open-telemetry
diff --git a/‎.github/config/markdown-lint-config.yml‎ renamed to ‎.github/config/markdownlint.yml‎ b/‎.github/config/markdown-lint-config.yml‎ renamed to ‎.github/config/markdownlint.yml‎
diff --git a/‎.github/renovate.json5‎
Lines changed: 21 additions & 9 deletions b/‎.github/renovate.json5‎
Lines changed: 21 additions & 9 deletions
diff --git a/‎.github/workflows/assign-reviewers.yml‎
Lines changed: 7 additions & 1 deletion b/‎.github/workflows/assign-reviewers.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎.github/workflows/backport.yml‎
Lines changed: 6 additions & 1 deletion b/‎.github/workflows/backport.yml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 17 additions & 14 deletions b/‎.github/workflows/build.yml‎
Lines changed: 17 additions & 14 deletions
diff --git a/‎.github/workflows/codeql-daily.yml‎
Lines changed: 0 additions & 45 deletions b/‎.github/workflows/codeql-daily.yml‎
Lines changed: 0 additions & 45 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 67 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎.github/workflows/gradle-wrapper-validation.yml‎
Lines changed: 8 additions & 8 deletions b/‎.github/workflows/gradle-wrapper-validation.yml‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎.github/workflows/issue-management-feedback-label.yml‎
Lines changed: 10 additions & 3 deletions b/‎.github/workflows/issue-management-feedback-label.yml‎
Lines changed: 10 additions & 3 deletions
@@ -1,9 +1,17 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "config:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigests"
   ],
   "packageRules": [
+    {
+      // this is to reduce the number of renovate PRs by consolidating them into a weekly batch
+      "matchManagers": ["github-actions"],
+      "extends": ["schedule:weekly"],
+      "groupName": "github actions"
+    },
     {
       "matchPackageNames": [
         "io.opentelemetry:**",
@@ -16,14 +24,6 @@
       // of that release instead of the unstable version for a future release
       "ignoreUnstable": false
     },
-    {
-      "matchPackagePrefixes": ["ch.qos.logback:"],
-      "groupName": "logback packages"
-    },
-    {
-      "matchPackagePrefixes": ["io.micrometer:"],
-      "groupName": "micrometer packages"
-    },
     {
       // prevent 3.0.1u2 -> 3.0.1
       "matchPackageNames": ["com.google.code.findbugs:annotations"],
@@ -99,5 +99,17 @@
       "matchUpdateTypes": ["major"],
       "enabled": false,
     }
+  ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "datasourceTemplate": "npm",
+      "fileMatch": [
+        "^.github/workflows/"
+      ],
+      "matchStrings": [
+        "npx (?<depName>[^@]+)@(?<currentValue>[^\\s]+)"
+      ]
+    }
   ]
 }
@@ -8,10 +8,16 @@ on:
   # because repository write permission is needed to assign reviewers
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   assign-reviewers:
+    permissions:
+      contents: read
+      pull-requests: write  # for assigning reviewers
     runs-on: ubuntu-latest
     steps:
-      - uses: open-telemetry/assign-reviewers-action@main
+      - uses: open-telemetry/assign-reviewers-action@b101a9c17274e3d4fff0853898007e9e3a366675 # main
         with:
           config-file: .github/component_owners.yml
@@ -6,8 +6,13 @@ on:
         description: "The pull request # to backport"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   backport:
+    permissions:
+      contents: write  # for Git to git push
     runs-on: ubuntu-latest
     steps:
       - run: |
@@ -16,7 +21,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # history is needed to run git cherry-pick below
           fetch-depth: 0
 
@@ -8,6 +8,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
@@ -16,16 +19,16 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: temurin
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
         with:
           cache-read-only: ${{ github.event_name == 'pull_request' }}
       - name: Gradle build and test
@@ -43,24 +46,24 @@ jobs:
           - 20
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - id: setup-test-java
         name: Set up JDK ${{ matrix.test-java-version }} for running tests
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           # using zulu because new releases get published quickly
           distribution: zulu
           java-version: ${{ matrix.test-java-version }}
 
       - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: temurin
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
         with:
           cache-read-only: ${{ github.event_name == 'pull_request' }}
       - name: Gradle test
@@ -73,24 +76,24 @@ jobs:
   integration-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: temurin
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
         with:
           cache-read-only: ${{ github.event_name == 'pull_request' }}
 
       - name: Integration test
         run: ./gradlew integrationTest
 
       - name: Save integration test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         if: always()
         with:
           name: integration-test-results
@@ -125,16 +128,16 @@ jobs:
       - integration-test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up JDK for running Gradle
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: temurin
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
         # skipping release branches because the versions in those branches are not snapshots
         # (also this skips pull requests)
         if: ${{ github.ref_name == 'main' && github.repository == 'open-telemetry/opentelemetry-java-contrib' }}
 
@@ -0,0 +1,67 @@
+name: CodeQL
+
+on:
+  pull_request:
+    branches:
+      - main
+      - release/*
+      - v0.*
+      - v1.*
+  push:
+    branches:
+      - main
+      - release/*
+      - v0.*
+      - v1.*
+  schedule:
+    - cron: "29 13 * * 2"  # weekly at 13:29 UTC on Tuesday
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    permissions:
+      contents: read
+      actions: read  # for github/codeql-action/init to get workflow details
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Java 17
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Set up gradle
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        with:
+          languages: java, actions
+          # using "latest" helps to keep up with the latest Kotlin support
+          # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
+          tools: latest
+
+      - name: Assemble
+        # --no-build-cache is required for codeql to analyze all modules
+        # --no-daemon is required for codeql to observe the compilation
+        # (see https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)
+        run: ./gradlew assemble --no-build-cache --no-daemon
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+
+  workflow-notification:
+    permissions:
+      contents: read
+      issues: write
+    needs:
+      - analyze
+    if: always()
+    uses: ./.github/workflows/reusable-workflow-notification.yml
+    with:
+      success: ${{ needs.analyze.result == 'success' }}
@@ -1,16 +1,16 @@
 name: Gradle wrapper validation
+
 on:
-  pull_request:
-    paths:
-      - '**/gradle/wrapper/**'
   push:
-    paths:
-      - '**/gradle/wrapper/**'
+  pull_request:
+
+permissions:
+  contents: read
 
 jobs:
-  validation:
+  gradle-wrapper-validation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: gradle/wrapper-validation[email protected].0
+      - uses: gradle/actions/wrapper-validation@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
@@ -1,21 +1,28 @@
-name: Issue management - remove needs feedback label
+name: Issue management - remove labels as needed
 
 on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   issue_comment:
+    permissions:
+      contents: read
+      issues: write
     if: >
       contains(github.event.issue.labels.*.name, 'needs author feedback') &&
       github.event.comment.user.login == github.event.issue.user.login
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Remove label
+      - name: Remove labels
         env:
           ISSUE_NUMBER: ${{ github.event.issue.number }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh issue edit --remove-label "needs author feedback" $ISSUE_NUMBER
+          gh issue edit --remove-label "stale" $ISSUE_NUMBER