Clean workflow and trust policy (#10200)

* Clean workflow and trust policy

Author: sarahchen6

.github/chainguard/self.pin-system-tests.create-pr.sts.yaml

@@ -1,11 +1,11 @@
 issuer: https://token.actions.githubusercontent.com
 
-subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/(master|test/v.+)
+subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/(master|release/v.+)
 
 claim_pattern:
   event_name: (create|workflow_dispatch)
-  ref: refs/heads/(master|test/v.+)
-  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/(master|test/v.+)
+  ref: refs/heads/(master|release/v.+)
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/(master|release/v.+)
 
 permissions:
   contents: write

.github/workflows/pin-system-tests.yaml

@@ -13,12 +13,11 @@ on:
 jobs:
   pin-system-tests:
     name: "Pin system tests"
-    # CHANGE BACK TO release/v*
-    if: github.event_name != 'create' || startsWith(github.ref, 'refs/heads/test/v')
+    if: github.event_name != 'create' || startsWith(github.ref, 'refs/heads/release/v')
     runs-on: ubuntu-latest
     permissions:
-      contents: write # may not be needed
-      id-token: write # Required for OIDC token federation
+      contents: write
+      id-token: write # required for OIDC token federation
     steps:
       - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
         id: octo-sts
@@ -55,11 +54,10 @@ jobs:
         run: |
           BRANCH=${{ steps.define-branch.outputs.branch }}
           if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
-            echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
-            echo "Branch $BRANCH already exists - please delete it and re-run the workflow."
+            echo "ERROR: Branch $BRANCH already exists - please delete it and re-run the workflow."
+            exit 1
           else
-            echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
-            echo "Branch $BRANCH does not exist - creating it now"
+            echo "Branch $BRANCH does not exist - creating it now."
           fi
       
       - name: Update system-tests references to latest commit SHA on main
@@ -69,16 +67,14 @@ jobs:
         id: check-changes
         run: |
           if [[ -z "$(git status -s)" ]]; then
-            echo "No changes to commit, exiting."
-            echo "commit_changes=false" >> "$GITHUB_OUTPUT"
+            echo "ERROR: No changes to commit - the system-tests reference was not updated."
+            exit 1
           else
-            echo "commit_changes=true" >> "$GITHUB_OUTPUT"
             echo "Changes to commit:"
             git status -s
           fi
       
       - name: Commit changes
-        if: steps.check-changes.outputs.commit_changes == 'true'
         id: create-commit
         run: |
           git config user.name "github-actions[bot]"
@@ -88,7 +84,6 @@ jobs:
       
       - name: Push changes
         uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
-        if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true'
         with:
           token: "${{ steps.octo-sts.outputs.token }}"
           branch: "${{ steps.define-branch.outputs.branch }}"
@@ -98,15 +93,12 @@ jobs:
           commits: "${{ steps.create-commit.outputs.commit }}"
 
       - name: Create pull request
-        if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true'
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
-        # REMOVE DRAFT
         run: |
           gh pr create --title "Pin system tests for release branch" \
             --base ${{ steps.define-base-branch.outputs.base_branch }} \
             --head ${{ steps.define-branch.outputs.branch }} \
             --label "tag: dependencies" \
             --label "tag: no release notes" \
             --body "This PR pins the system-tests reference for the release branch." \
-            --draft