open-telemetry
diff --git a/‎.fossa.yml
+3 b/‎.fossa.yml
+3
diff --git a/‎.github/repository-settings.md
+9-4 b/‎.github/repository-settings.md
+9-4
diff --git a/‎.github/scripts/check-latest-dep-test-overrides.sh
+1-1 b/‎.github/scripts/check-latest-dep-test-overrides.sh
+1-1
diff --git a/‎.github/workflows/auto-update-otel-sdk.yml
+1-1 b/‎.github/workflows/auto-update-otel-sdk.yml
+1-1
diff --git a/‎.github/workflows/backport.yml
+8-1 b/‎.github/workflows/backport.yml
+8-1
diff --git a/‎.github/workflows/build-common.yml
+13-10 b/‎.github/workflows/build-common.yml
+13-10
diff --git a/‎.github/workflows/codeql.yml
+2-2 b/‎.github/workflows/codeql.yml
+2-2
diff --git a/‎.github/workflows/ossf-scorecard.yml
+3-3 b/‎.github/workflows/ossf-scorecard.yml
+3-3
diff --git a/‎.github/workflows/owasp-dependency-check-daily.yml
+1-1 b/‎.github/workflows/owasp-dependency-check-daily.yml
+1-1
diff --git a/‎.github/workflows/prepare-patch-release.yml
+1-1 b/‎.github/workflows/prepare-patch-release.yml
+1-1
diff --git a/‎.github/workflows/prepare-release-branch.yml
+2-2 b/‎.github/workflows/prepare-release-branch.yml
+2-2
diff --git a/‎.github/workflows/publish-petclinic-benchmark-image.yml
+1-1 b/‎.github/workflows/publish-petclinic-benchmark-image.yml
+1-1
diff --git a/‎.github/workflows/release-update-cloudfoundry-index.yml
+2-2 b/‎.github/workflows/release-update-cloudfoundry-index.yml
+2-2
diff --git a/‎.github/workflows/release.yml
+7-5 b/‎.github/workflows/release.yml
+7-5
diff --git a/‎.github/workflows/reusable-native-tests.yml
+1-1 b/‎.github/workflows/reusable-native-tests.yml
+1-1
diff --git a/‎.github/workflows/reusable-test-indy.yml
+1-5 b/‎.github/workflows/reusable-test-indy.yml
+1-5
@@ -49,6 +49,9 @@ targets:
     - type: gradle
       path: ./
       target: ':testing:agent-for-testing'
+    - type: gradle
+      path: ./
+      target: ':instrumentation:activej-http-6.0:javaagent'
     - type: gradle
       path: ./
       target: ':instrumentation:alibaba-druid-1.0:javaagent'
 
@@ -32,21 +32,26 @@ settings](https://github.com/open-telemetry/community/blob/main/docs/how-to-conf
   - `release/*`
 - Branch rules
   - Restrict deletions: CHECKED
-  - Require linear history: CHECKED
   - Require a pull request before merging: CHECKED
     - Required approvals: 1
     - Require review from Code Owners: CHECKED
     - Allowed merge methods: Squash
   - Require status checks to pass
-    - EasyCLA
-    - `required-status-check`
-    - `gradle-wrapper-validation`
+    - Do not require status checks on creation: CHECKED
+    - Status checks that are required
+      - EasyCLA
+      - `required-status-check`
+      - `gradle-wrapper-validation`
   - Block force pushes: CHECKED
   - Require code scanning results: CHECKED
     - CodeQL
       - Security alerts: High or higher
       - Alerts: Errors
 
+> [!NOTE]
+> This repository can't "require linear history" because there is an old merge commit on `main`
+> (and so also on the release branches).
+
 ### `cloudfoundry` branch
 
 - Targeted branches:
 
@@ -3,7 +3,7 @@
 # all missing version coverage should be documented in supported-libraries.md
 
 if grep -r --include build.gradle.kts latestDepTestLibrary instrumentation \
-    | grep -v :+\" \
+    | grep -v -e :+\" -e :latest.release\" \
     | grep -v "// see .* module" \
     | grep -v "// see test suite below" \
     | grep -v "// no longer applicable" \
 
@@ -84,7 +84,7 @@ jobs:
       - name: Use CLA approved bot
         run: .github/scripts/use-cla-approved-bot.sh
 
-      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+      - uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
 
@@ -29,7 +29,7 @@ jobs:
       - name: Use CLA approved bot
         run: .github/scripts/use-cla-approved-bot.sh
 
