Merge branch 'main' into codeql2

.github/renovate.json5

@@ -74,5 +74,12 @@
         'com.diffplug.spotless{/,}**',
       ],
     },
+    {
+      // equals verifier v4+ requires java 17+
+      groupName: 'nl.jqno.equalsverifier',
+      matchPackageNames: [ 'equalsverifier'],
+      matchUpdateTypes: [ 'major' ],
+      enabled: false
+    }
   ],
 }

.github/workflows/benchmark-tags.yml

@@ -56,7 +56,7 @@ jobs:
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
       - name: Run jmh
         run: ./gradlew jmhJar
 

.github/workflows/benchmark.yml

@@ -26,7 +26,7 @@ jobs:
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
       - name: Run jmh
         run: ./gradlew jmhJar
 

.github/workflows/build.yml

@@ -69,7 +69,7 @@ jobs:
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
       - name: Build
         run: >
             ./gradlew build
@@ -145,7 +145,7 @@ jobs:
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
         # skipping release branches because the versions in those branches are not snapshots
         # (also this skips pull requests)
         if: ${{ github.ref_name == 'main' && github.repository == 'open-telemetry/opentelemetry-java' }}

.github/workflows/codeql.yml

@@ -42,10 +42,10 @@ jobs:
 
       - name: Set up gradle
         if: matrix.language == 'java'
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
         with:
           languages: ${{ matrix.language }}
           # using "latest" helps to keep up with the latest Kotlin support
@@ -60,6 +60,6 @@ jobs:
         run: ./gradlew assemble --no-build-cache --no-daemon
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
         with:
-          category: "/language:${{matrix.language}}"
+          category: "/language:${{matrix.language}}"

.github/workflows/gradle-wrapper-validation.yml

@@ -13,4 +13,4 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: gradle/actions/wrapper-validation@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+      - uses: gradle/actions/wrapper-validation@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1

.github/workflows/javadoc-crawler.yml

@@ -20,7 +20,7 @@ jobs:
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
       - name: Run crawler
         run: ./gradlew :javadoc-crawler:crawl

.github/workflows/ossf-scorecard.yml

@@ -42,6 +42,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
         with:
           sarif_file: results.sarif

.github/workflows/owasp-dependency-check-daily.yml

@@ -22,7 +22,7 @@ jobs:
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
       - name: Check dependencies
         run: ./gradlew dependencyCheckAnalyze

.github/workflows/release.yml

@@ -28,7 +28,7 @@ jobs:
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0
+        uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
       - name: Build and publish artifacts
         run: ./gradlew assemble publishToSonatype closeAndReleaseSonatypeStagingRepository

