aws-observability
diff --git a/‎.github/actions/artifacts_build/action.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/actions/artifacts_build/action.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/actions/image_scan/action.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/image_scan/action.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/lambda_artifacts_build/action.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/lambda_artifacts_build/action.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/set_up/action.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/set_up/action.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/application-signals-e2e-test.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/application-signals-e2e-test.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/daily-scan.yml‎
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/daily-scan.yml‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎.github/workflows/main-build.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/main-build.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/post-release-version-bump.yml‎
Lines changed: 31 additions & 6 deletions b/‎.github/workflows/post-release-version-bump.yml‎
Lines changed: 31 additions & 6 deletions
diff --git a/‎.github/workflows/pr-build.yml‎
Lines changed: 48 additions & 6 deletions b/‎.github/workflows/pr-build.yml‎
Lines changed: 48 additions & 6 deletions
@@ -52,7 +52,7 @@ runs:
 
     - name: Configure AWS Credentials
       if: ${{ inputs.push_image == true || inputs.push_image == 'true' }}
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
       with:
         role-to-assume: ${{ inputs.snapshot-ecr-role }}
         aws-region: ${{ inputs.aws-region }}
@@ -67,14 +67,14 @@ runs:
         npm pack
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #3.6.0
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
 
     - name: Login to private AWS ECR
       if: ${{ inputs.push_image == true || inputs.push_image == 'true' }}
-      uses: docker/login-action@v3
+      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 #v3.5.0
       with:
         registry: ${{ inputs.image_registry }}
       env:
@@ -90,7 +90,7 @@ runs:
       run: docker logout public.ecr.aws
 
     - name: Build and push image according to input
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
       with:
         push: ${{ inputs.push_image }}
         context: .
 
@@ -32,7 +32,7 @@ runs:
     run: docker logout public.ecr.aws
 
   - name: Run Trivy vulnerability scanner on image
-    uses: aquasecurity/trivy-action@master
+    uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
     with:
       image-ref: ${{ inputs.image-ref }}
       severity: ${{ inputs.severity }}
 
@@ -24,7 +24,7 @@ runs:
   using: 'composite'
   steps:
     - name: Download Tarball to GitHub Actions
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0
       with:
         name: ${{ inputs.staging_tarball}}
         path: ./aws-distro-opentelemetry-node-autoinstrumentation/
 
@@ -20,7 +20,7 @@ runs:
   using: "composite"
   steps:
     - name: Set up node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 #v5.0.0
       with:
         node-version: ${{ inputs.node_version }}
         registry-url: 'https://registry.npmjs.org'
 
@@ -29,12 +29,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
         with:
           role-to-assume: arn:aws:iam::637423224110:role/${{ secrets.STAGING_ARTIFACTS_ACCESS_ROLE_NAME }}
           aws-region: us-east-1
 
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0
         with:
           name: ${{ inputs.staging-instrumentation-name }}
 
 
@@ -55,11 +55,11 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@16df4fbc19aea13d921737861d6c622bf3cefe23 #v2.23.0
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -87,6 +87,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@16df4fbc19aea13d921737861d6c622bf3cefe23 #v2.23.0
       with:
         category: "/language:${{matrix.language}}"
@@ -26,23 +26,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo for dependency scan
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           fetch-depth: 0
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 #v5.0.0
         with:
           node-version: "20"
 
       - name: Configure AWS credentials for dependency scan
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
         with:
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
 
       - name: Get NVD API key for dependency scan
-        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
         id: nvd_api_key
         with:
           secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
@@ -70,13 +70,13 @@ jobs:
         run: less dependency-check-report.html
 
       - name: Configure AWS credentials for image scan
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
         with:
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
 
       - name: Login to Public ECR
-        uses: docker/login-action@v3
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 #v3.5.0
         with:
           registry: public.ecr.aws
 
@@ -100,7 +100,7 @@ jobs:
 
       - name: Configure AWS Credentials for emitting metrics
         if: always()
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
         with:
           role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
 
@@ -33,7 +33,7 @@ jobs:
       staging_tarball_file: ${{ steps.staging_tarball_output.outputs.STAGING_TARBALL}}
     steps:
       - name: Checkout Contrib Repo @ SHA - ${{ github.sha }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
 
       - name: Get Node Distro Output
         id: node_output
@@ -73,7 +73,7 @@ jobs:
           aws s3 cp aws-distro-opentelemetry-node-autoinstrumentation/${{ steps.staging_tarball_output.outputs.STAGING_TARBALL }} s3://${{ env.STAGING_S3_BUCKET }}
 
       - name: Upload Tarball to GitHub Actions
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
         with:
           name: ${{ steps.staging_tarball_output.outputs.STAGING_TARBALL}}
           path: aws-distro-opentelemetry-node-autoinstrumentation/${{ steps.staging_tarball_output.outputs.STAGING_TARBALL}}
@@ -112,7 +112,7 @@ jobs:
     if: always()
     steps:
       - name: Configure AWS Credentials for emitting metrics
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
         with:
           role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
 
