
Commit 1417470

xopham and claude authored
Fix release tag push and pin actions by SHA (#335)
The release workflow's tag push was rejected by the tag ruleset because actions/checkout persisted GITHUB_TOKEN credentials, which took precedence over the dd-octo-sts token in the explicit push URL. Drop the persisted credentials and downgrade contents permission to read. Also pin actions/download-artifact and actions/setup-node by commit SHA.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 34c2138 commit 1417470

1 file changed

Lines changed: 7 additions & 5 deletions

.github/workflows/release.yml
@@ -25,16 +25,18 @@ jobs:
2525
environment: npm
2626
permissions:
2727
id-token: write # Required for OIDC
28-
contents: write
28+
contents: read
2929
steps:
3030
- uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
3131
id: octo-sts
3232
with:
3333
scope: DataDog/pprof-nodejs
3434
policy: self.github.release.push-tags
3535
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
36-
- uses: actions/download-artifact@v4
37-
- uses: actions/setup-node@v3
36+
with:
37+
persist-credentials: false # drop GITHUB_TOKEN so the dd-octo-sts token is used for the tag push
38+
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
39+
- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
3840
with:
3941
node-version: '24'
4042
registry-url: 'https://registry.npmjs.org'
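Review bot: With `persist-credentials: false` on the checkout step and `contents` dropped to `read`, every later step in this job that talks to the remote must supply its own credential explicitly; the commit message says the tag push already embeds the dd-octo-sts token in the push URL, so please confirm no other step in the `npm` job (for example anything that creates a GitHub release or calls the API) still relied on the write-scoped GITHUB_TOKEN, or it will start failing with a read-only token. The inline comment on `persist-credentials: false` is the right place to record why the default is overridden; keep it. The SHA pins on `actions/download-artifact` and `actions/setup-node` now carry `# v4.3.0` / `# v3.9.1` version comments, which only stay truthful if pin bumps update both the SHA and the comment together, so consider wiring these through whatever automated dependency updater the repo uses.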
@@ -58,8 +60,8 @@ jobs:
5860
contents: read
5961
steps:
6062
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
61-
- uses: actions/download-artifact@v4
62-
- uses: actions/setup-node@v3
63+
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
64+
- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
6365
with:
6466
node-version: '24'
6567
registry-url: 'https://registry.npmjs.org'
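Review bot: This second job already runs with `contents: read` and, from what is visible here, does not push, yet its `actions/checkout` step is left with the default `persist-credentials: true`, so the read-scoped GITHUB_TOKEN is still written into `.git/config` for the rest of the job. For consistency with the first hunk and least privilege, add the same `with: persist-credentials: false` under this checkout as well. The SHA pins for `actions/download-artifact` and `actions/setup-node` mirror the first hunk exactly, which is good; keep the version comments beside them in sync when either pin is bumped.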
