diff --git a/.github/workflows/build-daily-no-build-cache.yml b/.github/workflows/build-daily-no-build-cache.yml index d8d2852b007a..2c59b7e0afb8 100644 --- a/.github/workflows/build-daily-no-build-cache.yml +++ b/.github/workflows/build-daily-no-build-cache.yml @@ -6,6 +6,9 @@ on: - cron: "48 4 * * *" workflow_dispatch: +permissions: + contents: read + jobs: common: uses: ./.github/workflows/build-common.yml @@ -29,6 +32,8 @@ jobs: # anyway and so are already covered by the normal daily build workflow-notification: + permissions: + issues: write needs: - common - test-latest-deps diff --git a/.github/workflows/build-daily.yml b/.github/workflows/build-daily.yml index dc6b3de4d45d..fb016a10ee31 100644 --- a/.github/workflows/build-daily.yml +++ b/.github/workflows/build-daily.yml @@ -6,6 +6,9 @@ on: - cron: "24 3 * * *" workflow_dispatch: +permissions: + contents: read + jobs: common: uses: ./.github/workflows/build-common.yml @@ -32,6 +35,8 @@ jobs: uses: ./.github/workflows/reusable-misspell-check.yml workflow-notification: + permissions: + issues: write needs: - common - test-latest-deps diff --git a/.github/workflows/build-pull-request.yml b/.github/workflows/build-pull-request.yml index 4008f6e2d316..6caad07f7d4f 100644 --- a/.github/workflows/build-pull-request.yml +++ b/.github/workflows/build-pull-request.yml @@ -12,6 +12,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number }} cancel-in-progress: true +permissions: + contents: read + jobs: common: uses: ./.github/workflows/build-common.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4afe7a61729d..331ea5b42c82 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,6 +7,9 @@ on: - release/* workflow_dispatch: +permissions: + contents: read + jobs: common: uses: ./.github/workflows/build-common.yml diff --git a/.github/workflows/native-tests-daily.yml b/.github/workflows/native-tests-daily.yml index 99f1419acfa8..cc1a8e799784 100644 --- a/.github/workflows/native-tests-daily.yml +++ b/.github/workflows/native-tests-daily.yml @@ -6,6 +6,9 @@ on: - cron: "0 4 * * *" workflow_dispatch: +permissions: + contents: read + jobs: graalvm-native-tests: uses: ./.github/workflows/reusable-native-tests.yml @@ -13,6 +16,8 @@ jobs: test-latest-deps: true workflow-notification: + permissions: + issues: write needs: - graalvm-native-tests if: always() diff --git a/.github/workflows/overhead-benchmark-daily.yml b/.github/workflows/overhead-benchmark-daily.yml index 378c5a8fde15..25fc0c034cf5 100644 --- a/.github/workflows/overhead-benchmark-daily.yml +++ b/.github/workflows/overhead-benchmark-daily.yml @@ -5,8 +5,13 @@ on: - cron: "0 5 * * *" workflow_dispatch: +permissions: + contents: read + jobs: run-overhead-tests: + permissions: + contents: write # for writing to the gh-pages branch runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -50,6 +55,8 @@ jobs: committer_email: 107717825+opentelemetrybot@users.noreply.github.com workflow-notification: + permissions: + issues: write needs: - run-overhead-tests if: always() diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml index 14577f00cec7..a4d298aba553 100644 --- a/.github/workflows/owasp-dependency-check-daily.yml +++ b/.github/workflows/owasp-dependency-check-daily.yml @@ -8,6 +8,9 @@ on: - cron: "30 1 * * *" workflow_dispatch: +permissions: + contents: read + jobs: analyze: runs-on: ubuntu-latest @@ -41,6 +44,8 @@ jobs: path: javaagent/build/reports workflow-notification: + permissions: + issues: write needs: - analyze if: always() diff --git a/.github/workflows/pr-smoke-test-grpc-images.yml b/.github/workflows/pr-smoke-test-grpc-images.yml index 590f9d50aa58..e6998eadbbe5 100644 --- a/.github/workflows/pr-smoke-test-grpc-images.yml +++ b/.github/workflows/pr-smoke-test-grpc-images.yml @@ -5,13 +5,16 @@ on: paths: - "smoke-tests/images/grpc/**" - ".github/workflows/pr-smoke-test-grpc-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-pr-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: build: - uses: ./.github/workflows/reusable-smoke-test-images.yml + uses: ./.github/workflows/reusable-pr-smoke-test-images.yml with: project: ":smoke-tests:images:grpc" cache-read-only: true diff --git a/.github/workflows/pr-smoke-test-play-images.yml b/.github/workflows/pr-smoke-test-play-images.yml index 65d032fd0d19..670c7117e1fe 100644 --- a/.github/workflows/pr-smoke-test-play-images.yml +++ b/.github/workflows/pr-smoke-test-play-images.yml @@ -5,13 +5,16 @@ on: paths: - "smoke-tests/images/play/**" - ".github/workflows/pr-smoke-test-play-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-pr-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: build: - uses: ./.github/workflows/reusable-smoke-test-images.yml + uses: ./.github/workflows/reusable-pr-smoke-test-images.yml with: project: ":smoke-tests:images:play" cache-read-only: true diff --git a/.github/workflows/pr-smoke-test-quarkus-images.yml b/.github/workflows/pr-smoke-test-quarkus-images.yml index e36da5ecd82b..211a07cdd9fe 100644 --- a/.github/workflows/pr-smoke-test-quarkus-images.yml +++ b/.github/workflows/pr-smoke-test-quarkus-images.yml @@ -5,13 +5,16 @@ on: paths: - "smoke-tests/images/quarkus/**" - ".github/workflows/pr-smoke-test-quarkus-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-pr-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: build: - uses: ./.github/workflows/reusable-smoke-test-images.yml + uses: ./.github/workflows/reusable-pr-smoke-test-images.yml with: project: ":smoke-tests:images:quarkus" cache-read-only: true diff --git a/.github/workflows/pr-smoke-test-security-manager-images.yml b/.github/workflows/pr-smoke-test-security-manager-images.yml index fe787c3c01d8..1264964c0647 100644 --- a/.github/workflows/pr-smoke-test-security-manager-images.yml +++ b/.github/workflows/pr-smoke-test-security-manager-images.yml @@ -5,13 +5,16 @@ on: paths: - "smoke-tests/images/security-manager/**" - ".github/workflows/pr-smoke-test-security-manager-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-pr-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: build: - uses: ./.github/workflows/reusable-smoke-test-images.yml + uses: ./.github/workflows/reusable-pr-smoke-test-images.yml with: project: ":smoke-tests:images:security-manager" cache-read-only: true diff --git a/.github/workflows/pr-smoke-test-servlet-images.yml b/.github/workflows/pr-smoke-test-servlet-images.yml index efb6d2cd0bd2..43f3c9f7ed19 100644 --- a/.github/workflows/pr-smoke-test-servlet-images.yml +++ b/.github/workflows/pr-smoke-test-servlet-images.yml @@ -6,6 +6,9 @@ on: - "smoke-tests/images/servlet/**" - ".github/workflows/pr-smoke-test-servlet-images.yml" +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/pr-smoke-test-spring-boot-images.yml b/.github/workflows/pr-smoke-test-spring-boot-images.yml index 34cc3c74bd62..945efb420848 100644 --- a/.github/workflows/pr-smoke-test-spring-boot-images.yml +++ b/.github/workflows/pr-smoke-test-spring-boot-images.yml @@ -5,13 +5,16 @@ on: paths: - "smoke-tests/images/spring-boot/**" - ".github/workflows/pr-smoke-test-spring-boot-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-pr-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: build: - uses: ./.github/workflows/reusable-smoke-test-images.yml + uses: ./.github/workflows/reusable-pr-smoke-test-images.yml with: project: ":smoke-tests:images:spring-boot" cache-read-only: true diff --git a/.github/workflows/publish-petclinic-benchmark-image.yml b/.github/workflows/publish-petclinic-benchmark-image.yml index 5e08f26f364d..c995af24ab29 100644 --- a/.github/workflows/publish-petclinic-benchmark-image.yml +++ b/.github/workflows/publish-petclinic-benchmark-image.yml @@ -15,7 +15,6 @@ jobs: runs-on: ubuntu-latest permissions: packages: write - contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -37,3 +36,13 @@ jobs: push: true file: benchmark-overhead/Dockerfile-petclinic-base tags: ghcr.io/open-telemetry/opentelemetry-java-instrumentation/petclinic-rest-base:${{ env.TS }} + + workflow-notification: + permissions: + issues: write + needs: + - publish + if: always() + uses: ./.github/workflows/reusable-workflow-notification.yml + with: + success: ${{ needs.publish.result == 'success' }} diff --git a/.github/workflows/publish-smoke-test-early-jdk8-images.yml b/.github/workflows/publish-smoke-test-early-jdk8-images.yml index 2926e4389435..537fdcbab129 100644 --- a/.github/workflows/publish-smoke-test-early-jdk8-images.yml +++ b/.github/workflows/publish-smoke-test-early-jdk8-images.yml @@ -9,8 +9,13 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: publish: + permissions: + packages: write runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -41,6 +46,8 @@ jobs: run: ./gradlew :smoke-tests:images:early-jdk8:dockerPush -PextraTag=${{ env.TAG }} workflow-notification: + permissions: + issues: write needs: - publish if: always() diff --git a/.github/workflows/publish-smoke-test-fake-backend-images.yml b/.github/workflows/publish-smoke-test-fake-backend-images.yml index d18a7e80d144..eec2031ed0f7 100644 --- a/.github/workflows/publish-smoke-test-fake-backend-images.yml +++ b/.github/workflows/publish-smoke-test-fake-backend-images.yml @@ -9,8 +9,13 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: publishLinux: + permissions: + packages: write runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -41,6 +46,8 @@ jobs: run: ./gradlew :smoke-tests:images:fake-backend:jib -Djib.httpTimeout=120000 -Djib.console=plain -PextraTag=${{ env.TAG }} publishWindows: + permissions: + packages: write runs-on: windows-latest defaults: run: @@ -74,6 +81,8 @@ jobs: run: ./gradlew :smoke-tests:images:fake-backend:dockerPush -PextraTag=${{ env.TAG }} workflow-notification: + permissions: + issues: write needs: - publishLinux - publishWindows diff --git a/.github/workflows/publish-smoke-test-grpc-images.yml b/.github/workflows/publish-smoke-test-grpc-images.yml index 664fb8a047e0..51985d60f582 100644 --- a/.github/workflows/publish-smoke-test-grpc-images.yml +++ b/.github/workflows/publish-smoke-test-grpc-images.yml @@ -5,18 +5,25 @@ on: paths: - "smoke-tests/images/grpc/**" - ".github/workflows/publish-smoke-test-grpc-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-publish-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: publish: - uses: ./.github/workflows/reusable-smoke-test-images.yml + permissions: + packages: write + uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: project: ":smoke-tests:images:grpc" publish: true workflow-notification: + permissions: + issues: write needs: - publish if: always() diff --git a/.github/workflows/publish-smoke-test-play-images.yml b/.github/workflows/publish-smoke-test-play-images.yml index 417403740e42..90332ee0e5e6 100644 --- a/.github/workflows/publish-smoke-test-play-images.yml +++ b/.github/workflows/publish-smoke-test-play-images.yml @@ -5,18 +5,25 @@ on: paths: - "smoke-tests/images/play/**" - ".github/workflows/publish-smoke-test-play-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-publish-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: publish: - uses: ./.github/workflows/reusable-smoke-test-images.yml + permissions: + packages: write + uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: project: ":smoke-tests:images:play" publish: true workflow-notification: + permissions: + issues: write needs: - publish if: always() diff --git a/.github/workflows/publish-smoke-test-quarkus-images.yml b/.github/workflows/publish-smoke-test-quarkus-images.yml index f6f2c6eac4b1..b9f40c61dc55 100644 --- a/.github/workflows/publish-smoke-test-quarkus-images.yml +++ b/.github/workflows/publish-smoke-test-quarkus-images.yml @@ -5,13 +5,18 @@ on: paths: - "smoke-tests/images/quarkus/**" - ".github/workflows/publish-smoke-test-quarkus-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-publish-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: publish: - uses: ./.github/workflows/reusable-smoke-test-images.yml + permissions: + packages: write + uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: