aws-observability
diff --git a/‎.github/actions/image_scan/action.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/actions/image_scan/action.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/application-signals-e2e-test.yml‎
Lines changed: 17 additions & 1 deletion b/‎.github/workflows/application-signals-e2e-test.yml‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/docker-build-corretto-slim.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/docker-build-corretto-slim.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/docker-build-smoke-tests-fake-backend.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docker-build-smoke-tests-fake-backend.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/e2e-tests-app-with-java-agent.yml‎
Lines changed: 20 additions & 20 deletions b/‎.github/workflows/e2e-tests-app-with-java-agent.yml‎
Lines changed: 20 additions & 20 deletions
diff --git a/‎.github/workflows/e2e-tests-with-operator.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/e2e-tests-with-operator.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/main-build.yml‎
Lines changed: 22 additions & 17 deletions b/‎.github/workflows/main-build.yml‎
Lines changed: 22 additions & 17 deletions
diff --git a/‎.github/workflows/nightly-upstream-snapshot-build.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/nightly-upstream-snapshot-build.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/owasp.yml‎
Lines changed: 23 additions & 6 deletions b/‎.github/workflows/owasp.yml‎
Lines changed: 23 additions & 6 deletions
@@ -11,6 +11,11 @@ inputs:
   severity:
     required: true
     description: "List of severities that will cause a failure"
+  logout:
+    required: true
+    description: |
+      Whether to logout of public AWS ECR. Set to 'true' for PR workflows to avoid potential call failures,
+      'false' for daily scans which has a higher bar for passing regularly and specifically wants to sign in.
 
 runs:
   using: "composite"
@@ -22,6 +27,7 @@ runs:
     # ensure we can make unauthenticated call. This is important for making the pr_build workflow run on
     # PRs created from forked repos.
     - name: Logout of public AWS ECR
+      if: inputs.logout == 'true'
       shell: bash
       run: docker logout public.ecr.aws
 
 
@@ -31,7 +31,7 @@ jobs:
           role-to-assume: arn:aws:iam::${{ secrets.APPLICATION_SIGNALS_E2E_TEST_ACCOUNT_ID }}:role/${{ secrets.APPLICATION_SIGNALS_E2E_TEST_ROLE_NAME }}
           aws-region: us-east-1
 
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v5
         with:
           name: aws-opentelemetry-agent.jar
 
@@ -245,3 +245,19 @@ jobs:
     with:
       aws-region: us-east-1
       caller-workflow-name: 'main-build'
+
+  # This validation is to ensure that all test workflows relevant to this repo are actually
+  # being used in this repo, which is referring to all the other jobs in this file.
+  #
+  # If this starts failing, then it most likely means that new e2e test workflow was
+  # added to `aws-observability/aws-application-signals-test-framework`, but was not
+  # added to this file. It could also mean that a test in this file has been removed.
+  #
+  # If a particular test file is intended to not be tested in this repo and should not
+  # be failing this particular validation, then choose one of the following options:
+  # - Add the test file to the exclusions input (CSV format) to the workflow
+  #   (see: https://github.com/aws-observability/aws-application-signals-test-framework/blob/main/.github/workflows/validate-e2e-tests-are-accounted-for.yml#L1)
+  # - Update the `validate-e2e-tests-are-accounted-for` job to change which "workflow files are expected to be used by this repo"
+  #   (see: https://github.com/aws-observability/aws-application-signals-test-framework/blob/main/.github/workflows/validate-e2e-tests-are-accounted-for.yml)
+  validate-all-tests-are-accounted-for:
+    uses: aws-observability/aws-application-signals-test-framework/.github/workflows/validate-e2e-tests-are-accounted-for.yml@main
@@ -23,7 +23,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
 
@@ -19,7 +19,7 @@ jobs:
   build-corretto:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: gradle/wrapper-validation-action@v1
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -36,7 +36,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Build docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           push: true
           context: scripts/docker/corretto-slim
 
@@ -20,7 +20,7 @@ jobs:
   build-docker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-java@v4
         with:
           java-version: 17
 
