open-telemetry
diff --git a/‎.github/component_owners.yml
-4 b/‎.github/component_owners.yml
-4
diff --git a/‎.github/renovate.json5
+26-18 b/‎.github/renovate.json5
+26-18
diff --git a/‎.github/repository-settings.md
+72-36 b/‎.github/repository-settings.md
+72-36
diff --git a/‎.github/workflows/assign-reviewers.yml
-18 b/‎.github/workflows/assign-reviewers.yml
-18
diff --git a/‎.github/workflows/auto-update-otel-sdk.yml
+6-3 b/‎.github/workflows/auto-update-otel-sdk.yml
+6-3
diff --git a/‎.github/workflows/backport.yml
+12-4 b/‎.github/workflows/backport.yml
+12-4
@@ -1,7 +1,9 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "config:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigests"
   ],
   "ignorePaths": ["instrumentation/**"],
   // needed in order to get patch-only updates in package rules below
@@ -33,14 +35,6 @@
       "ignoreUnstable": false,
       "allowedVersions": "!/\\-SNAPSHOT$/"
     },
-    {
-      "matchPackagePrefixes": ["ch.qos.logback:"],
-      "groupName": "logback packages"
-    },
-    {
-      "matchPackagePrefixes": ["com.google.guava:"],
-      "groupName": "guava packages"
-    },
     {
       "matchPackagePrefixes": ["io.quarkus"],
       "groupName": "quarkus packages"
@@ -49,10 +43,6 @@
       "matchPackagePrefixes": ["com.gradle.develocity"],
       "groupName": "gradle develocity packages"
     },
-    {
-      "matchPackagePrefixes": ["org.eclipse.jetty:"],
-      "groupName": "jetty packages"
-    },
     {
       "matchPackagePrefixes": ["com.linecorp.armeria:"],
       "groupName": "armeria packages"
@@ -65,10 +55,6 @@
       "matchPackagePrefixes": ["net.bytebuddy:"],
       "groupName": "byte buddy packages"
     },
-    {
-      "matchPackagePrefixes": ["com.fasterxml.jackson"],
-      "groupName": "jackson packages"
-    },
     {
       "matchPackagePrefixes": ["com.gradleup.shadow"],
       "groupName": "gradle shadow packages"
@@ -173,8 +159,8 @@
     },
     {
       // intentionally using Java 11 in some examples
-      // not using matchUpdateTypes "major", because renovate wants to bump "11-jre" to "11.0.19_7-jre"
       "matchPackageNames": ["eclipse-temurin"],
+      "matchUpdateTypes": ["major"],
       "enabled": false
     },
     {
@@ -216,5 +202,27 @@
       "matchUpdateTypes": ["major"],
       "enabled": false
     }
+  ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "datasourceTemplate": "pypi",
+      "fileMatch": [
+        "^.github/workflows/"
+      ],
+      "matchStrings": [
+        "pip install (?<depName>[^=]+)==(?<currentValue>[^\\s]+)"
+      ]
+    },
+    {
+      "customType": "regex",
+      "datasourceTemplate": "npm",
+      "fileMatch": [
+        "^.github/workflows/"
+      ],
+      "matchStrings": [
+        "npx (?<depName>[^@]+)@(?<currentValue>[^\\s]+)"
+      ]
+    }
   ]
 }
@@ -18,45 +18,79 @@ settings](https://github.com/open-telemetry/community/blob/main/docs/how-to-conf
   (To reduce friction for new contributors,
   as the default is "Require approval for first-time contributors")
 