project: ":smoke-tests:images:quarkus" publish: true @@ -20,6 +25,8 @@ jobs: skip-java-11: true workflow-notification: + permissions: + issues: write needs: - publish if: always() diff --git a/.github/workflows/publish-smoke-test-security-manager-images.yml b/.github/workflows/publish-smoke-test-security-manager-images.yml index 567b022c7524..d0f31ffcf6c0 100644 --- a/.github/workflows/publish-smoke-test-security-manager-images.yml +++ b/.github/workflows/publish-smoke-test-security-manager-images.yml @@ -5,18 +5,25 @@ on: paths: - "smoke-tests/images/security-manager/**" - ".github/workflows/publish-smoke-test-security-manager-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-publish-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: publish: - uses: ./.github/workflows/reusable-smoke-test-images.yml + permissions: + packages: write + uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: project: ":smoke-tests:images:security-manager" publish: true workflow-notification: + permissions: + issues: write needs: - publish if: always() diff --git a/.github/workflows/publish-smoke-test-servlet-images.yml b/.github/workflows/publish-smoke-test-servlet-images.yml index 74b23a20eac0..ee2a1c7d5d52 100644 --- a/.github/workflows/publish-smoke-test-servlet-images.yml +++ b/.github/workflows/publish-smoke-test-servlet-images.yml @@ -9,6 +9,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: prepare: runs-on: ubuntu-latest @@ -20,6 +23,8 @@ jobs: run: echo "TAG=$(date '+%Y%m%d').$GITHUB_RUN_ID" >> $GITHUB_OUTPUT publish: + permissions: + packages: write needs: prepare runs-on: ${{ matrix.os }} defaults: @@ -81,6 +86,8 @@ jobs: run: ./gradlew :smoke-tests:images:servlet:buildWindowsTestImages pushMatrix -PextraTag=${{ needs.prepare.outputs.tag }} -PsmokeTestServer=${{ matrix.smoke-test-server }} workflow-notification: + permissions: + issues: write needs: - publish if: always() diff --git a/.github/workflows/publish-smoke-test-spring-boot-images.yml b/.github/workflows/publish-smoke-test-spring-boot-images.yml index 3a458add87b0..29abebc13117 100644 --- a/.github/workflows/publish-smoke-test-spring-boot-images.yml +++ b/.github/workflows/publish-smoke-test-spring-boot-images.yml @@ -5,18 +5,25 @@ on: paths: - "smoke-tests/images/spring-boot/**" - ".github/workflows/publish-smoke-test-spring-boot-images.yml" - - ".github/workflows/reusable-smoke-test-images.yml" + - ".github/workflows/reusable-publish-smoke-test-images.yml" branches: - main +permissions: + contents: read + jobs: publish: - uses: ./.github/workflows/reusable-smoke-test-images.yml + permissions: + packages: write + uses: ./.github/workflows/reusable-publish-smoke-test-images.yml with: project: ":smoke-tests:images:spring-boot" publish: true workflow-notification: + permissions: + issues: write needs: - publish if: always() diff --git a/.github/workflows/reusable-pr-smoke-test-images.yml b/.github/workflows/reusable-pr-smoke-test-images.yml new file mode 100644 index 000000000000..dcfc8f70d193 --- /dev/null +++ b/.github/workflows/reusable-pr-smoke-test-images.yml @@ -0,0 +1,76 @@ +# Every workflow that includes this must also include the following to make sure that it +# is triggered when a new JDK is added to the matrix: +#on: +# push: +# paths: +# - ".github/workflows/reusable-pr-smoke-test-images.yml" + +name: PR build fake backend images for smoke tests + +on: + workflow_call: + inputs: + project: + type: string + required: true + cache-read-only: + type: boolean + required: false + skip-java-8: + type: boolean + required: false + skip-java-11: + type: boolean + required: false + skip-java-17: + type: boolean + required: false + skip-java-21: + type: boolean + required: false + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Free disk space + run: .github/scripts/gha-free-disk-space.sh + + - name: Set up JDK for running Gradle + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 + with: + distribution: temurin + java-version-file: .java-version + + - name: Set tag + run: echo "TAG=$(date '+%Y%m%d').