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Java Instrumentation repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -71,15 +71,15 @@ jobs:
         env:
           COMMIT_HASH: ${{ inputs.image_tag }}
 
-      - uses: codecov/codecov-action@v3
+      - uses: codecov/codecov-action@v5
 
   test_Spring_App_With_Java_Agent:
     name: Test Spring App with AWS OTel Java agent
     needs: [ build_Images_For_Testing_Sample_App_With_Java_Agent ]
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: actions/setup-java@v4
         with:
@@ -110,7 +110,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: actions/setup-java@v4
         with:
@@ -141,7 +141,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: actions/setup-java@v4
         with:
@@ -167,18 +167,18 @@ jobs:
           VALIDATOR_COMMAND: -c spark-otel-trace-metric-validation.yml --endpoint http://app:4567 --metric-namespace aws-otel-integ-test -t ${{ github.run_id }}-${{ github.run_number }}
 
   # publish status
-  publish-build-status:
-    needs: [ test_Spring_App_With_Java_Agent, test_Spark_App_With_Java_Agent, test_Spark_AWS_SDK_V1_App_With_Java_Agent ]
-    if: ${{ always() }}
-    uses: ./.github/workflows/publish-status.yml
-    with:
-      namespace: 'ADOT/GitHubActions'
-      repository: ${{ github.repository }}
-      branch: ${{ github.ref_name }}
-      workflow: ${{ inputs.caller-workflow-name }}
-      success: ${{  needs.test_Spring_App_With_Java_Agent.result == 'success'  &&
-                    needs.test_Spark_App_With_Java_Agent.result == 'success'  &&
-                    needs.test_Spark_AWS_SDK_V1_App_With_Java_Agent.result == 'success' }}
-      region: us-east-1
-    secrets:
-      roleArn: ${{ secrets.METRICS_ROLE_ARN }}
+  # publish-build-status:
+  #   needs: [ test_Spring_App_With_Java_Agent, test_Spark_App_With_Java_Agent, test_Spark_AWS_SDK_V1_App_With_Java_Agent ]
+  #   if: ${{ always() }}
+  #   uses: ./.github/workflows/publish-status.yml
+  #   with:
+  #     namespace: 'ADOT/GitHubActions'
+  #     repository: ${{ github.repository }}
+  #     branch: ${{ github.ref_name }}
+  #     workflow: ${{ inputs.caller-workflow-name }}
+  #     success: ${{  needs.test_Spring_App_With_Java_Agent.result == 'success'  &&
+  #                   needs.test_Spark_App_With_Java_Agent.result == 'success'  &&
+  #                   needs.test_Spark_AWS_SDK_V1_App_With_Java_Agent.result == 'success' }}
+  #     region: us-east-1
+  #   secrets:
+  #     roleArn: ${{ secrets.METRICS_ROLE_ARN }}
@@ -34,7 +34,7 @@ jobs:
   build-sample-app:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -84,14 +84,14 @@ jobs:
       test-case-batch-value: ${{ steps.set-batches.outputs.batch-values }}
     steps:
       - name: Checkout Testing Framework repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: ${{ env.TESTING_FRAMEWORK_REPO }}
           path: testing-framework
           ref: ${{ inputs.test_ref }}
 
       - name: Checkout Java Instrumentation repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
           path: aws-otel-java-instrumentation
@@ -126,7 +126,7 @@ jobs:
     steps:
       # required for versioning
       - name: Checkout Java Instrumentation repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
           path: aws-otel-java-instrumentation
@@ -151,7 +151,7 @@ jobs:
           role-duration-seconds: 14400
 
       - name: Checkout Testing Framework repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: ${{ env.TESTING_FRAMEWORK_REPO }}
           path: testing-framework
 
