Skip to content

merge datadog v3.41.0#288

Merged
korniltsev-grafanista merged 48 commits intografana:mainfrom
korniltsev-grafanista-yolo-vibecoder239:kk/fork-update-3.41.0
Apr 21, 2026
Merged

merge datadog v3.41.0#288
korniltsev-grafanista merged 48 commits intografana:mainfrom
korniltsev-grafanista-yolo-vibecoder239:kk/fork-update-3.41.0

Conversation

@korniltsev-grafanista-yolo-vibecoder239
Copy link
Copy Markdown
Contributor

@korniltsev-grafanista-yolo-vibecoder239 korniltsev-grafanista-yolo-vibecoder239 commented Apr 15, 2026
edited by cursor Bot
Loading

Merge dd-trace-dotnet v3.41.0 into the fork.

Summary

This release is a straightforward version bump with no functional profiler changes. The profiler version is updated from 3.40.0 to 3.41.0, and libdatadog is upgraded from v25.0.0 to v30.0.0. All other upstream changes were tracer-only and have been stripped as usual.

Upstream profiler commits

Commit Message
5d7fb15b bump libdatadog version to v30 (#8282)
85ca320d [Version Bump] 3.41.0 (#8355)

Note

Medium Risk
Primarily version/metadata bumps, but it upgrades the shipped libdatadog native binaries, which could impact runtime behavior or platform builds if the new artifacts differ unexpectedly.

Overview
Updates the profiler/package version from 3.40.0 → 3.41.0 across build metadata (CMakeLists.txt, dd_profiler_version.h, ProductVersion.props, version.h) and bumps the Windows MSI naming/constants accordingly.

Upgrades the fetched/bundled libdatadog from v25.0.0 → v30.0.0, updating the platform-specific archive checksums in FindLibdatadog.cmake and the vcpkg local port (vcpkg.json version + Windows SHA512 hashes).

Reviewed by Cursor Bugbot for commit e62234d. Bugbot is set up for automated code reviews on this repo. Configure here.

dd-octo-sts Bot and others added 30 commits March 23, 2026 12:58
@dd-octo-sts @zacharycmontoya
[Version Bump] 3.41.0 (#8355)
85ca320 
The following files were found to be modified (as expected)

- [x] docs/CHANGELOG.md
- [x] .azure-pipelines/ultimate-pipeline.yml
- [x]
profiler/src/ProfilerEngine/Datadog.Profiler.Native.Linux/CMakeLists.txt
- [x]
profiler/src/ProfilerEngine/Datadog.Profiler.Native.Windows/Resource.rc
- [x]
profiler/src/ProfilerEngine/Datadog.Profiler.Native/dd_profiler_version.h
- [x]
profiler/src/ProfilerEngine/Datadog.Linux.ApiWrapper/CMakeLists.txt
- [x] profiler/src/ProfilerEngine/ProductVersion.props
- [x] shared/src/Datadog.Trace.ClrProfiler.Native/CMakeLists.txt
- [x] shared/src/Datadog.Trace.ClrProfiler.Native/Resource.rc
- [x] shared/src/msi-installer/WindowsInstaller.wixproj
- [x] shared/src/native-src/version.h
- [x] tracer/build/artifacts/dd-dotnet.sh
- [x] tracer/build/_build/Build.cs
- [x]
tracer/samples/AutomaticTraceIdInjection/MicrosoftExtensionsExample/MicrosoftExtensionsExample.csproj
- [x]
tracer/samples/AutomaticTraceIdInjection/Log4NetExample/Log4NetExample.csproj
- [x]
tracer/samples/AutomaticTraceIdInjection/NLog40Example/NLog40Example.csproj
- [x]
tracer/samples/AutomaticTraceIdInjection/NLog45Example/NLog45Example.csproj
- [x]
tracer/samples/AutomaticTraceIdInjection/NLog46Example/NLog46Example.csproj
- [x]
tracer/samples/AutomaticTraceIdInjection/SerilogExample/SerilogExample.csproj
- [x] tracer/samples/ConsoleApp/Alpine3.10.dockerfile
- [x] tracer/samples/ConsoleApp/Alpine3.9.dockerfile
- [x] tracer/samples/ConsoleApp/Debian.dockerfile
- [x] tracer/samples/OpenTelemetry/Debian.dockerfile
- [x] tracer/samples/WindowsContainer/Dockerfile
- [x] tracer/src/Datadog.Trace.ClrProfiler.Managed.Loader/Startup.cs
- [x] tracer/src/Datadog.Tracer.Native/CMakeLists.txt
- [x] tracer/src/Datadog.Tracer.Native/dd_profiler_constants.h
- [x] tracer/src/Datadog.Tracer.Native/Resource.rc
- [x] tracer/src/Directory.Build.props
- [x] tracer/src/Datadog.Trace/TracerConstants.cs

