Nightly dependency update: OpenTelemetry packages to latest versions #11

github-actions · 2025-09-29T02:23:13Z

Automated update of OpenTelemetry dependencies to their latest available versions.

Build Status: ❌ failure

Upstream releases with breaking changes:

…ervability#1126) *Issue #, if available:* *Description of changes:* Add new validation workflow: - This validation is to ensure that all ApplicationSignals e2e test workflows relevant to this repo are actually being used in this repo. - See: https://github.com/aws-observability/aws-application-signals-test-framework/blob/main/.github/workflows/validate-e2e-tests-are-accounted-for.yml *Testing:* <img width="3138" height="1712" alt="image" src="https://github.com/user-attachments/assets/1dfab8a9-362f-4d10-b206-e9ed2aa8ac54" /> By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

*Issue #, if available:* *Description of changes:* Emit a failure metric if main build fails. Since this workflow is triggered with pushes to main or a release branch, we want to be notified if there is a failure with the build process or e2e tests. Tested by temporarily adding an on: push: trigger to my own branch in this repo and testing the updated workflow. Verified that failure metric was successfully published to cloudwatch. https://github.com/aws-observability/aws-otel-java-instrumentation/actions/runs/16783145872 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Removing problematic backslash which was making the workflow invalid: https://github.com/aws-observability/aws-otel-java-instrumentation/actions/runs/16834776574/workflow By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

*Description of changes:* Removing problematic backslash which was making the workflow invalid: https://github.com/aws-observability/aws-otel-java-instrumentation/actions/runs/16840663861 Fixed in my branch release/v2.11.2 - https://github.com/aws-observability/aws-otel-java-instrumentation/actions/runs/16841343395 Reciprocating the same change in main By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. Co-authored-by: Jeel Mehta <[email protected]>

…aws-observability#1072)

*Description of changes:* Update owasp.yml to scan 2.11.2 release. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. Co-authored-by: Jeel Mehta <[email protected]>

…y#1055)

…#1140) *Description of changes:* Daily Scan failure metrics often show up for one day and are back to normal 24 hours later. The workflow error for these failures is always some timeout/transient issue that goes away if the workflow is manually re-run. We want to try to avoid alarming on these failures while catching actual, repeated failures. Moving the cadence of the daily scan to run 3 times per day with 12-6-6 hour intervals: 02:00, 14:00, 20:00 UTC times. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…rvability#930)

