Merge branch 'main' into main

Kielek · web-flow · commit 9d85d731e196 · 2025-11-04T11:32:25.000+01:00
diff --git a/.github/workflows/codeql-analysis-steps.yml b/.github/workflows/codeql-analysis-steps.yml
@@ -35,13 +35,13 @@ jobs:
           show-progress: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+        uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
         with:
           build-mode: none
           languages: ${{ matrix.language }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+        uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
         with:
           category: '/language:${{ matrix.language }}'
 
diff --git a/.github/workflows/concurrency-tests.yml b/.github/workflows/concurrency-tests.yml
@@ -31,7 +31,7 @@ jobs:
 
     - name: Publish Artifacts
       if: always() && !cancelled()
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: ${{ matrix.os }}-${{ matrix.project }}-${{ matrix.version }}-coyoteoutput
         path: '**/*_CoyoteOutput.*'
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -33,7 +33,7 @@ jobs:
       # uploads of run results in SARIF format to the repository Actions tab.
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       - name: "Upload artifact"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: SARIF file
           path: results.sarif
@@ -42,6 +42,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/package-validation.yml b/.github/workflows/package-validation.yml
@@ -27,7 +27,7 @@ jobs:
       run: dotnet pack ./build/OpenTelemetry.proj --configuration Release /p:EnablePackageValidation=true /p:ExposeExperimentalFeatures=false /p:RunningDotNetPack=true
 
     - name: Publish stable NuGet packages to Artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: packages-stable
         path: ./artifacts/package/release
@@ -51,7 +51,7 @@ jobs:
       run: dotnet pack ./build/OpenTelemetry.proj --configuration Release /p:EnablePackageValidation=true /p:ExposeExperimentalFeatures=true /p:RunningDotNetPack=true
 
     - name: Publish experimental NuGet packages to Artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: packages-experimental
         path: ./artifacts/package/release
diff --git a/.github/workflows/publish-packages-1.0.yml b/.github/workflows/publish-packages-1.0.yml
@@ -28,6 +28,7 @@ jobs:
   build-pack-publish:
     runs-on: windows-latest
     permissions:
+      attestations: write
       contents: read
       id-token: write
     env:
@@ -75,6 +76,12 @@ jobs:
             }
         }
 
+    - name: Create GitHub attestations for DLLs
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: |
+          ./artifacts/bin/*/release_*/OpenTelemetry*.dll
+
     - name: dotnet pack
       shell: pwsh
       env:
@@ -86,7 +93,7 @@ jobs:
         # renovate: datasource=nuget depName=dotnet-validate
         DOTNET_VALIDATE_VERSION: '0.0.1-preview.537'
         # renovate: datasource=nuget depName=Meziantou.Framework.NuGetPackageValidation.Tool
-        MEZIANTOU_VALIDATE_NUGET_PACKAGE_VERSION: '1.0.32'
+        MEZIANTOU_VALIDATE_NUGET_PACKAGE_VERSION: '1.0.34'
       run: |
         dotnet tool install --global dotnet-validate --version ${env:DOTNET_VALIDATE_VERSION} --allow-roll-forward
         dotnet tool install --global Meziantou.Framework.NuGetPackageValidation.Tool --version ${env:MEZIANTOU_VALIDATE_NUGET_PACKAGE_VERSION} --allow-roll-forward
@@ -153,7 +160,7 @@ jobs:
 
     - name: Publish Artifacts
       id: upload-artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: ${{ github.ref_name }}-packages
         path: ./artifacts/package/release
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -119,7 +119,7 @@
     <PackageVersion Include="StyleCop.Analyzers" Version="1.2.0-beta.556" />
     <PackageVersion Include="Swashbuckle.AspNetCore" Version="9.0.6" />
     <PackageVersion Include="System.Runtime.InteropServices.RuntimeInformation" Version="4.3.0" />
-    <PackageVersion Include="Verify.Xunit" Version="31.0.4" />
+    <PackageVersion Include="Verify.Xunit" Version="31.2.0" />
     <PackageVersion Include="xunit" Version="2.9.3" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="[2.8.2,)" />
   </ItemGroup>
diff --git a/README.md b/README.md
@@ -216,6 +216,23 @@ cosign verify-blob \
 For more verification options please refer to the [cosign
 documentation](https://github.com/sigstore/cosign/blob/main/doc/cosign_verify-blob.md).
 
+### Attestation
+
+Starting with the `1.14.0` release the DLLs included in the packages pushed to
+NuGet are attested using [GitHub Artifact attestations](https://docs.github.com/actions/concepts/security/artifact-attestations).
+
+To verify the attestation of a DLL inside a NuGet package use the [GitHub CLI](https://cli.github.com/):
+
+```bash
+gh attestation verify --owner open-telemetry .\OpenTelemetry.dll
+```
+
+> [!NOTE]
+> A successful verification outputs `Verification succeeded!`.
+
+For more verification options please refer to the [`gh attestation verify`
+documentation](https://cli.github.com/manual/gh_attestation_verify).
+
 ## Contributing
 
 For information about contributing to the project see:
diff --git a/examples/MicroserviceExample/docker-compose.yml b/examples/MicroserviceExample/docker-compose.yml
@@ -5,7 +5,7 @@ services:
       - 9411:9411
 
   rabbitmq:
-    image: rabbitmq:4-management-alpine@sha256:5cbd7145b0306399ad68422c3350b6cbd1bb95704b39f5896480e5b6d4238a04
+    image: rabbitmq:4-management-alpine@sha256:556d88a79852874255fd904048fae637e0158ff0a61201ceae7a701fcc48ba2f
     ports:
       - 5672:5672
       - 15672:15672
diff --git a/test/OpenTelemetry.Instrumentation.W3cTraceContext.Tests/requirements.txt b/test/OpenTelemetry.Instrumentation.W3cTraceContext.Tests/requirements.txt
diff --git a/test/OpenTelemetry.Tests/Trace/BatchExportActivityProcessorTests.cs b/test/OpenTelemetry.Tests/Trace/BatchExportActivityProcessorTests.cs
