipeline_source: "^(web|pipeline|push)$"
 
 # Minimal permissions: only write packages to GHCR
 permissions:
