[chore] Remove obsolete ref_protected from STS trust policies#2144
Open
d-niu wants to merge 1 commit into
Open
[chore] Remove obsolete ref_protected from STS trust policies#2144d-niu wants to merge 1 commit into
ref_protected from STS trust policies#2144d-niu wants to merge 1 commit into
Conversation
The `ref_protected` OIDC claim is now universally `true` in the DataDog org due to the org-level "incompatible file paths on windows" push ruleset, making it useless as a security discriminator. Ticket: https://datadoghq.atlassian.net/browse/SINT-4732 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Drarig29
approved these changes
Mar 5, 2026
Drarig29
changed the title
ref_protected from STS trust policiesref_protected from STS trust policies
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ref_protected: "true"from dd-octo-sts trust policy claim patternsThe
ref_protectedOIDC claim is now obsolete in the DataDog org:ref_protected: truein OIDC tokens, making it useless as a security signalgitlab.ddbuild.ioreportref_protected: truedue to org-levelpushAccessLevels: 40configSince the claim is universally
true, it provides no actual filtering — only a false sense of security. Removing it has zero functional impact on policy enforcement.All other constraints (subject, ref, job_workflow_ref, project_path, pipeline_source, etc.) remain unchanged and continue to provide the real security boundaries.
Ticket: https://datadoghq.atlassian.net/browse/SINT-4732
Test plan
🤖 Generated with Claude Code