Merge branch 'master' into nayeem-kamal/boomi-fix

Author: nayeem-kamal

.github/CODEOWNERS

@@ -13,7 +13,19 @@
 /.gitlab-ci.yml                        @DataDog/apm-release-platform
 
 # @DataDog/apm-sdk-api-java
-/dd-trace-ot/                          @DataDog/apm-sdk-api-java
+/dd-java-agent/agent-otel                                       @DataDog/apm-sdk-api-java
+/dd-smoke-tests/sample-trace                                    @DataDog/apm-sdk-api-java
+/dd-trace-core/src/main/java/datadog/trace/core/baggage         @DataDog/apm-sdk-api-java
+/dd-trace-core/src/test/groovy/datadog/trace/core/baggage       @DataDog/apm-sdk-api-java
+/dd-trace-core/src/main/java/datadog/trace/core/propagation     @DataDog/apm-sdk-api-java
+/dd-trace-core/src/test/groovy/datadog/trace/core/propagation   @DataDog/apm-sdk-api-java
+/dd-trace-core/src/main/java/datadog/trace/core/scopemanager    @DataDog/apm-sdk-api-java
+/dd-trace-core/src/test/groovy/datadog/trace/core/scopemanager  @DataDog/apm-sdk-api-java
+/dd-trace-ot/                                                   @DataDog/apm-sdk-api-java
+/internal-api/src/main/java/datadog/trace/bootstrap             @DataDog/apm-sdk-api-java
+/internal-api/src/test/groovy/datadog/trace/bootstrap           @DataDog/apm-sdk-api-java
+/internal-api/src/main/java/datadog/trace/api/sampling          @DataDog/apm-sdk-api-java
+/internal-api/src/test/groovy/datadog/trace/api/sampling        @DataDog/apm-sdk-api-java
 
 # @DataDog/apm-serverless
 /dd-trace-core/src/main/java/datadog/trace/lambda/ @DataDog/apm-serverless

.github/chainguard/self.gitlab.release.sts.yaml

@@ -0,0 +1,11 @@
+issuer: https://gitlab.ddbuild.io
+
+subject_pattern: "project_path:DataDog/apm-reliability/dd-trace-java:ref_type:tag:ref:v.*"
+
+claim_pattern:
+  project_path: "DataDog/apm-reliability/dd-trace-java"
+  ref_type: "tag"
+  ref: "v.*"
+
+permissions:
+  contents: "write"

.github/chainguard/self.update-docker-build-image.create-pr.sts.yaml

@@ -0,0 +1,13 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/heads/master
+
+claim_pattern:
+  event_name: (schedule|workflow_dispatch)
+  ref: refs/heads/master
+  ref_protected: "true"
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/update-docker-build-image\.yaml@refs/heads/master
+
+permissions:
+  contents: write
+  pull_requests: write

.github/chainguard/self.update-gradle-dependencies.create-pr.sts.yaml

@@ -0,0 +1,13 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/heads/master
+
+claim_pattern:
+  event_name: (schedule|workflow_dispatch)
+  ref: refs/heads/master
+  ref_protected: "true"
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/update-gradle-dependencies\.yaml@refs/heads/master
+
+permissions:
+  contents: write
+  pull_requests: write

.github/chainguard/self.update-jmxfetch-submodule.create-pr.sts.yaml

@@ -0,0 +1,13 @@
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dd-trace-java:ref:refs/heads/master
+
+claim_pattern:
+  event_name: (schedule|workflow_dispatch)
+  ref: refs/heads/master
+  ref_protected: "true"
+  job_workflow_ref: DataDog/dd-trace-java/\.github/workflows/update-jmxfetch-submodule\.yaml@refs/heads/master
+
+permissions:
+  contents: write
+  pull_requests: write

.github/workflows/README.md

@@ -130,6 +130,14 @@ _Action:_ Build the Java Client Library and runs [the system tests](https://gith
 
 _Recovery:_ Manually trigger the action on the desired branch.
 
+### update-jmxfetch-submodule [🔗](update-jmxfetch-submodule.yaml)
+
+_Trigger:_ Monthly or manually
+
+_Action:_ Creates a PR updating the git submodule at dd-java-agent/agent-jmxfetch/integrations-core
+
+_Recovery:_ Manually trigger the action again.
+
 ## Maintenance
 
 GitHub actions should be part of the [repository allowed actions to run](https://github.com/DataDog/dd-trace-java/settings/actions).

