Remove obsolete `ref_protected` from STS trust policies by d-niu · Pull Request #7676 · DataDog/dd-trace-js

d-niu · 2026-03-04T22:35:34Z

Summary

Remove ref_protected: "true" from dd-octo-sts trust policy claim patterns

The ref_protected OIDC claim is now obsolete in the DataDog org:

GitHub: The org-level "incompatible file paths on windows" push ruleset causes ALL branches to report ref_protected: true in OIDC tokens, making it useless as a security signal
GitLab: All branches on gitlab.ddbuild.io report ref_protected: true due to org-level pushAccessLevels: 40 config

Since the claim is universally true, it provides no actual filtering — only a false sense of security. Removing it has zero functional impact on policy enforcement.

All other constraints (subject, ref, job_workflow_ref, project_path, pipeline_source, etc.) remain unchanged and continue to provide the real security boundaries.

Ticket: https://datadoghq.atlassian.net/browse/SINT-4732

Test plan

Verify that the remaining policy constraints are sufficient (ref, job_workflow_ref, etc. are unchanged)
No functional change expected since ref_protected was already always true

🤖 Generated with Claude Code

github-actions · 2026-03-04T22:36:17Z

Overall package size

Self size: 4.96 MB
Deduped: 5.81 MB
No deduping: 5.81 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 3.0.0 | 81.15 kB | 815.98 kB | | dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

codecov · 2026-03-04T22:36:20Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.42%. Comparing base (2d575de) to head (7be09ec).
⚠️ Report is 35 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #7676   +/-   ##
=======================================
  Coverage   80.42%   80.42%           
=======================================
  Files         741      741           
  Lines       32182    32182           
=======================================
  Hits        25883    25883           
  Misses       6299     6299

