Tweak the release and third-party trust policies (#1187)

egibs · web-flow · commit 960a0848eefe · 2025-10-31T12:03:28.000-04:00
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/.chainguard/source.yaml b/.chainguard/source.yaml
@@ -7,6 +7,10 @@ spec:
         identities:
           - issuer: https://accounts.google.com
           - issuer: https://github.com/login/oauth
+          - issuer: https://token.actions.githubusercontent.com
+            subject: chainguard-dev/malcontent/.github/workflows/release.yaml@refs/heads/main
+          - issuer: https://token.actions.githubusercontent.com
+            subject: chainguard-dev/malcontent/.github/workflows/third-party.yaml@refs/heads/main
     - key:
         # allow commits signed by GitHub, e.g. the UI
         kms: https://github.com/web-flow.gpg
diff --git a/.github/chainguard/release.sts.yaml b/.github/chainguard/release.sts.yaml
@@ -1,7 +1,7 @@
 issuer: https://token.actions.githubusercontent.com
 subject: repo:chainguard-dev/malcontent:ref:refs/heads/main
 claim_pattern:
-  job_workflow_ref: chainguard-dev/malcontent/.github/workflows/(version|release).yaml@.*
+  workflow_ref: chainguard-dev/malcontent/.github/workflows/(version|release).yaml@refs/heads/main
 
 permissions:
   contents: write
diff --git a/.github/chainguard/third-party.sts.yaml b/.github/chainguard/third-party.sts.yaml
@@ -1,7 +1,7 @@
 issuer: https://token.actions.githubusercontent.com
 subject: repo:chainguard-dev/malcontent:ref:refs/heads/main
 claim_pattern:
-  job_workflow_ref: chainguard-dev/malcontent/.github/workflows/third-party.yaml@.*
+  workflow_ref: chainguard-dev/malcontent/.github/workflows/third-party.yaml@refs/heads/main
 
 permissions:
   contents: write
