diff --git a/.github/workflows/check-pull-request-labels.yaml b/.github/workflows/check-pull-request-labels.yaml
index fbcc7303afe..e339e23b193 100644
--- a/.github/workflows/check-pull-request-labels.yaml
+++ b/.github/workflows/check-pull-request-labels.yaml
@@ -11,15 +11,22 @@ jobs:
check_pr_labels:
name: Check pull request labels
permissions:
+ id-token: write # Required for OIDC token federation
issues: write
pull-requests: write
runs-on: ubuntu-latest
steps:
+ - name: Get GitHub Token via dd-octo-sts
+ id: generate-token
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.check-pull-request-labels
- name: Flag AI-generated pull requests
id: flag_ai_generated
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.generate-token.outputs.token }}
script: |
// Skip draft pull requests
if (context.payload.pull_request.draft) {
@@ -124,7 +131,7 @@ jobs:
env:
LABELS_STALE: ${{ steps.flag_ai_generated.outputs.labels_stale }}
with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.generate-token.outputs.token }}
script: |
// Skip draft pull requests
if (context.payload.pull_request.draft) {
diff --git a/.github/workflows/check-pull-requests.yaml b/.github/workflows/check-pull-requests.yaml
index 42058eb42ab..4e7f00f07c7 100644
--- a/.github/workflows/check-pull-requests.yaml
+++ b/.github/workflows/check-pull-requests.yaml
@@ -3,8 +3,8 @@ on:
pull_request:
types: [opened, edited, ready_for_review, labeled, unlabeled, synchronize]
branches:
- - master
- - release/v*
+ - master
+ - release/v*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
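Review bot: With both github-script steps in this file now authenticating through `steps.generate-token.outputs.token`, the job-level `issues: write` and `pull-requests: write` kept next to the new `id-token: write` appear to grant GITHUB_TOKEN scopes that nothing in the hunk uses any more; unless a step outside the hunk still relies on `secrets.GITHUB_TOKEN`, least privilege suggests reducing `permissions:` to just `id-token: write` and letting the STS policy carry the write scopes. The same applies to the other four workflows in this diff (check-pull-requests, comment-on-submodule-update, enforce-groovy-migration, update-issues-on-release), where the retained `# Required to create a comment on the pull request` / `# Required to update issues` comments now describe what the federated token must be allowed to do rather than what GITHUB_TOKEN needs. The `self.check-pull-request-labels` policy that defines the minted token's scopes is not part of this diff and should be reviewed alongside it to confirm it grants only issues/pull-requests write on this repository. The rest of the `check_pr_labels` job continues outside the hunk.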
@@ -12,14 +12,21 @@ jobs:
check_pull_requests:
name: Check pull requests
permissions:
+ id-token: write # Required for OIDC token federation
issues: write # Required to create a comment on the pull request
pull-requests: write # Required to create a comment on the pull request
runs-on: ubuntu-latest
steps:
+ - name: Get GitHub Token via dd-octo-sts
+ id: generate-token
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.check-pull-requests
- name: Check pull requests
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
with:
- github-token: ${{secrets.GITHUB_TOKEN}}
+ github-token: ${{ steps.generate-token.outputs.token }}
script: |
// Skip draft pull requests
if (context.payload.pull_request.draft) {
@@ -41,7 +48,7 @@ jobs:
if (titleCheckFailed) {
core.setFailed('Please remove the tag from the pull request title.')
}
- // Check body does
+ // Check body does
const linkingKeywords = ['closes', 'closed', 'fix', 'fixes', 'fixed', 'resolve', 'resolves', 'resolved']
const body = context.payload.pull_request.body
const bodyCheckFailed = linkingKeywords.some(keyword => body.search(new RegExp(`${keyword}\\s\\d+`, "im")) !== -1)
diff --git a/.github/workflows/comment-on-submodule-update.yaml b/.github/workflows/comment-on-submodule-update.yaml
index c81a3004bf5..59065c94d01 100644
--- a/.github/workflows/comment-on-submodule-update.yaml
+++ b/.github/workflows/comment-on-submodule-update.yaml
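Review bot: The new `Get GitHub Token via dd-octo-sts` step runs under the `pull_request` trigger shown in the previous hunk, and for pull requests opened from forks GitHub does not grant `id-token: write`, so the OIDC exchange fails and the job now errors at its first step before the title/body checks execute; before this change the checks could still run under the read-only GITHUB_TOKEN, with only the comment call failing. If fork PRs are expected to reach this workflow, the token step and the script step should either be guarded with `if: github.event.pull_request.head.repo.full_name == github.repository` or the limitation documented in a comment above the step, rather than failing the whole job. The same consideration applies to the `pull_request`-triggered comment-on-submodule-update and enforce-groovy-migration workflows in this diff, and possibly to check-pull-request-labels, whose trigger is not visible here.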
@@ -3,23 +3,30 @@ name: Comment on Submodule Update
on:
pull_request:
branches:
- - 'master'
- - 'release/**'
+ - "master"
+ - "release/**"
paths:
- - 'dd-java-agent/agent-jmxfetch/integrations-core'
+ - "dd-java-agent/agent-jmxfetch/integrations-core"
jobs:
comment_on_submodule_update:
permissions:
+ id-token: write # Required for OIDC token federation
issues: write # Required to create a comment on the pull request
pull-requests: write # Required to create a comment on the pull request
runs-on: ubuntu-latest
steps:
+ - name: Get GitHub Token via dd-octo-sts
+ id: generate-token
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.comment-on-submodule-update
- name: Post comment on submodule update
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
with:
- github-token: ${{secrets.GITHUB_TOKEN}}
+ github-token: ${{ steps.generate-token.outputs.token }}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
diff --git a/.github/workflows/enforce-groovy-migration.yaml b/.github/workflows/enforce-groovy-migration.yaml
index adfb3ff59ce..d9d51d63a22 100644
--- a/.github/workflows/enforce-groovy-migration.yaml
+++ b/.github/workflows/enforce-groovy-migration.yaml
@@ -4,7 +4,7 @@ on:
types: [opened, edited, ready_for_review, labeled, unlabeled, synchronize]
branches:
- master
- - 'release/v*'
+ - "release/v*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,14 +14,21 @@ jobs:
enforce_groovy_migration:
name: Enforce Groovy migration
permissions:
+ id-token: write # Required for OIDC token federation
issues: write # Required to create a comment on the pull request
pull-requests: write # Required to create a comment on the pull request
runs-on: ubuntu-latest
steps:
+ - name: Get GitHub Token via dd-octo-sts
+ id: generate-token
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.enforce-groovy-migration
- name: Check for new Groovy files
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.generate-token.outputs.token }}
script: |
const managedMarker = ''
diff --git a/.github/workflows/update-issues-on-release.yaml b/.github/workflows/update-issues-on-release.yaml
index 8ed8a9de1b1..8749f857231 100644
--- a/.github/workflows/update-issues-on-release.yaml
+++ b/.github/workflows/update-issues-on-release.yaml
@@ -11,13 +11,20 @@ on:
jobs:
update_issues:
permissions:
+ id-token: write # Required for OIDC token federation
issues: write # Required to update issues
runs-on: ubuntu-latest
steps:
+ - name: Get GitHub Token via dd-octo-sts
+ id: generate-token
+ uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.update-issues-on-release
- name: Get milestone for release
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # 9.0.0
with:
- github-token: ${{secrets.GITHUB_TOKEN}}
+ github-token: ${{ steps.generate-token.outputs.token }}
script: |
// Get release milestone name
const milestoneName = "${{github.event_name}}" == "workflow_dispatch" ?