From b4b596731f79e353fb565bc48e01694d27bd13a4 Mon Sep 17 00:00:00 2001
From: Nicolas Catoni
Date: Fri, 3 Apr 2026 14:27:50 +0200
Subject: [PATCH 1/2] dd-sts migration
---
 .github/actions/push_to_test_optim/action.yml | 19 +++++++++++++++----
 .github/workflows/ci.yml | 3 ++-
 .github/workflows/run-end-to-end.yml | 8 ++++++++
 .github/workflows/run-parametric.yml | 8 ++++++++
 .github/workflows/system-tests.yml | 11 +++++++++++
 5 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/.github/actions/push_to_test_optim/action.yml b/.github/actions/push_to_test_optim/action.yml
index 674c391c85c..0502cd4a190 100644
--- a/.github/actions/push_to_test_optim/action.yml
+++ b/.github/actions/push_to_test_optim/action.yml
@@ -6,9 +6,13 @@ inputs:
 default: datadoghq.com
 datadog_api_key:
 description: "A valid DD_API_KEY"
+ default: ""
 ci_environment:
 description: "CI environment running the tests (dev/prod/custom), used for Test Optimization tagging"
 default: ""
+ dd_sts_policy:
+ description: "dd-sts policy to use to get a datadog API key (required if datadog_api_key is not set)"
+ default: ""
 runs:
 using: composite
@@ -19,19 +23,26 @@ runs:
 run: echo "Skipping TestOptim push for dependabot PRs"
 - name: Install datadog-ci
- if: github.event.pull_request.user.login != 'dependabot[bot]' && inputs.datadog_api_key != ''
+ if: github.event.pull_request.user.login != 'dependabot[bot]'
 shell: bash
 run: npm install -g @datadog/datadog-ci || sleep 60 && npm install -g @datadog/datadog-ci
 - name: checkout owner repo
- if: github.event.pull_request.user.login != 'dependabot[bot]' && inputs.datadog_api_key != ''
+ if: github.event.pull_request.user.login != 'dependabot[bot]'
 uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
 with:
 path: repo
+ - name: Get Datadog credentials
+ id: dd-sts
+ if: inputs.dd_sts_policy != ''
+ uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+ with:
+ policy: ${{ inputs.dd_sts_policy }}
+
 # https://docs.datadoghq.com/tests/setup/junit_xml/?tab=linux
 - name: Push results
- if: github.event.pull_request.user.login != 'dependabot[bot]' && inputs.datadog_api_key != ''
+ if: github.event.pull_request.user.login != 'dependabot[bot]'
 shell: bash
 run: |
 cd repo
@@ -43,5 +54,5 @@ runs:
 --xpath-tag "test.codeowners=/testcase/properties/property[@name='test.codeowners']"
 env:
 DATADOG_SITE: ${{ inputs.datadog_site }}
- DATADOG_API_KEY: ${{ inputs.datadog_api_key }}
+ DATADOG_API_KEY: ${{ inputs.datadog_api_key != '' && inputs.datadog_api_key || steps.dd-sts.outputs.api_key }}
 DD_TAGS: ${{ inputs.ci_environment != '' && format('test.configuration.ci_environment:{0}', inputs.ci_environment) || '' }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7fdbfab566e..d471614e0c8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
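Review bot: The three `if:` guards rewritten in this hunk no longer check that any credential source exists, so when both `datadog_api_key` and `dd_sts_policy` are empty the "Push results" step now runs with an empty `DATADOG_API_KEY` (the `||` fallback in the `@@ -43,5 +54,5 @@` hunk reads the output of a skipped step) and fails, where the old guard skipped it cleanly. Suggest `if: github.event.pull_request.user.login != 'dependabot[bot]' && (inputs.datadog_api_key != '' || inputs.dd_sts_policy != '')` on the Install, checkout and Push steps so the "required if datadog_api_key is not set" promise in the input description is actually enforced. The new "Get Datadog credentials" step is also the only step without the dependabot guard; since every other step skips for dependabot PRs, its condition should be `if: github.event.pull_request.user.login != 'dependabot[bot]' && inputs.dd_sts_policy != ''` so no OIDC exchange is attempted for a credential nothing will use. The `runs:` block continues outside the hunk.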
@@ -71,10 +71,10 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
 secrets:
 DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
- TEST_OPTIMIZATION_API_KEY: ${{ secrets.TEST_OPTIMIZATION_API_KEY }}
 CIRCLECI_TOKEN: ${{ secrets.CIRCLECI_TOKEN }}
 DD_API_KEY: ${{ secrets.DD_API_KEY }}
 DD_APPLICATION_KEY: ${{ secrets.DD_APPLICATION_KEY }}
@@ -100,6 +100,7 @@ jobs:
 _system_tests_dev_mode: ${{ matrix.version == 'dev' }}
 _system_tests_library_target_branch_map: ${{ needs.compute_libraries_and_scenarios.outputs.target-branch-map }}
 push_to_test_optimization: true
+ dd_sts_policy: system-tests
 exotics:
 name: Exotics scenarios
diff --git a/.github/workflows/run-end-to-end.yml b/.github/workflows/run-end-to-end.yml
index 9019e59f332..9670f33e797 100644
--- a/.github/workflows/run-end-to-end.yml
+++ b/.github/workflows/run-end-to-end.yml
@@ -101,6 +101,11 @@ on:
 default: "datadoghq.com"
 required: false
 type: string
+ dd_sts_policy:
+ description: "dd-sts policy to use to get a Datadog API key for Test Optimization"
+ default: ""
+ required: false
+ type: string
 jobs:
 main:
@@ -111,6 +116,8 @@ jobs:
 SYSTEM_TESTS_REPORT_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 SYSTEM_TESTS_SKIP_EMPTY_SCENARIO: ${{ inputs.skip_empty_scenarios }}
 SYSTEM_TESTS_FORCE_EXECUTE: ${{ inputs.force_execute }}
+ # permissions:
+ # id-token: write
 steps:
 - name: Compute ref
 id: compute_ref
@@ -546,3 +553,4 @@ jobs:
 datadog_api_key: ${{ secrets.TEST_OPTIMIZATION_API_KEY }}
 datadog_site: ${{ inputs.test_optimization_datadog_site }}
 ci_environment: ${{ inputs.ci_environment }}
+ dd_sts_policy: ${{ inputs.dd_sts_policy }}
diff --git a/.github/workflows/run-parametric.yml b/.github/workflows/run-parametric.yml
index 3cf1add1095..8c71f564adc 100644
--- a/.github/workflows/run-parametric.yml
+++ b/.github/workflows/run-parametric.yml
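Review bot: `id-token: write` is added to the job's `permissions:` with no comment saying why, and because the permission flows into the called reusable workflow it lets every step of those jobs, not just the dd-sts step, request an OIDC token for this repository. Suggest `id-token: write  # OIDC for DataDog/dd-sts-action in push_to_test_optim; granted to all steps of the called jobs` so the next person touching this block knows what depends on it. Removing `TEST_OPTIMIZATION_API_KEY` from the forwarded secrets means `datadog_api_key` arrives empty downstream and the `dd_sts_policy: system-tests` path in the second hunk is the one taken, which looks intended; if the repository still defines that secret it can presumably be retired once every caller has moved, which the commit message could state.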
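Review bot: The `dd_sts_policy` input description in the `@@ -101,6 +101,11 @@` hunk does not tell callers that this reusable workflow cannot grant `id-token: write` itself (the commented-out `permissions:` block in the next hunk hints at that), so a caller passing a policy without that permission on the calling job gets a failed credential exchange rather than a clear message. Suggest `description: "dd-sts policy used to get a Datadog API key for Test Optimization; the calling job must grant permissions: id-token: write"`. The same wording applies to the identical inputs in run-parametric.yml (`@@ -76,6 +76,11 @@`) and system-tests.yml (`@@ -124,6 +124,11 @@`). In the `@@ -546,3 +553,4 @@` hunk the action still receives `datadog_api_key: ${{ secrets.TEST_OPTIMIZATION_API_KEY }}`; given `secrets: inherit` in the callers, a still-defined secret silently wins over the policy, which deserves a one-line comment such as `# an inherited TEST_OPTIMIZATION_API_KEY takes precedence over dd_sts_policy`.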
@@ -76,6 +76,11 @@ on:
 default: "datadoghq.com"
 required: false
 type: string
+ dd_sts_policy:
+ description: "dd-sts policy to use to get a Datadog API key for Test Optimization"
+ default: ""
+ required: false
+ type: string
 secrets:
 TEST_OPTIMIZATION_API_KEY:
 description: "API key for pushing test results to DataDog Test Optimization"
@@ -95,6 +100,8 @@ jobs:
 SYSTEM_TESTS_REPORT_ENVIRONMENT: ${{ inputs.ci_environment }}
 SYSTEM_TESTS_REPORT_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 SYSTEM_TESTS_FORCE_EXECUTE: ${{ inputs.force_execute }}
+ # permissions:
+ # id-token: write
 steps:
 - name: Compute ref
 id: compute_ref
@@ -166,3 +173,4 @@ jobs:
 datadog_api_key: ${{ secrets.TEST_OPTIMIZATION_API_KEY }}
 datadog_site: ${{ inputs.test_optimization_datadog_site }}
 ci_environment: ${{ inputs.ci_environment }}
+ dd_sts_policy: ${{ inputs.dd_sts_policy }}
diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml
index 2705c561c7c..d7d3646c9db 100644
--- a/.github/workflows/system-tests.yml
+++ b/.github/workflows/system-tests.yml
@@ -124,6 +124,11 @@ on:
 default: "datadoghq.com"
 required: false
 type: string
+ dd_sts_policy:
+ description: "dd-sts policy to use to get a Datadog API key for Test Optimization"
+ default: ""
+ required: false
+ type: string
 secrets:
 DOCKERHUB_USERNAME:
@@ -170,6 +175,8 @@ jobs:
 if: needs.compute_parameters.outputs.parametric_enable == 'true'
 uses: ./.github/workflows/run-parametric.yml
 secrets: inherit
+ permissions:
+ id-token: write
 with:
 library: ${{ inputs.library }}
 ref: ${{ inputs.ref }}
@@ -182,6 +189,7 @@ jobs:
 unique_id: ${{ needs.compute_parameters.outputs.unique_id }}
 push_to_test_optimization: ${{ inputs.push_to_test_optimization }}
 test_optimization_datadog_site: ${{ inputs.test_optimization_datadog_site }}
+ dd_sts_policy: ${{ inputs.dd_sts_policy }}
 build_end_to_end:
 name: Build end-to-end (${{ matrix.weblog.name }})
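Review bot: The `permissions:` block added to the run-parametric job in the `@@ -170,6 +175,8 @@` hunk lists only `id-token: write`, and an explicit `permissions` block sets every unlisted scope to none, so the called workflow now runs without the `contents: read` and `packages: write` that the calling job in ci.yml (`@@ -71,10 +71,10 @@`) holds alongside `id-token`. If run-parametric or run-end-to-end relies on either (checkout of a private repository, pushing images), list them here as well, e.g. `permissions:` / `  contents: read` / `  id-token: write  # needed by DataDog/dd-sts-action in push_to_test_optim`. The same minimal block is added for the end-to-end job in the `@@ -256,6 +264,8 @@` hunk of the next line. I cannot see the bodies of the called workflows from this diff, so whether they need those scopes is an inference to confirm.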
@@ -256,6 +264,8 @@ jobs:
 fail-fast: false
 uses: ./.github/workflows/run-end-to-end.yml
 secrets: inherit
+ permissions:
+ id-token: write
 with:
 runs_on: ${{ matrix.job.runs_on }}
 library: ${{ matrix.job.library }}
@@ -272,6 +282,7 @@ jobs:
 artifact_retention_days: ${{ inputs.artifact_retention_days }}
 push_to_test_optimization: ${{ inputs.push_to_test_optimization }}
 test_optimization_datadog_site: ${{ inputs.test_optimization_datadog_site }}
+ dd_sts_policy: ${{ inputs.dd_sts_policy }}
 _build_buddies_images: ${{ inputs._build_buddies_images }}
 _build_proxy_image: ${{ inputs._build_proxy_image }}
 _build_lambda_proxy_image: ${{ inputs._build_lambda_proxy_image }}
From c289262eb51b5bd68da28f75f6a70c7d7bcce147 Mon Sep 17 00:00:00 2001
From: Nicolas Catoni
Date: Wed, 8 Apr 2026 18:17:36 +0200
Subject: [PATCH 2/2] Cleanup
---
 .github/workflows/run-end-to-end.yml | 2 --
 .github/workflows/run-parametric.yml | 2 --
 2 files changed, 4 deletions(-)
diff --git a/.github/workflows/run-end-to-end.yml b/.github/workflows/run-end-to-end.yml
index 9670f33e797..5930de82096 100644
--- a/.github/workflows/run-end-to-end.yml
+++ b/.github/workflows/run-end-to-end.yml
@@ -116,8 +116,6 @@ jobs:
 SYSTEM_TESTS_REPORT_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 SYSTEM_TESTS_SKIP_EMPTY_SCENARIO: ${{ inputs.skip_empty_scenarios }}
 SYSTEM_TESTS_FORCE_EXECUTE: ${{ inputs.force_execute }}
- # permissions:
- # id-token: write
 steps:
 - name: Compute ref
 id: compute_ref
diff --git a/.github/workflows/run-parametric.yml b/.github/workflows/run-parametric.yml
index 8c71f564adc..b02454efef7 100644
--- a/.github/workflows/run-parametric.yml
+++ b/.github/workflows/run-parametric.yml
@@ -100,8 +100,6 @@ jobs:
 SYSTEM_TESTS_REPORT_ENVIRONMENT: ${{ inputs.ci_environment }}
 SYSTEM_TESTS_REPORT_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 SYSTEM_TESTS_FORCE_EXECUTE: ${{ inputs.force_execute }}
- # permissions:
- # id-token: write
 steps:
 - name: Compute ref
 id: compute_ref