Sync with all changes in 6ea0ae3

Author: jj22ee

.github/actions/cpUtility-testing/action.yml

@@ -25,28 +25,28 @@ runs:
   using: "composite"
   steps:
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #3.6.0
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
       with:
         driver-opts: image=moby/buildkit:v0.15.1
 
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
       with:
         role-to-assume: ${{ inputs.snapshot-ecr-role }}
         aws-region: ${{ inputs.aws-region }}
 
     - name: Login to private staging ecr
-      uses: docker/login-action@v3
+      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 #v3.5.0
       with:
         registry: ${{ inputs.image_registry }}
       env:
         AWS_REGION: ${{ inputs.aws-region }}
 
     - name: Build image for testing
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
       with:
         push: false
         build-args: "ADOT_JAVA_VERSION=${{ inputs.adot-java-version }}"
@@ -60,7 +60,7 @@ runs:
       run: .github/scripts/test-adot-javaagent-image.sh "${{ inputs.image_uri_with_tag }}" "${{ inputs.adot-java-version }}"
 
     - name: Build and push image
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
       with:
         push: true
         build-args: "ADOT_JAVA_VERSION=${{ inputs.adot-java-version }}"

.github/actions/image_scan/action.yml

@@ -11,6 +11,11 @@ inputs:
   severity:
     required: true
     description: "List of severities that will cause a failure"
+  logout:
+    required: true
+    description: |
+      Whether to logout of public AWS ECR. Set to 'true' for PR workflows to avoid potential call failures,
+      'false' for daily scans which has a higher bar for passing regularly and specifically wants to sign in.
 
 runs:
   using: "composite"
@@ -22,11 +27,12 @@ runs:
     # ensure we can make unauthenticated call. This is important for making the pr_build workflow run on
     # PRs created from forked repos.
     - name: Logout of public AWS ECR
+      if: inputs.logout == 'true'
       shell: bash
       run: docker logout public.ecr.aws
 
     - name: Run Trivy vulnerability scanner on image
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1
       with:
         image-ref: ${{ inputs.image-ref }}
         severity: ${{ inputs.severity }}

.github/actions/patch-dependencies/action.yml

@@ -60,21 +60,22 @@ runs:
     - name: Clone and patch repositories
       run: .github/scripts/patch.sh
       if: ${{ env.patch_otel_java == 'true' ||
-              env.patch_otel_java_contrib == 'true' }}
+              env.patch_otel_java_contrib == 'true' ||
+              env.patch_otel_java_instrumentation == 'true' }}
       shell: bash
 
     - name: Build opentelemetry-java with tests
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa #v2
       if: ${{ env.patch_otel_java == 'true' && inputs.run_tests != 'false' }}
       with:
-        arguments: build publishToMavenLocal
+        arguments: build publishToMavenLocal --scan --no-daemon
         build-root-directory: opentelemetry-java
 
     - name: Build opentelemetry-java
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa #v2
       if: ${{ env.patch_otel_java == 'true' && inputs.run_tests == 'false' }}
       with:
-        arguments: publishToMavenLocal
+        arguments: publishToMavenLocal --scan --no-daemon
         build-root-directory: opentelemetry-java
 
     - name: cleanup opentelemetry-java
@@ -83,17 +84,17 @@ runs:
       shell: bash
 
     - name: Build opentelemetry-java-contrib with tests
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa #v2
       if: ${{ env.patch_otel_java_contrib == 'true' && inputs.run_tests != 'false' }}
       with:
-        arguments: build publishToMavenLocal
+        arguments: build publishToMavenLocal --scan --no-daemon
         build-root-directory: opentelemetry-java-contrib
 
     - name: Build opentelemetry-java-contrib
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa #v2
       if: ${{ env.patch_otel_java_contrib == 'true' && inputs.run_tests == 'false' }}
       with:
-        arguments: publishToMavenLocal
+        arguments: publishToMavenLocal --scan --no-daemon
         build-root-directory: opentelemetry-java-contrib
 
     - name: cleanup opentelemetry-java-contrib
@@ -102,20 +103,20 @@ runs:
       shell: bash
 
     - name: Build opentelemetry-java-instrumentation with tests
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa #v2
       if: ${{ env.patch_otel_java_instrumentation == 'true' && inputs.run_tests != 'false' }}
       with:
-        arguments: check -x spotlessCheck publishToMavenLocal
+        arguments: check -x spotlessCheck publishToMavenLocal --scan --no-daemon
         build-root-directory: opentelemetry-java-instrumentation
 
     - name: Build opentelemetry java instrumentation
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa #v2
       if: ${{ env.patch_otel_java_instrumentation == 'true' && inputs.run_tests == 'false' }}
       with:
-        arguments: publishToMavenLocal
+        arguments: publishToMavenLocal --scan --no-daemon
         build-root-directory: opentelemetry-java-instrumentation
 
     - name: cleanup opentelmetry-java-instrumentation
       run: rm -rf opentelemetry-java-instrumentation
       if: ${{ env.patch_otel_java_instrumentation == 'true' }}
-      shell: bash
+      shell: bash