Merge branch 'main' into gh-5973

Author: martincostello

.github/dependabot.yml

@@ -1,75 +1,10 @@
+# This file is retained solely for automated tooling to see we do automated
+# dependency updates as not all such scanners recognize the use of Renovate.
 version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
-    labels:
-      - "infra"
-  - package-ecosystem: "docker"
-    directory: "/examples/MicroserviceExample/WebApi"
-    schedule:
-      interval: "weekly"
-      day: "wednesday"
-    labels:
-      - "infra"
-    ignore:
-      - dependency-name: "*"
-        update-types:
-          - "version-update:semver-major"
-          - "version-update:semver-minor"
-  - package-ecosystem: "docker"
-    directory: "examples/MicroserviceExample/WorkerService"
-    schedule:
-      interval: "weekly"
-      day: "wednesday"
-    labels:
-      - "infra"
-    ignore:
-      - dependency-name: "*"
-        update-types:
-          - "version-update:semver-major"
-          - "version-update:semver-minor"
-  - package-ecosystem: "docker"
-    directory: "test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest"
-    schedule:
-      interval: "weekly"
-      day: "wednesday"
-    labels:
-      - "infra"
-    ignore:
-      - dependency-name: "*"
-        update-types:
-          - "version-update:semver-major"
-          - "version-update:semver-minor"
-  - package-ecosystem: "docker"
-    directory: "test/OpenTelemetry.Instrumentation.W3cTraceContext.Tests"
-    schedule:
-      interval: "weekly"
-      day: "wednesday"
-    labels:
-      - "infra"
-    ignore:
-      - dependency-name: "*"
-        update-types:
-          - "version-update:semver-major"
-          - "version-update:semver-minor"
-  - package-ecosystem: "dotnet-sdk"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-      day: "wednesday"
-    labels:
-      - "infra"
-    ignore:
-      - dependency-name: "*"
-        update-types:
-          - "version-update:semver-major"
-          - "version-update:semver-minor"
-  - package-ecosystem: "pip"
-    directory: "test/OpenTelemetry.Instrumentation.W3cTraceContext.Tests"
-    schedule:
-      interval: "weekly"
-      day: "wednesday"
+      interval: yearly
     labels:
       - "infra"

.github/renovate.json

@@ -0,0 +1,60 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "additionalBranchPrefix": "{{manager}}/",
+  "automerge": false,
+  "commitBodyTable": true,
+  "commitMessageAction": "Bump",
+  "dependencyDashboard": false,
+  "extends": [
+    "config:best-practices",
+    "customManagers:dockerfileVersions",
+    "customManagers:githubActionsVersions",
+    ":automergeRequireAllStatusChecks",
+    ":disableRateLimiting",
+    ":enableVulnerabilityAlerts",
+    ":gitSignOff",
+    ":ignoreUnstable"
+  ],
+  "labels": ["dependencies", "infra"],
+  "packageRules": [
+    {
+      "matchManagers": ["dockerfile"],
+      "addLabels": ["docker"]
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "addLabels": ["github_actions"]
+    },
+    {
+      "matchManagers": ["nuget"],
+      "addLabels": [".NET"]
+    },
+    {
+      "matchManagers": ["pypi"],
+      "addLabels": ["python"]
+    },
+    {
+      "description": ["Skip pinned NuGet package versions"],
+      "matchManagers": ["nuget"],
+      "matchCurrentValue": "^\\[[^,]+,\\)$",
+      "enabled": false
+    },
+    {
+      "extends": ["monorepo:dotnet"],
+      "description": ["Disable major version updates for .NET"],
+      "matchUpdateTypes": ["major"],
+      "enabled": false
+    },
+    {
+      "matchDepNames": ["xunit"],
+      "description": ["Disable major version updates for xunit"],
+      "matchUpdateTypes": ["major"],
+      "enabled": false
+    }
+  ],
+  "schedule": ["* 8-17 * * 3"],
+  "timezone": "Etc/UTC",
+  "vulnerabilityAlerts": {
+    "addLabels": ["security"]
+  }
+}

.github/workflows/automation.yml

@@ -5,14 +5,16 @@ on:
     outputs:
       enabled:
         value: ${{ jobs.resolve-automation.outputs.enabled == 'true' }}
-      token-secret-name:
-        value: ${{ jobs.resolve-automation.outputs.token-secret-name }}
       username:
         value: ${{ vars.AUTOMATION_USERNAME }}
       email:
         value: ${{ vars.AUTOMATION_EMAIL }}
+      application-name:
+        value: ${{ vars.AUTOMATION_APPLICATION_NAME }}
+      application-username:
+        value: ${{ vars.AUTOMATION_APPLICATION_USERNAME }}
     secrets:
-      OPENTELEMETRYBOT_GITHUB_TOKEN:
+      OTELBOT_DOTNET_PRIVATE_KEY:
         required: false
 
 permissions:
@@ -25,13 +27,11 @@ jobs:
 
     outputs:
       enabled: ${{ steps.evaluate.outputs.enabled }}
-      token-secret-name: ${{ steps.evaluate.outputs.token-secret-name }}
 
