open-telemetry
diff --git a/‎.clomonitor.yml‎
Lines changed: 2 additions & 0 deletions b/‎.clomonitor.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/renovate.json5‎
Lines changed: 6 additions & 3 deletions b/‎.github/renovate.json5‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎.github/repository-settings.md‎
Lines changed: 82 additions & 52 deletions b/‎.github/repository-settings.md‎
Lines changed: 82 additions & 52 deletions
diff --git a/‎.github/workflows/build-tracecontext-testsuite.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build-tracecontext-testsuite.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 12 additions & 6 deletions b/‎.github/workflows/build.yml‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/fossa.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/fossa.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/ossf-scorecard.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/ossf-scorecard.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/owasp-dependency-check-daily.yml‎
Lines changed: 14 additions & 1 deletion b/‎.github/workflows/owasp-dependency-check-daily.yml‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎.github/workflows/reusable-workflow-notification.yml‎
Lines changed: 44 additions & 0 deletions b/‎.github/workflows/reusable-workflow-notification.yml‎
Lines changed: 44 additions & 0 deletions
@@ -1,3 +1,5 @@
 exemptions:
   - check: artifacthub_badge
     reason: "Artifact Hub doesn't support Java packages"
+  - check: signed_releases
+    reason: "Maven central releases are signed and there are no GitHub release artifacts"
@@ -7,10 +7,13 @@
   ],
   "packageRules": [
     {
-      // this is to reduce the number of renovate PRs by consolidating them into a weekly batch
-      "matchManagers": ["github-actions"],
+      // this is to reduce the number of renovate PRs
+      "matchManagers": [
+        "github-actions",
+        "dockerfile"
+      ],
       "extends": ["schedule:weekly"],
-      "groupName": "github actions",
+      "groupName": "weekly update"
     },
     {
       "matchPackageNames": [
 
@@ -5,71 +5,101 @@ Repository settings in addition to what's documented already at
 
 ## General > Pull Requests
 
-* Allow squash merging > Default to pull request title
+- Allow squash merging > Default to pull request title
+
+- Allow auto-merge
 
 ## Actions > General
 
-* Fork pull request workflows from outside collaborators:
+- Fork pull request workflows from outside collaborators:
   "Require approval for first-time contributors who are new to GitHub"
 
   (To reduce friction for new contributors,
   as the default is "Require approval for first-time contributors")
 
-## Branch protections
-
-The order of branch protection rules
-[can be important](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule#about-branch-protection-rules).
-The branch protection rules below should be added before the `**/**` branch protection rule
-(this may require deleting the `**/**` rule and recreating it at the end).
-
-### `main`
-
-* Require branches to be up to date before merging: UNCHECKED
-
-  (PR jobs take too long, and leaving this unchecked has not been a significant problem)
-
-* Status checks that are required:
-
-  * EasyCLA
-  * required-status-check
-
-### `release/*`
-
-Same settings as above for `main`, except:
+- Workflow permissions
+  - Default permissions granted to the `GITHUB_TOKEN` when running workflows in this repository:
+    Read repository contents and packages permissions
+  - Allow GitHub Actions to create and approve pull requests: UNCHECKED
+
+## Rules > Rulesets
+
+### `main` and release branches
+
+- Targeted branches:
+  - `main`
+  - `release/*`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Require a pull request before merging: CHECKED
+    - Required approvals: 1
+    - Require review from Code Owners: CHECKED
+    - Allowed merge methods: Squash
+  - Require status checks to pass
+    - Do not require status checks on creation: CHECKED
+    - Status checks that are required
+      - EasyCLA
+      - `required-status-check`
+      - `gradle-wrapper-validation`
+  - Block force pushes: CHECKED
+  - Require code scanning results: CHECKED
+    - CodeQL
+      - Security alerts: High or higher
+      - Alerts: Errors
+
+### `benchmarks` branch
+
+- Targeted branches:
+  - `benchmarks`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Block force pushes: CHECKED
+
+### Old-style release branches
+
+- Targeted branches:
+  - `v0.*`
+  - `v1.*`
+- Branch rules
+  - Restrict creations: CHECKED
+  - Restrict updates: CHECKED
+  - Restrict deletions: CHECKED
+
+### Restrict branch creation
+
+- Targeted branches
+  - Exclude:
+    - `release/*`
+    - `renovate/**/*`
+    - `otelbot/**/*`
+    - `revert-*/**/*` (these are created when using the GitHub UI to revert a PR)
+- Restrict creations: CHECKED
+
+### Restrict updating tags
+
+- Targeted tags
+  - All tags
+- Restrict updates: CHECKED
+- Restrict deletions: CHECKED
 
