Merge branch 'develop-hybrid-core-tracing' into hybrid-agent-wsgi-traces

mergify[bot] · web-flow · commit 38edb2b03268 · 2025-12-29T19:16:37.000Z
diff --git a/.github/.trivyignore b/.github/.trivyignore
@@ -1,9 +1,15 @@
+# =============================
+# Accepted Risk Vulnerabilities
+# =============================
+
+# Accepting risk due to Python 3.8 support.
+CVE-2025-50181  # Requires misconfiguration of urllib3, which agent does not do without intervention
+CVE-2025-66418  # Malicious servers could cause high resource consumption
+CVE-2025-66471  # Malicious servers could cause high resource consumption
+
 # =======================
 # Ignored Vulnerabilities
 # =======================
 
-# Accepting risk due to Python 3.8 support.
-CVE-2025-50181
-
 # Not relevant, only affects Pyodide
 CVE-2025-50182
diff --git a/.github/workflows/addlicense.yml b/.github/workflows/addlicense.yml
@@ -39,7 +39,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
 
       - name: Fetch git tags
         run: |
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -38,7 +38,7 @@ jobs:
       BASE_SHA: ${{ github.event.pull_request.base.sha }}
 
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/build-ci-image.yml b/.github/workflows/build-ci-image.yml
@@ -43,14 +43,14 @@ jobs:
     name: Docker Build ${{ matrix.platform }}
 
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # 3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # 3.12.0
 
       # Lowercase image name and append -ci
       - name: Generate Image Name
@@ -97,7 +97,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload Digest
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # 5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # 6.0.0
         with:
           name: digests-${{ matrix.cache_tag }}
           path: ${{ runner.temp }}/digests/*
@@ -114,7 +114,7 @@ jobs:
 
     steps:
       - name: Download Digests
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*
@@ -129,7 +129,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # 3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # 3.12.0
 
       # Lowercase image name and append -ci
       - name: Generate Image Name
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -69,7 +69,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -97,7 +97,7 @@ jobs:
           CIBW_TEST_SKIP: "*-win_arm64"
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # 5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # 6.0.0
         with:
           name: ${{ github.job }}-${{ matrix.wheel }}
           path: ./wheelhouse/*.whl
@@ -109,7 +109,7 @@ jobs:
     runs-on: ubuntu-24.04
 
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -134,7 +134,7 @@ jobs:
           openssl md5 -binary "dist/${tarball}" | xxd -p | tr -d '\n' > "dist/${md5_file}"
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # 5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # 6.0.0
         with:
           name: ${{ github.job }}-sdist
           path: |
@@ -166,7 +166,7 @@ jobs:
     environment: ${{ matrix.pypi-instance }}
 
     steps:
-      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0
         with:
           path: ./dist/
           merge-multiple: true
@@ -196,7 +196,7 @@ jobs:
           repository-url: https://test.pypi.org/legacy/
 
       - name: Attest
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # 3.0.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # 3.1.0
         id: attest
         with:
           subject-path: |
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -45,7 +45,7 @@ jobs:
     steps:
       # Git Checkout
       - name: Checkout Code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
           token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
           fetch-depth: 0 # Required for pushing commits to PRs
@@ -68,7 +68,7 @@ jobs:
       # Upload MegaLinter artifacts
       - name: Archive production artifacts
         if: success() || failure()
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # 5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # 6.0.0
         with:
           name: MegaLinter reports
           include-hidden-files: "true"
@@ -109,7 +109,7 @@ jobs:
         run: sudo chown -Rc $UID .git/
 
       - name: Commit and push applied linter fixes
-        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # 7.0.0
+        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # 7.1.0
         if: env.APPLY_FIXES_IF_COMMIT == 'true'
         with:
           branch: >-
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
