Merge branch 'main' into create-pull-request/update-jmx-metric-gatherer

Author: pjanotti

.codecov.yml

@@ -0,0 +1,20 @@
+codecov:
+  notify:
+    require_ci_to_pass: yes
+    # wait for unit and integration test builds.
+    after_n_builds: 2
+  strict_yaml_branch: main  # only use the latest copy on main branch
+
+coverage:
+  precision: 2
+  round: down
+  range: "80...100"
+  status:
+    project:
+      default:
+        enabled: yes
+        target: 85%
+    patch:
+      default:
+        enabled: yes
+        target: 95%

.github/dependabot.yml

@@ -55,6 +55,13 @@ updates:
       - dependency-name: "github.com/open-telemetry/*"
     schedule:
       interval: "weekly"
+  - package-ecosystem: "gomod"
+    directory: "/packaging/dotnet-instr-deployer-add-on"
+    ignore:
+      - dependency-name: "go.opentelemetry.io/*"
+      - dependency-name: "github.com/open-telemetry/*"
+    schedule:
+      interval: "weekly"
   - package-ecosystem: "gomod"
     directory: "/pkg/extension/smartagentextension"
     ignore:

.github/workflows/auto-instrumentation.yml

@@ -23,7 +23,7 @@ env:
   PYTHON_VERSION: '3.13'
   PIP_VERSION: '24.2'
   REQUIREMENTS_PATH: "packaging/tests/requirements.txt"
-  GO_VERSION: 1.23.6
+  GO_VERSION: 1.23.7
 
 jobs:
   cross-compile:

.github/workflows/build-and-test.yml

@@ -26,7 +26,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: 1.23.6
+  GO_VERSION: 1.23.7
 
 jobs:
   setup-environment:
@@ -193,16 +193,16 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: '**/go.sum'
 
-      - name: Coverage tests
-        run: |
-          make install-tools
-          make test-with-cover
+      - name: Install Tools
+        run: make install-tools
 
-      - name: Uploading artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: coverage-results
-          path: ./coverage.html
+      - name: Run Unit Tests With Coverage
+        run: make gotest-with-cover
+
+      - name: Upload coverage report
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # 5.4.0
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   cross-compile:
     name: cross-compile

.github/workflows/darwin-test.yml

@@ -19,7 +19,7 @@ on:
       - '!packaging/**'
 
 env:
-  GO_VERSION: '1.23.6'
+  GO_VERSION: 1.23.7
 
 concurrency:
   group: darwin-test-${{ github.event.pull_request.number || github.ref }}

.github/workflows/dotnet-instr-deployer-add-on.yml

@@ -21,7 +21,7 @@ on:
         default: '6b4ebe426ca6'
 
 env:
-  GO_VERSION: 1.23.6
+  GO_VERSION: 1.23.7
   # Provide default values for non-manually triggered executions
   splunk_uf_version: ${{ github.event.inputs.splunk_uf_version || '9.4.0' }}
   splunk_uf_build_hash: ${{ github.event.inputs.splunk_uf_build_hash || '6b4ebe426ca6' }}

.github/workflows/gendependabot.yml

@@ -8,7 +8,7 @@ on:
       - '.github/workflows/scripts/gendependabot.sh'
 
 env:
-  GO_VERSION: 1.23.6
+  GO_VERSION: 1.23.7
 
 jobs:
   gendependabot:

.github/workflows/integration-test.yml

@@ -27,7 +27,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: 1.23.7
 jobs:
   agent-bundle-linux:
     runs-on: ${{ fromJSON('["ubuntu-24.04", "otel-arm64"]')[matrix.ARCH == 'arm64'] }}

.github/workflows/lint-examples.yml

@@ -14,7 +14,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: 1.23.6
+  GO_VERSION: 1.23.7
 
 jobs:
   lint:

.github/workflows/linux-package-test.yml

@@ -22,7 +22,7 @@ env:
   PYTHON_VERSION: '3.13'
   PIP_VERSION: '24.2'
   REQUIREMENTS_PATH: "packaging/tests/requirements.txt"
-  GO_VERSION: 1.23.6
+  GO_VERSION: 1.23.7
 
 jobs:
   setup-environment:

.github/workflows/otelcol-fips.yml

@@ -23,7 +23,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: "1.23.6"
+  GO_VERSION: 1.23.7
 
 jobs:
   otelcol-fips:

