From 77040967501d8d7a69a8dc51ee59d395d14a4bc5 Mon Sep 17 00:00:00 2001 From: Trask Stalnaker Date: Fri, 12 Sep 2025 07:18:29 -0700 Subject: [PATCH 1/2] Pin npm hash --- .github/renovate.json5 | 10 --------- .github/scripts/package-lock.json | 27 +++++++++++++++++++++++ .github/scripts/package.json | 9 ++++++++ .github/workflows/assign-issue-owners.yml | 4 ++-- 4 files changed, 38 insertions(+), 12 deletions(-) create mode 100644 .github/scripts/package-lock.json create mode 100644 .github/scripts/package.json diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 6a0416b696..c6a64fbe08 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -198,16 +198,6 @@ 'npx (?[^@]+)@(?[^\\s]+)', ], }, - { - customType: 'regex', - datasourceTemplate: 'npm', - managerFilePatterns: [ - '.github/workflows/**', - ], - matchStrings: [ - 'npm install (?[^@\\s]+)@(?[^\\s]+)', - ], - }, { customType: 'regex', datasourceTemplate: 'java-version', diff --git a/.github/scripts/package-lock.json b/.github/scripts/package-lock.json new file mode 100644 index 0000000000..513b765cab --- /dev/null +++ b/.github/scripts/package-lock.json @@ -0,0 +1,27 @@ +{ + "name": "github-scripts", + "version": "1.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "github-scripts", + "version": "1.0.0", + "dependencies": { + "yaml": "2.8.0" + } + }, + "node_modules/yaml": { + "version": "2.8.0", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.0.tgz", + "integrity": "sha512-4lLa/EcQCB0cJkyts+FpIRx5G/llPxfP6VQU5KByHEhLxY3IJCH0f0Hy1MHI8sClTvsIb8qwRJ6R/ZdlDJ/leQ==", + "license": "ISC", + "bin": { + "yaml": "bin.mjs" + }, + "engines": { + "node": ">= 14.6" + } + } + } +} diff --git a/.github/scripts/package.json b/.github/scripts/package.json new file mode 100644 index 0000000000..7477003a2d --- /dev/null +++ b/.github/scripts/package.json 
@@ -0,0 +1,9 @@ +{ + "//": "Dependencies for GitHub Actions workflows that use actions/github-script", + "name": "github-scripts", + "version": "1.0.0", + "private": true, + "dependencies": { + "yaml": "2.8.0" + } +} diff --git a/.github/workflows/assign-issue-owners.yml b/.github/workflows/assign-issue-owners.yml index 11965eae58..7d7acba676 100644 --- a/.github/workflows/assign-issue-owners.yml +++ b/.github/workflows/assign-issue-owners.yml @@ -19,8 +19,8 @@ jobs: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Install yaml - run: npm install yaml@2.8.1 + - name: Install yaml dependency used below + run: npm install .github/scripts - name: Parse component label and assign owners uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 From 9899040d1662ebc37d20d885c1462f83aa494186 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 18 Sep 2025 22:10:08 +0000 Subject: [PATCH 2/2] fix(deps): update all patch versions --- .github/scripts/package-lock.json | 8 ++++---- .github/scripts/package.json | 2 +- .github/workflows/auto-spotless-apply.yml | 2 +- .github/workflows/backport.yml | 2 +- .github/workflows/ossf-scorecard.yml | 2 +- .github/workflows/prepare-patch-release.yml | 2 +- .github/workflows/prepare-release-branch.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts | 2 +- dependencyManagement/build.gradle.kts | 4 ++-- gcp-auth-extension/build.gradle.kts | 2 +- ibm-mq-metrics/build.gradle.kts | 2 +- .../src/test/resources/projects/springboot_1/pom.xml | 2 +- .../src/test/resources/projects/springboot_2/pom.xml | 2 +- 14 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/scripts/package-lock.json b/.github/scripts/package-lock.json index 513b765cab..f364e11066 100644 --- a/.github/scripts/package-lock.json +++ b/.github/scripts/package-lock.json 
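Review bot: The new `run: npm install .github/scripts` step in assign-issue-owners.yml probably does not enforce the integrity hash this commit adds, because npm only honours a `package-lock.json` at the root of the project it is installing into and ignores one inside a folder that is installed as a dependency. Run from the repository root, the step installs the folder as a local package and resolves `yaml` from the registry by the exact version in `package.json` alone, so the `sha512-…` value in `.github/scripts/package-lock.json` is never compared. To make the lockfile authoritative, install from it directly, for example `run: npm ci --ignore-scripts --prefix .github/scripts`, which fails on a manifest/lockfile or hash mismatch and skips package lifecycle scripts. The github-script step that loads `yaml` continues outside this hunk, so its module lookup would need checking against `.github/scripts/node_modules` after that change.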
@@ -8,13 +8,13 @@ "name": "github-scripts", "version": "1.0.0", "dependencies": { - "yaml": "2.8.0" + "yaml": "2.8.1" } }, "node_modules/yaml": { - "version": "2.8.0", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.0.tgz", - "integrity": "sha512-4lLa/EcQCB0cJkyts+FpIRx5G/llPxfP6VQU5KByHEhLxY3IJCH0f0Hy1MHI8sClTvsIb8qwRJ6R/ZdlDJ/leQ==", + "version": "2.8.1", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.1.tgz", + "integrity": "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==", "license": "ISC", "bin": { "yaml": "bin.mjs" diff --git a/.github/scripts/package.json b/.github/scripts/package.json index 7477003a2d..efca3b3457 100644 --- a/.github/scripts/package.json +++ b/.github/scripts/package.json @@ -4,6 +4,6 @@ "version": "1.0.0", "private": true, "dependencies": { - "yaml": "2.8.0" + "yaml": "2.8.1" } } diff --git a/.github/workflows/auto-spotless-apply.yml b/.github/workflows/auto-spotless-apply.yml index 36da59e0d9..b363b4977b 100644 --- a/.github/workflows/auto-spotless-apply.yml +++ b/.github/workflows/auto-spotless-apply.yml @@ -32,7 +32,7 @@ jobs: echo "exists=true" >> $GITHUB_OUTPUT fi - - uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 + - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 if: steps.unzip-patch.outputs.exists == 'true' id: otelbot-token with: diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 582a82f3fc..a798378c62 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -29,7 +29,7 @@ jobs: - name: Use CLA approved bot run: .github/scripts/use-cla-approved-bot.sh - - uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 + - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: otelbot-token with: app-id: ${{ vars.OTELBOT_APP_ID }} 
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index e939d15ee1..c186d16e23 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -23,7 +23,7 @@ jobs: with: persist-credentials: false - - uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 + - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: create-token with: # analyzing classic branch protections requires a token with admin read permissions diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml index a6d2a64aa0..70bfd208a0 100644 --- a/.github/workflows/prepare-patch-release.yml +++ b/.github/workflows/prepare-patch-release.yml @@ -47,7 +47,7 @@ jobs: - name: Use CLA approved bot run: .github/scripts/use-cla-approved-bot.sh - - uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 + - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: otelbot-token with: app-id: ${{ vars.OTELBOT_APP_ID }} diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml index f1c5160d57..58c5dc8bbc 100644 --- a/.github/workflows/prepare-release-branch.yml +++ b/.github/workflows/prepare-release-branch.yml @@ -59,7 +59,7 @@ jobs: - name: Use CLA approved bot run: .github/scripts/use-cla-approved-bot.sh - - uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 + - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: otelbot-token with: app-id: ${{ vars.OTELBOT_APP_ID }} 
@@ -116,7 +116,7 @@ jobs: - name: Use CLA approved bot run: .github/scripts/use-cla-approved-bot.sh - - uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 + - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: otelbot-token with: app-id: ${{ vars.OTELBOT_APP_ID }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 22b40d3b3c..68800fa37e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -224,7 +224,7 @@ jobs: java-version: 17 - name: Set up Gradle - uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2 + uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3 - name: Update apidiff baseline env: @@ -237,7 +237,7 @@ jobs: - name: Use CLA approved bot run: .github/scripts/use-cla-approved-bot.sh - - uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 + - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 id: otelbot-token with: app-id: ${{ vars.OTELBOT_APP_ID }} diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts index 48f443d672..2c2cca8f07 100644 --- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts +++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts @@ -153,7 +153,7 @@ testing { implementation(enforcedPlatform("org.junit:junit-bom:5.13.4")) implementation(enforcedPlatform("org.testcontainers:testcontainers-bom:1.21.3")) implementation(enforcedPlatform("com.google.guava:guava-bom:33.4.8-jre")) - implementation(enforcedPlatform("com.linecorp.armeria:armeria-bom:1.33.2")) + implementation(enforcedPlatform("com.linecorp.armeria:armeria-bom:1.33.3")) compileOnly("com.google.auto.value:auto-value-annotations") compileOnly("com.google.errorprone:error_prone_annotations") 
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts index 637f8fbac9..481f978e62 100644 --- a/dependencyManagement/build.gradle.kts +++ b/dependencyManagement/build.gradle.kts @@ -45,8 +45,8 @@ dependencies { api("com.google.code.findbugs:annotations:3.0.1u2") api("com.google.code.findbugs:jsr305:3.0.2") - api("com.uber.nullaway:nullaway:0.12.9") - api("org.assertj:assertj-core:3.27.4") + api("com.uber.nullaway:nullaway:0.12.10") + api("org.assertj:assertj-core:3.27.5") api("org.awaitility:awaitility:4.3.0") api("org.bouncycastle:bcpkix-jdk15on:1.70") api("org.junit-pioneer:junit-pioneer:1.9.1") diff --git a/gcp-auth-extension/build.gradle.kts b/gcp-auth-extension/build.gradle.kts index 9803ef0801..d7e99ad306 100644 --- a/gcp-auth-extension/build.gradle.kts +++ b/gcp-auth-extension/build.gradle.kts @@ -24,7 +24,7 @@ dependencies { compileOnly("io.opentelemetry:opentelemetry-exporter-otlp") // Only dependencies added to `implementation` configuration will be picked up by Shadow plugin - implementation("com.google.auth:google-auth-library-oauth2-http:1.39.0") + implementation("com.google.auth:google-auth-library-oauth2-http:1.39.1") // Test dependencies testCompileOnly("com.google.auto.service:auto-service-annotations") diff --git a/ibm-mq-metrics/build.gradle.kts b/ibm-mq-metrics/build.gradle.kts index 2370f28939..8645c6d39e 100644 --- a/ibm-mq-metrics/build.gradle.kts +++ b/ibm-mq-metrics/build.gradle.kts 
@@ -42,7 +42,7 @@ dependencies { implementation("org.slf4j:slf4j-simple:2.0.17") testImplementation("com.google.guava:guava") testImplementation("io.opentelemetry:opentelemetry-sdk-testing") - integrationTestImplementation("org.assertj:assertj-core:3.27.4") + integrationTestImplementation("org.assertj:assertj-core:3.27.5") integrationTestImplementation("org.junit.jupiter:junit-jupiter-api:5.13.4") integrationTestImplementation("io.opentelemetry:opentelemetry-sdk-testing") integrationTestImplementation("com.ibm.mq:com.ibm.mq.jakarta.client:9.4.3.1") diff --git a/maven-extension/src/test/resources/projects/springboot_1/pom.xml b/maven-extension/src/test/resources/projects/springboot_1/pom.xml index d1c65f6d02..16201b2d9e 100644 --- a/maven-extension/src/test/resources/projects/springboot_1/pom.xml +++ b/maven-extension/src/test/resources/projects/springboot_1/pom.xml @@ -6,7 +6,7 @@ org.springframework.boot spring-boot-starter-parent - 3.5.5 + 3.5.6 io.opentelemetry.contrib.maven.test diff --git a/maven-extension/src/test/resources/projects/springboot_2/pom.xml b/maven-extension/src/test/resources/projects/springboot_2/pom.xml index e46320f277..7b594aa8d8 100644 --- a/maven-extension/src/test/resources/projects/springboot_2/pom.xml +++ b/maven-extension/src/test/resources/projects/springboot_2/pom.xml @@ -6,7 +6,7 @@ org.springframework.boot spring-boot-starter-parent - 3.5.5 + 3.5.6 io.opentelemetry.contrib.maven.test