Merge branch 'main' into fix-duplicate-attributes-1650

Author: albertlockett

.github/actions/install-symcrypt/action.yml

@@ -0,0 +1,45 @@
+name: Install SymCrypt
+description: Download a pinned Windows AMD64 SymCrypt release and expose it to GitHub Actions jobs.
+
+runs:
+  using: composite
+  steps:
+    - name: Download and configure SymCrypt
+      shell: pwsh
+      run: |
+        $tag = 'v103.11.0'
+        $assetName = 'symcrypt-windows-amd64-release-103.11.0-748c20f1.zip'
+        $assetSha256 = '5E2A9E60C03A60B952E84A3B50984F0D723A4B3EC1585F9CF6E800D4BD61159E'
+
+        $release = Invoke-RestMethod -Uri "https://api.github.com/repos/microsoft/SymCrypt/releases/tags/$tag" -Headers @{
+          Accept = 'application/vnd.github+json'
+          Authorization = 'Bearer ${{ github.token }}'
+          'X-GitHub-Api-Version' = '2022-11-28'
+        }
+        $asset = $release.assets | Where-Object { $_.name -eq $assetName } | Select-Object -First 1
+        if (-not $asset) {
+          throw "Unable to find pinned SymCrypt asset '$assetName' in release '$tag'."
+        }
+
+        $downloadPath = Join-Path $env:RUNNER_TEMP $asset.name
+        $extractRoot = Join-Path $env:RUNNER_TEMP 'symcrypt'
+        Invoke-WebRequest -Uri $asset.browser_download_url -OutFile $downloadPath
+        $downloadHash = (Get-FileHash -Path $downloadPath -Algorithm SHA256).Hash
+        if ($downloadHash -ne $assetSha256) {
+          throw "SymCrypt digest mismatch. Expected '$assetSha256' but got '$downloadHash'."
+        }
+        if (Test-Path $extractRoot) {
+          Remove-Item -Recurse -Force $extractRoot
+        }
+        Expand-Archive -Path $downloadPath -DestinationPath $extractRoot -Force
+
+        $dllDir = Get-ChildItem -Path $extractRoot -Directory -Recurse |
+          Where-Object { $_.Name -eq 'dll' } |
+          Select-Object -First 1 -ExpandProperty FullName
+        if (-not $dllDir) {
+          throw 'Unable to locate the extracted SymCrypt dll directory.'
+        }
+
+        "SYMCRYPT_LIB_PATH=$dllDir" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+        $dllDir | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+

.github/codecov.yaml

@@ -2,8 +2,10 @@ coverage:
   status:
     project: # Overall repo coverage
       default:
-        target: auto # Increase
-        threshold: 0.1% # Allow small fluctuation
+        target: 85%
+    patch: # Changed lines in PR
+      default:
+        target: 70%
 
 ignore:
   - "rust/otap-dataflow/crates/quiver-e2e/**" # Test tool, not production code
@@ -25,10 +27,6 @@ component_management:
       name: "query_engine"
       paths:
         - "rust/experimental/query_engine/"
-    - component_id: "syslog_cef_receivers"
-      name: "syslog_cef_receivers"
-      paths:
-        - "rust/experimental/syslog-cef-receivers/"
     - component_id: "otel_arrow_go"
       name: "otel-arrow-go"
       paths:

.github/workflows/dataflow-engine-binary-size.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.platform.runner }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
         with:
           egress-policy: audit
 
@@ -34,7 +34,7 @@ jobs:
           submodules: true
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build dataflow_engine for ${{ matrix.platform.name }}
         run: |
@@ -88,7 +88,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Download all size reports
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: size-report-*
           merge-multiple: true
@@ -104,13 +104,12 @@ jobs:
           echo "|----------|------|"
           for json in all-reports/*.json; do
             PLATFORM=$(jq -r '.[0].name' "$json" | sed 's/-binary-size//')
-            SIZE_BYTES=$(jq -r '.[0].value' "$json")
-            SIZE_HR=$(numfmt --to=iec-i --suffix=B $SIZE_BYTES)
-            echo "| $PLATFORM | $SIZE_HR |"
+            SIZE_MB=$(jq -r '.[0].value' "$json")
+            echo "| $PLATFORM | ${SIZE_MB} MB |"
           done
 
       - name: Update binary size benchmarks
-        uses: benchmark-action/github-action-benchmark@4bdcce38c94cec68da58d012ac24b7b1155efe8b # v1.20.7
+        uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
         with:
           tool: "customSmallerIsBetter"
           output-file-path: consolidated-sizes.json

.github/workflows/docker-build-check.yml

@@ -0,0 +1,47 @@
+name: Docker Build Check
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'rust/otap-dataflow/Dockerfile'
+      - 'rust/otap-dataflow/cross-arch-build.sh'
+      - 'rust/otap-dataflow/Cargo.toml'
+      - 'rust/otap-dataflow/Cargo.lock'
+      - 'rust/otap-dataflow/src/**'
+      - 'rust/otap-dataflow/crates/**'
+      - 'THIRD_PARTY_NOTICES.txt'
+  merge_group:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  docker-build:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Build Docker image
+        run: |
+          cd rust/otap-dataflow
+          docker buildx build \
+            --build-context otel-arrow=../../ \
+            -f Dockerfile \
+            -t df_engine:check \
+            --load \
+            .