…ility#1144) *Description of changes:* The current daily scan's image scan workflow would often fail with the following error: ``` 2025-08-12T22:35:36Z INFO [vuln] Vulnerability scanning is enabled 2025-08-12T22:35:36Z INFO [secret] Secret scanning is enabled 2025-08-12T22:35:36Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2025-08-12T22:35:36Z INFO [secret] Please see also https://trivy.dev/v0.64/docs/scanner/secret#recommendation for faster secret detection 📣 Notices: - Version 0.65.0 of Trivy is now available, current version is 0.64.1 To suppress version checks, run Trivy scans with the --skip-version-check flag 2025-08-12T22:35:37Z FATAL Fatal error run error: image scan error: scan error: unable to initialize a scan service: unable to initialize an image scan service: unable to find the specified image "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.1" in ["docker" "containerd" "podman" "remote"]: 4 errors occurred: * docker error: unable to inspect the image (public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.1): Error response from daemon: No such image: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.1 * containerd error: failed to list images from containerd client: connection error: desc = "transport: Error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied" * podman error: unable to initialize Podman client: no podman socket found: stat /run/user/1001/podman/podman.sock: no such file or directory * remote error: GET https://public.ecr.aws/v2/aws-observability/adot-autoinstrumentation-java/manifests/sha256:7ebd362ec33ad1fa0218535540cec4db3165364fe0715b892e90afdf2374b531: TOOMANYREQUESTS: Rate exceeded ``` Turns out the issue is related to making unauthenticated GET request calls to public ECR images. We make these calls both in the `pr_build` (explanation can be found in the code comment) and in `owasp.yml`. Likely, our GET requests to pull the ADOT image are being throttled as a result. https://github.com/aws-observability/aws-otel-java-instrumentation/blob/7ffb3d4f9200b10f7701926ff240dd5c0b36d136/.github/actions/image_scan/action.yml#L24 - Adding an intermediary step to log-in to ECR before making the GET request calls for `owasp.yml` image scanning. **Testing** 200 Image Scan test runs with docker login (0 failed jobs): https://github.com/aws-observability/aws-otel-java-instrumentation/actions/runs/16922020570/job/47950156083 200 Image Scan test runs w/o docker login (1 failed job, rest didn't run): https://github.com/aws-observability/aws-otel-java-instrumentation/actions/runs/16922512730/job/47951639594 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…rvability#1120) This is the final PR for the SPI aws-sdk instrumentation. It removes the [opentelemetry-java-instrumentation](https://github.com/aws-observability/aws-otel-java-instrumentation/blob/main/.github/patches/opentelemetry-java-instrumentation.patch) patch and adds comprehensive unit test coverage for AWS experimental attributes in both AWS SDK v1.11 and v2.2 instrumentation packages. The v2.2 package introduces 29 new experimental attributes while v1.11 adds 23 new experimental attributes. All attributes are now tested through unit tests and/or contract tests. ### Description of changes: #### AWS SDK v2.2 (awssdk_v2_2) New attributes being tested: 1. AWS_BUCKET_NAME - testS3ExperimentalAttributes() & contract tests 2. AWS_QUEUE_URL - testSqsExperimentalAttributes() & contract tests 3. AWS_QUEUE_NAME - contract tests 4. AWS_STREAM_NAME - testKinesisExperimentalAttributes() & contract tests 5. AWS_STREAM_ARN - testKinesisExperimentalAttributes() & contract tests 6. AWS_TABLE_NAME - testDynamoDbExperimentalAttributes() 7. AWS_GUARDRAIL_ID - contract tests 8. AWS_GUARDRAIL_ARN - contract tests 9. AWS_AGENT_ID - testBedrockAgentExperimentalAttributes() & contract tests 10. AWS_DATA_SOURCE_ID - testBedrockDataSourceExperimentalAttributes() & contract tests 11. AWS_KNOWLEDGE_BASE_ID - testBedrockKnowledgeBaseExperimentalAttributes() & contract tests 12. GEN_AI_MODEL - testBedrockExperimentalAttributes() & contract tests 13. GEN_AI_SYSTEM - contract tests 14. GEN_AI_REQUEST_MAX_TOKENS - testBedrockExperimentalAttributes() & contract tests 15. GEN_AI_REQUEST_TEMPERATURE - testBedrockExperimentalAttributes() & contract tests 16. GEN_AI_REQUEST_TOP_P - contract tests 17. GEN_AI_RESPONSE_FINISH_REASONS - contract tests 18. GEN_AI_USAGE_INPUT_TOKENS - contract tests 19. GEN_AI_USAGE_OUTPUT_TOKENS - contract tests 20. AWS_STATE_MACHINE_ARN - testStepFunctionExperimentalAttributes() & contract tests 21. AWS_STEP_FUNCTIONS_ACTIVITY_ARN - testStepFunctionExperimentalAttributes() & contract tests 22. AWS_SNS_TOPIC_ARN - testSnsExperimentalAttributes() & contract tests 23. AWS_SECRET_ARN - testSecretsManagerExperimentalAttributes() & contract tests 24. AWS_LAMBDA_NAME - testLambdaExperimentalAttributes() 25. AWS_LAMBDA_ARN - testLambdaArnExperimentalAttribute() 26. AWS_LAMBDA_RESOURCE_ID - testLambdaResourceIdExperimentalAttribute() 27. AWS_TABLE_ARN - testTableArnExperimentalAttribute() 28. AWS_AUTH_ACCESS_KEY - testAuthAccessKeyExperimentalAttribute() 29. AWS_AUTH_REGION - testAuthRegionExperimentalAttribute() - Tests leverage AWS SDK v2's getValueForField() API for clean, mockable attribute extraction - Includes comprehensive testing for: - Core AWS services (S3, DynamoDB, SQS, SNS, Kinesis, Lambda, Step Functions, Secrets Manager) - Bedrock Gen AI attributes with JSON parsing validation - Bedrock resource attributes (Agent, Knowledge Base, Data Source) - Authentication attributes (access key, region) ### AWS SDK v1.11 (awssdk_v1_11) New attributes being tested: 1. AWS_STREAM_ARN - testKinesisExperimentalAttributes() & contract tests 2. AWS_TABLE_ARN - testTableArnExperimentalAttributes() (Service identification only) 3. AWS_AGENT_ID - contract tests 4. AWS_KNOWLEDGE_BASE_ID - contract tests 5. AWS_DATA_SOURCE_ID - contract tests 6. AWS_GUARDRAIL_ID - testBedrockGuardrailAttributes() (Service identification only) & contract tests 7. AWS_GUARDRAIL_ARN - testBedrockGuardrailAttributes() (Service identification only) & contract tests 8. AWS_BEDROCK_RUNTIME_MODEL_ID - testBedrockRuntimeAttributes() (Service identification only) & contract tests 9. AWS_BEDROCK_SYSTEM - contract tests 10. GEN_AI_REQUEST_MAX_TOKENS - contract tests 11. GEN_AI_REQUEST_TEMPERATURE - contract tests 12. GEN_AI_REQUEST_TOP_P - contract tests 13. GEN_AI_RESPONSE_FINISH_REASONS - contract tests 14. GEN_AI_USAGE_INPUT_TOKENS - contract tests 15. GEN_AI_USAGE_OUTPUT_TOKENS - contract tests 16. AWS_STATE_MACHINE_ARN - testStepFunctionsExperimentalAttributes() & contract tests 17. AWS_STEP_FUNCTIONS_ACTIVITY_ARN - contract tests 18. AWS_SNS_TOPIC_ARN - testSnsExperimentalAttributes() & contract tests 19. AWS_SECRET_ARN - testSecretsManagerExperimentalAttributes() (Service identification only) & contract tests 20. AWS_LAMBDA_NAME - testLambdaNameExperimentalAttributes() 21. AWS_LAMBDA_ARN - testLambdaArnExperimentalAttributes() 22. AWS_LAMBDA_RESOURCE_ID - testLambdaResourceIdExperimentalAttributes() (Service identification only) 23. AWS_AUTH_ACCESS_KEY - testAuthAccessKeyAttributes() *V1.11 is harder to test:* V1.11 uses Java reflection to dynamically find and call methods like getFunctionName() on AWS request objects at runtime. This creates several testing challenges: - Mock Method Mismatch: When you mock an AWS request object, it doesn't have the actual methods that reflection is trying to find. The reflection silently fails and returns null, making tests pass even though no attributes were extracted. - Class Dependencies: To test properly, you'd need real AWS SDK classes instead of mocks, creating tight coupling between tests and external dependencies. - Nested Object Complexity: Many attributes require traversing nested properties, which means mocking entire object graphs with proper method chains. Contract tests sidestep these issues by using real AWS SDK objects against LocalStack, testing the complete end-to-end flow including actual reflection behavior without the complexity of mocking Java's reflection system. ### Related - PRs for aws-sdk v1.11: aws-observability#1115 and aws-observability#1117 - PRs for aws-sdk v2.2: aws-observability#1111 and aws-observability#1113 - Replaces patch: [current patch](https://github.com/aws-observability/aws-otel-java-instrumentation/blob/main/.github/patches/opentelemetry-java-instrumentation.patch) By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…bility#1139)

