Merge branch 'main' of https://github.com/open-telemetry/opentelemetry-java into config-provider

Author: jack-berg

.clomonitor.yml

@@ -0,0 +1,5 @@
+exemptions:
+  - check: artifacthub_badge
+    reason: "Artifact Hub doesn't support Java packages"
+  - check: signed_releases
+    reason: "Maven central releases are signed and there are no GitHub release artifacts"

.codecov.yaml

@@ -11,7 +11,7 @@ coverage:
   status:
     project:
       default:
-        target: 90%
+        target: 89%
         paths:
           - "!opencensus-shim/"
           - "!opentracing-shim/"

.fossa.yml

@@ -0,0 +1,40 @@
+version: 3
+
+targets:
+  only:
+    - type: gradle
+  exclude:
+    # these modules are not published and so consumers will not be exposed to them
+    - type: gradle
+      path: ./
+      target: ':api:testing-internal'
+    - type: gradle
+      path: ./
+      target: ':exporters:otlp:testing-internal'
+    - type: gradle
+      path: ./
+      target: ':integration-tests'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:graal'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:graal-incubating'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:otlp'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:tracecontext'
+    - type: gradle
+      path: ./
+      target: ':perf-harness'
+    - type: gradle
+      path: ./
+      target: ':testing-internal'
+
+experimental:
+  gradle:
+    configurations-only:
+      # consumer will only be exposed to these dependencies
+      - runtimeClasspath

.github/config/markdown-link-check-config.json

@@ -1,9 +1,20 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "config:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigests"
   ],
   "packageRules": [
+    {
+      // this is to reduce the number of renovate PRs
+      "matchManagers": [
+        "github-actions",
+        "dockerfile"
+      ],
+      "extends": ["schedule:weekly"],
+      "groupName": "weekly update"
+    },
     {
       "matchPackageNames": [
         "io.opentelemetry.proto:opentelemetry-proto",

.github/renovate.json5

@@ -5,75 +5,101 @@ Repository settings in addition to what's documented already at
 
 ## General > Pull Requests
 
-* Allow squash merging > Default to pull request title
+- Allow squash merging > Default to pull request title
+
+- Allow auto-merge
 
 ## Actions > General
 
-* Fork pull request workflows from outside collaborators:
+- Fork pull request workflows from outside collaborators:
   "Require approval for first-time contributors who are new to GitHub"
 
   (To reduce friction for new contributors,
   as the default is "Require approval for first-time contributors")
 
-## Branch protections
-
-The order of branch protection rules
-[can be important](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule#about-branch-protection-rules).
-The branch protection rules below should be added before the `**/**` branch protection rule
-(this may require deleting the `**/**` rule and recreating it at the end).
-
-### `main`
-
-* Require branches to be up to date before merging: UNCHECKED
-
-  (PR jobs take too long, and leaving this unchecked has not been a significant problem)
-
-* Status checks that are required:
-
-  * EasyCLA
-  * required-status-check
-
-### `release/*`
-
-Same settings as above for `main`, except:
+- Workflow permissions
+  - Default permissions granted to the `GITHUB_TOKEN` when running workflows in this repository:
+    Read repository contents and packages permissions
+  - Allow GitHub Actions to create and approve pull requests: UNCHECKED
+
+## Rules > Rulesets
+
+### `main` and release branches
+
+- Targeted branches:
+  - `main`
+  - `release/*`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Require a pull request before merging: CHECKED
+    - Required approvals: 1
+    - Require review from Code Owners: CHECKED
+    - Allowed merge methods: Squash
+  - Require status checks to pass
+    - Do not require status checks on creation: CHECKED
+    - Status checks that are required
+      - EasyCLA
+      - `required-status-check`
+      - `gradle-wrapper-validation`
+  - Block force pushes: CHECKED
+  - Require code scanning results: CHECKED
+    - CodeQL
+      - Security alerts: High or higher
+      - Alerts: Errors
+
+### `benchmarks` branch
+
+- Targeted branches:
+  - `benchmarks`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Block force pushes: CHECKED
+
+### Old-style release branches
+
+- Targeted branches:
+  - `v0.*`
+  - `v1.*`
+- Branch rules
+  - Restrict creations: CHECKED
+  - Restrict updates: CHECKED
+  - Restrict deletions: CHECKED
+
+### Restrict branch creation
+
+- Targeted branches
+  - Exclude:
+    - `release/*`
+    - `renovate/**/*`
+    - `otelbot/**/*`
+    - `revert-*/**/*` (these are created when using the GitHub UI to revert a PR)
+- Restrict creations: CHECKED
+
+### Restrict updating tags
+
+- Targeted tags
+  - All tags
+- Restrict updates: CHECKED
+- Restrict deletions: CHECKED
 