$GITHUB_RUN_ID" >> $GITHUB_ENV + + - name: Set up Gradle cache + uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 + with: + cache-read-only: ${{ inputs.cache-read-only }} + + - name: Build Java 8 Docker image + if: "!inputs.skip-java-8" + run: ./gradlew ${{ inputs.project }}:jibDockerBuild -Ptag=${{ env.TAG }} -PtargetJDK=8 -Djib.httpTimeout=120000 -Djib.console=plain + + - name: Build Java 11 Docker image + if: "!inputs.skip-java-11" + run: ./gradlew ${{ inputs.project }}:jibDockerBuild -Ptag=${{ env.TAG }} -PtargetJDK=11 -Djib.httpTimeout=120000 -Djib.console=plain + + - name: Build Java 17 Docker image + if: "!inputs.skip-java-17" + run: ./gradlew ${{ inputs.project }}:jibDockerBuild -Ptag=${{ env.TAG }} -PtargetJDK=17 -Djib.httpTimeout=120000 -Djib.console=plain + + - name: Build Java 21 Docker image + if: "!inputs.skip-java-21" + run: ./gradlew ${{ inputs.project }}:jibDockerBuild -Ptag=${{ env.TAG }} -PtargetJDK=21 -Djib.httpTimeout=120000 -Djib.console=plain + + - name: Build Java 23 Docker image + if: "!inputs.skip-java-23" + run: ./gradlew ${{ inputs.project }}:jibDockerBuild -Ptag=${{ env.TAG }} -PtargetJDK=23 -Djib.httpTimeout=120000 -Djib.console=plain diff --git a/.github/workflows/reusable-smoke-test-images.yml b/.github/workflows/reusable-publish-smoke-test-images.yml similarity index 66% rename from .github/workflows/reusable-smoke-test-images.yml rename to .github/workflows/reusable-publish-smoke-test-images.yml index 9829e512cf37..da7d222cbb18 100644 --- a/.github/workflows/reusable-smoke-test-images.yml +++ b/.github/workflows/reusable-publish-smoke-test-images.yml @@ -3,7 +3,7 @@ #on: # push: # paths: -# - ".github/workflows/reusable-smoke-test-images.yml" +# - ".github/workflows/reusable-publish-smoke-test-images.yml" name: PR build fake backend images for smoke tests @@ -13,9 +13,6 @@ on: project: type: string required: true - publish: - type: boolean - required: false cache-read-only: type: boolean required: false @@ -39,7 +36,7 @@ jobs: build: runs-on: ubuntu-latest permissions: - packages: write # for publishing docker image to github packages + packages: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -70,20 +67,20 @@ jobs: - name: Build Java 8 Docker image if: "!inputs.skip-java-8" - run: ./gradlew ${{ inputs.project }}:${{ inputs.publish && 'jib' || 'jibDockerBuild' }} -Ptag=${{ env.TAG }} -PtargetJDK=8 -Djib.httpTimeout=120000 -Djib.console=plain + run: ./gradlew ${{ inputs.project }}:jib -Ptag=${{ env.TAG }} -PtargetJDK=8 -Djib.httpTimeout=120000 -Djib.console=plain - name: Build Java 11 Docker image if: "!inputs.skip-java-11" - run: ./gradlew ${{ inputs.project }}:${{ inputs.publish && 'jib' || 'jibDockerBuild' }} -Ptag=${{ env.TAG }} -PtargetJDK=11 -Djib.httpTimeout=120000 -Djib.console=plain + run: ./gradlew ${{ inputs.project }}:jib -Ptag=${{ env.TAG }} -PtargetJDK=11 -Djib.httpTimeout=120000 -Djib.console=plain - name: Build Java 17 Docker image if: "!inputs.skip-java-17" - run: ./gradlew ${{ inputs.project }}:${{ inputs.publish && 'jib' || 'jibDockerBuild' }} -Ptag=${{ env.TAG }} -PtargetJDK=17 -Djib.httpTimeout=120000 -Djib.console=plain + run: ./gradlew ${{ inputs.project }}:jib -Ptag=${{ env.TAG }} -PtargetJDK=17 -Djib.httpTimeout=120000 -Djib.console=plain - name: Build Java 21 Docker image if: "!inputs.skip-java-21" - run: ./gradlew ${{ inputs.project }}:${{ inputs.publish && 'jib' || 'jibDockerBuild' }} -Ptag=${{ env.TAG }} -PtargetJDK=21 -Djib.httpTimeout=120000 -Djib.console=plain + run: ./gradlew ${{ inputs.project }}:jib -Ptag=${{ env.TAG }} -PtargetJDK=21 -Djib.httpTimeout=120000 -Djib.console=plain - name: Build Java 23 Docker image if: "!inputs.skip-java-23" - run: ./gradlew ${{ inputs.project }}:${{ inputs.publish && 'jib' || 'jibDockerBuild' }} -Ptag=${{ env.TAG }} -PtargetJDK=23 -Djib.httpTimeout=120000 -Djib.console=plain + run: ./gradlew ${{ inputs.project }}:jib -Ptag=${{ env.TAG }} -PtargetJDK=23 -Djib.httpTimeout=120000 -Djib.console=plain