diff --git a/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml b/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml
index 85e1f7aa343..c2b192475a7 100644
--- a/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml
+++ b/.github/chainguard/self.pin-system-tests.create-pr.sts.yaml
@@ -1,11 +1,11 @@
 issuer: https://token.actions.githubusercontent.com
-subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/.+
+subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/(master|test/v.+)
 claim_pattern:
- event_name: (push|workflow_dispatch)
- ref: refs/heads/.+
- job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/.+
+ event_name: (create|workflow_dispatch)
+ ref: refs/heads/(master|test/v.+)
+ job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/pin-system-tests\.yaml@refs/heads/(master|test/v.+)
 permissions:
 contents: write
diff --git a/.github/workflows/pin-system-tests.yaml b/.github/workflows/pin-system-tests.yaml
new file mode 100644
index 00000000000..725eedf3178
--- /dev/null
+++ b/.github/workflows/pin-system-tests.yaml
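Review bot: The new `subject_pattern`, `ref` and `job_workflow_ref` patterns extend this policy (which carries `contents: write`) to every `test/v.+` branch, but the workflow that consumes it marks that prefix as temporary (`# CHANGE BACK TO release/v*` in the second file), so the policy would stay broader than the release branches it is meant to serve if that follow-up is forgotten. Because the `create` claim means the workflow definition is taken from the freshly created branch itself, the set of branches admitted here is effectively the set of people who can create such a branch — worth keeping as narrow as `release/v.+` from the start. Suggested form for all three patterns, e.g. `subject_pattern: repo:DataDog/dd-trace-java:ref:refs/heads/(master|release/v.+)`, with the matching `if:` guard in pin-system-tests.yaml changed in the same commit; if the test prefix must ship for validation, a tracked issue for reverting it would be the minimum.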
@@ -0,0 +1,107 @@
+name: Pin system tests
+
+on:
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: 'The minor release branch name (e.g. release/v1.54.x)'
+ required: true
+ type: string
+ # run workflow when a release branch is created
+ create:
+
+jobs:
+ pin-system-tests:
+ name: "Pin system tests"
+ # CHANGE BACK TO release/v*
+ if: github.event_name != 'create' || startsWith(github.ref, 'refs/heads/test/v')
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # may not be needed
+ id-token: write # Required for OIDC token federation
+ steps:
+ - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+ id: octo-sts
+ with:
+ scope: DataDog/dd-trace-java
+ policy: self.pin-system-tests.create-pr
+
+ - name: Checkout the repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+ - name: Define branch name
+ id: define-branch
+ run: echo "branch=ci/pin-system-tests-$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+
+ - name: Check if branch already exists
+ id: check-branch
+ run: |
+ BRANCH=${{ steps.define-branch.outputs.branch }}
+ if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+ echo "creating_new_branch=false" >> "$GITHUB_OUTPUT"
+ echo "Branch $BRANCH already exists - please delete it and re-run the workflow."
+ exit 0
+ else
+ echo "creating_new_branch=true" >> "$GITHUB_OUTPUT"
+ echo "Branch $BRANCH does not exist - creating it now"
+ fi
+
+ - name: Update system-tests references to latest commit SHA on main
+ run: ./tooling/update_system_test_reference.sh
+
+ - name: Check if changes should be committed
+ id: check-changes
+ run: |
+ if [[ -z "$(git status -s)" ]]; then
+ echo "No changes to commit, exiting."
+ echo "commit_changes=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ else
+ echo "commit_changes=true" >> "$GITHUB_OUTPUT"
+ echo "Changes to commit:"
+ git status -s
+ fi
+
+ - name: Commit changes
+ if: steps.check-changes.outputs.commit_changes == 'true'
+ id: create-commit
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git commit -m "chore: Pin system-tests for release branch" .github/workflows/run-system-tests.yaml
+ echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+
+ - name: Push changes
+ uses: DataDog/commit-headless@5a0f3876e0fbdd3a86b3e008acf4ec562db59eee # action/v2.0.1
+ if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true'
+ with:
+ token: "${{ steps.octo-sts.outputs.token }}"
+ branch: "${{ steps.define-branch.outputs.branch }}"
+ head-sha: "${{ github.sha }}"
+ create-branch: true
+ command: push
+ commits: "${{ steps.create-commit.outputs.commit }}"
+
+ - name: Define base branch
+ id: define-base-branch
+ run: |
+ if [[ -n "${{ github.event.inputs.tag }}" ]]; then
+ BASE_BRANCH=${{ github.event.inputs.tag }}
+ else
+ BASE_BRANCH=${GITHUB_REF#refs/heads/}
+ fi
+ echo "base_branch=${BASE_BRANCH}" >> $GITHUB_OUTPUT
+
+ - name: Create pull request
+ if: steps.check-changes.outputs.commit_changes == 'true' && steps.check-branch.outputs.creating_new_branch == 'true'
+ env:
+ GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
+ # REMOVE DRAFT
+ run: |
+ gh pr create --title "Pin system tests for release branch" \
+ --base ${{ steps.define-base-branch.outputs.base_branch }} \
+ --head ${{ steps.define-branch.outputs.branch }} \
+ --label "tag: dependencies" \
+ --label "tag: no release notes" \
+ --body "This PR pins the system-tests reference for the release branch." \
+ --draft
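Review bot: In the `Define base branch` step the dispatch input is expanded straight into the shell script (`BASE_BRANCH=${{ github.event.inputs.tag }}` and the `-n` test above it), and the derived value is interpolated again, unquoted, into `gh pr create --base ${{ steps.define-base-branch.outputs.base_branch }}`, so any shell metacharacters in the input are interpreted as code rather than passed as data. `workflow_dispatch` is limited to users who can run workflows, which bounds the exposure, but the idiomatic and cheap fix is to route every `${{ }}` expression used in `run:` through `env:` and reference it as a quoted shell variable (the same applies to `BRANCH=${{ steps.define-branch.outputs.branch }}` in `check-branch`). Separately, the job's `permissions: contents: write` (already annotated `# may not be needed`) can drop to `contents: read`, since the push and PR creation use the octo-sts token and checkout only needs read. One behavioural edge to confirm: `check-changes` inspects the whole tree but `git commit` stages only `.github/workflows/run-system-tests.yaml`, so a change to any other file would report `commit_changes=true` and then fail at the commit step.
```yaml
      - name: Define base branch
        id: define-base-branch
        env:
          TAG: ${{ github.event.inputs.tag }}
        run: |
          if [[ -n "$TAG" ]]; then
            BASE_BRANCH="$TAG"
          else
            BASE_BRANCH="${GITHUB_REF#refs/heads/}"
          fi
          echo "base_branch=${BASE_BRANCH}" >> "$GITHUB_OUTPUT"

      - name: Create pull request
        # … unchanged: if: condition …
        env:
          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
          BASE_BRANCH: ${{ steps.define-base-branch.outputs.base_branch }}
          HEAD_BRANCH: ${{ steps.define-branch.outputs.branch }}
        run: |
          gh pr create --title "Pin system tests for release branch" \
            --base "$BASE_BRANCH" \
            --head "$HEAD_BRANCH" \
          # … unchanged: --label, --body and --draft arguments …
```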