-## Branch protections
-
-The order of branch protection rules
-[can be important](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule#about-branch-protection-rules).
-The branch protection rules below should be added before the `**/**` branch protection rule
-(this may require deleting the `**/**` rule and recreating it at the end).
-
-### `main`
-
-- Require branches to be up to date before merging: UNCHECKED
-
-  (PR jobs take too long, and leaving this unchecked has not been a significant problem)
-
-- Status checks that are required:
-
-  - EasyCLA
-  - required-status-check
+- Workflow permissions
+  - Default permissions granted to the `GITHUB_TOKEN` when running workflows in this repository:
+    Read repository contents and packages permissions
+  - Allow GitHub Actions to create and approve pull requests: UNCHECKED
+
+## Rules > Rulesets
+
+### `main` and release branches
+
+- Targeted branches:
+  - `main`
+  - `release/*`
+  - `v0.*`
+  - `v1.*`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Require a pull request before merging: CHECKED
+    - Required approvals: 1
+    - Require review from Code Owners: CHECKED
+    - Allowed merge methods: Squash
+  - Require status checks to pass
+    - EasyCLA
+    - `required-status-check`
+    - `gradle-wrapper-validation`
+  - Block force pushes: CHECKED
+
+### `cloudfoundry` branch
+
+- Targeted branches:
+  - `cloudfoundry`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Require a pull request before merging: CHECKED
+    - Required approvals: 1
+    - Require review from Code Owners: CHECKED
+    - Allowed merge methods: Squash
+  - Require status checks to pass
+    - EasyCLA
+  - Block force pushes: CHECKED
+
+### `gh-pages` branch
+
+- Targeted branches:
+  - `gh-pages`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Block force pushes: CHECKED
+
+### Restrict branch creation
+
+- Targeted branches
+  - Exclude:
+    - `release/*`
+    - `renovate/**/**`
+    - `opentelemetrybot/**/**`
+- Restrict creations: CHECKED
+
+### Restrict updating tags
+
+- Targeted tags
+  - All tags
+- Restrict updates: CHECKED
+- Restrict deletions: CHECKED
 
-### `release/*`
-
-Same settings as above for [`main`](#main).
-
-### `cloudfoundry`
-
-Same settings as above for [`main`](#main),
-except for the `required-status-check` required status check.
-
-### `renovate/**/**` and `opentelemetrybot/**/**`
-
-Same settings as
-for [`dependabot/**/**`](https://github.com/open-telemetry/community/blob/main/docs/how-to-configure-new-repository.md#branch-protection-rule-dependabot)
-
-### `gh-pages`
+## Branch protections
 
-- Everything UNCHECKED
+### `main`, `release/*`, `v0.*`, `v1.*`, `cloudfoundry`
 
-  (This branch is currently only used for directly pushing benchmarking results from the
-  [Nightly overhead benchmark](https://github.com/open-telemetry/opentelemetry-java-instrumentation/actions/workflows/nightly-benchmark-overhead.yml)
-  job)
+- Restrict who can push to matching branches: CHECKED
+  - Restrict pushes that create matching branches: CHECKED
 
 ## Code security and analysis
 
@@ -80,3 +114,5 @@ for [`dependabot/**/**`](https://github.com/open-telemetry/community/blob/main/d
 ### Organization secrets
 
 - `OPENTELEMETRYBOT_GITHUB_TOKEN`
+- `OTELBOT_CLIENT_ID`
+- `OTELBOT_PRIVATE_KEY`
@@ -6,6 +6,9 @@ on:
     - cron: "46 * * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-versions:
     runs-on: ubuntu-latest
@@ -44,7 +47,7 @@ jobs:
 
   update-otel-sdk:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     if: |
       needs.check-versions.outputs.current-version != needs.check-versions.outputs.latest-version &&
@@ -66,13 +69,13 @@ jobs:
         run: .github/scripts/gha-free-disk-space.sh
 
       - name: Set up JDK for running Gradle
-        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: temurin
           java-version-file: .java-version
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
 
       - name: Update license report
         run: ./gradlew generateLicenseReport
 
@@ -12,7 +12,7 @@ permissions:
 jobs:
   backport:
     permissions:
-      contents: write  # for Git to git push
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - run: |
@@ -26,14 +26,22 @@ jobs:
           # history is needed to run git cherry-pick below
           fetch-depth: 0
 
-      - name: Use CLA approved github bot
-        run: .github/scripts/use-cla-approved-github-bot.sh
+      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+        id: app-token
+        with:
+          app-id: ${{ vars.OTELBOT_APP_ID }}
+          private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
+
+      - name: Use CLA approved author
+        run: |
+          git config user.name otelbot
+          git config user.email [email protected]
 
       - name: Create pull request
         env:
           NUMBER: ${{ github.event.inputs.number }}
           # not using secrets.GITHUB_TOKEN since pull requests from that token do not run workflows
-          GH_TOKEN: ${{ secrets.OPENTELEMETRYBOT_GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           commit=$(gh pr view $NUMBER --json mergeCommit --jq .mergeCommit.oid)
           title=$(gh pr view $NUMBER --json title --jq .title)