-      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+      - uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
@@ -48,7 +48,14 @@ jobs:
 
           git checkout -b $branch
           git cherry-pick $commit
+
+          # note this push will fail if the backport contains any workflow files
+          # because secrets.GITHUB_TOKEN doesn't have this permission
+          # supporting this would require another access token with content write
+          # and workflow write permissions
+          # so for now at least PRs that update workflow files need to be backported manually
           git push --set-upstream origin $branch
+
           gh pr create --title "[$GITHUB_REF_NAME] $title" \
                        --body "Clean cherry-pick of #$NUMBER to the \`$GITHUB_REF_NAME\` branch." \
                        --base $GITHUB_REF_NAME
@@ -205,7 +205,7 @@ jobs:
           fi
 
       - name: Upload agent jar
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: opentelemetry-javaagent.jar
           path: javaagent/build/libs/opentelemetry-javaagent-*-SNAPSHOT.jar
@@ -216,7 +216,7 @@ jobs:
           mkdir sboms
           cp javaagent/build/spdx/*.spdx.json sboms
 
-      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         name: Upload SBOMs
         with:
           name: opentelemetry-java-instrumentation-SBOM.zip
@@ -272,7 +272,7 @@ jobs:
 
       # vaadin tests use pnpm
       - name: Cache pnpm modules
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
         with:
           path: ~/.pnpm-store
           key: ${{ runner.os }}-test-cache-pnpm-modules
@@ -310,7 +310,6 @@ jobs:
           -Porg.gradle.java.installations.paths=${{ steps.setup-test-java.outputs.path }}
           -Porg.gradle.java.installations.auto-download=false
           ${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
-          ${{ inputs.max-test-retries && format(' -PmaxTestRetries={0}', inputs.max-test-retries) || '' }}
 
       - name: Build scan
         if: ${{ !cancelled() && hashFiles('build-scan.txt') != '' }}
@@ -348,15 +347,15 @@ jobs:
 
       - name: Upload deadlock detector artifacts if any
         if: failure()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: deadlock-detector-test-${{ matrix.test-java-version }}-${{ matrix.vm }}-${{ matrix.test-partition }}
           path: /tmp/deadlock-detector-*
           if-no-files-found: ignore
 
       - name: Upload jvm crash dump files if any
         if: failure()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: javacore-test-${{ matrix.test-java-version }}-${{ matrix.test-partition }}
           path: |
@@ -416,11 +415,11 @@ jobs:
         run: ./gradlew :smoke-tests:test -PsmokeTestSuite=none --no-daemon ${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
 
       - name: Test
-        run: ./gradlew :smoke-tests:test -PsmokeTestSuite=${{ matrix.smoke-test-suite }}${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
+        run: ./gradlew :smoke-tests:test -PsmokeTestSuite=${{ matrix.smoke-test-suite }} ${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
 
       - name: Upload jvm crash dump files if any
         if: failure()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: javacore-smoke-test-${{ matrix.smoke-test-suite }}-${{ matrix.os }}
           # we expect crash dumps either in root director or in smoke-tests
@@ -490,13 +489,17 @@ jobs:
         working-directory: gradle-plugins
 
       - name: Build distro
-        run: ./gradlew build --init-script ../../.github/scripts/local.init.gradle.kts${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
+        run: ./gradlew build --init-script ../../.github/scripts/local.init.gradle.kts ${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
         working-directory: examples/distro
 
       - name: Build extension
-        run: ./gradlew build --init-script ../../.github/scripts/local.init.gradle.kts${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
+        run: ./gradlew build --init-script ../../.github/scripts/local.init.gradle.kts ${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
         working-directory: examples/extension
 
+      - name: Build benchmark-overhead
+        run: ./gradlew assemble ${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
+        working-directory: benchmark-overhead
+
       - name: Run muzzle check against extension
         run: ./gradlew muzzle --init-script ../../.github/scripts/local.init.gradle.kts
         working-directory: examples/extension
@@ -50,7 +50,7 @@ jobs:
           cache-read-only: ${{ github.event_name == 'pull_request' }}
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           languages: java, actions
           # using "latest" helps to keep up with the latest Kotlin support
@@ -65,4 +65,4 @@ jobs:
         run: ./gradlew assemble -x javadoc -x :instrumentation:quarkus-resteasy-reactive:quarkus3-testing:quarkusGenerateCodeDev -x :instrumentation:quarkus-resteasy-reactive:quarkus2-testing:quarkusGenerateCodeDev --no-build-cache --no-daemon
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
@@ -23,7 +23,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+      - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -33,7 +33,7 @@ jobs:
       # uploads of run results in SARIF format to the repository Actions tab.
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: SARIF file
           path: results.sarif
@@ -42,6 +42,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: results.sarif
@@ -38,7 +38,7 @@ jobs:
 
