Merge branch 'main' of https://github.com/open-telemetry/opentelemetry-java-contrib

Author: AsakerMohd

.github/component_owners.yml

@@ -89,3 +89,4 @@ components:
     - sylvainjuge
   opamp-client:
     - LikeTheSalad
+    - jackshirazi

.github/repository-settings.md

@@ -1,24 +1,12 @@
 # Repository settings
 
-Same
-as [opentelemetry-java-instrumentation repository settings](https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/.github/repository-settings.md#repository-settings),
-except for
+This document describes any changes that have been made to the
+settings in this repository outside the settings tracked in the
+private admin repo.
 
-- The rules for `gh-pages` and `cloudfoundry` branches are not relevant in this repository.
+## Merge queue for `main`
 
-and the enablement of merge queues below.
-
-## Merge queue
-
-Needs to be enabled using classic branch protection (instead of rule set)
-because of our use of the classic branch protection "Restrict who can push to matching branches"
-which otherwise will block the merge queue from merging to main.
-
-### Restrict branch creation
-
-- Additional exclusion for `gh-readonly-queue/main/pr-*`
-
-### Classic branch protection for `main`
+[The admin repo doesn't currently support tracking merge queue settings.]
 
 - Require merge queue: CHECKED
   - Build concurrency: 5

.github/workflows/codeql.yml

@@ -6,6 +6,9 @@ on:
       - main
       - release/*
   pull_request:
+    branches:
+      - main
+      - release/*
   # TODO (trask) adding this to the merge queue causes the merge queue to fail
   # see related issues
   # - https://github.com/github/codeql-action/issues/1572
@@ -20,36 +23,48 @@ permissions:
 
 jobs:
   analyze:
+    name: Analyze (${{ matrix.language }})
     permissions:
       contents: read
       actions: read  # for github/codeql-action/init to get workflow details
       security-events: write  # for github/codeql-action/analyze to upload SARIF results
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+          - language: java
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Java 17
+        if: matrix.language == 'java'
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: temurin
           java-version: 17
 
       - name: Set up gradle
+        if: matrix.language == 'java'
         uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
-          languages: java, actions
+          languages: ${{ matrix.language }}
           # using "latest" helps to keep up with the latest Kotlin support
           # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
           tools: latest
 
       - name: Assemble
+        if: matrix.language == 'java'
         # --no-build-cache is required for codeql to analyze all modules
         # --no-daemon is required for codeql to observe the compilation
         # (see https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)
         run: ./gradlew assemble --no-build-cache --no-daemon
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/issue-management-feedback-label.yml

@@ -12,6 +12,7 @@ jobs:
     permissions:
       contents: read
       issues: write
+      pull-requests: write
     if: >
       contains(github.event.issue.labels.*.name, 'needs author feedback') &&
       github.event.comment.user.login == github.event.issue.user.login

.github/workflows/ossf-scorecard.yml

@@ -23,7 +23,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+      - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
@@ -42,6 +42,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           sarif_file: results.sarif

CONTRIBUTING.md

@@ -40,8 +40,8 @@ In order to build and test this whole repository you need JDK 11+.
 
 For developers testing code changes before a release is complete, there are
 snapshot builds of the `main` branch. They are available from
-the Sonatype OSS snapshots repository at `https://oss.sonatype.org/content/repositories/snapshots/`
-([browse](https://oss.sonatype.org/content/repositories/snapshots/io/opentelemetry/contrib/))
+the Sonatype snapshot repository at `https://central.sonatype.com/repository/maven-snapshots/`
+([browse](https://central.sonatype.com/service/rest/repository/browse/maven-snapshots/io/opentelemetry/contrib/)).
 
 #### Building from source
 

RELEASING.md

@@ -7,8 +7,8 @@ The version is specified in [version.gradle.kts](version.gradle.kts).
 ## Snapshot builds
 
 Every successful CI build of the main branch automatically executes `./gradlew publishToSonatype`
-as the last step, which publishes a snapshot build to
-[Sonatype OSS snapshots repository](https://oss.sonatype.org/content/repositories/snapshots/io/opentelemetry/contrib/).
+as the last step, which publishes a snapshot build to the
+[Sonatype snapshot repository](https://central.sonatype.com/service/rest/repository/browse/maven-snapshots/io/opentelemetry/contrib/).
 
 ## Release cadence
 

build.gradle.kts

@@ -14,7 +14,10 @@ nexusPublishing {
   packageGroup.set("io.opentelemetry")
 
   repositories {
+    // see https://central.sonatype.org/publish/publish-portal-ossrh-staging-api/#configuration
     sonatype {
+      nexusUrl.set(uri("https://ossrh-staging-api.central.sonatype.com/service/local/"))
+      snapshotRepositoryUrl.set(uri("https://central.sonatype.com/repository/maven-snapshots/"))
       username.set(System.getenv("SONATYPE_USER"))
       password.set(System.getenv("SONATYPE_KEY"))
     }

buildSrc/build.gradle.kts

@@ -15,7 +15,7 @@ dependencies {
   implementation("com.diffplug.spotless:spotless-plugin-gradle:7.0.4")
   implementation("net.ltgt.gradle:gradle-errorprone-plugin:4.2.0")
   implementation("net.ltgt.gradle:gradle-nullaway-plugin:2.2.0")
-  implementation("org.owasp:dependency-check-gradle:12.1.1")
+  implementation("org.owasp:dependency-check-gradle:12.1.3")
 }
 
 spotless {

buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts

@@ -135,7 +135,7 @@ testing {
     dependencies {
       implementation(project(project.path))
 
-      implementation(enforcedPlatform("org.junit:junit-bom:5.12.2"))
+      implementation(enforcedPlatform("org.junit:junit-bom:5.13.1"))
       implementation(enforcedPlatform("org.testcontainers:testcontainers-bom:1.21.1"))
       implementation(enforcedPlatform("com.google.guava:guava-bom:33.4.8-jre"))
       implementation(enforcedPlatform("com.linecorp.armeria:armeria-bom:1.32.5"))