open-telemetry
diff --git a/‎.github/repository-settings.md‎
Lines changed: 2 additions & 73 deletions b/‎.github/repository-settings.md‎
Lines changed: 2 additions & 73 deletions
diff --git a/‎.github/workflows/auto-license-report.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/auto-license-report.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/auto-spotless.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/auto-spotless.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/auto-update-otel-sdk.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/auto-update-otel-sdk.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/auto-update-pull-request.yml‎
Lines changed: 14 additions & 3 deletions b/‎.github/workflows/auto-update-pull-request.yml‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎.github/workflows/build-common.yml‎
Lines changed: 12 additions & 8 deletions b/‎.github/workflows/build-common.yml‎
Lines changed: 12 additions & 8 deletions
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 17 additions & 7 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 17 additions & 7 deletions
diff --git a/‎.github/workflows/gradle-wrapper-validation.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/gradle-wrapper-validation.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/issue-management-feedback-label.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/issue-management-feedback-label.yml‎
Lines changed: 1 addition & 0 deletions
@@ -1,79 +1,8 @@
 # Repository settings
 
 This document describes any changes that have been made to the
-settings for this repository beyond the [OpenTelemetry default repository
-settings](https://github.com/open-telemetry/community/blob/main/docs/how-to-configure-new-repository.md#repository-settings).
-
-## General > Pull Requests
-
-- Allow squash merging > Default to pull request title
-
-- Allow auto-merge
-
-## Actions > General
-
-- Fork pull request workflows from outside collaborators:
-  "Require approval for first-time contributors who are new to GitHub"
-
-  (To reduce friction for new contributors,
-  as the default is "Require approval for first-time contributors")
-
-- Workflow permissions
-  - Default permissions granted to the `GITHUB_TOKEN` when running workflows in this repository:
-    Read repository contents and packages permissions
-  - Allow GitHub Actions to create and approve pull requests: UNCHECKED
-
-## Branch protections
-
-The order of branch protection rules
-[can be important](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule#about-branch-protection-rules).
-The branch protection rules below should be added before the `**/**` branch protection rule
-(this may require deleting the `**/**` rule and recreating it at the end).
-
-### `main`
-
-- Require branches to be up to date before merging: UNCHECKED
-
-  (PR jobs take too long, and leaving this unchecked has not been a significant problem)
-
-- Status checks that are required:
-
-  - EasyCLA
-  - required-status-check
-  - gradle-wrapper-validation
-  - CodeQL
-
-### `release/*`
-
-Same settings as above for [`main`](#main).
-
-### `v0.*` and `v1.*` (old-style release branches)
-
-- Lock branch: CHECKED
-
-- Do not allow bypassing the above settings: CHECKED
-
-### `cloudfoundry`
-
-Same settings as above for [`main`](#main),
-except for the `required-status-check` required status check.
-
-### `renovate/**/*` and `otelbot/**/*`
-
-Same settings as
-for [`dependabot/**/*`](https://github.com/open-telemetry/community/blob/main/docs/how-to-configure-new-repository.md#branch-protection-rule-dependabot)
-
-### `gh-pages`
-
-- Everything UNCHECKED
-
-  (This branch is currently only used for directly pushing benchmarking results from the
-  [Nightly overhead benchmark](https://github.com/open-telemetry/opentelemetry-java-instrumentation/actions/workflows/nightly-benchmark-overhead.yml)
-  job)
-
-## Code security and analysis
-
-- Secret scanning: Enabled
+settings in this repository outside the settings tracked in the
+private admin repo.
 
 ## Secrets and variables > Actions
 
 
@@ -28,7 +28,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           cache-read-only: true
 
@@ -43,6 +43,7 @@ jobs:
       - id: create-patch
         name: Create patch file
         run: |
+          git add -N licenses
           git diff > patch
           if [ -s patch ]; then
             echo "exists=true" >> "$GITHUB_OUTPUT"
 
@@ -28,7 +28,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           cache-read-only: true
 
 
@@ -72,7 +72,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
       - name: Update license report
         run: ./gradlew generateLicenseReport
 
@@ -55,11 +55,22 @@ jobs:
           git config user.name otelbot
           git config user.email [email protected]
 
+      - id: gradle-task
+        if: steps.unzip-patch.outputs.exists == 'true'
+        run: |
+          if [[ "${{ github.event.workflow_run.name }}" == "Auto spotless" ]]; then
+            echo "name=spotlessApply" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event.workflow_run.name }}" == "Auto license report" ]]; then
+            echo "name=generateLicenseReport" >> $GITHUB_OUTPUT
+          else
+            echo "name=unknown" >> $GITHUB_OUTPUT
+          fi
+
       - name: Apply patch and push
         if: steps.unzip-patch.outputs.exists == 'true'
         run: |
           git apply "${{ runner.temp }}/patch"
-          git commit -a -m "./gradlew spotlessApply"
+          git commit -a -m "./gradlew ${{ steps.gradle-task.outputs.name }}"
           git push
 
       - id: get-pr
@@ -84,12 +95,12 @@ jobs:
           GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
           PR_NUMBER: ${{ steps.get-pr.outputs.number }}
         run: |
-          gh pr comment $PR_NUMBER --body "🔧 The result from spotlessApply was committed to the PR branch."
+          gh pr comment $PR_NUMBER --body "🔧 The result from ${{ steps.gradle-task.outputs.name }} was committed to the PR branch."
 