@DataDog/apm-dotnet

Co-authored-by: zacharycmontoya <13769665+zacharycmontoya@users.noreply.github.com>
@chojomok @lucaspimentel
[tracing] add support for DiagnosticSource (and Quartz) in .NET Fra…
75d765c 
…mework (#7687)

## Summary of changes
Adds `.NET Framework` support for the `DiagnosticManager` /
`DiagnosticObserver` infrastructure and uses it to enhance Quartz span
metadata on both Framework and non-Framework
targets.
## Reason for change
The `DiagnosticObserver` class was previously gated behind `#if
!NETFRAMEWORK`, limiting tracing integrations that depend on it to
modern .NET only. Quartz is the first
   
## Implementation details
                                                                       
  ### DiagnosticManager — Framework support
On `!NETFRAMEWORK`, the existing path is unchanged:
`DiagnosticListener.AllListeners.Subscribe(new
DiagnosticListenerObserver(this))`.
On `NETFRAMEWORK`, `DiagnosticListener` isn't available at compile time
(it ships as a NuGet package, not part of the BCL). Two problems had to
be solved:
1. **Accessing the static `AllListeners` property** — solved with
reflection to locate the `DiagnosticListener` type and read its static
property at runtime.
2. **Generic invariance** — `AllListeners.Subscribe` expects
`IObserver<DiagnosticListener>` (the real type). A new
`FrameworkDiagnosticListenerObserver` reverse duck type
(`[DuckReverseMethod]` + `.DuckImplement()`) generates a proxy at
runtime that satisfies the exact generic interface, forwarding each
`OnNext` call back to `DiagnosticManager`.
                                                                       
### DiagnosticObserver — duck typed DiagnosticListener
`SubscribeIfMatch` was updated to accept `IDiagnosticListener` (a new
duck type interface) instead of the concrete `DiagnosticListener`,
removing the compile-time dependency on
the type across the whole observer hierarchy.
   
### Quartz
- `QuartzDiagnosticObserver` is registered in `StartDiagnosticManager`
unconditionally (both platforms).
- `QuartzCommon` was enhanced to set the `component: quartz` tag and
activity kind on the pre-`IActivity5` fallback path (< .NET 5), bringing
its span metadata in line with
newer runtimes.
   
### Cleanup
- Consolidated the duplicate `#if !NETFRAMEWORK` / `#else` split of
`StartDiagnosticManager` in `Instrumentation.cs` into a single method
with an inline directive.
- Removed an unnecessary `#if NETFRAMEWORK` block in
`ActivityListener.cs` that duplicated
`CreateDiagnosticSourceListenerInstance` — the IL emit approach works on
Framework
too.
## Test coverage
- New snapshot `QuartzTestsV3NETFRAMEWORK.verified.txt` covering Quartz
on .NET Framework.
- Updated `QuartzTestsV3NETCOREAPP3X.verified.txt` to include the
`component: quartz` tag now set on the pre-`IActivity5` path.
  
## Other details
<!-- Fixes #{issue} -->
<!-- ⚠️ Note:
Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member,
and one review from apm-dotnet. Trivial changes do not require 2
reviews.
MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use
the Squash and Merge button to merge the PR. If you don't have write
access, or you need help, reach out in the #apm-dotnet channel in Slack.
-->

---------

Co-authored-by: Lucas Pimentel <lucas.pimentel@datadoghq.com>
@andrewlock @claude
Fix dd-octo-sts trust policy for create-draft-release workflow (#8356)
4e38cdd 
## Summary of changes

Fix the `dd-octo-sts` trust policy that blocked the release

## Reason for change

The `create_normal_draft_release` workflow was failing at the "Get
GitHub Token via dd-octo-sts" step with:

```
subject_pattern "repo:DataDog/dd-trace-dotnet:environment:publish-debug-symbols-env"
did not match "repo:DataDog/dd-trace-dotnet:ref:refs/heads/(master|hotfix/.+)"
```

See failed run:
https://github.com/DataDog/dd-trace-dotnet/actions/runs/23446312090/job/68210958105

## Implementation details

The root cause is that the `_create_draft_release.yml` reusable workflow
specifies `environment: publish-debug-symbols-env` on the job, which is
required to access environment-scoped secrets for publishing debug
symbols. When a GitHub Actions job uses an environment, the OIDC token's
`sub` claim uses the format:

- `repo:{owner}/{repo}:environment:{env}` 
- instead of `repo:{owner}/{repo}:ref:{ref}`.
 