…ty#1145) This PR upgrades these two upstream dependencies in ADOT Java from v1.28.0 to v1.29.0. io.opentelemetry.semconv:opentelemetry-semconv io.opentelemetry.semconv:opentelemetry-semconv-incubating Upstream OTel Java Agent v2.11 is using semconv v1.29.0, not v1.28.0. This PR keeps OTel and ADOT in sync automatically on semconv. ADOT now relies on "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha" to get the version of semconv, instead of explicitly declaring one. In March 2024, upstream stopped using semconv keys from package "io.opentelemetry.semconv.SemanticAttributes". Semconv 1.25.0 migration #10983 open-telemetry/opentelemetry-java-instrumentation#10983 ADOT Java did not follow. It's still using keys from this package: https://github.com/aws-observability/aws-otel-java-instrumentation/blob/release/v2.11.x/awsagentprovider/src/main/java/software/amazon/opentelemetry/javaagent/providers/AwsSpanProcessingUtil.java#L18 Unfortunately, in this Jan., this package was deleted from upstream. This is causing ADOT Java build break if we need upgrade upstream dependencies. This PR replaces these old keys in ADOT Java code base. Basically, it is doing the same update upstream had done in last March. The code change is safe. It has a limited scope that only updates the definitions of semconv keys. The text content of these keys remain untouched. Test: ./gradlew build Pass ./gradlew test. Pass Manual E2E test Pass Backward Compatibility: This change is backward compatible. It does not change any runtime behaviors. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

