Merge branch 'main' into fix-udp-workflow

Author: jj22ee

.github/workflows/owasp.yml renamed to .github/workflows/daily-scan.yml

@@ -0,0 +1,120 @@
+name: Post Release - Prepare Main for Next Development Cycle
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version number (e.g., 1.0.1)'
+        required: true
+
+env:
+  AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  check-version:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v2
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Extract Major.Minor Version and setup Env variable
+        run: |
+          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+
+      - name: Get current major.minor version from main branch
+        id: get_version
+        run: |
+          CURRENT_VERSION=$(grep '__version__' aws-opentelemetry-distro/src/amazon/opentelemetry/distro/version.py | sed -E 's/__version__ = "([0-9]+\.[0-9]+)\.[0-9]+.*"/\1/')
+          echo "CURRENT_MAJOR_MINOR_VERSION=$CURRENT_VERSION" >> $GITHUB_ENV
+
+      - name: Set major and minor for current version
+        run: |
+          echo "CURRENT_MAJOR=$(echo $CURRENT_MAJOR_MINOR_VERSION | cut -d. -f1)" >> $GITHUB_ENV
+          echo "CURRENT_MINOR=$(echo $CURRENT_MAJOR_MINOR_VERSION | cut -d. -f2)" >> $GITHUB_ENV
+
+      - name: Set major and minor for input version
+        run: |
+          echo "INPUT_MAJOR=$(echo $MAJOR_MINOR | cut -d. -f1)" >> $GITHUB_ENV
+          echo "INPUT_MINOR=$(echo $MAJOR_MINOR | cut -d. -f2)" >> $GITHUB_ENV
+
+      - name: Compare major.minor version and skip if behind
+        run: |
+          if [ "$CURRENT_MAJOR" -gt "$INPUT_MAJOR" ] || { [ "$CURRENT_MAJOR" -eq "$INPUT_MAJOR" ] && [ "$CURRENT_MINOR" -gt "$INPUT_MINOR" ]; }; then
+            echo "Input version is behind main's current major.minor version, don't need to update major version"
+            exit 1
+          fi
+  
+
+  prepare-main:
+    runs-on: ubuntu-latest
+    needs: check-version
+    steps:
+      - name: Configure AWS credentials for BOT secrets
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRETS_MANAGER }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Get Bot secrets
+        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        id: bot_secrets
+        with:
+          secret-ids: |
+            BOT_TOKEN ,${{ secrets.BOT_TOKEN_SECRET_ARN }}
+          parse-json-secrets: true
+
+      - name: Setup Git
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+          token: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions"
+          git config user.email "[email protected]"
+
+      - name: Extract Major.Minor Version and setup Env variable
+        run: |
+          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+
+      - name: Determine release branch and checkout
+        run: |
+          RELEASE_BRANCH="release/v${MAJOR_MINOR}.x"
+          git fetch origin $RELEASE_BRANCH
+          git checkout -b "prepare-main-for-next-dev-cycle-${VERSION}" origin/$RELEASE_BRANCH
+
+      - name: Update version to next development version in main
+        run: |
+          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          sed -i'' -e "s/val adotVersion = \".*\"/val adotVersion = \"${DEV_VERSION}\"/" version.gradle.kts
+          VERSION="${{ github.event.inputs.version }}"
+          sed -i'' -e 's/adot-autoinstrumentation-java:v2.*"/adot-autoinstrumentation-java:v'$VERSION'"/' .github/workflows/daily-scan.yml
+          git add version.gradle.kts
+          git add .github/workflows/daily-scan.yml
+          git commit -m "Prepare main for next development cycle: Update version to $DEV_VERSION"
+          git push --set-upstream origin "prepare-main-for-next-dev-cycle-${VERSION}"
+
+      - name: Create Pull Request to main
+        env:
+          GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
+        run: |
+          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
+                       --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
+          
+          This PR should only be merge when release for version v$VERSION is success.
+          
+          By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
+                       --head prepare-main-for-next-dev-cycle-${VERSION} \
+                       --base main