Flag	Coverage Δ
aiguard-macos	`39.09% <ø> (-0.10%)`	⬇️
aiguard-ubuntu	`39.21% <ø> (-0.10%)`	⬇️
aiguard-windows	`38.94% <ø> (-0.10%)`	⬇️
apm-capabilities-tracing-macos	`48.89% <ø> (ø)`
apm-capabilities-tracing-ubuntu	`48.93% <ø> (ø)`
apm-capabilities-tracing-windows	`48.66% <ø> (-0.01%)`	⬇️
apm-integrations-child-process	`38.39% <ø> (-0.10%)`	⬇️
apm-integrations-couchbase-18	`37.31% <ø> (-0.10%)`	⬇️
apm-integrations-couchbase-eol	`37.78% <ø> (-0.10%)`	⬇️
apm-integrations-oracledb	`37.62% <ø> (-0.10%)`	⬇️
appsec-express	`55.20% <ø> (-0.07%)`	⬇️
appsec-fastify	`51.54% <ø> (-0.07%)`	⬇️
appsec-graphql	`51.73% <ø> (-0.08%)`	⬇️
appsec-kafka	`44.27% <ø> (-0.08%)`	⬇️
appsec-ldapjs	`43.93% <ø> (-0.08%)`	⬇️
appsec-lodash	`43.59% <ø> (-0.08%)`	⬇️
appsec-macos	`58.21% <ø> (-0.07%)`	⬇️
appsec-mongodb-core	`48.70% <ø> (-0.08%)`	⬇️
appsec-mongoose	`49.37% <ø> (-0.08%)`	⬇️
appsec-mysql	`50.90% <ø> (+0.02%)`	⬆️
appsec-node-serialize	`43.11% <ø> (-0.08%)`	⬇️
appsec-passport	`47.55% <ø> (-0.09%)`	⬇️
appsec-postgres	`50.54% <ø> (-0.05%)`	⬇️
appsec-sourcing	`42.51% <ø> (-0.08%)`	⬇️
appsec-template	`43.27% <ø> (-0.08%)`	⬇️
appsec-ubuntu	`58.29% <ø> (-0.07%)`	⬇️
appsec-windows	`58.07% <ø> (-0.05%)`	⬇️
instrumentations-instrumentation-bluebird	`32.26% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-body-parser	`40.41% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-child_process	`37.71% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-cookie-parser	`34.24% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-express	`34.56% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-express-mongo-sanitize	`34.37% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-express-session	`40.05% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-fs	`31.88% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-generic-pool	`29.69% <ø> (ø)`
instrumentations-instrumentation-http	`39.69% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-knex	`32.27% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-mongoose	`33.39% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-multer	`40.16% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-mysql2	`38.17% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-passport	`43.97% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-passport-http	`43.64% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-passport-local	`44.17% <ø> (-0.09%)`	⬇️
instrumentations-instrumentation-pg	`37.60% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-promise	`32.19% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-promise-js	`32.20% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-q	`32.24% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-url	`32.17% <ø> (-0.10%)`	⬇️
instrumentations-instrumentation-when	`32.21% <ø> (-0.10%)`	⬇️
llmobs-ai	`42.15% <ø> (-0.09%)`	⬇️
llmobs-anthropic	`40.14% <ø> (-0.09%)`	⬇️
llmobs-bedrock	`39.13% <ø> (-0.08%)`	⬇️
llmobs-google-genai	`39.69% <ø> (-0.09%)`	⬇️
llmobs-langchain	`39.93% <ø> (-0.08%)`	⬇️
llmobs-openai	`43.87% <ø> (-0.09%)`	⬇️
llmobs-vertex-ai	`39.94% <ø> (-0.09%)`	⬇️
platform-core	`31.53% <ø> (ø)`
platform-esbuild	`34.48% <ø> (ø)`
platform-instrumentations-misc	`48.40% <ø> (ø)`
platform-shimmer	`37.63% <ø> (ø)`
platform-unit-guardrails	`32.95% <ø> (ø)`
plugins-azure-event-hubs	`25.83% <ø> (ø)`
plugins-azure-service-bus	`25.19% <ø> (ø)`
plugins-bullmq	`44.18% <ø> (-0.10%)`	⬇️
plugins-cassandra	`37.80% <ø> (+0.04%)`	⬆️
plugins-cookie	`26.89% <ø> (ø)`
plugins-cookie-parser	`26.67% <ø> (ø)`
plugins-crypto	`26.79% <ø> (ø)`
plugins-dd-trace-api	`38.22% <ø> (-0.10%)`	⬇️
plugins-express-mongo-sanitize	`26.82% <ø> (ø)`
plugins-express-session	`26.63% <ø> (ø)`
plugins-fastify	`42.13% <ø> (-0.09%)`	⬇️
plugins-fetch	`38.22% <ø> (-0.09%)`	⬇️
plugins-fs	`38.49% <ø> (-0.10%)`	⬇️
plugins-generic-pool	`25.87% <ø> (ø)`
plugins-google-cloud-pubsub	`45.34% <ø> (-0.09%)`	⬇️
plugins-grpc	`40.81% <ø> (-0.09%)`	⬇️
plugins-handlebars	`26.86% <ø> (ø)`
plugins-hapi	`40.04% <ø> (-0.10%)`	⬇️
plugins-hono	`40.30% <ø> (-0.10%)`	⬇️
plugins-ioredis	`38.30% <ø> (-0.10%)`	⬇️
plugins-knex	`26.50% <ø> (ø)`
plugins-ldapjs	`24.36% <ø> (ø)`
plugins-light-my-request	`26.23% <ø> (ø)`
plugins-limitd-client	`32.54% <ø> (-0.10%)`	⬇️
plugins-lodash	`25.96% <ø> (ø)`
plugins-mariadb	`39.35% <ø> (-0.10%)`	⬇️
plugins-memcached	`38.03% <ø> (-0.10%)`	⬇️
plugins-microgateway-core	`39.11% <ø> (-0.10%)`	⬇️
plugins-moleculer	`40.40% <ø> (-0.09%)`	⬇️
plugins-mongodb	`39.05% <ø> (-0.10%)`	⬇️
plugins-mongodb-core	`38.88% <ø> (-0.10%)`	⬇️
plugins-mongoose	`38.74% <ø> (-0.10%)`	⬇️
plugins-multer	`26.63% <ø> (ø)`
plugins-mysql	`39.04% <ø> (-0.10%)`	⬇️
plugins-mysql2	`39.14% <ø> (-0.10%)`	⬇️
plugins-node-serialize	`26.93% <ø> (ø)`
plugins-opensearch	`37.49% <ø> (-0.10%)`	⬇️
plugins-passport-http	`26.68% <ø> (ø)`
plugins-postgres	`35.53% <ø> (-0.09%)`	⬇️
plugins-process	`26.79% <ø> (ø)`
plugins-pug	`26.89% <ø> (ø)`
plugins-redis	`38.77% <ø> (-0.10%)`	⬇️
plugins-router	`42.99% <ø> (+0.04%)`	⬆️
plugins-sequelize	`25.47% <ø> (ø)`
plugins-test-and-upstream-amqp10	`38.38% <ø> (-0.10%)`	⬇️
plugins-test-and-upstream-amqplib	`43.76% <ø> (-0.10%)`	⬇️
plugins-test-and-upstream-apollo	`39.01% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-avsc	`38.55% <ø> (-0.10%)`	⬇️
plugins-test-and-upstream-bunyan	`33.80% <ø> (-0.10%)`	⬇️
plugins-test-and-upstream-connect	`40.70% <ø> (-0.10%)`	⬇️
plugins-test-and-upstream-graphql	`40.00% <ø> (-0.10%)`	⬇️
plugins-test-and-upstream-koa	`40.29% <ø> (-0.10%)`	⬇️
plugins-test-and-upstream-protobufjs	`38.78% <ø> (-0.10%)`	⬇️
plugins-test-and-upstream-rhea	`43.94% <ø> (-0.10%)`	⬇️
plugins-undici	`38.99% <ø> (-0.09%)`	⬇️
plugins-url	`26.79% <ø> (ø)`
plugins-valkey	`37.97% <ø> (-0.10%)`	⬇️
plugins-vm	`26.79% <ø> (ø)`
plugins-winston	`33.99% <ø> (-0.10%)`	⬇️
plugins-ws	`41.76% <ø> (-0.10%)`	⬇️
profiling-macos	`39.80% <ø> (-0.10%)`	⬇️
profiling-ubuntu	`39.92% <ø> (-0.10%)`	⬇️
profiling-windows	`41.51% <ø> (+0.30%)`	⬆️
serverless-azure-functions-client	`25.54% <ø> (ø)`
serverless-azure-functions-eventhubs	`25.54% <ø> (ø)`
serverless-azure-functions-servicebus	`25.54% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