@@ -22,7 +22,7 @@ jobs:
     name: Test patches applied to dependencies
     runs-on: aws-otel-java-instrumentation_ubuntu-latest_32-core
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-java@v4
         with:
           java-version: 17
@@ -54,7 +54,7 @@ jobs:
       staging_registry: ${{ steps.imageOutput.outputs.stagingRegistry }}
       staging_repository: ${{ steps.imageOutput.outputs.stagingRepository }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - uses: actions/setup-java@v4
@@ -189,7 +189,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - uses: actions/setup-java@v4
@@ -229,7 +229,7 @@ jobs:
   application-signals-lambda-layer-build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - uses: actions/setup-java@v4
@@ -263,16 +263,21 @@ jobs:
       adot-image-name: ${{ needs.build.outputs.staging-image }}
 
   publish-build-status:
-    needs: [ build, contract-tests ]
-    if: ${{ always() }}
-    uses: ./.github/workflows/publish-status.yml
-    with:
-      namespace: 'ADOT/GitHubActions'
-      repository: ${{ github.repository }}
-      branch: ${{ github.ref_name }}
-      workflow: main-build
-      success: ${{  needs.build.result == 'success' &&
-                    needs.contract-tests.result == 'success'  }}
-      region: us-east-1
-    secrets:
-      roleArn: ${{ secrets.METRICS_ROLE_ARN }}
+    name: "Publish Main Build Status"
+    needs: [ build, e2e-test, contract-tests, application-signals-lambda-layer-build, application-signals-e2e-test ]
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+      - name: Configure AWS Credentials for emitting metrics
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.METRICS_ROLE_ARN }}
+          aws-region: us-east-1
+
+      - name: Publish main build status
+        run: |
+          value="${{ needs.build.result == 'success' && needs.e2e-test.result == 'success' && needs.contract-tests.result == 'success' && needs.application-signals-lambda-layer-build.result == 'success' && needs.application-signals-e2e-test.result == 'success' && '0.0' || '1.0' }}"
+          aws cloudwatch put-metric-data --namespace 'ADOT/GitHubActions' \
+            --metric-name Failure \
+            --dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=main_build \
+            --value $value
@@ -23,7 +23,7 @@ jobs:
       image_name: ${{ steps.imageOutput.outputs.imageName }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -129,7 +129,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - uses: actions/setup-java@v4
 
@@ -8,8 +8,10 @@
 name: Daily scan
 
 on:
-  schedule:
-    - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
+  schedule: # scheduled to run at 14:00, 20:00, 02:00 UTC every day
+    - cron: '0 14 * * *' # 6:00/7:00   PST/PDT (14:00 UTC)
+    - cron: '0 20 * * *' # 12:00/13:00 PST/PDT (20:00 UTC)
+    - cron: '0 02 * * *' # 18:00/19:00 PST/PDT (02:00 UTC)
   workflow_dispatch: # be able to run the workflow on demand
 
 env:
@@ -24,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo for dependency scan
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -41,7 +43,7 @@ jobs:
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
 
       - name: Get NVD API key for dependency scan
-        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
         id: nvd_api_key
         with:
           secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
@@ -76,13 +78,25 @@ jobs:
         if: ${{ steps.dep_scan.outcome != 'success' }}
         run: less dependency-check-report.html
 
+      - name: Configure AWS credentials for image scan
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@v3
+        with:
+          registry: public.ecr.aws
+
       - name: Perform high image scan on v1
         if: always()
         id: high_scan_v1
         uses: ./.github/actions/image_scan
         with:
           image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v1.33.0"
           severity: 'CRITICAL,HIGH'
+          logout: 'false'
 
       - name: Perform low image scan on v1
         if: always()
@@ -91,22 +105,25 @@ jobs:
         with:
           image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v1.33.0"
           severity: 'MEDIUM,LOW,UNKNOWN'
+          logout: 'false'
 
       - name: Perform high image scan on v2
         if: always()
         id: high_scan_v2
         uses: ./.github/actions/image_scan
         with:
-          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.1"
+          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.2"
           severity: 'CRITICAL,HIGH'
+          logout: 'false'
 
       - name: Perform low image scan on v2
         if: always()
         id: low_scan_v2
         uses: ./.github/actions/image_scan
         with:
-          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.1"
+          image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.2"
           severity: 'MEDIUM,LOW,UNKNOWN'
+          logout: 'false'
 
       - name: Configure AWS Credentials for emitting metrics
         if: always()