The trust policy's `subject_pattern` was matching against the ref-based
format, so it never matched.

This fix:
- Changes `subject_pattern` to an exact `subject` match on the
environment-based subject (more secure than a pattern)
- Adds `environment: publish-debug-symbols-env` to `claim_pattern` for
defense in depth
- Retains `ref` and `job_workflow_ref` claim patterns to continue
enforcing the branch restriction `(master|hotfix/*)` via claims

Additionally, make sure the AAS trigger job if the `curl` fails (by
adding `-f`)

## Test coverage

I wish... we'll see how it goes next time

## Other details

Need to make a fix on the AAS side too... incoming

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NachoEchevarria
Fix InvalidCastException in DefaultModelBindingContext (#8334)
390e11e 
## Summary of changes

Fix
[`InvalidCastException`](https://app.datadoghq.com/error-tracking?query=service%3Ainstrumentation-telemetry-data%20%40lib_language%3Adotnet%20version%3A3.3%2A&et-issue__tab=investigate&et-side=activity&fromUser=false&issue_states=open&order=total_count&refresh_mode=sliding&source=all&sp=%5B%7B%22p%22%3A%7B%22issueId%22%3A%22404d80aa-3ade-11f0-814f-da7ad0900002%22%7D%2C%22i%22%3A%22error-tracking-issue%22%7D%5D&from_ts=1773333586601&to_ts=1773938386601&live=true)
in `DefaultModelBindingContext_SetResult_Integration.OnMethodEnd` by
changing the `ValueProvider` field in the `DefaultModelBindingContext`
DuckCopy struct from `IList` to `object`, and safe-casting to `IList` at
the usage site.

## Reason for change

Customers using custom `IModelBinder` implementations that set
`bindingContext.ValueProvider` to a non-`CompositeValueProvider` (i.e.,
an `IValueProvider` that does not implement `IList`) trigger an
`InvalidCastException` during DuckCopy:

```
Error : Exception occurred when calling the CallTarget integration continuation.
System.InvalidCastException
   at Datadog.Trace.ClrProfiler.AutoInstrumentation.AspNetCore.DefaultModelBindingContext_SetResult_Integration.OnMethodEnd[TTarget](TTarget instance, Exception exception, CallTargetState& state)
   at Microsoft.AspNetCore.Mvc.ModelBinding.DefaultModelBindingContext.set_Result(ModelBindingResult value)
```

In standard MVC usage, `ValueProvider` is always a
`CompositeValueProvider` (which inherits from
`Collection<IValueProvider>` and implements `IList`), so the DuckCopy
`Castclass` IL instruction succeeds. However, when a custom model binder
assigns a plain `IValueProvider` that does not implement `IList`, the
cast fails. Additionally, `TryDuckCast` does not wrap `CreateInstance`
in a try/catch, so the exception propagates uncaught.

## Implementation details

## Test coverage

## Other details
@NachoEchevarria @datadog-prod-us1-6
Increase endpoint telemetry wait timeout (#8294)
6b6d608 
<!-- dd-meta
{"pullId":"806bee5a-6a7b-4844-99f8-37e6f6b3faa2","source":"chat","resourceId":"45756181-5088-42df-acf5-46cd00319c58","workflowId":"7279f062-bde8-4f32-93cc-ab9ed8025441","codeChangeId":"7279f062-bde8-4f32-93cc-ab9ed8025441","sourceType":"action_platform_custom_agent"}
-->
## Summary of changes
- Increased the AppEndpoints telemetry wait timeout in API Security
endpoint collection tests to reduce flakiness on slower CI environments.

## Reason for change
- `WaitForLatestTelemetryAsync` defaults to a 5-second timeout in
`MockTracerAgent`.
- Endpoint telemetry collection can take longer than 5 seconds under CI
load (cold start + endpoint discovery + heartbeat + delivery), causing
intermittent null telemetry and test failures.

## Implementation details
- Updated
`tracer/test/Datadog.Trace.Security.IntegrationTests/ApiSecurity/AspNetCoreEndpoints.cs`:
- Changed the `WaitForLatestTelemetryAsync` call in
`TestEndpointsCollection()` to pass `timeoutInMilliseconds: 30000`.
- This base test method is used by the API Security endpoint collection
test variants (including `AspNetCore5EndpointsApmTracingDisabled`), so
all relevant endpoint collection tests now use the increased timeout.