pr-commenter · 2026-03-04T22:44:08Z

Benchmarks

Benchmark execution time: 2026-03-13 19:33:42

Comparing candidate commit 7be09ec in PR branch remove-ref-protected-from-sts-policies with baseline commit 2d575de in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 230 metrics, 30 unstable metrics.

The `ref_protected` OIDC claim is now universally `true` in the DataDog org due to the org-level "incompatible file paths on windows" push ruleset, making it useless as a security discriminator. Ticket: https://datadoghq.atlassian.net/browse/SINT-4732 Co-Authored-By: Claude Opus 4.6 <[email protected]>

The `ref_protected` OIDC claim is now universally `true` in the DataDog org due to the org-level "incompatible file paths on windows" push ruleset, making it useless as a security discriminator. Ticket: https://datadoghq.atlassian.net/browse/SINT-4732

BridgeAR approved these changes Mar 5, 2026

View reviewed changes

BridgeAR added the semver-patch label Mar 5, 2026

BridgeAR enabled auto-merge (squash) March 5, 2026 10:21

BridgeAR force-pushed the remove-ref-protected-from-sts-policies branch from a169211 to e7ecc6c Compare March 9, 2026 15:23

BridgeAR requested a review from a team as a code owner March 9, 2026 15:23

juliendoutre approved these changes Mar 9, 2026

View reviewed changes

BridgeAR added 2 commits March 13, 2026 10:09

Merge branch 'master' into remove-ref-protected-from-sts-policies

1b43987

Merge branch 'master' into remove-ref-protected-from-sts-policies

7be09ec

BridgeAR merged commit f20430c into master Mar 18, 2026
790 of 791 checks passed

BridgeAR deleted the remove-ref-protected-from-sts-policies branch March 18, 2026 04:35

dd-octo-sts bot mentioned this pull request Mar 18, 2026

v5.91.0 proposal #7802

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove obsolete `ref_protected` from STS trust policies#7676

Remove obsolete `ref_protected` from STS trust policies#7676
BridgeAR merged 3 commits intomasterfrom
remove-ref-protected-from-sts-policies

d-niu commented Mar 4, 2026

Uh oh!

github-actions bot commented Mar 4, 2026 •

edited

Loading

Uh oh!

codecov bot commented Mar 4, 2026 •

edited

Loading

Uh oh!

pr-commenter bot commented Mar 4, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

d-niu commented Mar 4, 2026

Summary

Test plan

Uh oh!

github-actions bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Overall package size

Uh oh!

codecov bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

pr-commenter bot commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Benchmarks

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

github-actions bot commented Mar 4, 2026 •

edited

Loading

codecov bot commented Mar 4, 2026 •

edited

Loading

pr-commenter bot commented Mar 4, 2026 •

edited

Loading