From 6262f9b9493b9af6cf482e6a2f6b1767dff053eb Mon Sep 17 00:00:00 2001
From: Lewis
Date: Tue, 13 Jan 2026 12:39:19 -0500
Subject: [PATCH 1/2] Allow more types of serverless-ci to access github

---
 .../chainguard/serverless-init-ci-publish.sts.yaml | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/.github/chainguard/serverless-init-ci-publish.sts.yaml b/.github/chainguard/serverless-init-ci-publish.sts.yaml
index 64f6fe311..c9e893f2f 100644
--- a/.github/chainguard/serverless-init-ci-publish.sts.yaml
+++ b/.github/chainguard/serverless-init-ci-publish.sts.yaml
@@ -8,18 +8,14 @@ issuer: https://gitlab.ddbuild.io
-# Subject pattern matches the serverless-init-ci repo on main branch
-subject_pattern: "project_path:DataDog/serverless-init-ci:ref_type:branch:ref:main"
+# Subject pattern matches the serverless-init-ci repo on any branch or tag
+subject_pattern: "project_path:DataDog/serverless-init-ci:ref_type:(branch|tag):ref:.*"
-# Restrict to protected main branch only (root of trust)
+# Allow all branches and tags for building RC and prod images
 claim_pattern:
   project_path: "DataDog/serverless-init-ci"
-  ref: "main"
-  ref_type: "branch"
-  ref_path: "refs/heads/main"
-  ref_protected: "true"
-  pipeline_source: "push"
-  ci_config_ref_uri: "gitlab.ddbuild.io/DataDog/serverless-init-ci//.gitlab-ci.yml@refs/heads/main"
+  ref_type: "^(branch|tag)$"
+  pipeline_source: "^(web|pipeline|push)$"
 # Minimal permissions: only write packages to GHCR
 permissions:

From 8c8ca6e233f82b26441ae7e2e1b3c1aa7119e6d0 Mon Sep 17 00:00:00 2001
From: Lewis
Date: Tue, 13 Jan 2026 12:46:08 -0500
Subject: [PATCH 2/2] Add back ci_config_ref_uri

---
 .github/chainguard/serverless-init-ci-publish.sts.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/chainguard/serverless-init-ci-publish.sts.yaml b/.github/chainguard/serverless-init-ci-publish.sts.yaml
index c9e893f2f..07d915ec5 100644
--- a/.github/chainguard/serverless-init-ci-publish.sts.yaml
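Review bot: Dropping `ref_protected: "true"` from `claim_pattern` (together with the `ref:` and `ref_path:` pins) means a pipeline on any unprotected branch or tag of serverless-init-ci can now mint a token carrying the `packages: write` permission declared below, so anyone able to push a feature branch in that project can publish to GHCR. If RC and prod builds run from release branches and tags, keeping `ref_protected: "true"` next to the new `ref_type` pattern preserves the root-of-trust the removed comment described, since GitLab reports that claim for protected tags as well as protected branches. The new `pipeline_source` pattern also admits `pipeline`, which, if it denotes pipelines triggered from another project, extends trust to whatever upstream projects can trigger this one; a comment stating why `web` and `pipeline` are required would make that decision reviewable. The `permissions:` mapping continues outside the hunk.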
+++ b/.github/chainguard/serverless-init-ci-publish.sts.yaml
@@ -16,6 +16,7 @@ claim_pattern:
   project_path: "DataDog/serverless-init-ci"
   ref_type: "^(branch|tag)$"
   pipeline_source: "^(web|pipeline|push)$"
+  ci_config_ref_uri: "^gitlab\\.ddbuild\\.io/DataDog/serverless-init-ci//\\.gitlab-ci\\.yml@refs/(heads|tags)/.*$"
 # Minimal permissions: only write packages to GHCR
 permissions:
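Review bot: The comment above `claim_pattern` (just outside this hunk, introduced by the previous patch) still reads "Allow all branches and tags", while the new `ci_config_ref_uri` line additionally pins the pipeline definition to the project's own `.gitlab-ci.yml`; a line such as `# Require the pipeline to be defined by this project's own .gitlab-ci.yml (any branch or tag)` above the new key would document that intent. Since the new value and its siblings are written as anchored `^…$` regexes, the context line `project_path: "DataDog/serverless-init-ci"` stands out as the only unanchored one; if the matcher does not anchor automatically, it would also accept a longer project path containing that string, so `project_path: "^DataDog/serverless-init-ci$"` would be consistent with the rest. The double escaping is correct as written: in a double-quoted YAML scalar `\\.` yields the regex `\.`.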