     env:
-      OPENTELEMETRYBOT_GITHUB_TOKEN_EXISTS: ${{ secrets.OPENTELEMETRYBOT_GITHUB_TOKEN != '' }}
+      OTELBOT_DOTNET_PRIVATE_KEY_EXISTS: ${{ secrets.OTELBOT_DOTNET_PRIVATE_KEY != '' }}
 
     steps:
     - id: evaluate
       run: |
-        echo "enabled=${{ env.OPENTELEMETRYBOT_GITHUB_TOKEN_EXISTS == 'true' }}" >> "$GITHUB_OUTPUT"
-        echo "token-secret-name=OPENTELEMETRYBOT_GITHUB_TOKEN" >> "$GITHUB_OUTPUT"
+        echo "enabled=${{ env.OTELBOT_DOTNET_PRIVATE_KEY_EXISTS == 'true' }}" >> "$GITHUB_OUTPUT"

.github/workflows/ci.yml

@@ -16,6 +16,13 @@ jobs:
   lint-misspell-sanitycheck:
     uses: ./.github/workflows/sanitycheck.yml
 
+  code-ql:
+    uses: ./.github/workflows/codeql-analysis-steps.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
   detect-changes:
     runs-on: windows-latest
     outputs:
@@ -175,6 +182,7 @@ jobs:
   build-test:
     needs: [
       detect-changes,
+      code-ql,
       lint-misspell-sanitycheck,
       lint-md,
       lint-dotnet-format,
@@ -192,5 +200,15 @@ jobs:
     if: always() && !cancelled()
     runs-on: ubuntu-22.04
     steps:
-    - run: |
-          if ( ${{ contains(needs.*.result, 'failure') }} == true ); then echo 'build failed'; exit 1; else echo 'build complete'; fi
+    - name: Report CI status
+      shell: bash
+      env:
+        CI_SUCCESS: ${{ !contains(needs.*.result, 'failure') }}
+      run: |
+        if [ "${CI_SUCCESS}" == "true" ]
+        then
+          echo 'Build complete'
+        else
+          echo 'Build failed'
+          exit 1
+        fi

.github/workflows/codeql-analysis-steps.yml

@@ -0,0 +1,65 @@
+name: codeql-analysis-steps
+
+on:
+  workflow_call:
+
+permissions: {}
+
+jobs:
+  analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
+    runs-on: windows-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['actions', 'csharp']
+
+    steps:
+      - name: Configure Pagefile
+        if: matrix.language == 'csharp'
+        uses: al-cheb/configure-pagefile-action@a3b6ebd6b634da88790d9c58d4b37a7f4a7b8708 # v1.4
+        with:
+          minimum-size: 8GB
+          maximum-size: 32GB
+          disk-root: "D:"
+
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          filter: 'tree:0'
+          persist-credentials: false
+          show-progress: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        with:
+          build-mode: none
+          languages: ${{ matrix.language }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        with:
+          category: '/language:${{ matrix.language }}'
+
+  results:
+    if: ${{ !cancelled() }}
+    needs: [ analyze ]
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Report status
+        shell: bash
+        env:
+          SCAN_SUCCESS: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+        run: |
+          if [ "${SCAN_SUCCESS}" == "true" ]
+          then
+            echo 'CodeQL analysis successful'
+          else
+            echo 'CodeQL analysis failed'
+            exit 1
+          fi

.github/workflows/codeql-analysis.yml

@@ -1,71 +1,16 @@
 name: "CodeQL"
 
 on:
-  push:
-    branches: [ 'main' ]
-  pull_request:
-    branches: [ 'main' ]
   schedule:
     - cron: '0 0 * * *' # once in a day at 00:00
   workflow_dispatch:
 
 permissions: {}
 
 jobs:
-  analyze:
+  code-ql:
+    uses: ./.github/workflows/codeql-analysis-steps.yml
     permissions:
-      actions: read  # for github/codeql-action/init to get workflow details
-      contents: read  # for actions/checkout to fetch code
-      security-events: write  # for github/codeql-action/analyze to upload SARIF results
-    runs-on: windows-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['actions', 'csharp']
-
-    steps:
-    - name: Configure Pagefile
-      if: matrix.language == 'csharp'
-      uses: al-cheb/configure-pagefile-action@a3b6ebd6b634da88790d9c58d4b37a7f4a7b8708 # v1.4
-      with:
-        minimum-size: 8GB
-        maximum-size: 32GB
-        disk-root: "D:"
-
-    - name: Checkout repository
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
-        filter: 'tree:0'
-        persist-credentials: false
-        show-progress: false
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
-      with:
-        build-mode: none
-        languages: ${{ matrix.language }}
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
-      with:
-        category: '/language:${{ matrix.language }}'
-
-  codeql:
-    if: ${{ !cancelled() }}
-    needs: [ analyze ]
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Report status
-      shell: bash
-      env:
-        SCAN_SUCCESS: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
-      run: |
-        if [ "${SCAN_SUCCESS}" == "true" ]
-        then
-          echo 'CodeQL analysis successful'
-        else
-          echo 'CodeQL analysis failed'
-          exit 1
-        fi
+      actions: read
+      contents: read
+      security-events: write