       - name: Upload report
         if: always()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           path: javaagent/build/reports
 
 
@@ -51,7 +51,7 @@ jobs:
       - name: Use CLA approved bot
         run: .github/scripts/use-cla-approved-bot.sh
 
-      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+      - uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
 
@@ -63,7 +63,7 @@ jobs:
       - name: Use CLA approved bot
         run: .github/scripts/use-cla-approved-bot.sh
 
-      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+      - uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
@@ -120,7 +120,7 @@ jobs:
       - name: Use CLA approved bot
         run: .github/scripts/use-cla-approved-bot.sh
 
-      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+      - uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
 
@@ -32,7 +32,7 @@ jobs:
         run: echo "TS=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_ENV
 
       - name: Push to GitHub packages
-        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+        uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
         with:
           push: true
           file: benchmark-overhead/Dockerfile.petclinic
 
@@ -22,7 +22,7 @@ jobs:
         # need to run this script before we switch branches
         # since the script doesn't exist on the cloudfoundry branch
       - name: Use CLA approved github bot
-        run: .github/scripts/use-cla-approved-github-bot.sh
+        run: .github/scripts/use-cla-approved-bot.sh
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -44,7 +44,7 @@ jobs:
       - name: display changes
         run: git diff
 
-      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+      - uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
 
@@ -120,7 +120,7 @@ jobs:
           cp javaagent/build/spdx/*.spdx.json sboms
           zip opentelemetry-java-instrumentation-SBOM.zip sboms/*
 
-      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         name: Upload SBOMs
         with:
           name: opentelemetry-java-instrumentation-SBOM
@@ -181,7 +181,7 @@ jobs:
                             --notes-file /tmp/release-notes.txt \
                             v$VERSION \
                             opentelemetry-javaagent.jar \
-                            opentelemetry-javaagent.asc.jar \
+                            opentelemetry-javaagent.jar.asc \
                             opentelemetry-java-instrumentation-SBOM.zip
 
           # these are used as job outputs
@@ -219,7 +219,7 @@ jobs:
       - name: Use CLA approved bot
         run: .github/scripts/use-cla-approved-bot.sh
 
-      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+      - uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
@@ -253,6 +253,8 @@ jobs:
                        --base main
 
   update-apidiff-baseline-to-released-version:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - release
@@ -286,7 +288,7 @@ jobs:
       - name: Use CLA approved bot
         run: .github/scripts/use-cla-approved-bot.sh
 
-      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+      - uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
@@ -299,7 +301,7 @@ jobs:
           GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
         run: |
           message="Update apidiff baseline to released version $VERSION"
-          body="Update apidiff baseline to released version \`$version\`."
+          body="Update apidiff baseline to released version \`$VERSION\`."
           branch="otelbot/update-apidiff-baseline-to-released-version-${VERSION}"
 
           git checkout -b $branch
 
@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - id: read-java
         run: echo "version=$(cat .java-version)" >> "$GITHUB_OUTPUT"
-      - uses: graalvm/setup-graalvm@aafbedb8d382ed0ca6167d3a051415f20c859274 # v1.2.8.1
+      - uses: graalvm/setup-graalvm@b0cb26a8da53cb3e97cdc0c827d8e3071240e730 # v1.3.1.1
         with:
           version: "latest"
           java-version: "${{ steps.read-java.outputs.version }}"
 
@@ -9,9 +9,6 @@ on:
       no-build-cache:
         type: boolean
         required: false
-      max-test-retries:
-        type: string
-        required: false
     secrets:
       FLAKY_TEST_REPORTER_ACCESS_KEY:
         required: false
@@ -55,7 +52,7 @@ jobs:
 
       # vaadin tests use pnpm
       - name: Cache pnpm modules
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
         with:
           path: ~/.pnpm-store
           key: ${{ runner.os }}-test-latest-cache-pnpm-modules
@@ -82,7 +79,6 @@ jobs:
           ${{ env.test-tasks }}
           -PtestIndy=true
           ${{ inputs.no-build-cache && ' --no-build-cache' || '' }}
-          ${{ inputs.max-test-retries && format(' -PmaxTestRetries={0}', inputs.max-test-retries) || '' }}
 
       - name: Build scan
         if: ${{ !cancelled() && hashFiles('build-scan.txt') != '' }}