From cc0b6bc40259388555d52251d260de1582645c63 Mon Sep 17 00:00:00 2001
From: d <88739846+d-niu@users.noreply.github.com>
Date: Wed, 4 Mar 2026 17:36:18 -0500
Subject: [PATCH] Remove obsolete `ref_protected` from STS trust policies

The `ref_protected` OIDC claim is now universally `true` in the DataDog org due to the org-level "incompatible file paths on windows" push ruleset, making it useless as a security discriminator.

Ticket: https://datadoghq.atlassian.net/browse/SINT-4732

Co-Authored-By: Claude Opus 4.6
---
 .github/chainguard/self.read.members.sts.yaml | 1 -
 .github/chainguard/self.write.pr.sts.yaml | 1 -
 2 files changed, 2 deletions(-)

diff --git a/.github/chainguard/self.read.members.sts.yaml b/.github/chainguard/self.read.members.sts.yaml
index e591e5d32a..ed3973f064 100644
--- a/.github/chainguard/self.read.members.sts.yaml
+++ b/.github/chainguard/self.read.members.sts.yaml
@@ -4,7 +4,6 @@ subject_pattern: "repo:DataDog/libdatadog.*"
 claim_pattern:
   ref: "refs/heads/(main|release)"
-  ref_protected: "true"
 permissions:
   members: read
diff --git a/.github/chainguard/self.write.pr.sts.yaml b/.github/chainguard/self.write.pr.sts.yaml
index 62711f4aa7..86bbb7ecd0 100644
--- a/.github/chainguard/self.write.pr.sts.yaml
+++ b/.github/chainguard/self.write.pr.sts.yaml
@@ -4,7 +4,6 @@ subject_pattern: "repo:DataDog/libdatadog.*"
 claim_pattern:
   ref: "refs/heads/(main|release)"
-  ref_protected: "true"
   job_workflow_ref: DataDog/libdatadog/\.github/workflows/release-proposal-dispatch\.yml@.+
 permissions:
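Review bot: After this hunk the `claim_pattern` in self.read.members.sts.yaml (and likewise in self.write.pr.sts.yaml) trusts a token on the `ref` regex alone, and the justification for dropping `ref_protected` is an org-level ruleset that lives outside this repository and can be relaxed without touching these files. The claim is not a discriminator today, as the description says, but it costs nothing to evaluate and would resume meaning "main/release is actually protected" if that ruleset ever stopped covering every branch, so removing it trades a free guard for tidiness. If the removal stands, the policy should record the dependency so a later reader does not re-add or mis-read it; a comment above `claim_pattern:` such as `# ref_protected intentionally omitted: org-wide push ruleset makes it true for every ref (SINT-4732)` would do. The second hunk's `permissions` block continues past the end of the visible patch.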