Merge branch 'main' into x-foo-1-secretsmanager

Author: laurit

.github/workflows/auto-update-pull-request.yml

@@ -55,11 +55,22 @@ jobs:
           git config user.name otelbot
           git config user.email [email protected]
 
+      - id: gradle-task
+        if: steps.unzip-patch.outputs.exists == 'true'
+        run: |
+          if [[ "${{ github.event.workflow_run.name }}" == "Auto spotless" ]]; then
+            echo "name=spotlessApply" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.event.workflow_run.name }}" == "Auto license report" ]]; then
+            echo "name=generateLicenseReport" >> $GITHUB_OUTPUT
+          else
+            echo "name=unknown" >> $GITHUB_OUTPUT
+          fi
+
       - name: Apply patch and push
         if: steps.unzip-patch.outputs.exists == 'true'
         run: |
           git apply "${{ runner.temp }}/patch"
-          git commit -a -m "./gradlew spotlessApply"
+          git commit -a -m "./gradlew ${{ steps.gradle-task.outputs.name }}"
           git push
 
       - id: get-pr
@@ -84,12 +95,12 @@ jobs:
           GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
           PR_NUMBER: ${{ steps.get-pr.outputs.number }}
         run: |
-          gh pr comment $PR_NUMBER --body "🔧 The result from spotlessApply was committed to the PR branch."
+          gh pr comment $PR_NUMBER --body "🔧 The result from ${{ steps.gradle-task.outputs.name }} was committed to the PR branch."
 
       - if: steps.unzip-patch.outputs.exists == 'true' && failure()
         env:
           GH_REPO: ${{ github.repository }}
           GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
           PR_NUMBER: ${{ steps.get-pr.outputs.number }}
         run: |
-          gh pr comment $PR_NUMBER --body "❌ The result from spotlessApply could not be committed to the PR branch, see logs: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID."
+          gh pr comment $PR_NUMBER --body "❌ The result from ${{ steps.gradle-task.outputs.name }} could not be committed to the PR branch, see logs: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID."

.github/workflows/codeql.yml

@@ -21,12 +21,18 @@ permissions:
 
 jobs:
   analyze:
+    name: Analyze (${{ matrix.language }})
     permissions:
       contents: read
       actions: read  # for github/codeql-action/init to get workflow details
       security-events: write  # for github/codeql-action/analyze to upload SARIF results
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+          - language: java
     runs-on: oracle-8cpu-32gb-x86-64
-
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -44,25 +50,29 @@ jobs:
           # and so it uses more parallelism which uses more memory
           sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx8g /" gradle.properties
 
-      - name: Setup Gradle
+      - name: Set up Gradle
+        if: matrix.language == 'java'
         uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
         with:
           cache-read-only: ${{ github.event_name == 'pull_request' }}
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
-          languages: java, actions
+          languages: ${{ matrix.language }}
           # using "latest" helps to keep up with the latest Kotlin support
           # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
           tools: latest
 
-      - name: Build
+      - name: Assemble
+        if: matrix.language == 'java'
         # --no-build-cache is required for codeql to analyze all modules
         # --no-daemon is required for codeql to observe the compilation
         # (see https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)
         # quarkus tasks are disabled because they often cause the build to fail (see https://github.com/open-telemetry/opentelemetry-java-instrumentation/issues/13284)
         run: ./gradlew assemble -x javadoc -x :instrumentation:quarkus-resteasy-reactive:quarkus3-testing:quarkusGenerateCodeDev -x :instrumentation:quarkus-resteasy-reactive:quarkus2-testing:quarkusGenerateCodeDev --no-build-cache --no-daemon
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/ossf-scorecard.yml

@@ -42,6 +42,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           sarif_file: results.sarif

.github/workflows/reusable-markdown-link-check.yml

@@ -22,5 +22,6 @@ jobs:
             --exclude "^http://code.google.com/p/concurrentlinkedhashmap$"
             --exclude "^https://softwareengineering.stackexchange.com/questions/29727"
             --max-retries 6
-            --max-concurrency 1
+            --max-concurrency 4
+            --github-token ${{ github.token }}
             .

