diff --git a/.github/workflows/system-tests-official.yml b/.github/workflows/system-tests-official.yml
new file mode 100644
index 00000000000..11092984c5b
--- /dev/null
+++ b/.github/workflows/system-tests-official.yml
@@ -0,0 +1,127 @@
+name: System Tests - Official
+on: # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - master
+      # A workaround to trigger the workflow for pull requests from forked repository,
+      # which does not have access to secrets.
+      #
+      # This is also useful for testing the workflow without opening a pull request.
+      - tmp/*
+  # pull_request:  # To be uncommented if the guild chooses this workflow
+  #   branches:
+  #     - master
+  workflow_dispatch: {}
+  # schedule:  # To be uncommented if the guild chooses this workflow
+  #   - cron: "00 04 * * 2-6"
+
+# Default permissions for all jobs
+permissions: {}
+
+jobs:
+  changes:
+    name: Changes
+    runs-on: ubuntu-24.04
+    outputs:
+      changes: ${{ steps.changes.outputs.src }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Changes
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: changes
+        with:
+          filters: |
+            src:
+              - '.github/forced-tests-list.json'
+              - '.github/workflows/**'
+              - 'lib/**'
+              - 'ext/**'
+              - '*.gemspec'
+              - 'Gemfile'
+              - '*.gemfile'
+              - 'lib-injection/**'
+              - 'tasks/**'
+
+  build:
+    needs:
+      - changes
+    if: ${{ needs.changes.outputs.changes == 'true' }}
+    runs-on: ubuntu-22.04
+    name: Build artifact
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout DataDog/dd-trace-rb
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: DataDog/dd-trace-rb
+          fetch-depth: 2
+          persist-credentials: false
+          path: packaged/dd-trace-rb
+      - name: Upload artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: dd-trace-rb  # The name must match the folder name so it extracts to binaries/dd-trace-rb on download
+          path: packaged
+
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - weblogs: ""  # All of them
+            scenarios: DEFAULT,EVERYTHING_DISABLED,APPSEC_BLOCKING_FULL_DENYLIST,APPSEC_REQUEST_BLOCKING,APPSEC_BLOCKING,GRAPHQL_APPSEC
+          - weblogs: rack,rails70
+            scenarios: |
+              APPSEC_API_SECURITY,
+              APPSEC_AUTO_EVENTS_EXTENDED,
+              APPSEC_CORRUPTED_RULES,
+              APPSEC_CUSTOM_OBFUSCATION,
+              APPSEC_CUSTOM_RULES,
+              APPSEC_LOW_WAF_TIMEOUT,
+              APPSEC_MISSING_RULES,
+              APPSEC_RATE_LIMITER,
+              APPSEC_RULES_MONITORING_WITH_ERRORS,
+              APPSEC_STANDALONE,
+              CROSSED_TRACING_LIBRARIES,
+              DEBUGGER_PII_REDACTION,
+              DEBUGGER_PROBES_SNAPSHOT,
+              DEBUGGER_PROBES_STATUS,
+              INTEGRATIONS,
+              PROFILING,
+              REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD,
+              REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD_NOCACHE,
+              REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES,
+              REMOTE_CONFIG_MOCKED_BACKEND_ASM_FEATURES_NOCACHE,
+              SAMPLING,
+              SCA_STANDALONE,
+              TELEMETRY_APP_STARTED_PRODUCTS_DISABLED,
+              TELEMETRY_DEPENDENCY_LOADED_TEST_FOR_DEPENDENCY_COLLECTION_DISABLED,
+              TELEMETRY_LOG_GENERATION_DISABLED,
+              TELEMETRY_METRIC_GENERATION_DISABLED
+    needs:
+      - build
+    uses: DataDog/system-tests/.github/workflows/system-tests.yml@8ff6c41624103d83d384e0cf3241ec12e4984800  # Automated: This reference is automatically updated.
+    secrets: inherit  # zizmor: ignore[secrets-inherit]
+    permissions:
+      contents: read
+      packages: write
+    with:
+      library: ruby
+      binaries_artifact: dd-trace-rb
+      desired_execution_time: 300  # 5 minutes
+      scenarios: ${{ matrix.scenarios }}
+      weblogs: ${{ matrix.weblogs }}
+      skip_empty_scenarios: true
+      ref: 8ff6c41624103d83d384e0cf3241ec12e4984800  # Automated: This reference is automatically updated.
+
+  complete:
+    name: System Tests (complete)
+    runs-on: ubuntu-24.04
+    needs:
+      - test
+    steps:
+      - run: echo "DONE!"
diff --git a/.github/workflows/update-system-tests.yml b/.github/workflows/update-system-tests.yml
index 1fea2f31cc6..e7df762c357 100644
--- a/.github/workflows/update-system-tests.yml
+++ b/.github/workflows/update-system-tests.yml
@@ -61,6 +61,18 @@ jobs:
           PATTERN: '(\s*SYSTEM_TESTS_REF:\s+)(\S+)(\s+# Automated:.*)'
           REF: ${{ steps.system-test-ref.outputs.commit }}
 
+      - run: .github/scripts/update_reference.sh
+        env:
+          TARGET: ".github/workflows/system-tests-official.yml"
+          PATTERN: '(system-tests.yml@)(\S+)(\s+# Automated:.*)'
+          REF: ${{ steps.system-test-ref.outputs.commit }}
+
+      - run: .github/scripts/update_reference.sh
+        env:
+          TARGET: ".github/workflows/system-tests-official.yml"
+          PATTERN: '(\s+ref: )(\S+)(\s+# Automated:.*)'
+          REF: ${{ steps.system-test-ref.outputs.commit }}
+
       - run: git diff --color=always
 
       - name: Generate GitHub App Token