-* Restrict pushes that create matching branches: UNCHECKED
-
-  (So that opentelemetrybot can create release branches)
-
-### `renovate/**/**`, and `opentelemetrybot/*`
-
-* Require status checks to pass before merging: UNCHECKED
-
-  (So that renovate PRs can be rebased)
-
-* Restrict who can push to matching branches: UNCHECKED
-
-  (So that bots can create PR branches in this repository)
-
-* Allow force pushes > Everyone
-
-  (So that renovate PRs can be rebased)
-
-* Allow deletions: CHECKED
+## Branch protections
 
-  (So that bot PR branches can be deleted)
+### `main`, `release/*`
 
-### `benchmarks`
+- Restrict who can push to matching branches: CHECKED
 
-- Everything UNCHECKED
+## Code security and analysis
 
-  (This branch is currently only used for directly pushing benchmarking results from the
-  [overhead benchmark](https://github.com/open-telemetry/opentelemetry-java/actions/workflows/benchmark.yml)
-  job)
+- Secret scanning: Enabled
 
 ## Secrets and variables > Actions
 
-* `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
-* `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-* `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
-* `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
+- `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
+- `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
+- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
+  - Generated at https://nvd.nist.gov/developers/request-an-api-key
+  - Key is associated with [@trask](https://github.com/trask)'s gmail address
+- `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
+- `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
@@ -29,7 +29,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: integration-tests/tracecontext/docker
           push: true
 
@@ -35,7 +35,7 @@ jobs:
           - 23
         # Collect coverage on latest LTS
         include:
-          - os: ubuntu-20.04
+          - os: ubuntu-latest
             test-java-version: 21
             coverage: true
             jmh-based-tests: true
@@ -99,12 +99,12 @@ jobs:
             exit 1
           fi
 
-      - uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
+      - uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
         if: ${{ matrix.coverage }}
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         if: ${{ matrix.coverage }}
         with:
           name: coverage-report
@@ -161,13 +161,19 @@ jobs:
           GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
 
   build-graal:
+    name: Build GraalVM
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        test-graal-version:
+          - 21
+          - 23
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: graalvm/setup-graalvm@aafbedb8d382ed0ca6167d3a051415f20c859274 # v1.2.8
+      - uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # v1.3.3
         with:
-          # TODO(jack-berg): Which versions do we need to test? Should we use a matrix scheme?
-          java-version: '21'
+          java-version: ${{ matrix.test-graal-version }}
           distribution: 'graalvm'
           components: 'native-image'
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -37,7 +37,7 @@ jobs:
         uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
         with:
           languages: java, actions
           # using "latest" helps to keep up with the latest Kotlin support
@@ -51,4 +51,4 @@ jobs:
         run: ./gradlew assemble --no-build-cache --no-daemon
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
@@ -17,3 +17,4 @@ jobs:
       - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
         with:
           api-key: ${{secrets.FOSSA_API_KEY}}
+          team: OpenTelemetry
@@ -23,7 +23,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+      - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -33,7 +33,7 @@ jobs:
       # uploads of run results in SARIF format to the repository Actions tab.
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: SARIF file
           path: results.sarif
@@ -42,6 +42,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
         with:
           sarif_file: results.sarif
@@ -26,9 +26,22 @@ jobs:
 
       - name: Check dependencies
         run: ./gradlew dependencyCheckAnalyze
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
 
       - name: Upload report
         if: always()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           path: javaagent/build/reports
+
+  workflow-notification:
+    permissions:
+      contents: read
+      issues: write
+    needs:
+      - analyze
+    if: always()
+    uses: ./.github/workflows/reusable-workflow-notification.yml
+    with:
+      success: ${{ needs.analyze.result == 'success' }}
@@ -0,0 +1,44 @@
+# this is useful because notifications for scheduled workflows are only sent to the user who
+# initially created the given workflow
+name: Reusable - Workflow notification
+
+on:
+  workflow_call:
+    inputs:
+      success:
+        type: boolean
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  workflow-notification:
+    permissions:
+      contents: read
+      issues: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Open issue or add comment if issue already open
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # TODO (trask) search doesn't support exact phrases, so it's possible that this could grab the wrong issue
+          number=$(gh issue list --search "in:title Workflow failed: $GITHUB_WORKFLOW" --limit 1 --json number -q .[].number)
+
+          echo $number
+          echo ${{ inputs.success }}
+
+          if [[ $number ]]; then
+            if [[ "${{ inputs.success }}" == "true" ]]; then
+              gh issue close $number
+            else
+              gh issue comment $number \
+                               --body "See [$GITHUB_WORKFLOW #$GITHUB_RUN_NUMBER](https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID)."
+            fi
+          elif [[ "${{ inputs.success }}" == "false" ]]; then
+            gh issue create --title "Workflow failed: $GITHUB_WORKFLOW (#$GITHUB_RUN_NUMBER)" \
+                            --body "See [$GITHUB_WORKFLOW #$GITHUB_RUN_NUMBER](https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID)."
+          fi