[pull] master from DataDog:master

.github/workflows/config/labeler.yml

@@ -22,7 +22,7 @@ dev/testing:
 - changed-files:
   - any-glob-to-any-file:
     - .github/workflows/**
-    - .codecov.yml
+    - code-coverage.datadog.yml
 dev/tooling:
 - changed-files:
   - any-glob-to-any-file:

.github/workflows/master-windows.yml

@@ -78,8 +78,6 @@ jobs:
       (success() || failure())
     runs-on: ubuntu-latest
     permissions:
-      # needed for codecov, allows the action to get a JWT signed by Github
-      id-token: write
       contents: read
 
     steps:
@@ -92,13 +90,6 @@ jobs:
         path: coverage-reports
         merge-multiple: false
 
-    - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
-      with:
-        use_oidc: true
-        directory: coverage-reports
-        fail_ci_if_error: false
-
     - name: Upload coverage to Datadog
       if: always()
       continue-on-error: true

.github/workflows/master.yml

@@ -75,8 +75,6 @@ jobs:
       (success() || failure())
     runs-on: ubuntu-latest
     permissions:
-      # needed for codecov, allows the action to get a JWT signed by Github
-      id-token: write
       contents: read
 
     steps:
@@ -89,13 +87,6 @@ jobs:
           path: coverage-reports
           merge-multiple: false
 
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
-        with:
-          use_oidc: true
-          directory: coverage-reports
-          fail_ci_if_error: false
-
       - name: Upload coverage to Datadog
         if: always()
         continue-on-error: true

.github/workflows/nightly-base-package-windows.yml

@@ -17,8 +17,6 @@ jobs:
     uses: ./.github/workflows/test-all-windows.yml
 
     permissions:
-       # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github
-       id-token: write
        # needed for compute-matrix in test-target.yml
        contents: read
 

.github/workflows/nightly-base-package.yml

@@ -15,8 +15,6 @@ jobs:
     uses: ./.github/workflows/test-all.yml
 
     permissions:
-       # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github
-       id-token: write
        # needed for compute-matrix in test-target.yml
        contents: read
 

.github/workflows/pr-all-windows.yml

@@ -52,8 +52,6 @@ jobs:
       (success() || failure())
     runs-on: ubuntu-latest
     permissions:
-      # needed for codecov, allows the action to get a JWT signed by Github
-      id-token: write
       contents: read
 
     steps:
@@ -66,13 +64,6 @@ jobs:
           path: coverage-reports
           merge-multiple: false
 
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
-        with:
-          use_oidc: true
-          directory: coverage-reports
-          fail_ci_if_error: false
-
       - name: Upload coverage to Datadog
         if: always()
         continue-on-error: true

.github/workflows/pr-all.yml

@@ -55,8 +55,6 @@ jobs:
       (success() || failure())
     runs-on: ubuntu-latest
     permissions:
-      # needed for codecov, allows the action to get a JWT signed by Github
-      id-token: write
       contents: read
 
     steps:
@@ -69,13 +67,6 @@ jobs:
           path: coverage-reports
           merge-multiple: false
 
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
-        with:
-          use_oidc: true
-          directory: coverage-reports
-          fail_ci_if_error: false
-
       - name: Upload coverage to Datadog
         if: always()
         continue-on-error: true

.github/workflows/pr-test.yml

@@ -112,8 +112,6 @@ jobs:
       inputs.pytest-args != '-m flaky'
     runs-on: ubuntu-latest
     permissions:
-      # needed for codecov, allows the action to get a JWT signed by Github
-      id-token: write
       contents: read
 
     steps:
@@ -126,13 +124,6 @@ jobs:
           path: coverage-reports
           merge-multiple: false
 
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
-        with:
-          use_oidc: true
-          directory: coverage-reports
-          fail_ci_if_error: false
-
       - name: Upload coverage to Datadog
         if: always()
         continue-on-error: true

.github/workflows/pr.yml

@@ -24,7 +24,5 @@ jobs:
     secrets: inherit
 
     permissions:
-       # needed for codecov in pr-test.yml, allows the action to get a JWT signed by Github
-       id-token: write
        # needed for compute-matrix in test-target.yml
        contents: read

.github/workflows/release-dispatch.yml

@@ -20,6 +20,10 @@ on:
         description: "Commit SHA or ref to build from"
         required: false
         type: string
+      source-repo-branch:
+        description: "Branch that contains source-repo-ref, used to determine stable vs pre-release behavior"
+        required: false
+        type: string
       dry-run:
         description: >-
           When true, print what would be released and where without pushing tags
@@ -56,68 +60,85 @@ jobs:
       batches: ${{ steps.release-dispatch.outputs.batches }}
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      # Workflow tooling (composite actions + release scripts) always comes from
+      # integrations-core at the workflow's own commit. When called from another
+      # repo we don't have that commit available locally, so we fall back to
+      # master. This is decoupled from inputs.source-repo-ref on purpose so the
+      # release pipeline can build older refs without losing recent tooling.
+      - name: Checkout workflow tooling
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: ${{ inputs.source-repo-ref || github.sha }}
-          fetch-depth: 0 # ddev needs full tag history
+          repository: DataDog/integrations-core
+          ref: ${{ github.repository == 'DataDog/integrations-core' && github.sha || 'master' }}
+          fetch-depth: 1
+          sparse-checkout: .github
+          path: tooling
 
