
chore(ci): use dd-sts for system-tests test optimization #306

Merged: nccatoni merged 6 commits into main from nccatoni/system-tests-dd-sts on Apr 14, 2026

Conversation

@nccatoni (Contributor) commented Apr 9, 2026

Summary

Migrates system-tests CI to use dd-sts for Datadog Test Optimization instead of long-lived API keys.

All repositories now share a single system-tests policy (see dd-source#408172) — no per-repo policy is needed.

Depends on DataDog/system-tests#6726.

Changes

  • Add id-token: write permission to the system-tests reusable workflow call so it can obtain short-lived credentials via OIDC
  • Pin system-tests to 1e5d6b709 (current main, pre-migration) to allow a controlled rollout: repos stay on the pre-migration workflow until their pin is explicitly updated to the post-merge SHA

How to review

The only functional change is adding id-token: write. It has no effect at the pinned SHA (dd-sts is not yet used there) but will be required once each repo's pin is updated after DataDog/system-tests#6726 merges.

@pr-commenter bot commented Apr 9, 2026

Benchmarks

Benchmark execution time: 2026-04-13 15:26:27

Comparing candidate commit 74af748 in PR branch nccatoni/system-tests-dd-sts with baseline commit 967246f in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 1 metric, 0 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@datadog-prod-us1-4 bot commented Apr 9, 2026

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 90.94% (+0.05%)

This comment will be updated automatically if new data arrives.
Commit SHA: 74af748


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bcf3a3bd3b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

```yaml
permissions:
  contents: read
  packages: write
  id-token: write
```

P2: Propagate id-token permission to upstream workflow callers

Adding id-token: write here is not sufficient for all execution paths: dev.yml is invoked via workflow_call from .github/workflows/main.yml (job call-dev-workflow), and that caller explicitly grants only contents: read and packages: write. In reusable workflows, permissions cannot be elevated by the callee, so the system-tests job will not actually get an OIDC token in main/scheduled runs, which will break Datadog STS auth once this pin is updated to a dd-sts-enabled system-tests SHA.

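As an added example (not part of this PR or the repository's tooling), a small checker for the rule the review comment relies on: a reusable workflow called via `workflow_call` never receives more than the calling job grants, so `id-token: write` declared in the callee is silently capped when the caller omits it. The workflow contents are constructed to mirror the situation described above; the file and job names follow the comment, while the `system-tests/ci.yml` path and the read-only default token are assumptions.

```python
import copy
RANK = {"none": 0, "read": 1, "write": 2}
# Assumption: restricted default token (read-only) for top-level jobs declaring nothing.
DEFAULT_PERMISSIONS = {"contents": "read"}

# Constructed sample mirroring the review comment: main.yml calls dev.yml granting only
# contents/packages, while dev.yml's system-tests job asks for id-token: write before
# calling the system-tests reusable workflow (its path here is an assumption).
WORKFLOWS = {
    "main.yml": {"jobs": {"call-dev-workflow": {
        "permissions": {"contents": "read", "packages": "write"}, "uses": "dev.yml"}}},
    "dev.yml": {"jobs": {"system-tests": {
        "permissions": {"contents": "read", "packages": "write", "id-token": "write"},
        "uses": "system-tests/ci.yml"}}},
    "system-tests/ci.yml": {"jobs": {"run": {}}},
}

def shortfall(requested, granted):
    """Scopes the callee asks for at a higher level than the caller grants."""
    return [f"{s}: {lvl}" for s, lvl in requested.items()
            if RANK[granted.get(s, "none")] < RANK[lvl]]

def audit(name, workflows, granted=None, path=()):
    """Walk `name` and every workflow it reaches via `uses:`. `granted` is None for a
    top-level run, else the cap set by the calling job. Returns one finding per over-ask."""
    findings = []
    wf = workflows[name]
    for job_name, job in wf.get("jobs", {}).items():
        declared = job.get("permissions", wf.get("permissions"))
        here = path + (f"{name}:{job_name}",)
        if granted is None:  # top level: the workflow gets what it declares
            effective = dict(declared if declared is not None else DEFAULT_PERMISSIONS)
        else:  # called workflow: an over-ask is a finding, and the cap is enforced
            requested = declared if declared is not None else granted
            missing = shortfall(requested, granted)
            if missing:
                findings.append(f"{' -> '.join(here)} requests {', '.join(missing)} "
                                f"but the caller grants only {granted}")
            effective = {s: min(lvl, granted.get(s, "none"), key=RANK.__getitem__)
                         for s, lvl in requested.items()}
        if "uses" in job:
            findings.extend(audit(job["uses"], workflows, effective, here))
    return findings

def fixed_workflows():
    """The remediation the review asks for: the calling job grants id-token: write too."""
    fixed = copy.deepcopy(WORKFLOWS)
    fixed["main.yml"]["jobs"]["call-dev-workflow"]["permissions"]["id-token"] = "write"
    return fixed
```

Running `audit("dev.yml", WORKFLOWS)` models a pull-request run where dev.yml is top-level and gets the OIDC token, while `audit("main.yml", WORKFLOWS)` models the main/scheduled path and reports the capped `id-token: write`.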

@nccatoni nccatoni merged commit 34e7e68 into main Apr 14, 2026
39 checks passed
@nccatoni nccatoni deleted the nccatoni/system-tests-dd-sts branch April 14, 2026 09:18
