Merge branch 'main' into pr-1404-3

Author: kaylareopelle

.cspell.yml

@@ -38,6 +38,7 @@ words:
   - gemfile
   - Gitter
   - gruf
+  - hibachrach
   - HTTPX
   - httpx
   - instrumenter

.github/actions/test_gem/action.yml

@@ -84,7 +84,7 @@ runs:
     # ...but not for appraisals, sadly.
     - name: Install Ruby ${{ inputs.ruby }} with dependencies
       if: "${{ steps.setup.outputs.appraisals == 'false' }}"
-      uses: ruby/setup-ruby@v1.221.0
+      uses: ruby/setup-ruby@v1.229.0
       with:
         ruby-version: "${{ inputs.ruby }}"
         working-directory: "${{ steps.setup.outputs.gem_dir }}"
@@ -95,7 +95,7 @@ runs:
     # If we're using appraisals, do it all manually.
     - name: Install Ruby ${{ inputs.ruby }} without dependencies
       if: "${{ steps.setup.outputs.appraisals == 'true' }}"
-      uses: ruby/setup-ruby@v1.221.0
+      uses: ruby/setup-ruby@v1.229.0
       with:
         ruby-version: "${{ inputs.ruby }}"
         bundler:  "latest"

.github/workflows/fossa.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+      - uses: fossas/fossa-action@c0a7d013f84c8ee5e910593186598625513cc1e4 # v1.6.0
         with:
           api-key: ${{secrets.FOSSA_API_KEY}}
           team: OpenTelemetry

.github/workflows/installation-tests.yml

@@ -25,7 +25,7 @@ jobs:
       - uses: actions/checkout@v4
         # ATTENTION: Dependabot does not know how to update shared actions file.
         # If you see it update setup-ruby here also update it as part of actions/test_gem/action.yml
-      - uses: ruby/setup-ruby@v1.221.0
+      - uses: ruby/setup-ruby@v1.229.0
         with:
           ruby-version: ${{ matrix.ruby-version }}
       - name: "Install Latest Gem Versions on ${{ matrix.ruby-version }}"

.github/workflows/ossf-scorecard.yml

@@ -0,0 +1,48 @@
+name: OSSF Scorecard
+
+on:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "18 23 * * 6" # once a week
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    if: ${{ github.repository == 'open-telemetry/opentelemetry-ruby-contrib' }}
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for Code scanning upload
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+        with:
+          sarif_file: results.sarif

.github/workflows/release-hook-on-closed.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Ruby ${{ env.ruby_version }}
-        uses: ruby/setup-ruby@v1.221.0
+        uses: ruby/setup-ruby@v1.229.0
         with:
           ruby-version: ${{ env.ruby_version }}
       - name: Checkout repo

.github/workflows/release-hook-on-push.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Ruby ${{ env.ruby_version }}
-        uses: ruby/setup-ruby@v1.221.0
+        uses: ruby/setup-ruby@v1.229.0
         with:
           ruby-version: ${{ env.ruby_version }}
       - name: Checkout repo

.github/workflows/release-perform.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Ruby ${{ env.ruby_version }}
-        uses: ruby/setup-ruby@v1.221.0
+        uses: ruby/setup-ruby@v1.229.0
         with:
           ruby-version: ${{ env.ruby_version }}
       - name: Checkout repo

.github/workflows/release-please.yaml

@@ -17,7 +17,7 @@ jobs:
     name: Process Release
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@v4.1.4
+      - uses: googleapis/release-please-action@v4.2.0
         id: prepare
         # with:
         #   token: ${{ secrets.OPENTELEMETRYBOT_GITHUB_TOKEN }}
@@ -50,7 +50,7 @@ jobs:
           chmod 0600 $HOME/.gem/credentials
           printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
 
-      - uses: ruby/setup-ruby@v1.221.0
+      - uses: ruby/setup-ruby@v1.229.0
         with:
           ruby-version: "3.1"
           bundler: latest

.github/workflows/release-request-weekly.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Ruby ${{ env.ruby_version }}
-        uses: ruby/setup-ruby@v1.221.0
+        uses: ruby/setup-ruby@v1.229.0
         with:
           ruby-version: ${{ env.ruby_version }}
       - name: Checkout repo