Merge remote-tracking branch 'upstream/main' into fossa

Author: trask

.clomonitor.yml

@@ -0,0 +1,3 @@
+exemptions:
+  - check: artifacthub_badge
+    reason: "Artifact Hub doesn't support Java packages"

.github/CODEOWNERS

@@ -2,4 +2,4 @@
 # This file controls who is tagged for review for any given pull request.
 
  # For anything not explicitly taken by someone else:
-*  @open-telemetry/java-approvers
+* @open-telemetry/java-approvers @open-telemetry/java-instrumentation-maintainers

.github/renovate.json5

@@ -0,0 +1,16 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "packageRules": [
+    {
+      // this is to reduce the number of renovate PRs by consolidating them into a weekly batch
+      "matchManagers": ["github-actions"],
+      "extends": ["schedule:weekly"],
+      "groupName": "github actions"
+    }
+  ]
+}

.github/repository-settings.md

@@ -0,0 +1,6 @@
+# Repository settings
+
+Same
+as [opentelemetry-java-instrumentation repository settings](https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/.github/repository-settings.md#repository-settings),
+except that the rules for `release/*`, `v0.*`, `v1.*`, `gh-pages`, and `cloudfoundry` branches
+are not relevant in this repository.

.github/workflows/codeql.yml

@@ -0,0 +1,53 @@
+name: CodeQL
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "29 13 * * 2"  # weekly at 13:29 UTC on Tuesday
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    permissions:
+      contents: read
+      actions: read  # for github/codeql-action/init to get workflow details
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # the nebula plugin used in this repo needs the tags
+          fetch-depth: 0
+
+      - name: Set up Java 17
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Set up gradle
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        with:
+          languages: java, actions
+          # using "latest" helps to keep up with the latest Kotlin support
+          # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
+          tools: latest
+
+      - name: Assemble
+        # --no-build-cache is required for codeql to analyze all modules
+        # --no-daemon is required for codeql to observe the compilation
+        # (see https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)
+        run: ./gradlew assemble --no-build-cache --no-daemon
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8

.github/workflows/gradle-wrapper-validation.yml

@@ -0,0 +1,16 @@
+name: Gradle wrapper validation
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  gradle-wrapper-validation:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: gradle/actions/wrapper-validation@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0

.github/workflows/main-build.yml

@@ -5,34 +5,40 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          # the nebula plugin used in this repo needs the tags
           fetch-depth: 0
+
       - id: setup-java-17
         name: Setup Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
-          distribution: adopt
+          distribution: temurin
           java-version: 17
-      - uses: burrunan/[email protected]
-        with:
-          remote-build-cache-proxy-enabled: false
-          arguments: build --stacktrace
-          properties: |
-            org.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}
-      - uses: burrunan/[email protected]
-        with:
-          remote-build-cache-proxy-enabled: false
-          arguments: snapshot --stacktrace
-          properties: |
-            org.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}
+
+      - name: Set up gradle
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+
+      - name: Build
+        run: >
+          ./gradlew build --stacktrace
+          "-Porg.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}"
+
+      - name: Publish snapshot
         env:
           SONATYPE_USER: ${{ secrets.SONATYPE_USER }}
           SONATYPE_KEY: ${{ secrets.SONATYPE_KEY }}
           GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
           GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
+        run: >
+          ./gradlew snapshot --stacktrace
+          "-Porg.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}"

.github/workflows/ossf-scorecard.yml

@@ -0,0 +1,47 @@
+name: OSSF Scorecard
+
+on:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "43 6 * * 5" # weekly at 06:43 (UTC) on Friday
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for Code scanning upload
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          sarif_file: results.sarif

.github/workflows/pr-build.yml

@@ -5,23 +5,30 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          # the nebula plugin used in this repo needs the tags
           fetch-depth: 0
+
       - id: setup-java-17
         name: Setup Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
-          distribution: adopt
+          distribution: temurin
           java-version: 17
-      - uses: burrunan/[email protected]
-        with:
-          remote-build-cache-proxy-enabled: false
-          arguments: build --stacktrace
-          properties: |
-            org.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}
+
+      - name: Set up gradle
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+
+      - name: Build
+        run: >
+          ./gradlew build --stacktrace
+          "-Porg.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}"

.github/workflows/release-build.yml

@@ -7,41 +7,51 @@ on:
         description: The version to tag the release with, e.g., 1.2.0, 1.2.1-alpha.1
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write # for creating the release
     name: Build
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          # the nebula plugin used in this repo needs the tags
           fetch-depth: 0
+
       - id: setup-java-17
         name: Setup Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
-          distribution: adopt
+          distribution: temurin
           java-version: 17
+
+      - name: Set up gradle
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+
       - name: Use CLA approved github bot
         run: .github/scripts/use-cla-approved-github-bot.sh
-      - uses: burrunan/[email protected]
-        with:
-          remote-build-cache-proxy-enabled: false
-          arguments: build --stacktrace
-          properties: |
-            release.version=${{ github.event.inputs.version }}
-            org.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}
-      - uses: burrunan/[email protected]
-        with:
-          remote-build-cache-proxy-enabled: false
-          arguments: final closeAndReleaseSonatypeStagingRepository --stacktrace
-          properties: |
-            release.version=${{ github.event.inputs.version }}
-            org.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}
+
+      - name: Build
+        run: >
+          ./gradlew build --stacktrace
+          -Prelease.version=${{ github.event.inputs.version }}
+          "-Porg.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}"
+
+      - name: Publish release
         env:
           SONATYPE_USER: ${{ secrets.SONATYPE_USER }}
           SONATYPE_KEY: ${{ secrets.SONATYPE_KEY }}
           GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
           GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
+        run: >
+          ./gradlew final closeAndReleaseSonatypeStagingRepository --stacktrace
+          -Prelease.version=${{ github.event.inputs.version }}
+          "-Porg.gradle.java.installations.paths=${{ steps.setup-java-17.outputs.path }}"
+
       - name: Create Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}