*Description of changes:* Builds are failing image scanning for `CVE-2025-55163` which recently was added as a vulnerability. GHSA-prj3-ccx8-p6x4 Should revert this once we upgrade our aws-sdk dependency to version that has this PR added: aws/aws-sdk-java-v2#6344 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Thomas Pierce <[email protected]>

*Description of changes:* Update owasp.yml to scan 2.11.3 release. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…ility#1134)

…eys (aws-observability#1150) This PR adds a utility method to help migrate deprecated semconv keys. It first checks the new key; if the new key is not available, it falls back to the legacy deprecated key. This PR also handles the following deprecated keys: MESSAGING_OPERATION SERVER_SOCKET_ADDRESS SERVER_SOCKET_PORT Tests: ./gradlew build test — Pass ./gradlew appsignals-tests:contract-tests:contractTests — Pass Manual E2E with Spring Boot sample app: Compared raw span data with and without this change — Pass By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@thpierce

…ty#1154)

…rvability#1158) ADOT Java was using an outdated Gradle release, particularly the Lambda build (v8.1.1). This PR upgrades both builds to v8.14.3, matching the version used by the upstream Java Agent. ./gradlew wrapper --gradle-version 8.14.3 Tests performed: - Local build: ./gradlew build ✅ - Unit tests: ./gradlew test ✅ - Smoke/contract tests: ./gradlew appsignals-tests:contract-tests:contractTests ✅ By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…bservability#1159) The latest release of gradle/wrapper-validation-action is v3.5, but ADOT Java is currently using v1. This PR replaces the deprecated gradle/wrapper-validation-action with the new gradle/actions/wrapper-validation action. v4.4.2 is an official release. It's commit hash is #017a9ef. https://github.com/gradle/actions/releases/tag/v4.4.2 When uses third-party action, we should always use commit hash instead of release number, for security and integrity reason. https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions References: - https://github.com/gradle/wrapper-validation-action - https://github.com/gradle/actions/releases/ By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…ervability#1185) *Issue #, if available:* aws-observability/aws-otel-python-instrumentation#458 *Description of changes:* 1. Remove new regions from COMMERCIAL_REGIONS 1. Rename COMMERCIAL_REGIONS to LEGACY_COMMERCIAL_REGIONS 1. Add comments for clarity By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

*Issue #, if available:* *Description of changes:* By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

This pr reverts the previous revert for 3p action updates for non release files. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Missed ./gradlew command. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

We depend on [OTEL Java 2.11.0](https://github.com/aws-observability/aws-otel-java-instrumentation/blob/release/v2.11.x/dependencyManagement/build.gradle.kts#L30C20-L30C26), which was released [Dec 23, 2024](https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.11.0), at which Java 23 was supported (released [2024-09-17 ](https://www.java.com/releases/)). We should have bumped this version then, but we didn't have a good process in place at the time. Bump version now. Skipping changelog as we will support Java 24 soon. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@thpierce

