[SDTEST-3585] Migrate release workflows from GITHUB_TOKEN to dd-octo-sts #41

Merged

anmarchenko merged 1 commit into main from anmarchenko/migrate_to_dd_octo_sts on Mar 18, 2026

Conversation

@anmarchenko anmarchenko commented Mar 18, 2026

Summary

  • Replace github.token with dd-octo-sts short-lived tokens in prerelease.yml and release.yml workflows
  • Add trust policies (.github/chainguard/) scoping contents: write to protected refs (main branch and v* tags)
  • Pin dd-octo-sts-action to v1.0.3 by full commit SHA

Changes

  • prerelease.yml: Uses self.github.release.prerelease policy, scoped to push on main
  • release.yml: Uses self.github.release.tags policy, scoped to push on v* tags
  • Both workflows: contents: write replaced with contents: read + id-token: write at job level

Deployment

  1. Merge this PR first (policies must be on default branch)
  2. Pre-release workflow will self-test on merge to main
  3. Tag a version to test the release workflow

Note

Tag protection ruleset (org-wide, 13532795) will be enforced on 2026-04-01, restricting tag push to maintainer+ roles.

Test plan

  • Verify Trust Policy Validation check passes on this PR
  • After merge, confirm pre-release workflow succeeds on main
  • Tag a test version to confirm release workflow succeeds

🤖 Generated with Claude Code
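The before/after shape of the change described in the PR, written out as an added example rather than taken from the PR's own diff. It assumes a placeholder repository `DataDog/example-repo`, that `DataDog/dd-octo-sts-action` takes `scope` and `policy` inputs and exposes a `token` output, that trust policies use the octo-sts file format (`issuer`, `subject` / `subject_pattern`, `permissions`), and a `<full-commit-sha>` placeholder where the PR pins v1.0.3 by SHA (the actual SHA is not on this page). The policy names `self.github.release.tags` and `self.github.release.prerelease` are the ones the PR names.

```yaml
# Added example, not the PR's diff. Assumed: placeholder repo DataDog/example-repo,
# the action's `scope`/`policy` inputs and `token` output, the octo-sts policy
# file format, and <full-commit-sha> standing in for the real pinned commit.

# --- BEFORE: .github/workflows/release.yml (the pattern the PR removes) ---
# A job-level contents:write on GITHUB_TOKEN means every step in the job, and
# every third-party action those steps pull in, can push to any ref in the repo.
name: release
on:
  push:
    tags: ["v*"]
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write            # broad: any step can write any ref
    steps:
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
---
# --- AFTER: .github/workflows/release.yml ---
# GITHUB_TOKEN drops to contents:read. id-token:write only lets the job mint an
# OIDC token; dd-octo-sts exchanges that for a short-lived installation token
# whose permissions come from the trust policy, not from this file.
name: release
on:
  push:
    tags: ["v*"]
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write            # required to request the OIDC token
    steps:
      # Pinned by full commit SHA, as the PR does for v1.0.3; the tag in the
      # comment is documentation only, the SHA is what is fetched.
      - id: octo-sts
        uses: DataDog/dd-octo-sts-action@<full-commit-sha> # v1.0.3 (placeholder SHA)
        with:
          scope: DataDog/example-repo          # placeholder repo
          policy: self.github.release.tags
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
---
# --- .github/chainguard/self.github.release.tags.sts.yaml ---
# Only an OIDC token whose subject claim is a push of a v* tag in this
# repository is exchanged for contents:write. Policies are read from the
# default branch, which is why the PR says to merge the policies first.
issuer: https://token.actions.githubusercontent.com
subject_pattern: repo:DataDog/example-repo:ref:refs/tags/v.*
permissions:
  contents: write
---
# --- .github/chainguard/self.github.release.prerelease.sts.yaml ---
# Exact-match subject for pushes to main; a pull_request run carries
# ref:refs/pull/N/merge and so cannot satisfy either policy.
issuer: https://token.actions.githubusercontent.com
subject: repo:DataDog/example-repo:ref:refs/heads/main
permissions:
  contents: write
```

One check worth keeping in mind when reading the policies: the `sub` claim GitHub puts in the OIDC token depends on how the job runs. A plain push to a branch or tag yields `repo:ORG/REPO:ref:refs/...`, but a job that declares an `environment:` yields `repo:ORG/REPO:environment:NAME` instead, so adding an environment to either workflow later would make the `ref:`-based policy stop matching and the token exchange fail closed rather than silently over-grant.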

@anmarchenko anmarchenko requested a review from a team as a code owner March 18, 2026 10:30

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 868bc5d103

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@anmarchenko anmarchenko changed the title Migrate release workflows from GITHUB_TOKEN to dd-octo-sts [SDTEST-3585] Migrate release workflows from GITHUB_TOKEN to dd-octo-sts Mar 18, 2026
@anmarchenko anmarchenko merged commit 9440271 into main Mar 18, 2026
4 checks passed
@anmarchenko anmarchenko deleted the anmarchenko/migrate_to_dd_octo_sts branch March 18, 2026 11:38