DataDog · fpighi · Jun 5, 2026
@@ -3,8 +3,11 @@ name: Run Integration Tests
 permissions:
   contents: read
 
+# pull_request_target so that PRs from forks can mint Datadog credentials via
+# OIDC. The credentialed job checks out the PR head and, for forks, runs in the
+# forks-prs environment.
 on: # yamllint disable-line rule:truthy
-  pull_request:
+  pull_request_target:
     types:
       - labeled
       - unlabeled
@@ -25,10 +28,25 @@ env:
 jobs:
   integration_tests:
     runs-on: ubuntu-latest
-    if: (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ci/integrations')) || github.event_name == 'schedule'
+    if: (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'ci/integrations')) || github.event_name == 'schedule'
+    # Fork PRs run untrusted code with live (short-lived, test-org) credentials,
+    # so they run in the forks-prs environment. The scheduled run on master uses
+    # no environment gate.
+    environment: ${{ github.event.pull_request.head.repo.fork && 'forks-prs' || '' }}
+    permissions:
+      contents: read
+      id-token: write # Required to mint Datadog credentials via dd-sts
     steps:
       - name: Checkout code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        with:
+          # PR head for pull_request_target; the triggering ref for the schedule.
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+      - name: Mint Datadog credentials
+        id: dd-sts
+        uses: DataDog/dd-sts-action@7d2d231c02fd54a3da912e582ff87cb995d1fd30 # v1.0.4
+        with:
+          policy: terraform-provider-datadog
       - name: Install Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
         with:
@@ -48,8 +66,8 @@ jobs:
       - name: Sweep stale test resources
         run: make sweep
         env:
-          DD_TEST_CLIENT_API_KEY: ${{ secrets.DD_CLIENT_API_KEY }}
-          DD_TEST_CLIENT_APP_KEY: ${{ secrets.DD_CLIENT_APP_KEY }}
+          DD_TEST_CLIENT_API_KEY: ${{ steps.dd-sts.outputs.api_key }}
+          DD_TEST_CLIENT_APP_KEY: ${{ steps.dd-sts.outputs.app_key }}
       - name: Build skip list for flaky tests
         id: skip-list
         run: |
@@ -65,8 +83,8 @@ jobs:
         env:
           RECORD: "none"
           CI: "true"
-          DD_TEST_CLIENT_API_KEY: ${{ secrets.DD_CLIENT_API_KEY }}
-          DD_TEST_CLIENT_APP_KEY: ${{ secrets.DD_CLIENT_APP_KEY }}
+          DD_TEST_CLIENT_API_KEY: ${{ steps.dd-sts.outputs.api_key }}
+          DD_TEST_CLIENT_APP_KEY: ${{ steps.dd-sts.outputs.app_key }}
           DD_HTTP_CLIENT_RETRY_ENABLED: "true"
           TF_ACC_TERRAFORM_PATH: "/home/runner/.cache/terraform/terraform"
           TF_ACC_TEMP_DIR: "/tmp"

@@ -3,8 +3,11 @@ name: PR Integration Tests
 permissions:
   contents: read
 
+# pull_request_target so that PRs from forks can mint Datadog credentials via
+# OIDC. The credentialed job checks out the PR head and, for forks, runs in the
+# forks-prs environment.
 on: # yamllint disable-line rule:truthy
-  pull_request:
+  pull_request_target:
     branches: [master, v3]
     types: [opened, synchronize, reopened]
 
@@ -22,14 +25,19 @@ jobs:
       test_args: ${{ steps.build-args.outputs.test_args }}
       should_run: ${{ steps.build-args.outputs.should_run }}
     steps:
-      - name: Checkout code
+      - name: Checkout base
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
         with:
           fetch-depth: 0
       - name: Get changed files
         id: changed
         run: |
-          git diff --name-only origin/${{ github.base_ref }}...HEAD > /tmp/changed_files.txt
+          # pull_request_target checks out the base branch (trusted). Fetch the
+          # PR head and diff by filename only, so untrusted PR code is never
+          # executed in this credential-less job; the test selection scripts
+          # below run from the trusted base checkout.
+          git fetch --no-tags origin "refs/pull/${{ github.event.pull_request.number }}/head"
+          git diff --name-only "origin/${{ github.base_ref }}...${{ github.event.pull_request.head.sha }}" > /tmp/changed_files.txt
           echo "Changed files:"
           cat /tmp/changed_files.txt
       - name: Select tests and build args
@@ -59,9 +67,23 @@ jobs:
     needs: determine-tests
     if: needs.determine-tests.outputs.should_run == 'true'
     runs-on: ubuntu-latest
+    # Fork PRs run untrusted code with live (short-lived, test-org) credentials,
+    # so they run in the forks-prs environment. Same-repo PRs run without an
+    # environment gate.
+    environment: ${{ github.event.pull_request.head.repo.fork && 'forks-prs' || '' }}
+    permissions:
+      contents: read
+      id-token: write # Required to mint Datadog credentials via dd-sts
     steps:
-      - name: Checkout code
+      - name: Checkout PR code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Mint Datadog credentials
+        id: dd-sts
+        uses: DataDog/dd-sts-action@7d2d231c02fd54a3da912e582ff87cb995d1fd30 # v1.0.4
+        with:
+          policy: terraform-provider-datadog
       - name: Install Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
         with:
@@ -81,15 +103,15 @@ jobs:
       - name: Sweep stale test resources
         run: make sweep
         env:
-          DD_TEST_CLIENT_API_KEY: ${{ secrets.DD_CLIENT_API_KEY }}
-          DD_TEST_CLIENT_APP_KEY: ${{ secrets.DD_CLIENT_APP_KEY }}
+          DD_TEST_CLIENT_API_KEY: ${{ steps.dd-sts.outputs.api_key }}
+          DD_TEST_CLIENT_APP_KEY: ${{ steps.dd-sts.outputs.app_key }}
       - name: Run selected integration tests
         run: make testacc
         env:
           RECORD: "none"
           CI: "true"
-          DD_TEST_CLIENT_API_KEY: ${{ secrets.DD_CLIENT_API_KEY }}
-          DD_TEST_CLIENT_APP_KEY: ${{ secrets.DD_CLIENT_APP_KEY }}
+          DD_TEST_CLIENT_API_KEY: ${{ steps.dd-sts.outputs.api_key }}
+          DD_TEST_CLIENT_APP_KEY: ${{ steps.dd-sts.outputs.app_key }}
           DD_HTTP_CLIENT_RETRY_ENABLED: "true"
           TF_ACC_TERRAFORM_PATH: "/home/runner/.cache/terraform/terraform"
           TF_ACC_TEMP_DIR: "/tmp"