.github/workflows/add-milestone-to-pull-requests.yaml

@@ -17,6 +17,8 @@ jobs:
       - name: Add milestone to merged pull requests
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # 7.0.1
         with:
+          retries: 3
+          retry-exempt-status-codes: 400,401
           script: |
             // Get project milestones
             const response = await github.rest.issues.listMilestones({

.github/workflows/add-release-to-cloudfoundry.yaml

@@ -43,7 +43,7 @@ jobs:
         run: |
           echo "${{ steps.get-release-version.outputs.VERSION }}: ${{ steps.get-release-url.outputs.URL }}" >> index.yml
       - name: Commit and push changes
-        uses: planetscale/ghcommit-action@6a383e778f6620afde4bf4b45069d3c6983c1ae2 # v0.2.15
+        uses: planetscale/ghcommit-action@322be9669498a4be9ce66efc1169f8f43f6bd883 # v0.2.17
         with:
           commit_message: "chore: Add version ${{ steps.get-release-version.outputs.VERSION }} to Cloud Foundry"
           repo: ${{ github.repository }}

.github/workflows/analyze-changes.yaml

@@ -40,14 +40,14 @@ jobs:
             ${{ runner.os }}-gradle-
         
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
         with:
           languages: 'java'
           build-mode: 'manual'
 
       - name: Build dd-trace-java for creating the CodeQL database
         run: |
-          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G'" \
+          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx3G -Xms2G'" \
           JAVA_HOME=$JAVA_HOME_8_X64 \
           JAVA_8_HOME=$JAVA_HOME_8_X64 \
           JAVA_11_HOME=$JAVA_HOME_11_X64 \
@@ -57,7 +57,7 @@ jobs:
             --build-cache --parallel --stacktrace --no-daemon --max-workers=4
 
       - name: Perform CodeQL Analysis and upload results to GitHub Security tab
-        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
 
   trivy:
     name: Analyze changes with Trivy
@@ -93,7 +93,7 @@ jobs:
 
       - name: Build and publish artifacts locally
         run: |
-          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx2G -Xms2G'" \
+          GRADLE_OPTS="-Dorg.gradle.jvmargs='-Xmx3G -Xms2G'" \
           JAVA_HOME=$JAVA_HOME_8_X64 \
           JAVA_8_HOME=$JAVA_HOME_8_X64 \
           JAVA_11_HOME=$JAVA_HOME_11_X64 \
@@ -122,7 +122,7 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/update-docker-build-image.yaml

@@ -3,21 +3,27 @@ name: Update Docker Build Image
 on:
   schedule:
     # A day after creating the tag from https://github.com/DataDog/dd-trace-java-docker-build/blob/master/.github/workflows/docker-tag.yml
-    - cron: '0 0 1 2,5,8,11 *'
+    - cron: "0 0 1 2,5,8,11 *"
   workflow_dispatch:
     inputs:
       tag:
-        description: 'The tag to use for the Docker build image'
+        description: "The tag to use for the Docker build image"
         required: true
-        default: 'vYY.MM'
-    
+        default: "vYY.MM"
+
 jobs:
   update-docker-build-image:
     runs-on: ubuntu-latest
     permissions:
-      contents: write # Required to commit and push changes to a new branch
-      pull-requests: write # Required to create a pull request
+      contents: write # Required to create and push branch
+      id-token: write # Required for OIDC token federation
     steps:
+      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        id: octo-sts
+        with:
+          scope: DataDog/dd-trace-java
+          policy: self.update-docker-build-image.create-pr
+
       - name: Checkout the repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Download ghcommit CLI
@@ -52,15 +58,15 @@ jobs:
           echo "::notice::Using Docker build image tag: ${TAG}"
       - name: Update the Docker build image in GitLab CI config
         run: |
-          sed -i '' -E 's|(BUILDER_IMAGE_VERSION_PREFIX:)[^#]*([#].*)|\1 "${{ steps.define-tag.outputs.tag }}-" \2|' .gitlab-ci.yml
+          sed -i -E 's|(BUILDER_IMAGE_VERSION_PREFIX:)[^#]*([#].*)|\1 "${{ steps.define-tag.outputs.tag }}-" \2|' .gitlab-ci.yml
       - name: Commit and push changes
         env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
           ghcommit --repository ${{ github.repository }} --branch ${{ steps.define-branch.outputs.branch }} --add .gitlab-ci.yml --message "feat(ci): Update Docker build image"
       - name: Create pull request
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         run: |
           gh pr create --title "Update Docker build image" \
             --base master \