       - if: steps.unzip-patch.outputs.exists == 'true' && failure()
         env:
           GH_REPO: ${{ github.repository }}
           GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
           PR_NUMBER: ${{ steps.get-pr.outputs.number }}
         run: |
-          gh pr comment $PR_NUMBER --body "❌ The result from spotlessApply could not be committed to the PR branch, see logs: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID."
+          gh pr comment $PR_NUMBER --body "❌ The result from ${{ steps.gradle-task.outputs.name }} could not be committed to the PR branch, see logs: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID."
@@ -41,7 +41,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           cache-read-only: ${{ inputs.cache-read-only }}
 
@@ -63,7 +63,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           cache-read-only: ${{ inputs.cache-read-only }}
 
@@ -102,7 +102,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           cache-read-only: ${{ inputs.cache-read-only }}
 
@@ -189,7 +189,7 @@ jobs:
           sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx3g /" gradle.properties
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           cache-read-only: ${{ inputs.cache-read-only }}
 
@@ -301,7 +301,7 @@ jobs:
         run: .github/scripts/deadlock-detector.sh
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           # only push cache for one matrix option since github action cache space is limited
           cache-read-only: ${{ inputs.cache-read-only || matrix.test-java-version != 11 || matrix.vm != 'hotspot' }}
@@ -432,7 +432,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Set up Gradle cache
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           # only push cache for one matrix option per OS since github action cache space is limited
           cache-read-only: ${{ inputs.cache-read-only || matrix.smoke-test-suite != 'tomcat' }}
@@ -445,6 +445,10 @@ jobs:
       - name: Test
         run: ./gradlew :smoke-tests:test -PsmokeTestSuite=${{ matrix.smoke-test-suite }} ${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
 
+      - name: Build scan
+        if: ${{ !cancelled() && hashFiles('build-scan.txt') != '' }}
+        run: cat build-scan.txt
+
       - name: Upload jvm crash dump files if any
         if: failure()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -480,7 +484,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           cache-read-only: ${{ inputs.cache-read-only }}
 
@@ -503,7 +507,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Set up Gradle cache
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           cache-read-only: ${{ inputs.cache-read-only }}
 
 
@@ -76,7 +76,7 @@ jobs:
           java-version-file: .java-version
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
       - name: Build and publish artifact snapshots
         env:
 
@@ -21,12 +21,18 @@ permissions:
 
 jobs:
   analyze:
+    name: Analyze (${{ matrix.language }})
     permissions:
       contents: read
       actions: read  # for github/codeql-action/init to get workflow details
       security-events: write  # for github/codeql-action/analyze to upload SARIF results
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+          - language: java
     runs-on: oracle-8cpu-32gb-x86-64
-
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -44,25 +50,29 @@ jobs:
           # and so it uses more parallelism which uses more memory
           sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx8g /" gradle.properties
 
-      - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+      - name: Set up Gradle
+        if: matrix.language == 'java'
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         with:
           cache-read-only: ${{ github.event_name == 'pull_request' }}
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/init@39edc492dbe16b1465b0cafca41432d857bdb31a # v3.29.1
         with:
-          languages: java, actions
+          languages: ${{ matrix.language }}
           # using "latest" helps to keep up with the latest Kotlin support
           # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
           tools: latest
 
-      - name: Build
+      - name: Assemble
+        if: matrix.language == 'java'
         # --no-build-cache is required for codeql to analyze all modules
         # --no-daemon is required for codeql to observe the compilation
         # (see https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)
         # quarkus tasks are disabled because they often cause the build to fail (see https://github.com/open-telemetry/opentelemetry-java-instrumentation/issues/13284)
         run: ./gradlew assemble -x javadoc -x :instrumentation:quarkus-resteasy-reactive:quarkus3-testing:quarkusGenerateCodeDev -x :instrumentation:quarkus-resteasy-reactive:quarkus2-testing:quarkusGenerateCodeDev --no-build-cache --no-daemon
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/analyze@39edc492dbe16b1465b0cafca41432d857bdb31a # v3.29.1
+        with:
+          category: "/language:${{matrix.language}}"
@@ -14,4 +14,4 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       # this needs to be in its own workflow in order to make OSSF scorecard happy
-      - uses: gradle/actions/wrapper-validation@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+      - uses: gradle/actions/wrapper-validation@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
@@ -12,6 +12,7 @@ jobs:
     permissions:
       contents: read
       issues: write
+      pull-requests: write
     if: >
       contains(github.event.issue.labels.*.name, 'needs author feedback') &&
       github.event.comment.user.login == github.event.issue.user.login