.gitignore

@@ -57,7 +57,7 @@ derby.log
 hs_err_pid*
 replay_pid*
 .attach_pid*
-**/.telemetry*
+.telemetry*
 
 !java-agent/benchmark/releases/*.jar
 

CONTRIBUTING.md

@@ -17,8 +17,8 @@ See [Running the tests](./docs/contributing/running-tests.md) for more details.
 
 For developers testing code changes before a release is complete, there are
 snapshot builds of the `main` branch. They are available from
-the Sonatype OSS snapshots repository at `https://oss.sonatype.org/content/repositories/snapshots/`
-([browse](https://oss.sonatype.org/content/repositories/snapshots/io/opentelemetry/))
+the Sonatype snapshot repository at `https://central.sonatype.com/repository/maven-snapshots/`
+([browse](https://central.sonatype.com/service/rest/repository/browse/maven-snapshots/io/opentelemetry/)).
 
 ### Building from source
 

RELEASING.md

@@ -8,7 +8,7 @@ The version is specified in [version.gradle.kts](version.gradle.kts).
 
 Every successful CI build of the main branch automatically executes `./gradlew publishToSonatype`
 as the last step, which publishes a snapshot build to
-[Sonatype OSS snapshots repository](https://oss.sonatype.org/content/repositories/snapshots/io/opentelemetry/).
+[Sonatype snapshot repository](https://central.sonatype.com/service/rest/repository/browse/maven-snapshots/io/opentelemetry/).
 
 ## Release cadence
 

benchmark-overhead/Dockerfile.petclinic

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:11.0.27_6-jdk@sha256:2efe33b5bd32f948e827c66761f0190150103ba3316395703a6e14322b0f4b87 as app-build
+FROM eclipse-temurin:11.0.27_6-jdk@sha256:2ecaad32bb7a709078bac5a56669c292cfb1bb2cbabcdbe8340e9367bbf7e5d4 as app-build
 
 # This is the base image that will contain a built version of the spring-petclinic-rest
 # application. Installing the dependencies and maven compiling the application is time

buildscripts/dependency-check-suppressions.xml

@@ -13,4 +13,16 @@
     <vulnerabilityName>CVE-2023-45142</vulnerabilityName>
     <vulnerabilityName>CVE-2023-47108</vulnerabilityName>
   </suppress>
+  <suppress>
+    <!-- detected CVE is for a different project https://www.cve.org/CVERecord?id=CVE-2018-17046 -->
+    <packageUrl>pkg:maven/codes.rafael.asmjdkbridge/[email protected]</packageUrl>
+    <vulnerabilityName>CVE-2018-17046</vulnerabilityName>
+  </suppress>
+  <suppress>
+    <!-- detected CVEs are json-java not groovy-json, https://www.cve.org/CVERecord?id=CVE-2022-45688
+      https://nvd.nist.gov/vuln/detail/cve-2023-5072 -->
+    <packageUrl>pkg:maven/org.codehaus.groovy/[email protected]</packageUrl>
+    <vulnerabilityName>CVE-2022-45688</vulnerabilityName>
+    <vulnerabilityName>CVE-2023-5072</vulnerabilityName>
+  </suppress>
 </suppressions>

conventions/build.gradle.kts

@@ -60,7 +60,7 @@ dependencies {
   implementation("com.gradleup.shadow:shadow-gradle-plugin:8.3.6")
   implementation("org.apache.httpcomponents:httpclient:4.5.14")
   implementation("com.gradle.develocity:com.gradle.develocity.gradle.plugin:4.0.2")
-  implementation("org.owasp:dependency-check-gradle:12.1.2")
+  implementation("org.owasp:dependency-check-gradle:12.1.3")
   implementation("ru.vyarus:gradle-animalsniffer-plugin:2.0.1")
   implementation("org.spdx:spdx-gradle-plugin:0.9.0")
   // When updating, also update dependencyManagement/build.gradle.kts