-      - name: Checkout integrations-core actions
-        if: github.repository != 'DataDog/integrations-core'
+      # Source tree to tag and validate. ddev release tag operates on HEAD of
+      # this checkout, so it must be at the ref the caller asked to release.
+      - name: Checkout source repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          repository: "DataDog/integrations-core"
-          ref: master
-          fetch-depth: 1
-          sparse-checkout: .github/actions
-          path: core-temp
+          ref: ${{ inputs.source-repo-ref || github.sha }}
+          fetch-depth: 0 # ddev needs full tag history
+          path: source
+
+      - name: Verify source ref is on release branch
+        if: inputs.source-repo-branch != ''
+        working-directory: source
+        env:
+          SOURCE_REF: ${{ inputs.source-repo-ref || github.sha }}
+          SOURCE_BRANCH: ${{ inputs.source-repo-branch }}
+        run: |
+          branch="${SOURCE_BRANCH#refs/heads/}"
+          git fetch --no-tags origin "+refs/heads/${branch}:refs/remotes/origin/${branch}"
+          if ! git merge-base --is-ancestor HEAD "refs/remotes/origin/${branch}"; then
+            echo "::error::source-repo-ref '${SOURCE_REF}' is not contained in source-repo-branch '${SOURCE_BRANCH}'"
+            exit 1
+          fi
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "${{ env.PYTHON_VERSION }}"
 
       - name: Install ddev
-        if: github.repository == 'DataDog/integrations-core'
-        uses: ./.github/actions/setup-ddev
-        with:
-          install-mode: pypi
-          ddev-version: "==${{ inputs.ddev-version || env.DEFAULT_DDEV_VERSION }}"
-
-      - name: Install ddev
-        if: github.repository != 'DataDog/integrations-core'
-        uses: ./core-temp/.github/actions/setup-ddev
+        uses: ./tooling/.github/actions/setup-ddev
         with:
           install-mode: pypi
           ddev-version: "==${{ inputs.ddev-version || env.DEFAULT_DDEV_VERSION }}"
 
       - name: Configure ddev
+        working-directory: source
         env:
           SOURCE_REPO: ${{ inputs.source-repo || 'integrations-core' }}
         run: |
           REPO_SHORT="${SOURCE_REPO#integrations-}"
           ddev config set upgrade_check false
-          ddev config set repos.${REPO_SHORT} .
+          ddev config set repos.${REPO_SHORT} "$PWD"
           ddev config set repo ${REPO_SHORT}
 
       - name: Prepare dispatch
         id: prepare
+        working-directory: source
         env:
           DRY_RUN: ${{ inputs.dry-run }}
           SELECTED_PACKAGES: ${{ inputs.packages }}
           SOURCE_REPO: ${{ inputs.source-repo || 'integrations-core' }}
           REF: ${{ inputs.source-repo-ref || github.sha }}
           IS_STABLE_RELEASE: ${{ inputs.is-stable-release }}
-        run: python .github/workflows/scripts/release_prepare.py
+        run: python "$GITHUB_WORKSPACE/tooling/.github/workflows/scripts/release_prepare.py"
 
       - name: Build dispatch batches
         id: release-dispatch
         if: steps.prepare.outputs.has_packages == 'true'
+        working-directory: source
         env:
           PACKAGES: ${{ steps.prepare.outputs.packages }}
           SOURCE_REPO: ${{ inputs.source-repo || 'integrations-core' }}
           REF: ${{ inputs.source-repo-ref || github.sha }}
           DRY_RUN: ${{ inputs.dry-run }}
-        run: python .github/workflows/scripts/release_dispatch.py
+        run: python "$GITHUB_WORKSPACE/tooling/.github/workflows/scripts/release_dispatch.py"
 
   dispatch:
     name: Dispatch wheel builds (batch ${{ strategy.job-index }})