README.md

@@ -176,7 +176,7 @@ Snapshots of the `main` branch are available as follows:
 
 ```groovy
 repositories {
-    maven { url 'https://oss.sonatype.org/content/repositories/snapshots' }
+    maven { url 'https://central.sonatype.com/repository/maven-snapshots/' }
 }
 
 dependencies {
@@ -193,8 +193,8 @@ dependencies {
   <project>
     <repositories>
       <repository>
-        <id>oss.sonatype.org-snapshot</id>
-        <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+        <id>sonatype-snapshot-repository</id>
+        <url>https://central.sonatype.com/repository/maven-snapshots/</url>
       </repository>
     </repositories>
     <dependencyManagement>

buildSrc/build.gradle.kts

@@ -65,7 +65,7 @@ dependencies {
   implementation("net.ltgt.gradle:gradle-errorprone-plugin:4.2.0")
   implementation("net.ltgt.gradle:gradle-nullaway-plugin:2.2.0")
   implementation("org.jetbrains.kotlin:kotlin-gradle-plugin:2.1.21")
-  implementation("org.owasp:dependency-check-gradle:12.1.2")
+  implementation("org.owasp:dependency-check-gradle:12.1.3")
   implementation("ru.vyarus:gradle-animalsniffer-plugin:2.0.1")
 }
 

buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts

@@ -42,7 +42,7 @@ java {
 
 checkstyle {
   configDirectory.set(file("$rootDir/buildscripts/"))
-  toolVersion = "10.25.0"
+  toolVersion = "10.26.0"
   isIgnoreFailures = false
   configProperties["rootDir"] = rootDir
 }

context/src/main/java/io/opentelemetry/context/ContextKey.java

@@ -16,7 +16,7 @@ package io.opentelemetry.context;
  *   private static final ContextKey<MyState> KEY = ContextKey.named("MyState");
  *
  *   public Context startWork() {
- *     return Context.withValues(KEY, new MyState());
+ *     return Context.with(KEY, new MyState());
  *   }
  *
  *   public void continueWork(Context context) {

dependencyManagement/build.gradle.kts

@@ -17,13 +17,13 @@ val DEPENDENCY_BOMS = listOf(
   "com.google.guava:guava-bom:33.4.8-jre",
   "com.google.protobuf:protobuf-bom:4.31.1",
   "com.squareup.okhttp3:okhttp-bom:4.12.0",
-  "com.squareup.okio:okio-bom:3.12.0", // applies to transitive dependencies of okhttp
+  "com.squareup.okio:okio-bom:3.13.0", // applies to transitive dependencies of okhttp
   "io.grpc:grpc-bom:1.73.0",
   "io.netty:netty-bom:4.2.2.Final",
   "io.zipkin.brave:brave-bom:6.3.0",
   "io.zipkin.reporter2:zipkin-reporter-bom:3.5.1",
   "org.assertj:assertj-bom:3.27.3",
-  "org.testcontainers:testcontainers-bom:1.21.1",
+  "org.testcontainers:testcontainers-bom:1.21.2",
   "org.snakeyaml:snakeyaml-engine:2.9"
 )
 
@@ -68,7 +68,7 @@ val DEPENDENCIES = listOf(
   "io.prometheus:prometheus-metrics-exposition-formats-no-protobuf:${prometheusServerVersion}",
   "javax.annotation:javax.annotation-api:1.3.2",
   "com.github.stefanbirkner:system-rules:1.19.0",
-  "com.google.api.grpc:proto-google-common-protos:2.58.0",
+  "com.google.api.grpc:proto-google-common-protos:2.58.2",
   "com.google.code.findbugs:jsr305:3.0.2",
   "com.google.guava:guava-beta-checker:1.0",
   "com.sun.net.httpserver:http:20070405",
@@ -79,7 +79,7 @@ val DEPENDENCIES = listOf(
   "io.github.netmikey.logunit:logunit-jul:2.0.0",
   "io.jaegertracing:jaeger-client:1.8.1",
   "io.opentelemetry.contrib:opentelemetry-aws-xray-propagator:1.46.0-alpha",
-  "io.opentelemetry.semconv:opentelemetry-semconv-incubating:1.32.0-alpha",
+  "io.opentelemetry.semconv:opentelemetry-semconv-incubating:1.34.0-alpha",
   "io.opentelemetry.proto:opentelemetry-proto:1.7.0-alpha",
   "io.opentracing:opentracing-api:0.33.0",
   "io.opentracing:opentracing-noop:0.33.0",

integration-tests/tracecontext/docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.13.4@sha256:eb120d016adcbc8bac194e15826bbb4f1d1569d298d8817bb5049ed5e59f41d9 AS build
+FROM python:3.13.5@sha256:5f69d22a88dd4cc4ee1576def19aef48c8faa1b566054c44291183831cbad13b AS build
 
 # Main branch SHA as of April-1-2021
 ARG TRACECONTEXT_GIT_TAG="dcd3ad9b7d6ac36f70ff3739874b73c11b0302a1"
@@ -11,7 +11,7 @@ RUN unzip trace-context.zip
 RUN rm trace-context.zip
 RUN mv trace-context-${TRACECONTEXT_GIT_TAG}/test /tracecontext-testsuite
 
-FROM python:3.13.4-slim@sha256:d97b595c5f4ac718102e5a5a91adaf04b22e852961a698411637c718d45867c8
+FROM python:3.13.5-slim@sha256:f2fdaec50160418e0c2867ba3e254755edd067171725886d5d303fd7057bbf81
 
 RUN pip install aiohttp
 

settings.gradle.kts

@@ -1,6 +1,6 @@
 pluginManagement {
   plugins {
-    id("com.gradleup.shadow") version "8.3.6"
+    id("com.gradleup.shadow") version "8.3.7"
     id("com.gradle.develocity") version "4.0.2"
     id("de.undercouch.download") version "5.6.0"
     id("org.jsonschema2pojo") version "1.2.2"