dd-sts migration

.github/actions/push_to_test_optim/action.yml

@@ -6,9 +6,13 @@ inputs:
     default: datadoghq.com
   datadog_api_key:
     description: "A valid DD_API_KEY"
+    default: ""
   ci_environment:
     description: "CI environment running the tests (dev/prod/custom), used for Test Optimization tagging"
     default: ""
+  dd_sts_policy:
+    description: "dd-sts policy to use to get a datadog API key (required if datadog_api_key is not set)"
+    default: ""
 
 runs:
   using: composite
@@ -19,19 +23,26 @@ runs:
       run: echo "Skipping TestOptim push for dependabot PRs"
 
     - name: Install datadog-ci
-      if: github.event.pull_request.user.login != 'dependabot[bot]' && inputs.datadog_api_key != ''
+      if: github.event.pull_request.user.login != 'dependabot[bot]'
       shell: bash
       run: npm install -g @datadog/datadog-ci || sleep 60 && npm install -g @datadog/datadog-ci
 
     - name: checkout owner repo
-      if: github.event.pull_request.user.login != 'dependabot[bot]' && inputs.datadog_api_key != ''
+      if: github.event.pull_request.user.login != 'dependabot[bot]'
       uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
       with:
         path: repo
 
+    - name: Get Datadog credentials
+      id: dd-sts
+      if: inputs.dd_sts_policy != ''
+      uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+      with:
+        policy: ${{ inputs.dd_sts_policy }}
+
     # https://docs.datadoghq.com/tests/setup/junit_xml/?tab=linux
     - name: Push results
-      if: github.event.pull_request.user.login != 'dependabot[bot]' && inputs.datadog_api_key != ''
+      if: github.event.pull_request.user.login != 'dependabot[bot]'
       shell: bash
       run: |
         cd repo
@@ -43,5 +54,5 @@ runs:
           --xpath-tag "test.codeowners=/testcase/properties/property[@name='test.codeowners']"
       env:
         DATADOG_SITE: ${{ inputs.datadog_site }}
-        DATADOG_API_KEY:  ${{ inputs.datadog_api_key }}
+        DATADOG_API_KEY:  ${{ inputs.datadog_api_key != '' && inputs.datadog_api_key || steps.dd-sts.outputs.api_key }}
         DD_TAGS: ${{ inputs.ci_environment != '' && format('test.configuration.ci_environment:{0}', inputs.ci_environment) || '' }}

.github/workflows/ci.yml

@@ -71,6 +71,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     secrets:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -92,6 +93,7 @@ jobs:
       _system_tests_dev_mode: ${{ matrix.version == 'dev' }}
       _system_tests_library_target_branch_map: ${{ needs.compute_libraries_and_scenarios.outputs.target-branch-map }}
       push_to_test_optimization: true
+      dd_sts_policy: system-tests
 
   exotics:
     name: Exotics scenarios

.github/workflows/run-end-to-end.yml

@@ -101,6 +101,11 @@ on:
         default: "datadoghq.com"
         required: false
         type: string
+      dd_sts_policy:
+        description: "dd-sts policy to use to get a Datadog API key for Test Optimization"
+        default: ""
+        required: false
+        type: string
 
 jobs:
   main:
@@ -546,3 +551,4 @@ jobs:
         datadog_api_key: ${{ secrets.TEST_OPTIMIZATION_API_KEY }}
         datadog_site: ${{ inputs.test_optimization_datadog_site }}
         ci_environment: ${{ inputs.ci_environment }}
+        dd_sts_policy: ${{ inputs.dd_sts_policy }}

.github/workflows/run-parametric.yml

@@ -76,6 +76,11 @@ on:
         default: "datadoghq.com"
         required: false
         type: string
+      dd_sts_policy:
+        description: "dd-sts policy to use to get a Datadog API key for Test Optimization"
+        default: ""
+        required: false
+        type: string
     secrets:
       TEST_OPTIMIZATION_API_KEY:
         description: "API key for pushing test results to DataDog Test Optimization"
@@ -166,3 +171,4 @@ jobs:
           datadog_api_key: ${{ secrets.TEST_OPTIMIZATION_API_KEY }}
           datadog_site: ${{ inputs.test_optimization_datadog_site }}
           ci_environment: ${{ inputs.ci_environment }}
+          dd_sts_policy: ${{ inputs.dd_sts_policy }}

.github/workflows/system-tests.yml

@@ -124,6 +124,11 @@ on:
         default: "datadoghq.com"
         required: false
         type: string
+      dd_sts_policy:
+        description: "dd-sts policy to use to get a Datadog API key for Test Optimization"
+        default: ""
+        required: false
+        type: string
 
     secrets:
       DOCKERHUB_USERNAME:
@@ -170,6 +175,8 @@ jobs:
     if: needs.compute_parameters.outputs.parametric_enable == 'true'
     uses: ./.github/workflows/run-parametric.yml
     secrets: inherit
+    permissions:
+      id-token: write
     with:
       library: ${{ inputs.library }}
       ref: ${{ inputs.ref }}
@@ -182,6 +189,7 @@ jobs:
       unique_id: ${{ needs.compute_parameters.outputs.unique_id }}
       push_to_test_optimization: ${{ inputs.push_to_test_optimization }}
       test_optimization_datadog_site: ${{ inputs.test_optimization_datadog_site }}
+      dd_sts_policy: ${{ inputs.dd_sts_policy }}
 
   build_end_to_end:
     name: Build end-to-end (${{ matrix.weblog.name }})
@@ -256,6 +264,8 @@ jobs:
       fail-fast: false
     uses: ./.github/workflows/run-end-to-end.yml
     secrets: inherit
+    permissions:
+      id-token: write
     with:
       runs_on: ${{ matrix.job.runs_on }}
       library: ${{ matrix.job.library }}
@@ -272,6 +282,7 @@ jobs:
       artifact_retention_days: ${{ inputs.artifact_retention_days }}
       push_to_test_optimization: ${{ inputs.push_to_test_optimization }}
       test_optimization_datadog_site: ${{ inputs.test_optimization_datadog_site }}
+      dd_sts_policy: ${{ inputs.dd_sts_policy }}
       _build_buddies_images: ${{ inputs._build_buddies_images }}
       _build_proxy_image: ${{ inputs._build_proxy_image }}
       _build_lambda_proxy_image: ${{ inputs._build_lambda_proxy_image }}