diff --git a/.github/chainguard/self.github.release.push-tags.sts.yaml b/.github/chainguard/self.github.release.push-tags.sts.yaml
new file mode 100644
index 0000000..e807440
--- /dev/null
+++ b/.github/chainguard/self.github.release.push-tags.sts.yaml
@@ -0,0 +1,12 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/libdatadog-nodejs:environment:npm
+
+claim_pattern:
+  event_name: push
+  job_workflow_ref: DataDog/libdatadog-nodejs/\.github/workflows/release\.yml@refs/heads/v[0-9]+\.x
+  ref: refs/heads/v[0-9]+\.x
+  repository: DataDog/libdatadog-nodejs
+
+permissions:
+  contents: write
diff --git a/.github/dependabot.yml.disabled b/.github/dependabot.yml
similarity index 100%
rename from .github/dependabot.yml.disabled
rename to .github/dependabot.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6abf54..8cfd339 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,11 +36,18 @@ jobs:
     environment: npm
     permissions:
       id-token: write  # Required for OIDC
-      contents: write
+      contents: read
     outputs:
       pkgjson: ${{ steps.pkg.outputs.json }}
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/libdatadog-nodejs
+          policy: self.github.release.push-tags
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false # drop GITHUB_TOKEN so the dd-octo-sts token is used for the tag push
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: prebuilds
@@ -57,4 +64,4 @@ jobs:
           echo "json=$content" >> $GITHUB_OUTPUT
       - run: |
           git tag v${{ fromJson(steps.pkg.outputs.json).version }}
-          git push origin v${{ fromJson(steps.pkg.outputs.json).version }}
+          git push https://x-access-token:${{ steps.octo-sts.outputs.token }}@github.com/${{ github.repository }}.git v${{ fromJson(steps.pkg.outputs.json).version }}
diff --git a/Cargo.lock b/Cargo.lock
index afac19e..a8d1c7e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -811,17 +811,17 @@ dependencies = [
 
 [[package]]
 name = "libdd-library-config"
-version = "1.0.0"
-source = "git+https://github.com/DataDog/libdatadog.git?tag=v29.0.0#001bd56fcbba34fa4ec3f9798a6c4fbcddeffa40"
+version = "2.0.0"
+source = "git+https://github.com/DataDog/libdatadog.git?tag=v35.0.0#aa78483fba211c72ca3759c76318895f45e0184b"
 dependencies = [
  "anyhow",
+ "libc",
  "libdd-trace-protobuf",
  "memfd",
  "prost",
  "rand",
  "rmp",
  "rmp-serde",
- "rustix",
  "serde",
  "serde_yaml",
 ]
@@ -883,8 +883,8 @@ dependencies = [
 
 [[package]]
 name = "libdd-trace-protobuf"
-version = "1.1.0"
-source = "git+https://github.com/DataDog/libdatadog.git?tag=v29.0.0#001bd56fcbba34fa4ec3f9798a6c4fbcddeffa40"
+version = "3.0.2"
+source = "git+https://github.com/DataDog/libdatadog.git?tag=v35.0.0#aa78483fba211c72ca3759c76318895f45e0184b"
 dependencies = [
  "prost",
  "serde",
diff --git a/crates/process_discovery/Cargo.toml b/crates/process_discovery/Cargo.toml
index 30f94b4..4aa80ce 100644
--- a/crates/process_discovery/Cargo.toml
+++ b/crates/process_discovery/Cargo.toml
@@ -8,7 +8,7 @@ crate-type = ["cdylib", "rlib"]
 
 [dependencies]
 anyhow = "1"
-libdd-library-config = { git = "https://github.com/DataDog/libdatadog.git", tag = "v29.0.0" }
+libdd-library-config = { git = "https://github.com/DataDog/libdatadog.git", tag = "v35.0.0", features = ["otel-thread-ctx"] }
 
 napi = { version = "2" }
 napi-derive = { version = "2", default-features = false }
diff --git a/crates/process_discovery/src/lib.rs b/crates/process_discovery/src/lib.rs
index 3649959..3bf3516 100644
--- a/crates/process_discovery/src/lib.rs
+++ b/crates/process_discovery/src/lib.rs
@@ -21,6 +21,16 @@ pub struct TracerMetadata {
     pub service_version: Option<String>,
     pub process_tags: Option<String>,
     pub container_id: Option<String>,
+    /// Ordered list of attribute key names for thread-level OTEP-4947
+    /// context records. Key indices on the wire index into this list.
+    /// libdatadog's OTel process-context conversion prepends the
+    /// implicit `datadog.local_root_span_id` entry at wire index 0, so
+    /// callers should only set their additional keys here — entry 0 in
+    /// this list corresponds to wire key index 1.
+    ///
+    /// `null`/omitted (the default) disables the thread-context-related
+    /// attributes in the OTel process context entirely.
+    pub threadlocal_attribute_keys: Option<Vec<String>>,
 }
 
 #[napi]
@@ -36,6 +46,7 @@ pub fn store_metadata(data: &TracerMetadata) -> napi::Result<NapiAnonymousFileHa
         service_version: data.service_version.clone(),
         process_tags: data.process_tags.clone(),
         container_id: data.container_id.clone(),
+        threadlocal_attribute_keys: data.threadlocal_attribute_keys.clone(),
     });
 
     match res {
diff --git a/package.json b/package.json
index b8841cf..a974a2d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@datadog/libdatadog",
-  "version": "0.9.4",
+  "version": "0.10.0",
   "description": "Node.js binding for libdatadog",
   "main": "index.js",
   "scripts": {
diff --git a/test/process-discovery.js b/test/process-discovery.js
index a841d0f..ef66b84 100644
--- a/test/process-discovery.js
+++ b/test/process-discovery.js
@@ -22,6 +22,27 @@ const metadata = new process_discovery.TracerMetadata(
 const cfg_handle = process_discovery.storeMetadata(metadata)
 assert(cfg_handle !== undefined)
 
+// Same shape, plus a thread-local attribute key map (OTEP-4947). libdatadog
+// implicitly prepends `datadog.local_root_span_id` at wire index 0; entries
+// here start at wire index 1.
+const metadata_with_threadlocal = new process_discovery.TracerMetadata(
+  '7938685c-19dd-490f-b9b3-8aae4c22f898',
+  '1.0.0',
+  'my_hostname',
+  'my_svc',
+  'my_env',
+  'my_version',
+  undefined,
+  undefined,
+  ['endpoint', 'http.status'],
+)
+assert.deepStrictEqual(
+  metadata_with_threadlocal.threadlocalAttributeKeys,
+  ['endpoint', 'http.status'],
+)
+const cfg_handle_threadlocal = process_discovery.storeMetadata(metadata_with_threadlocal)
+assert(cfg_handle_threadlocal !== undefined)
+
 if (process.platform === 'linux') {
   const contains_datadog_memfd = (fds) => {
     for (const fd in fds) {