-* Restrict pushes that create matching branches: UNCHECKED
-
-  (So that opentelemetrybot can create release branches)
-
-### `renovate/**/**`, and `opentelemetrybot/*`
-
-* Require status checks to pass before merging: UNCHECKED
-
-  (So that renovate PRs can be rebased)
-
-* Restrict who can push to matching branches: UNCHECKED
-
-  (So that bots can create PR branches in this repository)
-
-* Allow force pushes > Everyone
-
-  (So that renovate PRs can be rebased)
-
-* Allow deletions: CHECKED
+## Branch protections
 
-  (So that bot PR branches can be deleted)
+### `main`, `release/*`
 
-### `benchmarks`
+- Restrict who can push to matching branches: CHECKED
 
-- Everything UNCHECKED
+## Code security and analysis
 
-  (This branch is currently only used for directly pushing benchmarking results from the
-  [overhead benchmark](https://github.com/open-telemetry/opentelemetry-java/actions/workflows/benchmark.yml)
-  job)
+- Secret scanning: Enabled
 
 ## Secrets and variables > Actions
 
-* `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
-* `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-* `DEVELOCITY_ACCESS_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
-  * Generated at https://ge.opentelemetry.io > My settings > Access keys
-  * format of env var is `ge.opentelemetry.io=<access key>`,
-    see [docs](https://docs.gradle.com/enterprise/gradle-plugin/#via_environment_variable)
-* `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
-* `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
+- `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
+- `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
+- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
+  - Generated at https://nvd.nist.gov/developers/request-an-api-key
+  - Key is associated with [@trask](https://github.com/trask)'s gmail address
+- `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
+- `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)

.github/repository-settings.md

@@ -6,8 +6,13 @@ on:
         description: "The pull request # to backport"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   backport:
+    permissions:
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - run: |
@@ -16,7 +21,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # history is needed to run git cherry-pick below
           fetch-depth: 0

.github/scripts/markdown-link-check-with-retry.sh

@@ -3,8 +3,13 @@ name: Benchmark Tags
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   sdk-benchmark:
+    permissions:
+      contents: write # for git push to benchmarks branch
     name: Benchmark SDK
     runs-on: self-hosted
     timeout-minutes: 10
@@ -39,31 +44,29 @@ jobs:
           - v1.30.0
           - v1.30.1
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ matrix.tag-version }}
 
       - id: setup-java
         name: Set up Java for build
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: temurin
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
       - name: Run jmh
         run: ./gradlew jmhJar
-        env:
-          GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
 
       - name: Run Benchmark
         run: |
           cd sdk/trace/build
           java -jar libs/opentelemetry-sdk-trace-*-jmh.jar -rf json SpanBenchmark SpanPipelineBenchmark ExporterBenchmark
 
       - name: Store benchmark results
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7 # v1.20.4
         with:
           tool: 'jmh'
           output-file-path: sdk/trace/build/jmh-result.json

.github/workflows/backport.yml

@@ -5,35 +5,38 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   sdk-benchmark:
+    permissions:
+      contents: write # for git push to benchmarks branch
     name: Benchmark SDK
     runs-on: self-hosted
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - id: setup-java
         name: Set up Java for build
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: temurin
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
       - name: Run jmh
         run: ./gradlew jmhJar
-        env:
-          GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
 
       - name: Run Benchmark
         run: |
           cd sdk/trace/build
           java -jar libs/opentelemetry-sdk-trace-*-jmh.jar -rf json SpanBenchmark SpanPipelineBenchmark ExporterBenchmark
 
       - name: Store benchmark results
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7 # v1.20.4
         with:
           tool: 'jmh'
           output-file-path: sdk/trace/build/jmh-result.json