Merge branch 'main' into feat/typed-metric-family-descriptor

Author: zeitlinger

.gitattributes

@@ -0,0 +1,3 @@
+CHANGELOG.md linguist-generated
+**/src/main/generated/** linguist-generated
+docs/** linguist-documentation

.github/config/flint.toml

@@ -1,7 +1,5 @@
 [settings]
-# These paths are generated, vendored, or handled by other checks.
-exclude = ["CHANGELOG.md", "**/src/main/generated/**", "docs/themes/**", "mvnw", "simpleclient-archive/**"]
-setup_migration_version = 2
+exclude = ["docs/themes/**", "mvnw", "simpleclient-archive/**"]
 
 [checks.renovate-deps]
 exclude_managers = ["github-actions", "github-runners", "maven"]

.github/renovate-tracked-deps.json

@@ -7,7 +7,7 @@
   },
   "files": {
     ".github/renovate.json5": {
-      "renovate-config-presets": [
+      "renovate-config": [
         "grafana/flint"
       ]
     },
@@ -41,6 +41,11 @@
         "mise"
       ]
     },
+    ".github/workflows/micrometer-compatibility.yml": {
+      "regex": [
+        "mise"
+      ]
+    },
     ".github/workflows/native-tests.yml": {
       "regex": [
         "mise"
@@ -133,7 +138,8 @@
         "shellcheck",
         "shfmt",
         "taplo",
-        "typos"
+        "typos",
+        "zizmor"
       ]
     },
     "mvnw": {

.github/renovate.json5

@@ -1,6 +1,6 @@
 {
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
-  extends: ["config:best-practices", "config:recommended", "github>grafana/flint#v0.22.2"],
+  extends: ["config:best-practices", "config:recommended", "github>grafana/flint#v0.22.4"],
   platformCommit: "enabled",
   automerge: true,
   ignorePaths: [

.github/workflows/acceptance-tests.yml

@@ -15,7 +15,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
-          version: v2026.5.11
-          sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
+          version: v2026.5.18
+          sha256: cfac593469d028d7ae5fe36e37bd7c59118b5238e92d8a876209578464f24a84
       - name: Run acceptance tests
         run: mise run acceptance-test

.github/workflows/build.yml

@@ -14,14 +14,12 @@ jobs:
           persist-credentials: false
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
-          version: v2026.5.11
-          sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
+          version: v2026.5.18
+          sha256: cfac593469d028d7ae5fe36e37bd7c59118b5238e92d8a876209578464f24a84
       - name: Cache local Maven repository
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
       - name: Run the Maven verify phase
         run: mise run ci

.github/workflows/codeql.yml

@@ -0,0 +1,60 @@
+---
+name: CodeQL Security Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "29 13 * * 2" # Weekly Tuesday 13:29 UTC
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze Java
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: read # required for github/codeql-action/init to get workflow details
+      contents: read
+      security-events: write # required for github/codeql-action/analyze to upload SARIF
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Set up Java
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        with:
+          distribution: temurin
+          java-version: "25"
+
+      - name: Cache Maven repository
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-codeql-${{ hashFiles('**/pom.xml') }}
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          languages: java
+          tools: linked
+          queries: security-extended
+
+      # Do not use autobuild — the multi-module Maven structure requires explicit
+      # build invocation so that CodeQL can trace the compilation correctly.
+      # Do not use mise-action here — CodeQL needs to trace the raw Maven build.
+      - name: Build (CodeQL traces the build)
+        run: >
+          ./mvnw clean compile
+          -DskipTests
+          -Dcoverage.skip=true
+          -Dcheckstyle.skip=true
+          -Djavadoc.skip=true
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          category: /language:java

.github/workflows/generate-protobuf.yml

@@ -12,17 +12,16 @@ jobs:
   generate:
     runs-on: ubuntu-24.04
     permissions:
-      contents: write
+      contents: read # checkout + read-only `git fetch origin main` for the verify step
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.ref }}
-          # zizmor: ignore[artipacked] -- needs credentials to push
-          persist-credentials: true
+          persist-credentials: false
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
-          version: v2026.5.11
-          sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
+          version: v2026.5.18
+          sha256: cfac593469d028d7ae5fe36e37bd7c59118b5238e92d8a876209578464f24a84
       - name: Cache local Maven repository
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
@@ -45,18 +44,48 @@ jobs:
           fi
       - name: Generate protobuf sources
         run: mise run generate
-      - name: Commit and push generated sources
+      - name: Validate and export generated sources as a patch
         run: |
-          git diff --quiet && exit 0
           UNEXPECTED=$(git diff --name-only | grep -v '\.java$' || true)
           if [[ -n "$UNEXPECTED" ]]; then
             echo "::error::Unexpected files changed:"
             echo "$UNEXPECTED"
             exit 1
           fi
+          git diff --binary > /tmp/protobuf-sources.patch
+      - name: Upload generated patch
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: protobuf-sources-patch
+          path: /tmp/protobuf-sources.patch
+          retention-days: 5
+
+  publish:
+    runs-on: ubuntu-24.04
+    needs: generate
+    permissions:
+      contents: write # push regenerated sources back to the renovate branch
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ github.ref }}
+          # zizmor: ignore[artipacked] -- needs credentials to push
+          persist-credentials: true
+      - name: Download generated patch
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: protobuf-sources-patch
+          path: /tmp/patch
+      - name: Commit and push generated sources
+        run: |
+          PATCH=/tmp/patch/protobuf-sources.patch
+          if [[ ! -s "$PATCH" ]]; then
+            echo "No generated changes to commit"
+            exit 0
+          fi
+          git apply "$PATCH"
           # Note: GITHUB_TOKEN pushes don't trigger CI re-runs.
           # Close and reopen the PR to trigger CI after this commit.
-          # TODO: switch to PROMBOT_GITHUB_TOKEN once it's added to this repo.
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add '*.java'

.github/workflows/github-pages.yaml

@@ -39,8 +39,8 @@ jobs:
           fetch-depth: 0
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
-          version: v2026.5.11
-          sha256: 9bb41ae4dbe2bcdfdbe36cf3c737a8bdb72035c03af3b7218a70780988f62b9b
+          version: v2026.5.18
+          sha256: cfac593469d028d7ae5fe36e37bd7c59118b5238e92d8a876209578464f24a84
           cache: "false"
       - name: Setup Pages
         id: pages

.github/workflows/issue-management-stale-action.yml

@@ -25,7 +25,7 @@ jobs:
       # Handle stale PRs
       # - After 120 days inactive: Adds "stale" label + warning comment
       # - After 30 more days inactive: Closes
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
         with:
           days-before-issue-stale: -1
           days-before-issue-close: -1
@@ -43,7 +43,7 @@ jobs:
       # Handle stale issues
       # - After 360 days (12 months) inactive: Adds "stale" label + warning comment
       # - After 30 more days inactive: Closes
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
         with:
           days-before-issue-stale: 360
           days-before-issue-close: 30