.github/workflows/release-trigger.yml

@@ -27,6 +27,10 @@ on:
         description: "Commit SHA or ref to build from"
         required: true
         type: string
+      source-repo-branch:
+        description: "Branch that contains source-repo-ref, used to determine stable vs pre-release behavior"
+        required: true
+        type: string
       dry-run:
         description: "Print what would be released without pushing tags or starting builds"
         required: false
@@ -45,10 +49,14 @@ jobs:
       is-stable-release: ${{ steps.detect.outputs.is-stable-release }}
     steps:
       - id: detect
-        # Sets is-stable-release based on the branch: true for master/X.Y.x, false otherwise.
-        # Manual runs on master get "true", which blocks pre-release packages — conservative and intentional.
+        # Stable for master/X.Y.x, pre-release for alpha/beta/rc branches.
+        # Manual dispatches use source-repo-branch instead of GITHUB_REF so the
+        # release behavior follows the branch that contains source-repo-ref.
+        env:
+          RELEASE_BRANCH: ${{ github.event_name == 'workflow_dispatch' && inputs.source-repo-branch || github.ref_name }}
         run: |
-          if [[ "$GITHUB_REF" =~ ^refs/heads/(master|[0-9]+\.[0-9]+\.x)$ ]]; then
+          branch="${RELEASE_BRANCH#refs/heads/}"
+          if [[ "$branch" =~ ^(master|[0-9]+\.[0-9]+\.x)$ ]]; then
             echo "is-stable-release=true" >> "$GITHUB_OUTPUT"
           else
             echo "is-stable-release=false" >> "$GITHUB_OUTPUT"
@@ -70,6 +78,7 @@ jobs:
       source-repo: integrations-core
       packages: ${{ inputs.packages || '' }}
       source-repo-ref: ${{ github.event_name == 'workflow_dispatch' && inputs.source-repo-ref || github.sha }}
+      source-repo-branch: ${{ github.event_name == 'workflow_dispatch' && inputs.source-repo-branch || github.ref_name }}
       dry-run: ${{ inputs.dry-run || false }}
       ddev-version: ${{ inputs.ddev-version || '' }}
       is-stable-release: ${{ needs.context.outputs.is-stable-release }}

.github/workflows/test-agent-target.yml

@@ -63,7 +63,5 @@ jobs:
       context: "test-agent-target"
     secrets: inherit
     permissions:
-       # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github
-       id-token: write
        # needed for compute-matrix in test-target.yml
        contents: read

.github/workflows/test-agent-windows.yml

@@ -51,7 +51,5 @@ jobs:
       context: "test-agent"
     secrets: inherit
     permissions:
-       # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github
-       id-token: write
        # needed for compute-matrix in test-target.yml
        contents: read

.github/workflows/test-agent.yml

@@ -51,7 +51,5 @@ jobs:
       context: "test-agent"
     secrets: inherit
     permissions:
-       # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github
-       id-token: write
        # needed for compute-matrix in test-target.yml
        contents: read

.github/workflows/test-fips-e2e.yml

@@ -43,7 +43,7 @@ jobs:
       DD_TRACE_ANALYTICS_ENABLED: "true"
 
     permissions:
-      # needed for dd-sts and codecov in test-target.yml, allows the action to get a JWT signed by Github
+      # needed for dd-sts
       id-token: write
       # needed for compute-matrix in test-target.yml
       contents: read
@@ -121,16 +121,6 @@ jobs:
           name: "test-results-${{ inputs.target || 'tls' }}"
           path: "${{ env.TEST_RESULTS_BASE_DIR }}"
 
-      - name: Upload coverage data
-        if: >
-          !github.event.repository.private &&
-          always()
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
-        with:
-          use_oidc: true
-          files: "${{ inputs.target || 'tls' }}/coverage.xml"
-          flags: "${{ inputs.target || 'tls' }}"
-
       - name: Upload coverage to Datadog
         if: >
           !github.event.repository.private &&

.github/workflows/weekly-latest-windows.yml

@@ -18,7 +18,5 @@ jobs:
       context: "weekly-latest"
     secrets: inherit
     permissions:
-      # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github
-      id-token: write
       # needed for compute-matrix in test-target.yml
       contents: read

.github/workflows/weekly-latest.yml

@@ -16,7 +16,5 @@ jobs:
       context: "weekly-latest"
     secrets: inherit
     permissions:
-      # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github
-      id-token: write
       # needed for compute-matrix in test-target.yml
       contents: read

README.md

@@ -2,7 +2,7 @@
 
 | | |
 | --- | --- |
-| CI/CD | [![CI - Test][1]][2] [![CI - Coverage][17]][18] |
+| CI/CD | [![CI - Test][1]][2] |
 | Docs | [![Docs - Release][19]][20] |
 | Meta | [![Hatch project][26]][27] [![Linting - Ruff][24]][25] [![Code style - black][21]][22] [![Typing - Mypy][28]][29] [![License - BSD-3-Clause][30]][31] |
 
@@ -41,8 +41,6 @@ For more information on integrations, please reference our [documentation][11] a
 [13]: https://docs.datadoghq.com/help/
 [15]: https://github.com/DataDog/integrations-core/blob/6.2.1/requirements-integration-core.txt
 [16]: https://github.com/DataDog/integrations-core/blob/ea2dfbf1e8859333af4c8db50553eb72a3b466f9/requirements-agent-release.txt
-[17]: https://codecov.io/github/DataDog/integrations-core/coverage.svg?branch=master
-[18]: https://codecov.io/github/DataDog/integrations-core?branch=master
 [19]: https://github.com/DataDog/integrations-core/workflows/docs/badge.svg
 [20]: https://github.com/DataDog/integrations-core/actions?workflow=docs
 [21]: https://img.shields.io/badge/code%20style-black-000000.svg

apache/assets/logs/apache.yaml

@@ -1,3 +1,4 @@
+# bypass-global-date-remapper-parse-failure-checks
 id: apache
 metric_id: apache
 backend_only: false

apache/assets/logs/apache_tests.yaml

@@ -1,3 +1,4 @@
+# bypass-global-date-remapper-parse-failure-checks
 id: "apache"
 tests:
  -