.github/workflows/scripts/govulncheck-run.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -eo pipefail
+
+mkdir -p ./govulncheck 2>/dev/null
+
+# Get all package directories
+ALL_PKG_DIRS=$(go list ./...)
+
+# Initialize failure flag
+FAILED=0
+
+# Repository prefix to remove from package names
+REPO_PREFIX=$(go list -m)
+
+# Use a bash regex to extract the the value of the --format flag
+# from the GOVULN_OPTS environment variable
+if [[ "$GOVULN_OPTS" =~ .*--format[[:space:]]+([a-z]+).* ]]; then
+  FORMAT=${BASH_REMATCH[1]}
+fi
+
+# Run govulncheck for each package
+for pkg in $ALL_PKG_DIRS; do
+  echo -e "\n**** Running govulncheck for package $pkg"
+  set +e
+  if [[ -z $FORMAT ]]; then
+    govulncheck ${GOVULN_OPTS} $pkg
+  else
+    # Remove the repository prefix from the package name to keep the category names short
+    # and replace slashes with underscores to make clear that the categories are not nested.
+    OUTPUT_FILE="./govulncheck/$(echo "$pkg" | sed "s|^$REPO_PREFIX/||" | tr '/' '_').$FORMAT"
+    govulncheck ${GOVULN_OPTS} $pkg > $OUTPUT_FILE
+  fi
+  if [ $? -eq 0 ]; then
+    echo -e "\n**** govulncheck succeeded for package $pkg"
+  else
+    echo -e "\n**** govulncheck failed for package $pkg"
+    FAILED=1
+  fi
+  set -e
+done
+
+if [ $FAILED -ne 0 ]; then
+  echo -e "\n**** govulncheck failed for one or more packages"
+  exit 1
+fi
+
+echo -e "\n**** govulncheck completed successfully for all packages"

.github/workflows/splunk-ta-otel.yml

@@ -19,7 +19,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: 1.23.6
+  GO_VERSION: 1.23.7
 
 jobs:
   setup-environment:

.github/workflows/vuln-scans.yml

@@ -14,7 +14,7 @@ on:
     - cron: '0 0 * * 1-5' # Every weekday at midnight UTC
 
 env:
-  GO_VERSION: '1.23.6'
+  GO_VERSION: 1.23.7
 
 concurrency:
   group: vuln-scans-${{ github.event.pull_request.number || github.ref }}
@@ -267,9 +267,9 @@ jobs:
         with:
           sarif_file: snyk.sarif
 
-  govulncheck:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 30
+  govulncheck-run:
+    # Running on a large macOS runner to reliably use scan mode as symbol without hitting OOM.
+    runs-on: macos-14-large
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
@@ -278,11 +278,69 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: '**/go.sum'
+
       - name: Install Tools
         run: make install-tools
-      - name: Run `govulncheck`
-        run: govulncheck -format sarif ./... > govulncheck.sarif
+
+      - run: govulncheck --version
+
+      - name: Run `govulncheck` to generate SARIF files
+        env:
+          GOVULN_OPTS: --format sarif --scan symbol
+        run: ./.github/workflows/scripts/govulncheck-run.sh
+
+      - name: Save govulncheck results as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: govulncheck-results
+          path: ./govulncheck/
+
+      - name: Run `govulncheck` to fail the workflow if vulnerabilities are found
+        env:
+          GOVULN_OPTS: --show verbose --scan symbol
+        run: ./.github/workflows/scripts/govulncheck-run.sh
+
+  govulncheck-categories:
+    runs-on: ubuntu-24.04
+    outputs:
+      matrix: ${{ steps.capture-packages.outputs.matrix }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: '**/go.sum'
+      - name: Capture Go Packages
+        id: capture-packages
+        run: |
+          repoPrefix=$(go list -m)
+          packages=$(go list ./... | sed "s|^$repoPrefix/||" | tr '/' '_')
+          category=$(for p in $(echo -e "$packages"); do echo "\"$p\","; done)
+          matrix=$(echo "{\"category\": [${category%,}]}" | tr -d '\n')
+          echo "$matrix" | jq
+          echo "matrix=${matrix}" >> $GITHUB_OUTPUT
+
+  govulncheck-upload:
+    runs-on: ubuntu-24.04
+    needs: [govulncheck-run, govulncheck-categories]
+    if: always() # Always run to upload results to code-scanning even if the scan fails
+    strategy:
+      matrix: ${{ fromJSON(needs.govulncheck-categories.outputs.matrix) }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+
+      - name: Download govulncheck results artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: govulncheck-results
+          path: ./govulncheck/
+
       - name: Upload result to GitHub Code Scanning
+        if: always()
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: govulncheck.sarif
+          sarif_file: ./govulncheck/${{ matrix.category }}.sarif
+          category: ${{ matrix.category }}

.github/workflows/win-package-test.yml

@@ -22,7 +22,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: 1.23.6
+  GO_VERSION: 1.23.7
 
 jobs:
   setup-environment:
@@ -189,7 +189,7 @@ jobs:
       - name: Add msbuild to PATH
         uses: microsoft/setup-msbuild@v2
 
-      - uses: actions/[email protected].0
+      - uses: actions/[email protected].1
         with:
           dotnet-version: |
             6.0.407

.github/workflows/windows-test.yml

@@ -18,7 +18,7 @@ on:
       - '!packaging/**'
 
 env:
-  GO_VERSION: '1.23.6'
+  GO_VERSION: 1.23.7
 
 concurrency:
   group: windows-test-${{ github.event.pull_request.number || github.ref }}

.gitignore

@@ -23,6 +23,7 @@ coverage.txt
 coverage_all.txt
 coverage_old.txt
 coverage.html
+coverage/*
 
 # Exclude folders used to build MSI locally
 /build/
@@ -55,3 +56,6 @@ deployments/heroku/test/node_modules
 
 # temp file created during testing
 tests/installation/testdata/systemd/splunk-otel-collector.conf
+
+# For convenience excluding sarif files generated by ./.github/workflows/scripts/govulncheck-run.sh
+/govulncheck/