From 2a41eebf6271adcd1d458f40dbefb1c1a6ff4e22 Mon Sep 17 00:00:00 2001
From: xopham
Date: Wed, 20 May 2026 11:58:23 +0200
Subject: [PATCH] Fix release tag push and pin actions by SHA

The release workflow's tag push was rejected by the tag ruleset because actions/checkout persisted GITHUB_TOKEN credentials, which took precedence over the dd-octo-sts token in the explicit push URL. Drop the persisted credentials and downgrade contents permission to read. Also pin actions/download-artifact and actions/setup-node by commit SHA.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8114f84a..ddd4e082 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
 environment: npm
 permissions:
 id-token: write # Required for OIDC
- contents: write
+ contents: read
 steps:
 - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
 id: octo-sts
@@ -33,8 +33,10 @@ jobs:
 scope: DataDog/pprof-nodejs
 policy: self.github.release.push-tags
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- - uses: actions/download-artifact@v4
- - uses: actions/setup-node@v3
+ with:
+ persist-credentials: false # drop GITHUB_TOKEN so the dd-octo-sts token is used for the tag push
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
 with:
 node-version: '24'
 registry-url: 'https://registry.npmjs.org'
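Review bot: The new `contents: read` line carries no explanation, and a job that pushes a release tag while holding only read on contents is exactly the line a later maintainer is tempted to bump back to write. A trailing comment in the style of the existing `# Required for OIDC` would anchor the intent, e.g. `contents: read # tag push uses the dd-octo-sts token, not GITHUB_TOKEN`. The downgrade only works because the checkout step in the next hunk stops persisting GITHUB_TOKEN, so the two lines are best documented as a pair. The push step that uses the dd-octo-sts token is outside this diff.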
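Review bot: The `# v4.3.0` and `# v3.9.1` comments beside the new SHA pins are informational only; nothing in the workflow checks that each SHA really is that tag, so the mapping should be verified against the upstream release and thereafter maintained by whatever bumps the pins (Dependabot and Renovate both rewrite such comments), otherwise the comment drifts while the SHA stays. Pinning `actions/setup-node` at a v3 SHA also freezes this job one major behind the v4 line used for `actions/checkout` and `actions/download-artifact`; worth confirming the v3 runtime is still supported on the runner before locking it in. With `persist-credentials: false`, the later tag push has to supply the dd-octo-sts token itself — the commit message says it is embedded in the push URL — and that step is outside this hunk, so check the token is masked in the job log, since git echoes the remote URL on a rejected push.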
@@ -58,8 +60,8 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- - uses: actions/download-artifact@v4
- - uses: actions/setup-node@v3
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
 with:
 node-version: '24'
 registry-url: 'https://registry.npmjs.org'
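Review bot: The `actions/checkout` step in this job still persists GITHUB_TOKEN into the checked-out `.git/config`, while the other job now sets `persist-credentials: false`; none of the steps visible here (download-artifact, setup-node, the `with:` block) need git credentials afterwards. Unless a later step in this job pushes or fetches with that token, adding the same `with:` / `persist-credentials: false` pair keeps the token out of the workspace in which the downloaded artifacts and the npm tooling run, which is the least-privilege shape the `contents: read` permission already implies. The remainder of the job is outside this hunk; if it does rely on the persisted token, a comment on the checkout step saying so would stop the next reviewer from raising the same point.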