diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 3e1dfa98346a7..2d0cd02df7957 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -42,7 +42,7 @@ env:
 jobs:
 
   changes:
-    if: github.event_name == 'pull_request'
+    if: "${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'ci: assume ec') }}"
     uses: ./.github/workflows/changes.yml
     with:
       source: false
@@ -54,13 +54,13 @@ jobs:
     runs-on: ubuntu-24.04-8core
     timeout-minutes: 45
     needs: changes
-    if: always() && (
+    if: "${{ always() && (
       github.event_name == 'schedule' ||
       github.event_name == 'workflow_dispatch' ||
       needs.changes.outputs.e2e-datadog-logs == 'true' ||
       needs.changes.outputs.e2e-datadog-metrics == 'true' ||
       needs.changes.outputs.e2e-opentelemetry-logs == 'true'
-      )
+      ) && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci: assume ec')) }}"
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
@@ -74,8 +74,9 @@ jobs:
         if: github.event_name == 'pull_request'
         env:
           GH_APP_DATADOG_VECTOR_CI_APP_ID: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+          ASSUME_EC: "${{ contains(github.event.pull_request.labels.*.name, 'ci: assume ec') }}"
         run: |
-          if [[ "$GH_APP_DATADOG_VECTOR_CI_APP_ID" != "" ]] ; then
+          if [[ "$GH_APP_DATADOG_VECTOR_CI_APP_ID" != "" && "$ASSUME_EC" != "true" ]] ; then
             echo "PR_HAS_ACCESS_TO_SECRETS=true" >> "$GITHUB_ENV"
           else
             echo "PR_HAS_ACCESS_TO_SECRETS=false" >> "$GITHUB_ENV"
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 5d46c5c1db0ab..5c1185e0afd5f 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -35,7 +35,7 @@ env:
 
 jobs:
   changes:
-    if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
+    if: "${{ (github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'ci: assume ec')) || github.event_name == 'merge_group' }}"
     uses: ./.github/workflows/changes.yml
     with:
       source: true
@@ -53,8 +53,9 @@ jobs:
         id: secret_check
         env:
           GH_APP_DATADOG_VECTOR_CI_APP_ID: ${{ secrets.GH_APP_DATADOG_VECTOR_CI_APP_ID }}
+          ASSUME_EC: "${{ contains(github.event.pull_request.labels.*.name, 'ci: assume ec') }}"
         run: |
-          if [[ "$GH_APP_DATADOG_VECTOR_CI_APP_ID" != "" ]]; then
+          if [[ "$GH_APP_DATADOG_VECTOR_CI_APP_ID" != "" && "$ASSUME_EC" != "true" ]]; then
             echo "can_access_secrets=true" >> $GITHUB_OUTPUT
           else
             echo "can_access_secrets=false" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/k8s_e2e.yml b/.github/workflows/k8s_e2e.yml
index 7165bf63d5ce8..52a3dee032919 100644
--- a/.github/workflows/k8s_e2e.yml
+++ b/.github/workflows/k8s_e2e.yml
@@ -51,7 +51,7 @@ env:
 jobs:
   changes:
     # Only evaluate files changed on pull request trigger
-    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    if: "${{ (github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'ci: assume ec')) || github.event_name == 'merge_group' }}"
     uses: ./.github/workflows/changes.yml
     secrets: inherit
 
@@ -61,7 +61,7 @@ jobs:
     timeout-minutes: 45
     needs: changes
     # Run this job even if `changes` job is skipped
-    if: ${{ !failure() && !cancelled() && needs.changes.outputs.website_only != 'true' && needs.changes.outputs.k8s != 'false' }}
+    if: "${{ !failure() && !cancelled() && needs.changes.outputs.website_only != 'true' && needs.changes.outputs.k8s != 'false' && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci: assume ec')) }}"
     # cargo-deb requires a release build, but we don't need optimizations for tests
     env:
       CARGO_PROFILE_RELEASE_OPT_LEVEL: 0
@@ -125,7 +125,7 @@ jobs:
     timeout-minutes: 5
     needs: changes
     # Run this job even if `changes` job is skipped
-    if: ${{ !failure() && !cancelled() && needs.changes.outputs.website_only != 'true' && needs.changes.outputs.k8s != 'false' }}
+    if: "${{ !failure() && !cancelled() && needs.changes.outputs.website_only != 'true' && needs.changes.outputs.k8s != 'false' && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci: assume ec')) }}"
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
@@ -182,7 +182,7 @@ jobs:
       - build-x86_64-unknown-linux-gnu
       - compute-k8s-test-plan
     # because `changes` job might be skipped
-    if: always() && needs.build-x86_64-unknown-linux-gnu.result == 'success' && needs.compute-k8s-test-plan.result == 'success'
+    if: "${{ always() && needs.build-x86_64-unknown-linux-gnu.result == 'success' && needs.compute-k8s-test-plan.result == 'success' && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci: assume ec')) }}"
     strategy:
       matrix: ${{ fromJson(needs.compute-k8s-test-plan.outputs.matrix) }}
       fail-fast: false
@@ -243,7 +243,7 @@ jobs:
       - build-x86_64-unknown-linux-gnu
       - compute-k8s-test-plan
       - test-e2e-kubernetes
-    if: always()
+    if: "${{ always() && (github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci: assume ec')) }}"
     env:
       FAILED: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
     steps:
diff --git a/Cargo.toml b/Cargo.toml
index dfa2ca290975d..d9f34157947a1 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1104,3 +1104,5 @@ name = "codecs"
 path = "benches/codecs/main.rs"
 harness = false
 required-features = ["codecs-benches"]
+
+# Hi