.github/workflows/post-release-version-bump.yml

@@ -0,0 +1,106 @@
+name: Pre Release Prepare - Update Version and Create PR
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version number (e.g., 1.0.1)'
+        required: true
+      is_patch:
+        description: 'Is this a patch? (true or false)'
+        required: true
+        default: 'false'
+
+env:
+  AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
+
+jobs:
+  update-version-and-create-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS credentials for BOT secrets
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRETS_MANAGER }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Get Bot secrets
+        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        id: bot_secrets
+        with:
+          secret-ids: |
+            BOT_TOKEN ,${{ secrets.BOT_TOKEN_SECRET_ARN }}
+          parse-json-secrets: true
+
+      - name: Checkout main branch
+        uses: actions/checkout@v3
+        with:
+          ref: 'main'
+          token: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
+
+      - name: Setup Git
+        run: |
+          git config user.name "github-actions"
+          git config user.email "[email protected]"
+
+      - name: Extract Major.Minor Version and setup Env variable
+        run: |
+          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+
+      - name: Create branches
+        run: |
+          IS_PATCH=${{ github.event.inputs.is_patch }}
+          if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
+            echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
+            exit 1
+          fi
+          
+          
+          if git ls-remote --heads origin release/v${MAJOR_MINOR}.x | grep -q "release/v${MAJOR_MINOR}.x"; then
+            if [ "$IS_PATCH" = "true" ]; then
+              git fetch origin release/v${MAJOR_MINOR}.x
+              echo "Branch release/v${MAJOR_MINOR}.x already exists, checking out."
+              git checkout "release/v${MAJOR_MINOR}.x"
+            else 
+              echo "Error, release series branch release/v${MAJOR_MINOR}.x exist for non-patch release"
+              echo "Check your input or branch"
+              exit 1
+            fi
+          else
+            if [ "$IS_PATCH" = "true" ]; then
+              echo "Error, release series branch release/v${MAJOR_MINOR}.x NOT exist for patch release"
+              echo "Check your input or branch"
+              exit 1
+            else 
+              echo "Creating branch release/v${MAJOR_MINOR}.x."
+              git checkout -b "release/v${MAJOR_MINOR}.x"
+              git push origin "release/v${MAJOR_MINOR}.x"
+            fi
+          fi
+          
+          git checkout -b "v${VERSION}_release"
+          git push origin "v${VERSION}_release"
+
+      - name: Update version in file
+        run: |
+          sed -i'' -e "s/val adotVersion = \".*\"/val adotVersion = \"${VERSION}\"/" version.gradle.kts
+          git commit -am "Update version to ${VERSION}"
+          git push origin "v${VERSION}_release"
+
+      - name: Create pull request against the release branch
+        env:
+          GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
+        run: |
+          gh pr create --title "Pre-release: Update version to ${VERSION}" \
+                       --body "This PR updates the version to ${VERSION}.
+          
+          By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
+                       --head v${{ github.event.inputs.version }}_release \
+                       --base release/v${MAJOR_MINOR}.x

.github/workflows/pre-release-prepare.yml

@@ -37,6 +37,8 @@ nebulaRelease {
   addReleaseBranchPattern("""v\d+\.\d+\.x""")
 }
 
+apply(from = "version.gradle.kts")
+
 nexusPublishing {
   repositories {
     sonatype {
@@ -71,7 +73,7 @@ allprojects {
       ktlint("1.4.0").editorConfigOverride(mapOf("indent_size" to "2", "continuation_indent_size" to "2"))
 
