Company
Date Published
Author
Trishank Karthik Kuppusamy
Word count
1188
Language
English
Hacker News points
12

Summary

The Datadog team has developed a system that lets developers release new, trustworthy Datadog Agent integrations on demand without placing complete trust in automation. The system combines The Update Framework (TUF) and in-toto to provide end-to-end security, protecting the authenticity and integrity of Agent integrations from the moment developers sign them to the point at which end users install them. The supply chain is defined with in-toto as a series of steps, each of which must produce signed metadata recording the input it received and the output it produced, so that tampering with any step in the supply chain is prevented and the system offers meaningful security guarantees. TUF is used to securely distribute and revoke the public keys that verify the supply chain, which keeps the system compromise-resilient. Finally, developers sign integrations with hardware keys (YubiKeys), which are trusted devices that support on-card generation and storage of GPG signing keys.