Merge branch 'main' into dependabot/pip/contract-tests/tests/requests-2.32.4

Author: thpierce

.github/actions/artifacts_build/action.yml

@@ -103,4 +103,5 @@ runs:
       uses: ./.github/actions/image_scan
       with:
         image-ref: ${{ inputs.image_uri_with_tag }}
-        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+        logout: 'true'

.github/actions/image_scan/action.yml

@@ -11,6 +11,11 @@ inputs:
   severity:
     required: true
     description: "List of severities that will cause a failure"
+  logout:
+    required: true
+    description: |
+      Whether to logout of public AWS ECR. Set to 'true' for PR workflows to avoid potential call failures,
+      'false' for daily scans which has a higher bar for passing regularly and specifically wants to sign in.
 
 runs:
   using: "composite"
@@ -22,6 +27,7 @@ runs:
   # ensure we can make unauthenticated call. This is important for making the pr_build workflow run on
   # PRs created from forked repos.
   - name: Logout of public AWS ECR
+    if: inputs.logout == 'true'
     shell: bash
     run: docker logout public.ecr.aws
 
@@ -30,4 +36,4 @@ runs:
     with:
       image-ref: ${{ inputs.image-ref }}
       severity: ${{ inputs.severity }}
-      exit-code: '1'
+      exit-code: '1'

.github/workflows/daily-scan.yml

@@ -8,8 +8,10 @@
 name: Daily scan
 
 on:
-  schedule:
-    - cron: '0 18 * * *' # scheduled to run at 18:00 UTC every day
+  schedule: # scheduled to run at 14:00, 20:00, 02:00 UTC every day
+    - cron: '0 14 * * *' # 6:00/7:00   PST/PDT (14:00 UTC)
+    - cron: '0 20 * * *' # 12:00/13:00 PST/PDT (20:00 UTC)
+    - cron: '0 02 * * *' # 18:00/19:00 PST/PDT (02:00 UTC)
   workflow_dispatch: # be able to run the workflow on demand
 
 env:
@@ -66,24 +68,35 @@ jobs:
       - name: Print dependency scan results on failure
         if: ${{ steps.dep_scan.outcome != 'success' }}
         run: less dependency-check-report.html
+      
+      - name: Configure AWS credentials for image scan
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@v3
+        with:
+          registry: public.ecr.aws
 
-      # TODO: Update image to public once available
       - name: Perform high image scan
         if: always()
         id: high_scan
         uses: ./.github/actions/image_scan
         with:
           image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-node:v0.7.0"
           severity: 'CRITICAL,HIGH'
+          logout: 'false'
 
-      # TODO: Update image to public once available
       - name: Perform low image scan
         if: always()
         id: low_scan
         uses: ./.github/actions/image_scan
         with:
           image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-node:v0.7.0"
           severity: 'MEDIUM,LOW,UNKNOWN'
+          logout: 'false'
 
       - name: Configure AWS Credentials for emitting metrics
         if: always()

.github/workflows/pr-build.yml

@@ -38,6 +38,15 @@ jobs:
         run: npm ci
       - name: Compile all NPM projects
         run: npm run compile
+      - name: Build Tarball and Image Files
+        uses: ./.github/actions/artifacts_build
+        with:
+          image_uri_with_tag: pr-build/${{ matrix.node }}
+          push_image: false
+          load_image: true
+          node_version: ${{ matrix.node }}
+          package_name: aws-distro-opentelemetry-node-autoinstrumentation
+          os: ubuntu-latest
       - name: Build Lambda Layer
         run: npm run build-lambda
       - name: Unit tests (Full)