.github/workflows/flaky-test-tracker.yml

@@ -0,0 +1,126 @@
+name: Flaky Test Tracker
+
+# Runs daily and on-demand to detect flaky tests from recent CI runs.
+# Parses JUnit XML artifacts from Rust-CI workflow runs, identifies tests
+# marked as flaky (failed then passed on retry), and creates/updates a
+# tracking issue with a summary table.
+
+permissions:
+  contents: read
+  issues: write
+  actions: read
+
+on:
+  schedule:
+    # Run daily at 06:00 UTC
+    - cron: "0 6 * * *"
+  workflow_dispatch:
+
+env:
+  # The label applied to the flaky test tracking issue.
+  FLAKY_ISSUE_LABEL: "flaky-test"
+  # How many recent Rust-CI workflow runs to scan.
+  LOOKBACK_RUNS: 20
+
+jobs:
+  detect-flaky-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Ensure flaky-test label exists
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh label create "$FLAKY_ISSUE_LABEL" \
+            --description "Automatically detected flaky tests" \
+            --color "FBCA04" \
+            --force
+
+      - name: Download JUnit XML from recent Rust-CI runs
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          mkdir -p junit-artifacts
+
+          # Get the workflow ID for Rust-CI
+          WORKFLOW_ID=$(gh api "repos/${{ github.repository }}/actions/workflows" \
+            --jq '.workflows[] | select(.name == "Rust-CI") | .id')
+
+          if [[ -z "$WORKFLOW_ID" ]]; then
+            echo "::warning::Could not find Rust-CI workflow"
+            exit 0
+          fi
+
+          echo "Rust-CI workflow ID: $WORKFLOW_ID"
+
+          # Get recent completed runs on the default branch
+          RUN_IDS=$(gh api "repos/${{ github.repository }}/actions/workflows/$WORKFLOW_ID/runs?branch=main&status=completed&per_page=$LOOKBACK_RUNS" \
+            --jq '.workflow_runs[].id')
+
+          echo "Found $(echo "$RUN_IDS" | wc -l) recent runs"
+
+          for RUN_ID in $RUN_IDS; do
+            echo "Checking run $RUN_ID for JUnit artifacts..."
+            # List artifacts for this run that match our naming pattern
+            ARTIFACT_INFO=$(gh api "repos/${{ github.repository }}/actions/runs/$RUN_ID/artifacts" \
+              --jq '.artifacts[] | select(.name | startswith("junit-xml-")) | "\(.id) \(.name)"' || true)
+
+            while IFS=' ' read -r ARTIFACT_ID ARTIFACT_NAME; do
+              [[ -z "$ARTIFACT_ID" ]] && continue
+              echo "  Downloading artifact $ARTIFACT_NAME ($ARTIFACT_ID) from run $RUN_ID"
+              DEST_DIR="junit-artifacts/run-$RUN_ID/$ARTIFACT_NAME"
+              mkdir -p "$DEST_DIR"
+              gh api "repos/${{ github.repository }}/actions/artifacts/$ARTIFACT_ID/zip" \
+                > "$DEST_DIR/artifact.zip" || true
+              (cd "$DEST_DIR" && unzip -o -q "artifact.zip" 2>/dev/null && rm -f "artifact.zip") || true
+            done <<< "$ARTIFACT_INFO"
+          done
+
+          echo "Downloaded artifacts:"
+          find junit-artifacts -name '*.xml' | head -50 || echo "No XML files found"
+
+      - name: Parse JUnit XML and detect flaky tests
+        id: parse
+        env:
+          GITHUB_REPO_URL: ${{ github.server_url }}/${{ github.repository }}
+          FLAKY_ISSUE_LABEL: ${{ env.FLAKY_ISSUE_LABEL }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: python3 .github/workflows/scripts/parse_flaky.py
+
+      - name: Create or update tracking issue
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          BODY=$(cat flaky-report.md)
+          TITLE="Flaky Test Report (automated)"
+
+          # Find existing open issue with the flaky-test label and our title
+          EXISTING_ISSUE=$(gh issue list \
+            --label "$FLAKY_ISSUE_LABEL" \
+            --state open \
+            --search "$TITLE" \
+            --json number,title \
+            --jq '.[] | select(.title == "'"$TITLE"'") | .number' \
+            | head -1)
+
+          if [[ -n "$EXISTING_ISSUE" ]]; then
+            echo "Updating existing issue #$EXISTING_ISSUE"
+            gh issue edit "$EXISTING_ISSUE" --body "$BODY"
+          else
+            echo "Creating new tracking issue"
+            gh issue create \
+              --title "$TITLE" \
+              --body "$BODY" \
+              --label "$FLAKY_ISSUE_LABEL"
+          fi
+
+      - name: Post summary
+        if: always()
+        run: |
+          if [[ -f flaky-report.md ]]; then
+            cat flaky-report.md >> "$GITHUB_STEP_SUMMARY"
+          fi

.github/workflows/fossa.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: fossas/fossa-action@c414b9ad82eaad041e47a7cf62a4f02411f427a0 # v1.8.0
+      - uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # v1.9.0
         with:
           api-key: ${{secrets.FOSSA_API_KEY}}
           team: OpenTelemetry

.github/workflows/go-ci.yml

@@ -29,14 +29,14 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: "1.26.0"
+          go-version: "1.26.1"
       - name: Run tests with coverage
         run: go test -cover -coverprofile=coverage.txt -covermode=atomic -coverpkg=./... ./...
         working-directory: ./go/${{ matrix.folder }}
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:
@@ -48,9 +48,9 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: "1.26.0"
+          go-version: "1.26.1"
       - name: Build the test collector
         run: make otelarrowcol
 
@@ -61,13 +61,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: "1.26.0"
-    - uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        go-version: "1.26.1"
+    - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       with:
         languages: go
-    - uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+    - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       timeout-minutes: 60
 
   # Aggregated status check for all Go CI jobs

.github/workflows/issue_triage.yml

@@ -16,7 +16,7 @@ jobs:
       issues: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
         with:
           egress-policy: audit
 

.github/workflows/ossf-scorecard.yml

@@ -42,6 +42,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: results.sarif