Refine trust policy

Author: sarahchen6

.github/chainguard/self.pin-system-tests.create-pr.sts.yaml

@@ -1,11 +1,11 @@
 issuer: https://token.actions.githubusercontent.com
 
-subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/.+
+subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/(master|test/v.+)
 
 claim_pattern:
-  event_name: (push|workflow_dispatch)
-  ref: refs/heads/.+
-  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/.+
+  event_name: (create|workflow_dispatch)
+  ref: refs/heads/(master|test/v.+)
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/(master|test/v.+)
 
 permissions:
   contents: write

.github/workflows/pin-system-tests.yaml

@@ -13,6 +13,7 @@ on:
 jobs:
   pin-system-tests:
     name: "Pin system tests"
+    # CHANGE BACK TO release/v*
     if: github.event_name != 'create' || startsWith(github.ref, 'refs/heads/test/v')
     runs-on: ubuntu-latest
     permissions:
@@ -95,7 +96,7 @@ jobs:
         if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true'
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
-        # base may need to be `release/v*`
+        # REMOVE DRAFT
         run: |
           gh pr create --title "Pin system tests for release branch" \
             --base ${{ steps.define-base-branch.outputs.base_branch }} \