dd-sts migration

[nccatoni]

Motivation

Changes

Workflow

1. ⚠️ Create your PR as draft ⚠️
2. Work on you PR until the CI passes
3. Mark it as ready for review
   • Test logic is modified? -> Get a review from RFC owner.
   • Framework is modified, or non obvious usage of it -> get a review from R&P team

🚀 Once your PR is reviewed and the CI green, you can merge it!

🛟 #apm-shared-testing 🛟

Reviewer checklist

• Anything but tests/ or manifests/ is modified ? I have the approval from R&P team
• A docker base image is modified?
  • the relevant build-XXX-image label is present
• A scenario is added, removed or renamed?
  • Get a review from R&P team

[github-actions]

CODEOWNERS have been resolved as:

.github/actions/push_to_test_optim/action.yml                           @DataDog/system-tests-core
.github/workflows/ci.yml                                                @DataDog/system-tests-core
.github/workflows/run-end-to-end.yml                                    @DataDog/system-tests-core
.github/workflows/run-parametric.yml                                    @DataDog/system-tests-core
.github/workflows/system-tests.yml                                      @DataDog/system-tests-core

[ikraemer-dd]

The permission block is not needed here: id-token: write is specified line 74, and contents: read should be defined in the policy

[ikraemer-dd]

it will also need a permission block with id-token: write since this workflow calls DataDog/dd-sts-action

[ikraemer-dd]

will need id-token: write permissions to invoke DataDog/dd-sts-action

[ikraemer-dd]

will need id-token: write permissions to invoke DataDog/dd-sts-action

[datadog-datadog-prod-us1]

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: d4a2f58 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[lloeki]

@nccatoni with https://github.com/DataDog/dd-source/pull/405204 it should be possible to test your PR as a nested workflow on DataDog/dd-trace-rb

[nccatoni]

@lloeki We are calling this as a nested workflow from the system-tests repo directly so the current tests on this PR run against this policy which you should be able to adapt to your repo

[lloeki]

• Updated: https://github.com/DataDog/dd-source/pull/405204
• Opened: Use dd-sts via policy to push test results dd-trace-rb#5566 (fails for now until above is merged)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d4a2f58d65

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Skip upload when no Datadog credentials are configured

The Push results step now runs for every non-Dependabot execution, even when both credential sources are empty. If inputs.datadog_api_key is '' and inputs.dd_sts_policy is also '', the dd-sts step is skipped and DATADOG_API_KEY resolves to an empty value, so datadog-ci junit upload is still invoked without auth and can fail the job. This is a regression from the previous guard and affects callers that enable push_to_test_optimization without passing either credential source (for example workflows that rely on system-tests.yml defaults).

Useful? React with 👍 / 👎.