…ty#1176) Bumps [uuid](https://github.com/uuid-rs/uuid) from 1.18.0 to 1.18.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/uuid-rs/uuid/releases">uuid's releases</a>.</em></p> <blockquote> <h2>v1.18.1</h2> <h2>What's Changed</h2> <ul> <li>Unsafe cleanup by <a href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a href="https://redirect.github.com/uuid-rs/uuid/pull/841">uuid-rs/uuid#841</a></li> <li>Prepare for 1.18.1 release by <a href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a href="https://redirect.github.com/uuid-rs/uuid/pull/842">uuid-rs/uuid#842</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/uuid-rs/uuid/compare/v1.18.0...v1.18.1">https://github.com/uuid-rs/uuid/compare/v1.18.0...v1.18.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/uuid-rs/uuid/commit/50d8e797ed9628820d0aff617a5f199221b82aaa"><code>50d8e79</code></a> Merge pull request <a href="https://redirect.github.com/uuid-rs/uuid/issues/842">#842</a> from uuid-rs/cargo/v1.18.1</li> <li><a href="https://github.com/uuid-rs/uuid/commit/79485925e95d507c20bc0a37e86d326715ffec9e"><code>7948592</code></a> prepare for 1.18.1 release</li> <li><a href="https://github.com/uuid-rs/uuid/commit/6d847c79d072431c5131987a39318e11f8dbfa9b"><code>6d847c7</code></a> Merge pull request <a href="https://redirect.github.com/uuid-rs/uuid/issues/841">#841</a> from uuid-rs/chore/unsafe-cleanup</li> <li><a href="https://github.com/uuid-rs/uuid/commit/675cccc829fa8ce3f225392622aee1c41268b068"><code>675cccc</code></a> re-gate zerocopy behind unstable feature flag</li> <li><a href="https://github.com/uuid-rs/uuid/commit/4dd582806081d6718b7d0cac303c241d9a7eb0c9"><code>4dd5828</code></a> Remove some unsafe; stabilize zerocopy</li> <li>See full diff in <a href="https://github.com/uuid-rs/uuid/compare/v1.18.0...v1.18.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=uuid&package-manager=cargo&previous-version=1.18.0&new-version=1.18.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) Dependabot will merge this PR once it's up-to-date and CI passes on it, as requested by @thpierce. [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thomas Pierce <[email protected]>

@thpierce

Bumps com.diffplug.spotless from 6.25.0 to 7.0.3. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.diffplug.spotless&package-manager=gradle&previous-version=6.25.0&new-version=7.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) Dependabot will merge this PR once CI passes on it, as requested by @thpierce. [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thomas Pierce <[email protected]>

Fixes annoying warning seen here: https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1206/files#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…ect user-configured OTEL_PROPAGATORS (aws-observability#1191) *Issue #, if available:* - In latest `com.amazonaws:aws-lambda-java-core:1.4.0`, Lambda Context has a new `lambdaContext.getXrayTraceId()` method. We need to use this over SystemProperty/EnvVar to support multi-concurrency in Lambda. *Description of changes:* - respect OTEL_PROPAGATORS Env Var priority - Priority logic BEFORE: - Create `carrierA` to contain headers from Lambda request http headers and the custom client context - get X-Ray Trace ID from (in order or priority) SystemProperty or EnvVar, add it to new `carrierB` - Use Global Propagator to extract trace context from `carrierB` (trace extraction only works if xray propagator is configured) - If above trace extraction results in a context that is not valid&sampled, try again with Global Propagator using `carrierA` - Priority logic AFTER: - Create `carrierA` to contain headers from Lambda request http headers and the custom client context - get X-Ray Trace ID from (in order or priority) Lambda Context, SystemProperty, or EnvVar, add it to `carrierA` (will overwrite x-ray header value if present from Lambda request http headers). - Use Global Propagator to extract trace context from `carrierA` By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…ervability#1208) (aws-observability#1210) Problem: The Lambda Java layer release fails because the workflow uses the wrong artifact (layer zip file) name. https://github.com/aws-observability/aws-otel-java-instrumentation/actions/runs/17867947751 Solution: Rename aws-opentelemetry-java-layer.zip to layer.zip. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Add gate jobs that fail if any workflow job fails OR if any job is missing from the gate's needs array. Prevents both job failures and configuration drift when adding new workflow jobs. Callout: I don't think it's possible to have one gate for both workflows, but it should not be the case that we add more over time. ### Testing: See: aws-observability/aws-otel-python-instrumentation#477 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Adding workflow_dispatch for manual run option. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…lity#1212) Add validation step to require commit SHAs instead of version tags for third-party GitHub actions in workflow files. Repo config `Require actions to be pinned to a full-length commit SHA` will protect against this if we missed any others. ### Testing done * See: aws-observability/aws-otel-python-instrumentation#475 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

