From b448d6aa883eebb863809a525938f393a26cddd5 Mon Sep 17 00:00:00 2001 From: Alex Vidal Date: Fri, 1 Aug 2025 09:46:31 -0500 Subject: [PATCH 1/8] ci: use commit-headless to create signed commits from actions Built on #9288 --- ...date-jmxfetch-submodule.create-pr.sts.yaml | 13 ++++ .../add-release-to-cloudfoundry.yaml | 26 +++++--- .../workflows/update-docker-build-image.yaml | 37 ++++++++---- .../workflows/update-gradle-dependencies.yaml | 60 +++++++++++-------- .../workflows/update-jmxfetch-submodule.yaml | 47 ++++++++++----- 5 files changed, 124 insertions(+), 59 deletions(-) create mode 100644 .github/chainguard/self.update-jmxfetch-submodule.create-pr.sts.yaml diff --git a/.github/chainguard/self.update-jmxfetch-submodule.create-pr.sts.yaml b/.github/chainguard/self.update-jmxfetch-submodule.create-pr.sts.yaml new file mode 100644 index 00000000000..4c1eda413fa --- /dev/null +++ b/.github/chainguard/self.update-jmxfetch-submodule.create-pr.sts.yaml @@ -0,0 +1,13 @@ +issuer: https://token.actions.githubusercontent.com + +subject: repo:DataDog/dd-trace-java:ref:refs/heads/master + +claim_pattern: + event_name: (schedule|workflow_dispatch) + ref: refs/heads/master + ref_protected: "true" + job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/update-jmxfetch-submodule\.yaml@refs/heads/master + +permissions: + contents: write + pull_requests: write diff --git a/.github/workflows/add-release-to-cloudfoundry.yaml b/.github/workflows/add-release-to-cloudfoundry.yaml index f63eab4c982..dd8a161fa97 100644 --- a/.github/workflows/add-release-to-cloudfoundry.yaml +++ b/.github/workflows/add-release-to-cloudfoundry.yaml @@ -1,5 +1,5 @@ name: Add release to Cloud Foundry -on: +on: release: types: - released 
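Review bot: The new trust policy `.github/chainguard/self.update-jmxfetch-submodule.create-pr.sts.yaml` carries no comment saying which workflow it serves or why it needs both write scopes, which makes later least-privilege audits harder. The `subject`, `ref`, `ref_protected` and `job_workflow_ref` constraints all pin to master, which is the right shape. Whether the `claim_pattern` values are matched as fully anchored expressions depends on the STS implementation and is worth confirming. I would add a header comment such as `# Used by .github/workflows/update-jmxfetch-submodule.yaml: contents:write pushes the ci/update-jmxfetch-submodule-* branch, pull_requests:write opens the PR.`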
@@ -42,11 +42,23 @@ jobs: - name: Append release to Cloud Foundry repository run: | echo "${{ steps.get-release-version.outputs.VERSION }}: ${{ steps.get-release-url.outputs.URL }}" >> index.yml - - name: Commit and push changes - uses: planetscale/ghcommit-action@322be9669498a4be9ce66efc1169f8f43f6bd883 # v0.2.17 + - name: Commit changes + id: create-commit + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + if [[ -z "$(git status -s)" ]]; then + echo "No changes to commit, exiting." + exit 0; + fi + + git commit -a -m "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry" + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + - name: Push changes + uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0 + if: ${{ steps.create-commit.outputs.commit != '' }} with: - commit_message: "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry" - repo: ${{ github.repository }} branch: cloudfoundry - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + command: push + commits: "${{ steps.create-commit.outputs.commit }}" diff --git a/.github/workflows/update-docker-build-image.yaml b/.github/workflows/update-docker-build-image.yaml index 76f15bf2c42..63f07169043 100644 --- a/.github/workflows/update-docker-build-image.yaml +++ b/.github/workflows/update-docker-build-image.yaml @@ -15,7 +15,7 @@ jobs: update-docker-build-image: runs-on: ubuntu-latest permissions: - contents: write # Required to create and push branch + contents: read id-token: write # Required for OIDC token federation steps: - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 
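Review bot: In `add-release-to-cloudfoundry.yaml`, the new `Commit changes` step expands `${{ steps.get-release-version.outputs.VERSION }}` inside the `run:` script, so the value is pasted into the shell source before bash parses it. In the removed step the same expression was an action input (`commit_message`) and never reached a shell. How VERSION is derived is outside the hunk, but if it comes from the release tag or name, quotes or shell metacharacters in it would be interpreted rather than treated as text. Pass it through the environment instead: add `env:` with `VERSION: ${{ steps.get-release-version.outputs.VERSION }}` to the step and write `git commit -a -m "chore: Add version $VERSION to Cloud Foundry"`. The `echo` in the context step above has the same pattern.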
@@ -26,17 +26,9 @@ jobs: - name: Checkout the repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Download ghcommit CLI - run: | - curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L - chmod +x /usr/local/bin/ghcommit - name: Pick a branch name id: define-branch run: echo "branch=ci/update-docker-build-image-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT - - name: Create branch - run: | - git checkout -b ${{ steps.define-branch.outputs.branch }} - git push -u origin ${{ steps.define-branch.outputs.branch }} --force - name: Define the Docker build image tage to use id: define-tag run: | 
@@ -59,11 +51,30 @@ jobs: - name: Update the Docker build image in GitLab CI config run: | sed -i '' -E 's|(BUILDER_IMAGE_VERSION_PREFIX:)[^#]*([#].*)|\1 "${{ steps.define-tag.outputs.tag }}-" \2|' .gitlab-ci.yml - - name: Commit and push changes - env: - GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} + - name: Commit changes + id: create-commit run: | - ghcommit --repository ${{ github.repository }} --branch ${{ steps.define-branch.outputs.branch }} --add .gitlab-ci.yml --message "feat(ci): Update Docker build image" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + if [[ -z "$(git status -s)" ]]; then + echo "No changes to commit, exiting." + exit 0; + fi + + git commit --message "feat(ci): Update Docker build image" .gitlab-ci.yml + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + - name: Push changes + uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0 + if: ${{ steps.create-commit.outputs.commit != '' }} + with: + token: "${{ steps.octo-sts.outputs.token }}" + branch: "${{ steps.define-branch.outputs.branch }}" + # for scheduled runs, sha is the tip of the default branch + # for dispatched runs, sha is the tip of the branch it was dispatched on + branch-from: "${{ github.sha }}" + command: push + commits: "${{ steps.create-commit.outputs.commit }}" - name: Create pull request env: GH_TOKEN: ${{ steps.octo-sts.outputs.token }} diff --git a/.github/workflows/update-gradle-dependencies.yaml b/.github/workflows/update-gradle-dependencies.yaml index 14d4e587ade..acf364a255f 100644 --- a/.github/workflows/update-gradle-dependencies.yaml +++ b/.github/workflows/update-gradle-dependencies.yaml 
@@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest name: Update Gradle dependencies permissions: - contents: write # Required to create new branch + contents: read id-token: write # Required for OIDC token federation steps: - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 @@ -22,16 +22,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 with: submodules: "recursive" - - name: Download ghcommit CLI - run: | - curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L - chmod +x /usr/local/bin/ghcommit - name: Pick a branch name - run: echo "BRANCH_NAME=ci/update-gradle-dependencies-$(date +'%Y%m%d')" >> $GITHUB_ENV - - name: Create branch - run: | - git checkout -b $BRANCH_NAME - git push -u origin $BRANCH_NAME --force + run: echo "branch=ci/update-gradle-dependencies-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT - name: Update Gradle dependencies run: | GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx3G -Xms2G'" \ 
@@ -42,40 +34,58 @@ jobs: JAVA_21_HOME=$JAVA_HOME_21_X64 \ ./gradlew resolveAndLockAll --write-locks --parallel --stacktrace --no-daemon --max-workers=4 - name: Commit changes + id: create-commits env: - GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} + BRANCH_NAME: ${{ steps.define-branch.outputs.branch }} run: | - GH_ADD_ARGS="" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + FILES="" + COMMITS="" COUNT=0 + # XXX: Could be replaced by ${{ github.sha }} BRANCH_HEAD=$(git rev-parse HEAD) for lockfile in $(git status --porcelain=v1 | awk '{ print $NF }'); do echo "Found lockfile: $lockfile" - GH_ADD_ARGS="$GH_ADD_ARGS --add $lockfile" + FILES="$FILES $lockfile" COUNT=$((COUNT+1)) if [ $COUNT -eq 10 ]; then - echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with $GH_ADD_ARGS" - OUTPUT=$(ghcommit --repository ${{ github.repository }} --branch $BRANCH_NAME --sha $BRANCH_HEAD $GH_ADD_ARGS --message "chore: Update Gradle dependencies" 2>&1) - echo $OUTPUT - if [[ $OUTPUT != *"Success. 
New commit"* ]]; then - exit 1 - fi - BRANCH_HEAD=${OUTPUT##*/} - echo "ghcommit output: $OUTPUT" - GH_ADD_ARGS="" + echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with files $FILES" + git commit --no-verify --message="chore: Update Gradle dependencies" "${FILES}" + COMMITS="$COMMITS $(git rev-parse HEAD)" + FILES="" COUNT=0 fi done # Check at uncommited files echo "Checking uncommited files" git status - # Create a PR from the created branch + + # Commit any remaining files if [ $COUNT -gt 0 ]; then - echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with $GH_ADD_ARGS" - ghcommit --repository ${{ github.repository }} --branch $BRANCH_NAME --sha $BRANCH_HEAD $GH_ADD_ARGS --message "chore: Update Gradle dependencies" + echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with $FILES" + git commit --no-verify --message="chore: Update Gradle dependencies" "${FILES}" + COMMITS="$COMMITS $(git rev-parse HEAD)" fi + + echo "Commits to push: ${COMMITS}" + echo "commits=\"${COMMITS}\"" >> $GITHUB_OUTPUT + - name: Push changes + uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0 + if: ${{ steps.create-commits.outputs.commits != '' }} + with: + token: "${{ steps.octo-sts.outputs.token }}" + branch: "${{ steps.define-branch.outputs.branch }}" + # for scheduled runs, sha is the tip of the default branch + # for dispatched runs, sha is the tip of the branch it was dispatched on + branch-from: "${{ github.sha }}" + command: push + commits: "${{ steps.create-commits.outputs.commits }}" - name: Create pull request env: GH_TOKEN: ${{ steps.octo-sts.outputs.token }} + BRANCH_NAME: ${{ steps.define-branch.outputs.branch }} run: | # use echo to set a multiline body for the PR echo -e "This PR updates the Gradle dependencies. ⚠️ Don't forget to squash commits before merging. ⚠️\n\n- [ ] Update PR title if a code change is needed to support one of those new dependencies" | \ 
diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml index 9cd38cf906c..cbb750fd9c4 100644 --- a/.github/workflows/update-jmxfetch-submodule.yaml +++ b/.github/workflows/update-jmxfetch-submodule.yaml 
@@ -8,32 +8,51 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: + - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3 + id: octo-sts + with: + scope: ${{ github.repository }} + policy: self.update-jmxfetch-submodule.create-pr - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - - name: Update Submodule run: | git submodule update --remote -- dd-java-agent/agent-jmxfetch/integrations-core - - name: Download ghcommit CLI - run: | - curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L - chmod +x /usr/local/bin/ghcommit - name: Pick a branch name id: define-branch run: echo "branch=ci/update-jmxfetch-submodule-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT - - name: Create branch - run: | - git checkout -b ${{ steps.define-branch.outputs.branch }} - git push -u origin ${{ steps.define-branch.outputs.branch }} --force - - name: Commit and push changes - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + - name: Commit changes + id: create-commit run: | - ghcommit --repository ${{ github.repository }} --branch ${{ steps.define-branch.outputs.branch }} --add dd-java-agent/agent-jmxfetch/integrations-core --message "Update agent-jmxfetch submodule" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + if [[ -z "$(git status -s)" ]]; then + echo "No changes to commit, exiting." 
+ exit 0; + fi + + git commit -a -m "Update agent-jmxfetch submodule" + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + - name: Push changes + uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0 + if: ${{ steps.create-commit.outputs.commit != '' }} + with: + token: "${{ steps.octo-sts.outputs.token }}" + branch: "${{ steps.define-branch.outputs.branch }}" + # for scheduled runs, sha is the tip of the default branch + # for dispatched runs, sha is the tip of the branch it was dispatched on + branch-from: "${{ github.sha }}" + command: push + commits: "${{ steps.create-commit.outputs.commit }}" - name: Create pull request + if: ${{ steps.create-commit.outputs.commit != '' }} env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: "${{ steps.octo-sts.outputs.token }}" run: | gh pr create --title "Update agent-jmxfetch submodule" \ --base master \ From 17d121bec8f0c35def5a0e41558d9708ee0776c4 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 5 Aug 2025 15:47:06 -0400 Subject: [PATCH 2/8] Add back create-commit id --- .github/workflows/update-docker-build-image.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-docker-build-image.yaml b/.github/workflows/update-docker-build-image.yaml index b37ea6e2e7a..a0c734dbe7c 100644 --- a/.github/workflows/update-docker-build-image.yaml +++ b/.github/workflows/update-docker-build-image.yaml @@ -74,6 +74,7 @@ jobs: git push -u origin ${{ steps.define-branch.outputs.branch }} --force - name: Commit changes if: steps.check-changes.outputs.commit_changes == 'true' + id: create-commit env: GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} run: | 
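Review bot: The comment above `branch-from` in `update-jmxfetch-submodule.yaml` ("for dispatched runs, sha is the tip of the branch it was dispatched on") does not match the trust policy this workflow now uses. `self.update-jmxfetch-submodule.create-pr` only accepts `ref: refs/heads/master` and a master `job_workflow_ref`, so a dispatch from any other branch should fail at the `octo-sts` step before `github.sha` is ever used (assuming the subject and claims are matched exactly). That fail-closed behaviour is desirable, but the copied comment suggests otherwise. I would reword it to `# the STS policy only matches refs/heads/master, so sha is always the tip of master here`.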
@@ -89,7 +90,7 @@ jobs: echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - name: Push changes uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0 - if: ${{ steps.create-commit.outputs.commit != '' }} + if: ${{ steps.check-changes.outputs.commit_changes == 'true' && steps.create-commit.outputs.commit != '' }} with: token: "${{ steps.octo-sts.outputs.token }}" branch: "${{ steps.define-branch.outputs.branch }}" From 04ea0473daa2e9c65748040131be403d799cc909 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 5 Aug 2025 16:04:10 -0400 Subject: [PATCH 3/8] Delete ghcommit download --- .github/workflows/update-docker-build-image.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/update-docker-build-image.yaml b/.github/workflows/update-docker-build-image.yaml index a0c734dbe7c..cc3070dab08 100644 --- a/.github/workflows/update-docker-build-image.yaml +++ b/.github/workflows/update-docker-build-image.yaml @@ -58,11 +58,6 @@ jobs: else echo "commit_changes=true" >> "$GITHUB_OUTPUT" fi - - name: Download ghcommit CLI - if: steps.check-changes.outputs.commit_changes == 'true' - run: | - curl https://github.com/planetscale/ghcommit/releases/download/v0.1.48/ghcommit_linux_amd64 -o /usr/local/bin/ghcommit -L - chmod +x /usr/local/bin/ghcommit - name: Pick a branch name if: steps.check-changes.outputs.commit_changes == 'true' id: define-branch From a9a1f752f3442a399bb8f7b75b77a42e62a250c1 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 5 Aug 2025 16:26:02 -0400 Subject: [PATCH 4/8] Change cloudfoundry content permissions to read --- .github/workflows/add-release-to-cloudfoundry.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/add-release-to-cloudfoundry.yaml b/.github/workflows/add-release-to-cloudfoundry.yaml index dd8a161fa97..ffb4e187dc7 100644 --- a/.github/workflows/add-release-to-cloudfoundry.yaml +++ b/.github/workflows/add-release-to-cloudfoundry.yaml 
@@ -6,7 +6,7 @@ on: jobs: update-releases: permissions: - contents: write # Required to commit and push changes to the repository + contents: read runs-on: ubuntu-latest steps: - name: Checkout "cloudfoundry" branch From 2a47f6ac496b5c2b3cd424d259067b40c8be62b9 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 5 Aug 2025 16:38:21 -0400 Subject: [PATCH 5/8] Undo - Change cloudfoundry content permissions to read --- .github/workflows/add-release-to-cloudfoundry.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/add-release-to-cloudfoundry.yaml b/.github/workflows/add-release-to-cloudfoundry.yaml index ffb4e187dc7..86ca175c183 100644 --- a/.github/workflows/add-release-to-cloudfoundry.yaml +++ b/.github/workflows/add-release-to-cloudfoundry.yaml @@ -6,7 +6,7 @@ on: jobs: update-releases: permissions: - contents: read + contents: write runs-on: ubuntu-latest steps: - name: Checkout "cloudfoundry" branch From f8587d4c6eca63acfc59b23e993ea6046fc0e5f8 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 5 Aug 2025 16:44:18 -0400 Subject: [PATCH 6/8] Clean docker build workflow --- .github/workflows/update-docker-build-image.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/update-docker-build-image.yaml b/.github/workflows/update-docker-build-image.yaml index cc3070dab08..93ff8dc2191 100644 --- a/.github/workflows/update-docker-build-image.yaml +++ b/.github/workflows/update-docker-build-image.yaml 
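Review bot: The revert in PATCH 5/8 restores `contents: write` for `update-releases` but drops the explanatory comment the original line had, so the only job in this series that keeps a write-scoped `GITHUB_TOKEN` no longer says why. From PATCH 1/8, the `Push changes` step in this workflow passes no `token:` to commit-headless, so it presumably falls back to the job token, which is why `read` did not work. I would document that on the line: `contents: write # commit-headless pushes to the cloudfoundry branch with the job's GITHUB_TOKEN`. If the other three workflows' octo-sts pattern can be applied here later, this permission could drop to `read` as well.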
@@ -70,17 +70,9 @@ jobs: - name: Commit changes if: steps.check-changes.outputs.commit_changes == 'true' id: create-commit - env: - GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - - if [[ -z "$(git status -s)" ]]; then - echo "No changes to commit, exiting." - exit 0; - fi - git commit --message "feat(ci): Update Docker build image" .gitlab-ci.yml echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - name: Push changes From 3e3c04fd4ca899ec1a6240a254c1b461fddda13d Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 5 Aug 2025 16:48:55 -0400 Subject: [PATCH 7/8] Clean jmxfetch submodule workflow --- .github/workflows/update-jmxfetch-submodule.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/update-jmxfetch-submodule.yaml b/.github/workflows/update-jmxfetch-submodule.yaml index 1255e3a34ec..06d317f46bf 100644 --- a/.github/workflows/update-jmxfetch-submodule.yaml +++ b/.github/workflows/update-jmxfetch-submodule.yaml @@ -43,8 +43,7 @@ jobs: run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git add dd-java-agent/agent-jmxfetch/integrations-core - git commit -m "Update agent-jmxfetch submodule" + git commit --message "feat(ci): Update agent-jmxfetch submodule" dd-java-agent/agent-jmxfetch/integrations-core echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - name: Push changes uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0 From 7744e409f6c7e7b981dfa52786ee912d8e25faa1 Mon Sep 17 00:00:00 2001 From: Sarah Chen Date: Tue, 5 Aug 2025 17:08:47 -0400 Subject: [PATCH 8/8] Clean gradle dependencies workflow --- .../workflows/update-gradle-dependencies.yaml | 57 +++++++------------ 1 file changed, 20 insertions(+), 37 deletions(-) 
diff --git a/.github/workflows/update-gradle-dependencies.yaml b/.github/workflows/update-gradle-dependencies.yaml index acf364a255f..d5c444a4f0f 100644 --- a/.github/workflows/update-gradle-dependencies.yaml +++ b/.github/workflows/update-gradle-dependencies.yaml @@ -23,6 +23,7 @@ jobs: with: submodules: "recursive" - name: Pick a branch name + id: define-branch run: echo "branch=ci/update-gradle-dependencies-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT - name: Update Gradle dependencies run: | 
@@ -33,47 +34,28 @@ jobs: JAVA_17_HOME=$JAVA_HOME_17_X64 \ JAVA_21_HOME=$JAVA_HOME_21_X64 \ ./gradlew resolveAndLockAll --write-locks --parallel --stacktrace --no-daemon --max-workers=4 + - name: Check for changes + id: check-changes + run: | + if [[ -z "$(git status -s)" ]]; then + echo "No changes to commit, exiting." + echo "has_changes=false" >> "$GITHUB_OUTPUT" + exit 0 + else + echo "has_changes=true" >> "$GITHUB_OUTPUT" + fi - name: Commit changes - id: create-commits - env: - BRANCH_NAME: ${{ steps.define-branch.outputs.branch }} + if: steps.check-changes.outputs.has_changes == 'true' + id: create-commit run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - - FILES="" - COMMITS="" - COUNT=0 - # XXX: Could be replaced by ${{ github.sha }} - BRANCH_HEAD=$(git rev-parse HEAD) - for lockfile in $(git status --porcelain=v1 | awk '{ print $NF }'); do - echo "Found lockfile: $lockfile" - FILES="$FILES $lockfile" - COUNT=$((COUNT+1)) - if [ $COUNT -eq 10 ]; then - echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with files $FILES" - git commit --no-verify --message="chore: Update Gradle dependencies" "${FILES}" - COMMITS="$COMMITS $(git rev-parse HEAD)" - FILES="" - COUNT=0 - fi - done - # Check at uncommited files - echo "Checking uncommited files" - git status - - # Commit any remaining files - if [ $COUNT -gt 0 ]; then - echo "Creating a commit to $BRANCH_NAME@$BRANCH_HEAD with $FILES" - git commit --no-verify --message="chore: Update Gradle dependencies" "${FILES}" - COMMITS="$COMMITS $(git rev-parse HEAD)" - fi - - echo "Commits to push: ${COMMITS}" - echo "commits=\"${COMMITS}\"" >> $GITHUB_OUTPUT + git add . 
+ git commit --no-verify --message="chore: Update Gradle dependencies" + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - name: Push changes uses: DataDog/commit-headless@1186485b788f57eedaaadb19919781698b4d262f # action/v1.0.0 - if: ${{ steps.create-commits.outputs.commits != '' }} + if: ${{ steps.check-changes.outputs.has_changes == 'true' && steps.create-commit.outputs.commit != '' }} with: token: "${{ steps.octo-sts.outputs.token }}" branch: "${{ steps.define-branch.outputs.branch }}" @@ -81,14 +63,15 @@ jobs: # for dispatched runs, sha is the tip of the branch it was dispatched on branch-from: "${{ github.sha }}" command: push - commits: "${{ steps.create-commits.outputs.commits }}" + commits: "${{ steps.create-commit.outputs.commit }}" - name: Create pull request + if: steps.check-changes.outputs.has_changes == 'true' env: GH_TOKEN: ${{ steps.octo-sts.outputs.token }} BRANCH_NAME: ${{ steps.define-branch.outputs.branch }} run: | # use echo to set a multiline body for the PR - echo -e "This PR updates the Gradle dependencies. ⚠️ Don't forget to squash commits before merging. ⚠️\n\n- [ ] Update PR title if a code change is needed to support one of those new dependencies" | \ + echo -e "This PR updates the Gradle dependencies.\n\n- [ ] Update PR title if a code change is needed to support one of those new dependencies" | \ gh pr create --title "Update Gradle dependencies" \ --base master \ --head $BRANCH_NAME \
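Review bot: `git add .` in the rewritten `Commit changes` step of `update-gradle-dependencies.yaml` stages every modified or untracked path left in the workspace after `./gradlew resolveAndLockAll`, not only lockfiles, and that commit is then pushed with the octo-sts write token. The removed loop at least echoed each path it picked up; the new step logs nothing about what goes into the commit. If lockfiles are the only intended change, stage by pathspec, for example `git add -- '*.lockfile'` (confirm the pattern against the repository's lockfile names), and print `git status --short` before committing so the run log records what was staged. A short comment on why `--no-verify` is needed would also help.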