Bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace from 0.20.0 to 0.44.0 #623
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
…telhttptrace Bumps [go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace](https://github.com/open-telemetry/opentelemetry-go-contrib) from 0.20.0 to 0.44.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@v0.20.0...zpages/v0.44.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…mentation/net/http/httptrace/otelhttptrace` bump The bump of the dependency of the project's root `github.com/arduino/arduino-lint` module also requires updates to the Go dependencies metadata of the project's modules which depend on `github.com/arduino/arduino-lint`.
Go 1.17 has a different handling of dependencies. By default, it emulates the old behavior for compatibility with older Go versions. The Dependabot PRs are produced in this manner. This project now uses Go 1.17 exclusively, as is indicated by the `go` directive and by the contributor guide. There is no need to provide compatibility with unsupported Go versions, so we use the `-compat=1.17` flag in the `go mod tidy` command, as is done here.
Codecov ReportAll modified lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #623 +/- ##
=======================================
Coverage 90.05% 90.05%
=======================================
Files 44 44
Lines 6800 6800
=======================================
Hits 6124 6124
Misses 553 553
Partials 123 123
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
per1234
force-pushed
the
dependabot/go_modules/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace-0.44.0
branch
from
7ed9562 to
29d7d71
Compare
per1234
added
topic: security
… workflow Codecov claims a token is not needed when using the codecov/codecov-action GitHub Actions action in workflows of a public repository: https://github.com/codecov/codecov-action#usage > For public repositories, no token is needed However, experience shows that that step of the workflow is subject to intermittent spurious failures caused by a 404 error during the upload attempt: ``` [2023-10-17T04:37:33.792Z] ['error'] There was an error running the uploader: Error uploading to https://codecov.io: Error: There was an error fetching the storage URL during POST: 404 - {'detail': ErrorDetail(string='Unable to locate build via Github Actions API. Please upload with the Codecov repository upload token to resolve issue.', code='not_found')} ``` It is suggested that this can be avoided by providing the upload token: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 It should be noted that PRs from forks do not have access to repository secrets, so the recommended approach of using an encrypted repository secret for the token would mean that PRs from forks (the workflow runs for which don't have access to secrets) would still be subject to the same intermittent spurious workflow run failures. The alternative solution is to add the token in plaintext directly in the workflow. The security implications of that approach are described here: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 > Public repositories that rely on PRs via forks will find that they cannot effectively use Codecov if the token is > stored as a GitHub secret. The scope of the Codecov token is only to confirm that the coverage uploaded comes from a > specific repository, not to pull down source code or make any code changes. > > For this reason, we recommend that teams with public repositories that rely on PRs via forks consider the security > ramifications of making the Codecov token available as opposed to being in a secret. > > A malicious actor would be able to upload incorrect or misleading coverage reports to a specific repository if they > have access to your upload token, but would not be able to pull down source code or make any code changes. We have evaluated the risks of exposing the token and are intentionally choosing to accept the possibility of abuse.
per1234
force-pushed
the
dependabot/go_modules/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace-0.44.0
branch
from
29d7d71 to
59cc14f
Compare
per1234
approved these changes
Oct 17, 2023
per1234
deleted the
dependabot/go_modules/go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace-0.44.0
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bumps go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace from 0.20.0 to 0.44.0.
Release notes
Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace's releases.
... (truncated)
Changelog
Sourced from go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace's changelog.
... (truncated)
Commits
fdfa6e3Release v1.19.0/v0.44.0/v0.13.0 (#4299)aea7540build(deps): bump github.com/aws/aws-sdk-go in /detectors/aws/ec2 (#4297)7e88614Remove otelbeego, otelkit, otelsarama, otelmemcache, otelgocql (#4295)14f153ebuild(deps): bump actions/checkout from 3 to 4 (#4291)01c596ddependabot updates Mon Sep 11 05:08:50 UTC 2023 (#4294)50ca48fRemove high cardanility metrics from otelhttp (#4277)b6fc62fUpdate go versions used in workflow (#4278)7a8f53cAdd new gcp host attributes (#4263)aab5f49[mux] Add request filters like otelhttp (#4230)3ad5a2cDeprecate otelmemcache, otelgocql (#4164)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.