This reverts commit e12d79c.

srprash and others added 30 commits August 1, 2025 10:18

Fix Otlp Aws exporters failures for GZIP compressed telemetry exports (…

b8dffa7

…aws-observability#1124)

Bump docker/build-push-action from 5 to 6 (aws-observability#929)

25851ba

Bump actions/download-artifact from 4 to 5 (aws-observability#1136)

bb2a092

Bump org.apache.tomcat.embed:tomcat-embed-core from 10.1.10 to 11.0.6 (…

e7fc979

…aws-observability#1072)

Bump actions/setup-java from 3 to 4 (aws-observability#1138)

0a87c6c

Bump burrunan/gradle-cache-action from 1 to 2 (aws-observability#931)

7ffb3d4

Bump codecov/codecov-action from 3 to 5 (aws-observability#954)

aecbf9d

Bump uuid from 1.5.0 to 1.16.0 in /tools/cp-utility (aws-observabilit…

b091e6a

…y#1055)

Bump aws-actions/aws-secretsmanager-get-secrets from 1 to 2 (aws-obse…

3f34807

…rvability#930)

Bump org.testcontainers:postgresql from 1.19.3 to 1.21.3 (aws-observa…

4e45621

…bility#1139)

Update image scan to point to 2.11.3 release (aws-observability#1151)

d345cda

*Description of changes:* Update owasp.yml to scan 2.11.3 release. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Bump tempfile from 3.9.0 to 3.20.0 in /tools/cp-utility (aws-observab…

492f406

…ility#1134)

Bump docker/library/rust from 1.86 to 1.89 (aws-observability#1135)

39e6c30

Bump burrunan/gradle-cache-action from 2 to 3 (aws-observability#1153)

9134679

Bump uuid from 1.16.0 to 1.18.0 in /tools/cp-utility (aws-observabili…

e77a26d

…ty#1154)

jj22ee and others added 30 commits September 17, 2025 21:52

Update image to 2.11.5 in daily-scan.yml (aws-observability#1194)

82a5538

*Issue #, if available:* *Description of changes:* By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Reverting previous revert for 3p actions update (aws-observability#1198)

8e6889d

This pr reverts the previous revert for 3p action updates for non release files. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Update main-build.yml (aws-observability#1200)

1a32279

Missed ./gradlew command. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Add adaptive sampling e2e test to build (aws-observability#1211)

74f7105

Merge 2.11.5 back into main branch (aws-observability#1201)

a4d69a7

Update main-build.yml (aws-observability#1217)

fbeaff8

Adding workflow_dispatch for manual run option. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

add script to bump otel dependencies

383f29c

add nightly build workflow

c4395a7

update main build to run on nightly build branch

e12d79c

update contrib dependencies together in script

a821678

add logic to link releases with breaking changes

ea7f372

Revert "update main build to run on nightly build branch"

8cf6aac

This reverts commit e12d79c.

fix branching logic and add metric

ed8294e

add main build call and update metric

edcdb15

add test trigger to workflow

3393cf7

fix bug and job title

27155e2

fix credential for metric publishing

735e6af

fix regex matching for breaking changes

cdad72c

chore: update OpenTelemetry dependencies to latest versions

ad69ca1

chore: update OpenTelemetry dependencies to latest versions

161f7b4

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Nightly dependency update: OpenTelemetry packages to latest versions #11

Nightly dependency update: OpenTelemetry packages to latest versions #11

Uh oh!

github-actions bot commented Sep 29, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

14 participants

Nightly dependency update: OpenTelemetry packages to latest versions #11

Are you sure you want to change the base?

Nightly dependency update: OpenTelemetry packages to latest versions #11

Uh oh!

Conversation

github-actions bot commented Sep 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

14 participants

github-actions bot commented Sep 29, 2025 •

edited

Loading