diff --git a/.github/workflows/reusable-pre-commit.yml b/.github/workflows/reusable-pre-commit.yml
index 77074daa4c..ad98978e6d 100644
--- a/.github/workflows/reusable-pre-commit.yml
+++ b/.github/workflows/reusable-pre-commit.yml
@@ -13,11 +13,6 @@ on:
         required: false
         type: boolean
         default: true
-    secrets:
-      PIPELINE_GITHUB_APP_ID:
-        required: false
-      PIPELINE_GITHUB_APP_PRIVATE_KEY:
-        required: false
 
 env:
   GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
@@ -26,20 +21,23 @@ env:
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
-      - name: Get GitHub App token
-        id: get_token
+      - name: Get dd-octo-sts token
+        id: octo-sts
         if: inputs.enable-commit-changes
-        uses: actions/create-github-app-token@v1
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
+          scope: DataDog/datadog-api-client-python
+          policy: self.github.pre-commit.pull-request
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
           repository: DataDog/datadog-api-client-python
           ref: ${{ inputs.target-branch || github.event.pull_request.head.sha || github.ref }}
-          token: ${{ inputs.enable-commit-changes && steps.get_token.outputs.token || github.token }}
+          token: ${{ inputs.enable-commit-changes && steps.octo-sts.outputs.token || github.token }}
       - uses: actions/setup-python@v4
         with:
           python-version: '3.11'
diff --git a/.github/workflows/reusable-python-test.yml b/.github/workflows/reusable-python-test.yml
index 3297b2329c..b10ed6e46c 100644
--- a/.github/workflows/reusable-python-test.yml
+++ b/.github/workflows/reusable-python-test.yml
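Review bot: The new `uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4` is pinned to a full commit SHA, but `actions/checkout@v3` and `actions/setup-python@v4` in the same hunk stay on mutable tag refs, so the pre-commit job now mixes two pinning disciplines; the same applies to `DataDog/github-actions/post-status-check@v2` in the report hunk of test.yml. Since the checkout step is the one that consumes the short-lived token minted by octo-sts, it deserves the same treatment, e.g. `uses: actions/checkout@<commit-sha> # v3` (placeholder SHA, resolve it from the tag). Separately, `id-token: write` is granted at the job level even when `inputs.enable-commit-changes` is false and the token step is skipped; if callers can run with commits disabled, a one-line comment on the `permissions:` block explaining why the scope is unconditional would help the next reader.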
@@ -23,11 +23,6 @@ on:
         required: false
         type: string
         default: '[{"platform": "macos-latest", "python-version": "3.8"}, {"platform": "ubuntu-latest", "python-version": "3.8"}, {"platform": "ubuntu-22.04", "python-version": "3.12"}]'
-    secrets:
-      PIPELINE_GITHUB_APP_ID:
-        required: false
-      PIPELINE_GITHUB_APP_PRIVATE_KEY:
-        required: false
 
 jobs:
   test:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 68d6ee506f..bfbebc1a61 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -26,11 +26,11 @@ jobs:
         !contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/')) ||
       github.event_name == 'schedule'
     uses: ./.github/workflows/reusable-pre-commit.yml
+    permissions:
+      id-token: write
+      contents: read
     with:
       enable-commit-changes: true
-    secrets:
-      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 
   test:
     if: >
@@ -43,9 +43,6 @@ jobs:
       python-versions: '["3.8", "3.12"]'
       platforms: '["ubuntu-22.04", "ubuntu-latest", "macos-latest"]'
       matrix-exclude: '[{"platform": "macos-latest", "python-version": "3.8"}, {"platform": "ubuntu-latest", "python-version": "3.8"}, {"platform": "ubuntu-22.04", "python-version": "3.12"}]'
-    secrets:
-      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 
   examples:
     if: >
@@ -60,23 +57,23 @@ jobs:
 
   report:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     if: always() && github.event_name == 'pull_request' && contains(github.event.pull_request.head.ref, 'datadog-api-spec/generated/')
     needs:
       - test
       - examples
     steps:
-      - name: Get GitHub App token
-        if: github.event_name == 'pull_request'
-        id: get_token
-        uses: actions/create-github-app-token@v1
+      - name: Get dd-octo-sts token
+        id: octo-sts
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
-          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
-          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
-          repositories: datadog-api-spec
+          scope: DataDog/datadog-api-spec
+          policy: datadog-api-client-python.github.post-status-check.pull-request
       - name: Post status check
         uses: DataDog/github-actions/post-status-check@v2
         with:
-          github-token: ${{ steps.get_token.outputs.token }}
+          github-token: ${{ steps.octo-sts.outputs.token }}
           repo: datadog-api-spec
           status: ${{ (needs.test.result == 'cancelled' || needs.examples.result == 'cancelled') && 'pending' || (needs.test.result == 'success' && needs.examples.result == 'success') && 'success' || 'failure' }}
           context: master/unit
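Review bot: The `scope: DataDog/datadog-api-spec` / `policy: datadog-api-client-python.github.post-status-check.pull-request` pair is now the entire trust boundary for the cross-repo status write, yet nothing in the report job says where that policy is defined or what it grants; a comment above the step would save the next maintainer a search, e.g. `# Exchanges this job's OIDC token for a short-lived token scoped by the named octo-sts policy (presumably defined in the target repo, not here).` Note also that adding an explicit `permissions:` block with only `id-token: write` sets every other GITHUB_TOKEN scope for this job to none, including the default `contents: read`; that looks intended because the only step needing a token uses the octo-sts one, but confirm `post-status-check@v2` has no fallback to `github.token`. Dropping the old step's `if: github.event_name == 'pull_request'` guard is harmless here since the job-level `if:` already requires a pull_request event.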