Fix GitHub workflows and tests

[jacobotb]

Motivation

GitHub workflows were not executing, or if they executed, they were not completing.

Changes

• Some actions were defined using vXXX tags, which is not safe and is not allowed by the repo settings, making the workflows fail. They've been switched to commit SHA pinning.
• Some actions were not allowed because they were not owned by GitHub, DataDog, or a verified Marketplace action. They've been approved specifically.
• Some tests timed out. This was caused by those tests trying to locate a parent subdirectory named kics (which was meant to be the repository's name). In this repository, no such directory exists. Changed those tests to look for datadog-iac-scanner and fixed the function that changed directory so it will fail if it reaches the filesystem root without finding the directory.
• Added an API key and environment variables to upload the coverage report.
• Changed the "critical tests" gate to remove KICS references and add pkg/scanner as it's not that slow.

Author Checklist

• I have reviewed my own PR.
• I have added or updated relevant unit tests where necessary. If no tests are added, I've explained why.
• All new and existing tests pass.
• I have tested my changes on staging (if applicable).
• I have updated any relevant documentation (if applicable).

QA Instruction

We can tell it works because the GitHub checks below have passed.

Blast Radius

What services will this change impact. Is it only DataDog IaC Scanner, internal services, the documentation or anything else?

Additional Notes

If you need to share anything else along with your PR, please do it here.

I submit this contribution under the Apache-2.0 license.

[github-actions]

❌ Critical Tests Failed

One or more critical test suites failed. These packages are critical to KICS security scanning functionality.

This PR cannot be merged until these tests pass.

Please review the test failures and fix the issues.

View workflow run

[github-actions]

❌ Critical Tests Failed

One or more critical test suites failed. These packages are critical to KICS security scanning functionality.

This PR cannot be merged until these tests pass.

Please review the test failures and fix the issues.

View workflow run

[github-actions]

❌ Critical Tests Failed

One or more critical test suites failed. These packages are critical to KICS security scanning functionality.

This PR cannot be merged until these tests pass.

Please review the test failures and fix the issues.

View workflow run

[datadog-staging-us1-crawler-test]

✅ dbt Impact Preview

dbt Impact Preview (placeholder)

This is a test comment from the dbt-cicd provider.

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 1cd49a8 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[datadog-datadog-prod-us1]

🎯 Code Coverage (details)
• Patch Coverage: 41.67%
• Overall Coverage: 42.47%

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 1cd49a8 | Docs | Datadog PR Page | Was this helpful? Give us feedback!}

[jacobotb]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-02-19 17:00:08 UTC ℹ️ Start processing command /merge

---

2026-02-19 17:00:13 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 0s (p90).

---

2026-02-19 17:07:34 UTC ℹ️ MergeQueue: This merge request was merged