Skip to content

chore(ci): use dd-sts for system-tests test optimization #306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nccatoni merged 6 commits into from
Apr 14, 2026
Merged

chore(ci): use dd-sts for system-tests test optimization #306

Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3e7d454
chore(ci): use dd-sts for system-tests test optimization
nccatoni Apr 9, 2026
8395190
chore(ci): remove dd_sts_policy from system-tests subworkflow
nccatoni Apr 13, 2026
2dea7f7
chore(ci): remove unneeded permissions from system-tests subworkflow
nccatoni Apr 13, 2026
7557398
chore(ci): pin system-tests workflow to 1e5d6b709
nccatoni Apr 13, 2026
bcf3a3b
fix: add contents:read permission to system-tests workflow call
nccatoni Apr 13, 2026
74af748
chore(ci): pass ref to system-tests reusable workflow
nccatoni Apr 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/dev.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,12 +197,12 @@ jobs:

system-tests:
needs: build-system-tests-artifact
uses: DataDog/system-tests/.github/workflows/system-tests.yml@main
uses: DataDog/system-tests/.github/workflows/system-tests.yml@1e5d6b7096279ca43ce4826fda3cc805635b63c1
secrets:
TEST_OPTIMIZATION_API_KEY: ${{ secrets.DD_CI_VIS_API_KEY }}
permissions:
contents: read
packages: write
id-token: write
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Propagate id-token permission to upstream workflow callers

Adding id-token: write here is not sufficient for all execution paths: dev.yml is invoked via workflow_call from .github/workflows/main.yml (job call-dev-workflow), and that caller explicitly grants only contents: read and packages: write. In reusable workflows, permissions cannot be elevated by the callee, so the system-tests job will not actually get an OIDC token in main/scheduled runs, which will break Datadog STS auth once this pin is updated to a dd-sts-enabled system-tests SHA.

Useful? React with 👍 / 👎.

with:
library: cpp
binaries_artifact: system_tests_binaries
Expand Down
Loading