       // Doesn't support pluginManagement block
-      targetExclude("settings.gradle.kts")
+      targetExclude("settings.gradle.kts", "version.gradle.kts")
 
       if (!project.path.startsWith(":sample-apps:")) {
         licenseHeaderFile("${rootProject.projectDir}/config/license/header.java", "plugins|include|import")

build.gradle.kts

@@ -40,9 +40,10 @@ val dependencyBoms = listOf(
   "com.google.protobuf:protobuf-bom:3.25.1",
   "com.linecorp.armeria:armeria-bom:1.26.4",
   "io.grpc:grpc-bom:1.59.1",
-  // netty-bom is a fix for CVE-2025-55163 (https://github.com/advisories/GHSA-prj3-ccx8-p6x4).
-  // Remove once https://github.com/aws/aws-sdk-java-v2/pull/6344 is released.
-  "io.netty:netty-bom:4.1.124.Final",
+  // netty-bom is a fix for CVE-2025-58056 (https://github.com/advisories/GHSA-fghv-69vj-qj49).
+  // Remove once https://github.com/aws/aws-sdk-java-v2/pull/6398 and https://github.com/aws/aws-sdk-java/pull/3192
+  // are both merged and released, and we update the corresponding dependencies.
+  "io.netty:netty-bom:4.1.126.Final",
   "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
   "org.apache.logging.log4j:log4j-bom:2.21.1",
   "org.junit:junit-bom:5.10.1",

dependencyManagement/build.gradle.kts

@@ -4,13 +4,20 @@ set -e
 SOURCEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 
 
+## Get ADOT version
+echo "Info: Getting ADOT Version"
+pushd "$SOURCEDIR"/..
+version=$(./gradlew -q printVersion)
+echo "Found ADOT Version: ${version}"
+popd
+
 ## Get OTel version
 echo "Info: Getting OTEL Version"
 file="$SOURCEDIR/../.github/patches/versions"
-version=$(awk -F'=v' '/OTEL_JAVA_INSTRUMENTATION_VERSION/ {print $2}' "$file")
-echo "Found OTEL Version: ${version}"
+otel_instrumentation_version=$(awk -F'=v' '/OTEL_JAVA_INSTRUMENTATION_VERSION/ {print $2}' "$file")
+echo "Found OTEL Version: ${otel_instrumentation_version}"
 # Exit if the version is empty or null
-if [[ -z "$version" ]]; then
+if [[ -z "$otel_instrumentation_version" ]]; then
   echo "Error: Version could not be found in ${file}."
   exit 1
 fi
@@ -20,7 +27,7 @@ fi
 echo "Info: Cloning and Patching OpenTelemetry Java Instrumentation Repository"
 git clone https://github.com/open-telemetry/opentelemetry-java-instrumentation.git
 pushd opentelemetry-java-instrumentation
-git checkout v${version} -b tag-v${version}
+git checkout v${otel_instrumentation_version} -b tag-v${otel_instrumentation_version}
 
 # This patch is for Lambda related context propagation
 patch -p1 < "$SOURCEDIR"/patches/opentelemetry-java-instrumentation.patch
@@ -56,7 +63,7 @@ popd
 
 ## Build ADOT Lambda Java SDK Layer Code
 echo "Info: Building ADOT Lambda Java SDK Layer Code"
-./gradlew build -PotelVersion=${version}
+./gradlew build -PotelVersion=${otel_instrumentation_version} -Pversion=${version}
 
 
 ## Copy ADOT Java Agent downloaded using Gradle task and bundle it with the Lambda handler script

lambda-layer/build-layer.sh

@@ -27,6 +27,7 @@ val javaagentDependency by configurations.creating {
   extendsFrom()
 }
 
+val version: String by project
 val otelVersion: String by project
 
 dependencies {
@@ -35,7 +36,7 @@ dependencies {
   // Already included in wrapper so compileOnly
   compileOnly("io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi")
   compileOnly("io.opentelemetry:opentelemetry-sdk-extension-aws")
-  javaagentDependency("software.amazon.opentelemetry:aws-opentelemetry-agent:$otelVersion-adot-lambda1")
+  javaagentDependency("software.amazon.opentelemetry:aws-opentelemetry-agent:$version-adot-lambda1")
 }
 
 tasks.register<Copy>("download") {

lambda-layer/build.gradle.kts

@@ -0,0 +1,24 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+val adotVersion = "2.18.0-dev0"
+
+allprojects {
+  version = if (project.hasProperty("release.version")) {
+    project.property("release.version") as String
+  } else {
+    adotVersion
+  }
+}