From 197f7e96435ad9122b66329dae7b24107a18d037 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Fri, 12 Dec 2025 10:51:41 -0600
Subject: [PATCH 1/2] Clean workflow and trust policy
---
 .../chainguard/self.pin-system-tests.create-pr.sts.yaml | 6 +++---
 .github/workflows/pin-system-tests.yaml | 7 ++-----
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml b/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml
index c2b192475a7..5041744f0da 100644
--- a/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml
+++ b/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml
@@ -1,11 +1,11 @@
 issuer: https://token.actions.githubusercontent.com
-subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/(master|test/v.+)
+subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/(master|release/v.+)
 claim_pattern:
   event_name: (create|workflow_dispatch)
-  ref: refs/heads/(master|test/v.+)
-  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/(master|test/v.+)
+  ref: refs/heads/(master|release/v.+)
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/(master|release/v.+)
 permissions:
   contents: write
diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml
index 65008ab999b..530a9ff4211 100644
--- a/.github/workflows/pin-system-tests.yaml
+++ b/.github/workflows/pin-system-tests.yaml
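Review bot: The token minted under this policy is also what the workflow hands to `gh pr create` (as `GH_TOKEN: ${{ steps.octo-sts.outputs.token }}`), and creating a pull request needs `pull-requests: write`, yet the `permissions:` block visible here grants only `contents: write`; if nothing below this hunk adds it, PR creation will be refused and `pull-requests: write` should be added under `permissions:`. The rest of the policy is pinned the way one wants — subject, `ref` and `job_workflow_ref` all tied to this workflow file on `master` or `release/v*` — so the only open claim is the `.+` tail after `release/v`, which is acceptable provided octo-sts anchors its patterns (worth confirming rather than assuming). The policy file may continue past this hunk.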
@@ -13,11 +13,10 @@ on:
 jobs:
   pin-system-tests:
     name: "Pin system tests"
-    # CHANGE BACK TO release/v*
-    if: github.event_name != 'create' || startsWith(github.ref, 'refs/heads/test/v')
+    if: github.event_name != 'create' || startsWith(github.ref, 'refs/heads/release/v')
     runs-on: ubuntu-latest
     permissions:
-      contents: write # may not be needed
+      contents: write
       id-token: write # Required for OIDC token federation
     steps:
       - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
@@ -96,7 +95,6 @@ jobs:
         if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true'
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
-        # REMOVE DRAFT
         run: |
           gh pr create --title "Pin system tests for release branch" \
             --base ${{ steps.define-base-branch.outputs.base_branch }} \
@@ -104,4 +102,3 @@ jobs:
             --label "tag: dependencies" \
             --label "tag: no release notes" \
             --body "This PR pins the system-tests reference for the release branch." \
-            --draft
From 5422f0c245b5d1c04954c203d4111a9cf9d769b6 Mon Sep 17 00:00:00 2001
From: Sarah Chen
Date: Fri, 12 Dec 2025 11:28:38 -0600
Subject: [PATCH 2/2] Add error statements and exit on errors
---
 .github/workflows/pin-system-tests.yaml | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml
index 530a9ff4211..6340906c396 100644
--- a/.github/workflows/pin-system-tests.yaml
+++ b/.github/workflows/pin-system-tests.yaml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
-      id-token: write # Required for OIDC token federation
+      id-token: write # required for OIDC token federation
     steps:
       - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
         id: octo-sts
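Review bot: `contents: write` on the job's own GITHUB_TOKEN looks broader than the job needs: the push goes through commit-headless with `token: "${{ steps.octo-sts.outputs.token }}"` and the PR is opened with the same STS token as `GH_TOKEN`, so the default token appears to serve only checkout and `git ls-remote`, which need `contents: read`. The old `# may not be needed` comment was asking exactly this question and the commit deletes the question rather than answering it. Unless a step outside these hunks writes with the default token, I would tighten it to `contents: read # checkout/ls-remote only; writes use the octo-sts token`. The job's steps continue past this hunk.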
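Review bot: With `--draft` gone, the `--body "…" \` line is now the last line of the script and ends in a dangling continuation; bash accepts a backslash-newline at end of input so it runs today, but any command someone later appends to this `run:` block would silently become another positional argument to `gh pr create` instead of a new command. Drop the trailing backslash: `--body "This PR pins the system-tests reference for the release branch."`. The `gh pr create` command begins in the previous hunk.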
@@ -49,11 +49,10 @@ jobs:
         run: |
           BRANCH=${{ steps.define-branch.outputs.branch }}
           if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
-            echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
-            echo "Branch $BRANCH already exists - please delete it and re-run the workflow."
+            echo "ERROR: Branch $BRANCH already exists - please delete it and re-run the workflow."
+            exit 1
           else
-            echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
-            echo "Branch $BRANCH does not exist - creating it now"
+            echo "Branch $BRANCH does not exist - creating it now."
           fi
       - name: Update system-tests references to latest commit SHA on main
@@ -63,16 +62,14 @@ jobs:
         id: check-changes
         run: |
           if [[ -z "$(git status -s)" ]]; then
-            echo "No changes to commit, exiting."
-            echo "commit_changes=false" >> "$GITHUB_OUTPUT"
+            echo "ERROR: No changes to commit - the system-tests reference was not updated."
+            exit 1
           else
-            echo "commit_changes=true" >> "$GITHUB_OUTPUT"
             echo "Changes to commit:"
             git status -s
           fi
       - name: Commit changes
-        if: steps.check-changes.outputs.commit_changes == 'true'
         id: create-commit
         run: |
           git config user.name "github-actions[bot]"
@@ -82,7 +79,6 @@ jobs:
       - name: Push changes
         uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
-        if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true'
         with:
           token: "${{ steps.octo-sts.outputs.token }}"
           branch: "${{ steps.define-branch.outputs.branch }}"
@@ -92,7 +88,6 @@ jobs:
           commits: "${{ steps.create-commit.outputs.commit }}"
       - name: Create pull request
-        if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true'
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
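Review bot: The new `exit 1` turns a loose existence check into a hard failure: `grep -q "$BRANCH"` matches the branch name as an unanchored regex against whatever `ls-remote` printed, so a `.` in a version matches any character and a different but similarly named branch can be reported as "already exists" and abort the run. Let git answer directly and drop the pipe: `if git ls-remote --exit-code --heads origin "refs/heads/$BRANCH" >/dev/null; then`. While here, `BRANCH=${{ steps.define-branch.outputs.branch }}` splices expression output straight into the script text; passing it through `env:` and reading `"$BRANCH"` is the usual way to keep that out of the shell parser. The step's `name:`/`id:` lines sit above the hunk.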
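Review bot: `git status -s` counts untracked files as well as modifications, so if the update step (outside this hunk) ever leaves a scratch file in the tree the branch passes this check and the job goes on to commit and push whatever is there; the message on the new error line only makes sense if the check is really about the pinned reference. If that is the intent, `if git diff --quiet HEAD; then` tests tracked changes only, and it can be scoped further with `-- <path-to-pinned-file>` once the file the update step rewrites is named. The step's `name:` line is above the hunk.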