@@ -6,6 +6,10 @@ on:
       version:
         description: 'Version number (e.g., 1.0.1)'
         required: true
+      is_patch:
+        description: 'Is this a patch? (true or false)'
+        required: true
+        default: 'false'
 
 env:
   AWS_DEFAULT_REGION: us-east-1
@@ -20,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout main
-        uses: actions/checkout@v2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           ref: main
           fetch-depth: 0
@@ -59,21 +63,21 @@ jobs:
     needs: check-version
     steps:
       - name: Configure AWS credentials for BOT secrets
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRETS_MANAGER }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
 
       - name: Get Bot secrets
-        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
         id: bot_secrets
         with:
           secret-ids: |
             BOT_TOKEN ,${{ secrets.BOT_TOKEN_SECRET_ARN }}
           parse-json-secrets: true
 
       - name: Setup Git
-        uses: actions/checkout@v2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           fetch-depth: 0
           token: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
@@ -95,7 +99,7 @@ jobs:
           git checkout -b "prepare-main-for-next-dev-cycle-${VERSION}" origin/$RELEASE_BRANCH
 
       - name: Set up node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444  #v5.0.0
         with:
           node-version: 20
 
@@ -109,6 +113,17 @@ jobs:
           VERSION="${{ github.event.inputs.version }}"
           npm install
           sed -i  "s|\(/aws-observability/adot-autoinstrumentation-node:\)v[0-9]\+\.[0-9]\+\.[0-9]\+|\1v${{github.event.inputs.version}}|g" .github/workflows/daily-scan.yml
+
+          # for patch releases, avoid merge conflict by manually resolving CHANGELOG with main
+          if [[ "${{ github.event.inputs.is_patch }}" == "true" ]]; then
+            # Copy the patch release entries
+            sed -n "/^## v${VERSION}/,/^## v[0-9]/p" CHANGELOG.md | sed '$d' > /tmp/patch_release_section.txt
+            git fetch origin main
+            git show origin/main:CHANGELOG.md > CHANGELOG.md
+            # Insert the patch release entries after Unreleased
+            awk -i inplace '/^## v[0-9]/ && !inserted { system("cat /tmp/patch_release_section.txt"); inserted=1 } {print}' CHANGELOG.md
+          fi
+
           git add .
           git status
           git commit -m "Prepare main for next development cycle: Update version to $DEV_VERSION"
@@ -126,4 +141,14 @@ jobs:
           
           By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
                        --head prepare-main-for-next-dev-cycle-${VERSION} \
-                       --base main
+                       --base main
+      
+      - name: Force our CHANGELOG to override merge conflicts
+        run: |
+          git merge origin/main || true
+          git checkout --ours CHANGELOG.md
+          git add CHANGELOG.md
+          if ! git diff --quiet --cached; then
+            git commit -m "Force our CHANGELOG to override merge conflicts"
+            git push origin "prepare-main-for-next-dev-cycle-${VERSION}"
+          fi
@@ -1,6 +1,12 @@
 name: JavaScript Instrumentation PR Build
 on:
   pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - labeled
+      - unlabeled
     branches:
       - main
       - "release/v*"
@@ -10,6 +16,42 @@ permissions:
   contents: read
 
 jobs:
+  changelog-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        with:
+          fetch-depth: 0
+          
+      - name: Check CHANGELOG
+        run: |
+          # Check if PR is from workflows bot or dependabot
+          if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
+            echo "Skipping check: PR from aws-application-signals-bot"
+            exit 0
+          fi
+          
+          if [[ "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+            echo "Skipping check: PR from dependabot"
+            exit 0
+          fi
+          
+          # Check for skip changelog label
+          if echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq -r '.[]' | grep -q "skip changelog"; then
+            echo "Skipping check: skip changelog label found"
+            exit 0
+          fi
+          
+          # Fetch base branch and check for CHANGELOG modifications
+          git fetch origin ${{ github.base_ref }}
+          if git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -q "CHANGELOG.md"; then
+            echo "CHANGELOG.md entry found - check passed"
+            exit 0
+          fi
+          
+          echo "It looks like you didn't add an entry to CHANGELOG.md. If this change affects the SDK behavior, please update CHANGELOG.md and link this PR in your entry. If this PR does not need a CHANGELOG entry, you can add the 'Skip Changelog' label to this PR."
+          exit 1
+
   build:
     runs-on: ubuntu-latest
     strategy:
@@ -23,11 +65,11 @@ jobs:
       NPM_CONFIG_UNSAFE_PERM: true
     steps:
       - name: Checkout Repo @ SHA - ${{ github.sha }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           fetch-depth: 0
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 #v5.0.0
         with:
           node-version: ${{ matrix.node }}
       - name: Update npm to a version that supports workspaces (v7 or later)
@@ -53,14 +95,14 @@ jobs:
         run: npm run test:coverage
       - name: Report Coverage
         if: ${{ matrix.code-coverage && !cancelled()}}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 #v5.5.1
         with:
           verbose: true
 
   contract-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
       - name: run contract tests
         run: |
           bash ./scripts/build_and_install_distro.sh
@@ -71,8 +113,8 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 #v5.0.0
         with:
           node-version: 18
           cache: 'npm'