From 6dee3b54c2745b950883ae2bf168d24ae7120778 Mon Sep 17 00:00:00 2001
From: Manuel Palenzuela Merino
Date: Thu, 12 Mar 2026 15:08:04 +0100
Subject: [PATCH 1/7] Add Datadog code coverage upload alongside Codecov

Add DataDog/coverage-upload-github-action step to the coverage job in test.yml to upload coverage reports to Datadog Code Coverage side-by-side with the existing Codecov upload. This enables comparison of coverage data between both systems as part of the Codecov-to-Datadog migration.
---
 .github/workflows/test.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ab08f88f..610b2a48 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -77,6 +77,14 @@ jobs:
 directory: coverage_data
 use_oidc: true
 
+ - name: Upload coverage to Datadog
+ if: always()
+ continue-on-error: true
+ uses: DataDog/coverage-upload-github-action@v1
+ with:
+ api_key: ${{ secrets.DD_API_KEY }}
+ files: coverage_data
+
 check:
 if: always()
 needs:
From 61f98db3a7ab1182a8929aa617c55f54a546eefa Mon Sep 17 00:00:00 2001
From: Manuel Palenzuela Merino
Date: Thu, 12 Mar 2026 15:15:27 +0100
Subject: [PATCH 2/7] Pin coverage-upload-github-action to full SHA

Required by DataDog org policy: all actions must be pinned to full-length commit SHAs.
---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 610b2a48..db6bb643 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -80,7 +80,7 @@ jobs:
 - name: Upload coverage to Datadog
 if: always()
 continue-on-error: true
- uses: DataDog/coverage-upload-github-action@v1
+ uses: DataDog/coverage-upload-github-action@9bbbf86d16f7db1b14c5b885e61cf0d96053686a # v1
 with:
 api_key: ${{ secrets.DD_API_KEY }}
 files: coverage_data
From b384d2cbe6bb6703ce4e6db00ffdccfd81f4c376 Mon Sep 17 00:00:00 2001
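Review bot: In PATCH 1/7 the new `Upload coverage to Datadog` step authenticates with the long-lived repository secret `secrets.DD_API_KEY`, while the Codecov step directly above it uses `use_oidc: true` and needs no stored credential. The workflow's triggers are outside the hunk; if it runs on pull requests from forks, GitHub does not pass repository secrets to those runs, so the upload would fail there and `continue-on-error: true` would hide the failure. A comment above the step such as `# Needs DD_API_KEY; absent on fork PRs, failure tolerated during the Codecov/Datadog comparison` would make that intent explicit.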
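Review bot: In PATCH 2/7 the trailing comment on the pinned `uses:` line names the floating major tag (`# v1`), which cannot be mapped back to a single release when the SHA is audited or bumped; PATCH 6/7 labels the same SHA `# v1.0.0`, so the comment here should read `# v1.0.0` as well. Pinning the outer action also does not fix what it resolves at run time: the PATCH 3/7 message says it depends on `datadog/install-datadog-ci-github-action`, and how that inner reference is pinned is not visible on this page.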
From: Manuel Palenzuela Merino
Date: Thu, 12 Mar 2026 15:34:31 +0100
Subject: [PATCH 3/7] Use datadog-ci CLI instead of GitHub Action

The DataDog/coverage-upload-github-action is blocked by the enterprise action allowlist (it depends on datadog/install-datadog-ci-github-action which is not permitted). Fall back to npx @datadog/datadog-ci CLI directly.
---
 .github/workflows/test.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index db6bb643..5fcf19f7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -80,10 +80,9 @@ jobs:
 - name: Upload coverage to Datadog
 if: always()
 continue-on-error: true
- uses: DataDog/coverage-upload-github-action@9bbbf86d16f7db1b14c5b885e61cf0d96053686a # v1
- with:
- api_key: ${{ secrets.DD_API_KEY }}
- files: coverage_data
+ run: npx @datadog/datadog-ci coverage upload coverage_data
+ env:
+ DD_API_KEY: ${{ secrets.DD_API_KEY }}
 
 check:
 if: always()
From 5647001d10849ad2c7a4b17d4438e6e96ef7c6fb Mon Sep 17 00:00:00 2001
From: Manuel Palenzuela Merino
Date: Wed, 8 Apr 2026 12:57:58 +0200
Subject: [PATCH 4/7] Use dd-sts OIDC token exchange instead of DD_API_KEY repo secret
---
 .github/workflows/test.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5fcf19f7..f10410f7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
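Review bot: The `run: npx @datadog/datadog-ci coverage upload coverage_data` line added in PATCH 3/7 names no version, so each run downloads and executes whatever the npm registry currently serves as latest, in a step whose environment holds `DD_API_KEY`. That is the same kind of floating reference PATCH 2/7 removed for the action, and the line is carried unchanged as context through PATCH 4/7. The exact-version form that only arrives in PATCH 7/7, `run: npx @datadog/datadog-ci@5.12.1 coverage upload coverage_data`, belongs in this commit so that no commit in the series runs an unpinned package next to a credential.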
@@ -77,12 +77,18 @@ jobs:
 directory: coverage_data
 use_oidc: true
 
+ - name: Get Datadog credentials
+ id: dd-sts
+ continue-on-error: true
+ uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+ with:
+ policy: datadog-agent-dev
 - name: Upload coverage to Datadog
- if: always()
+ if: steps.dd-sts.outputs.api_key != ''
 continue-on-error: true
 run: npx @datadog/datadog-ci coverage upload coverage_data
 env:
- DD_API_KEY: ${{ secrets.DD_API_KEY }}
+ DD_API_KEY: ${{ steps.dd-sts.outputs.api_key }}
 
 check:
 if: always()
From 101cefaed141d565c96c75dc386015540035c298 Mon Sep 17 00:00:00 2001
From: Manuel Palenzuela Merino
Date: Wed, 8 Apr 2026 19:12:01 +0200
Subject: [PATCH 5/7] Trigger CI after dd-sts deployment
From a8cd55ebde70497e4f1c7defb741ceedbb824c3a Mon Sep 17 00:00:00 2001
From: Manuel Palenzuela Merino
Date: Thu, 9 Apr 2026 14:43:26 +0200
Subject: [PATCH 6/7] Use coverage-upload-github-action instead of npx (pinned version)
---
 .github/workflows/test.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f10410f7..d543a39d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -86,9 +86,10 @@ jobs:
 - name: Upload coverage to Datadog
 if: steps.dd-sts.outputs.api_key != ''
 continue-on-error: true
- run: npx @datadog/datadog-ci coverage upload coverage_data
- env:
- DD_API_KEY: ${{ steps.dd-sts.outputs.api_key }}
+ uses: DataDog/coverage-upload-github-action@9bbbf86d16f7db1b14c5b885e61cf0d96053686a # v1.0.0
+ with:
+ api_key: ${{ steps.dd-sts.outputs.api_key }}
+ files: coverage_data
 
 check:
 if: always()
From 724d9e58d456970f4de334d9ea1a227e5384245e Mon Sep 17 00:00:00 2001
From: Manuel Palenzuela Merino
Date: Thu, 9 Apr 2026 14:50:27 +0200
Subject: [PATCH 7/7] Pin datadog-ci to v5.12.1 (action not in allowlist)
---
 .github/workflows/test.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
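Review bot: Replacing `if: always()` with `if: steps.dd-sts.outputs.api_key != ''` in PATCH 4/7 also drops the status function, so GitHub applies the implicit `success()` and the upload is now skipped whenever an earlier step in the job has failed; the new `Get Datadog credentials` step has no `if:` and is skipped in the same case. If uploading after a failed step is still wanted, as it was before this commit, the lines would be `if: always()` on the credentials step and `if: always() && steps.dd-sts.outputs.api_key != ''` on the upload. The token exchange needs `id-token: write` on the job; the Codecov `use_oidc: true` above suggests it is already granted, but the `permissions:` block is outside the hunk. A short comment stating what the `datadog-agent-dev` policy allows (which repository, refs and events may exchange a token, and the scope of the returned key) would let the next reviewer judge how far a leaked key reaches.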
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d543a39d..079ff487 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -86,10 +86,9 @@ jobs:
 - name: Upload coverage to Datadog
 if: steps.dd-sts.outputs.api_key != ''
 continue-on-error: true
- uses: DataDog/coverage-upload-github-action@9bbbf86d16f7db1b14c5b885e61cf0d96053686a # v1.0.0
- with:
- api_key: ${{ steps.dd-sts.outputs.api_key }}
- files: coverage_data
+ run: npx @datadog/datadog-ci@5.12.1 coverage upload coverage_data
+ env:
+ DD_API_KEY: ${{ steps.dd-sts.outputs.api_key }}
 
 check:
 if: always()
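Review bot: `npx @datadog/datadog-ci@5.12.1` in PATCH 7/7 fixes the top-level version only: the package's dependency tree is still resolved from the registry on every run with no lockfile or integrity check, and the download, including any install scripts, happens inside the step that has `DD_API_KEY` in its environment. Separating installation from the upload keeps the credential out of the install phase, and installing from a committed lockfile would additionally freeze the transitive versions. The sketch below shows the split; it assumes datadog-ci works without its install scripts, which should be confirmed, and the rest of the step list is outside the hunk.

```yaml
      - name: Install datadog-ci
        if: steps.dd-sts.outputs.api_key != ''
        continue-on-error: true
        # No credential in this step's environment; lifecycle scripts are disabled.
        run: |
          npm install --ignore-scripts --no-save --prefix "$RUNNER_TEMP/datadog-ci" @datadog/datadog-ci@5.12.1
      - name: Upload coverage to Datadog
        # … unchanged: if / continue-on-error …
        run: |
          "$RUNNER_TEMP/datadog-ci/node_modules/.bin/datadog-ci" coverage upload coverage_data
        # … unchanged: env with DD_API_KEY …
```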