DataDog · gh-worker-dd-mergequeue-cf854d · Feb 20, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 4, 2026
@@ -1,11 +1,11 @@
 issuer: https://token.actions.githubusercontent.com
 
-subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/(master|release/v.+)
+subject_pattern: repo:DataDog/dd-trace-java:ref:refs/(heads/master|tags/v\d+\.\d+\.0)
 
 claim_pattern:
-  event_name: (create|workflow_dispatch)
-  ref: refs/heads/(master|release/v.+)
-  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/(master|release/v.+)
+  event_name: (workflow_dispatch|push)
+  ref: refs/(heads/master|tags/v\d+\.\d+\.0)
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/create-release-branch\.yaml@refs/heads/master
 
 permissions:
   contents: write

@@ -1,4 +1,4 @@
-name: Create Release Branch
+name: Create Release Branch and Pin System Tests
 
 on:
   push:
@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write # Allow pushing the release branch
+    outputs:
+      release-branch-name: ${{ steps.define-release-branch.outputs.branch }}
     steps:
       - name: Determine tag
         id: determine-tag
@@ -31,8 +33,8 @@ jobs:
           fi
           echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
 
-      - name: Define branch name from tag
-        id: define-branch
+      - name: Define release branch name from tag
+        id: define-release-branch
         run: |
           TAG=${{ steps.determine-tag.outputs.tag }}
           echo "branch=release/${TAG%.0}.x" >> "$GITHUB_OUTPUT"
@@ -43,9 +45,9 @@ jobs:
           ref: ${{ steps.determine-tag.outputs.tag }}
 
       - name: Check if branch already exists
-        id: check-branch
+        id: check-release-branch
         run: |
-          BRANCH=${{ steps.define-branch.outputs.branch }}
+          BRANCH=${{ steps.define-release-branch.outputs.branch }}
           if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
             echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
             echo "Branch $BRANCH already exists - skipping creation"
@@ -55,7 +57,88 @@ jobs:
           fi
 
       - name: Create and push release branch
-        if: steps.check-branch.outputs.creating_new_branch == 'true'
+        if: steps.check-release-branch.outputs.creating_new_branch == 'true'
         run: |
-          git checkout -b "${{ steps.define-branch.outputs.branch }}"
-          git push -u origin "${{ steps.define-branch.outputs.branch }}"
+          git checkout -b "${{ steps.define-release-branch.outputs.branch }}"
+          git push -u origin "${{ steps.define-release-branch.outputs.branch }}"
+
+  pin-system-tests:
+    needs: create-release-branch
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write # required for OIDC token federation
+    steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.pin-system-tests.create-pr
+
+      - name: Checkout dd-trace-java at release branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+        with:
+          ref: ${{ needs.create-release-branch.outputs.release-branch-name }}
+
+      - name: Get latest commit SHA of base release branch
+        id: get-latest-commit-sha
+        run: |
+          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Define pin-system-tests branch name
+        id: define-pin-branch
+        run: echo "branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+
+      - name: Check if pin-system-tests branch already exists
+        id: check-pin-branch
+        run: |
+          BRANCH=${{ steps.define-pin-branch.outputs.branch }}
+          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+            echo "ERROR: Branch $BRANCH already exists - please delete it and re-run the workflow."
+            exit 1
+          else
+            echo "Branch $BRANCH does not exist - creating it now."
+          fi
+
+      - name: Update system-tests references to latest commit SHA of system-tests main
+        run: ./tooling/update_system_test_reference.sh
+
+      - name: Check if changes should be committed
+        id: check-changes
+        run: |
+          if [[ -z "$(git status -s)" ]]; then
+            echo "ERROR: No changes to commit - the system-tests reference was not updated."
+            exit 1
+          else
+            echo "Changes to commit:"
+            git status -s
+          fi
+
+      - name: Commit changes
+        id: create-commit
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Push changes
+        uses: DataDog/commit-headless@05d7b7ee023e2c7d01c47832d420c2503cd416f3 # action/v2.0.3
+        with:
+          token: "${{ steps.octo-sts.outputs.token }}"
+          branch: "${{ steps.define-pin-branch.outputs.branch }}"
+          head-sha: "${{ steps.get-latest-commit-sha.outputs.sha }}"
+          create-branch: true
+          command: push
+          commits: "${{ steps.create-commit.outputs.commit }}"
+
+      - name: Create pull request
+        env:
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+        run: |
+          gh pr create --title "Pin system tests for release branch" \
+            --base ${{ needs.create-release-branch.outputs.release-branch-name }} \
+            --head ${{ steps.define-pin-branch.outputs.branch }} \
+            --label "tag: dependencies" \
+            --label "tag: no release notes" \
+            --body "This PR pins the system-tests reference for the release branch."