## Test coverage
- Attempted to run:
- `dotnet test
tracer/test/Datadog.Trace.Security.IntegrationTests/Datadog.Trace.Security.IntegrationTests.csproj
--filter
"FullyQualifiedName~ApiSecurity.AspNetCore5EndpointsApmTracingDisabled.TestEndpointsCollection"`
- Could not execute in this environment because the repository requires
.NET SDK `10.0.100` from `global.json`, but only SDK `8.0.412` is
installed.
- Formatting check attempted via `Format` tool, but `dotnet format`
failed for the same SDK reason.
- Lint tool could not determine a linter for the changed C# file.

## Other details
<!-- Fixes #{issue} -->

---

PR by Bits - [View session in
Datadog](https://app.datadoghq.com/code/45756181-5088-42df-acf5-46cd00319c58)

Comment @DataDog to request changes

Co-authored-by: datadog-prod-us1-6[bot] <266788760+datadog-prod-us1-6[bot]@users.noreply.github.com>
@NachoEchevarria
Fix dd_dotnet.ArtifactTests.CreatedumpTests.DisableTelemetry flakines…
fe2cdea 
…s (#8354)

## Summary of changes

Fixes intermittent `CreatedumpTests` failures on arm64 Linux by relaxing
the createdump output assertion when the .NET runtime's `createdump`
tool fails due to a known ptrace race condition.

## Reason for change

On arm64 Linux, `createdump` intermittently fails with `ptrace(ATTACH,
<tid>) FAILED No such process` — a race condition where threads exit
before createdump can attach to them. When this happens, createdump
aborts without writing `"Writing minidump with heap to file /dev/null"`,
causing the test assertion to fail even though our crash tracking code
correctly invoked createdump.

This is a known .NET runtime limitation tracked in multiple issues:
-
[dotnet/runtime#119700](dotnet/runtime#119700)
-
[dotnet/runtime#112620](dotnet/runtime#112620)
- [dotnet/runtime#77466](dotnet/runtime#77466)

Flaky test identified via [CI Test
Management](https://app.datadoghq.com/ci/test/flaky?sort=-pipelines_failed&sp=%5B%7B%22p%22%3A%7B%22fingerprintFqn%22%3A%22eb3fae1eba7c4b0b%22%7D%2C%22i%22%3A%22test-optimization-flaky-management-history%22%7D%5D&viewMode=flaky).

## Implementation details

- Added `AssertCreatedumpWasInvoked()` helper that, **only on arm64
Linux**, also accepts `"[createdump] Gathering state for process"` as
evidence that createdump was invoked (even if it failed due to the
ptrace race). On all other platforms, the strict assertion is preserved.
- Updated all 4 assertion sites: `Passthrough`, `BashScript`,
`DoNothingIfNotEnabled`, and `DisableTelemetry`.
- Tightened negative assertions (the "should NOT call createdump"
branches) to check for both strings.

## Test coverage

## Other details

The test's purpose is to verify that *our crash tracking code correctly
invokes createdump*, not that createdump itself succeeds. The relaxed
assertion still validates that createdump was started by our code.
@andrewlock @lucaspimentel
Add smoke tests for Datadog.AzureFunctions NuGet package (#8336)
1bb5b79 
## Summary of changes

Adds new Windows and Linux smoke tests for the Datadog.AzureFunctions
NuGet package

## Reason for change

We recently had an issue where the Datadog.AzureFunctions package was
broken, but as we don't currently test the package itself, we didn't
catch it. This adds tests to make sure we can actually install the
package that we build, similar to how we test the Datadog.Trace.Bundle
package today.

## Implementation details

This was harder than I had hoped, and required a bit of refactoring to
the Nuke smoke tests that we added in
DataDog/dd-trace-dotnet#8271, as well as
enabling the new smoke tests.

For the refactoring, this PR:
- Updates the "nuget" smoke test dockerfiles to allow providing a
`NUGET_PACKAGE` variable, so we can reuse the dockerfiles for multiple
nuget packages
- Add `IncludeDdDotnetScenario` to the windows nuget scenario - today we
always try the `dd-dotnet` case after the "env vars" case, but there's
no `dd-dotnet` in Datadog.AzureFunctions.
- Ensure we delete the logs from previous runs before starting the
tests, this bit when I was testing locally as I was failing on errors
from _previous_ runs
- Make the specifying of runtime environment variables to pass in
scenario-specific. We bake a lot of env vars into the dockerfiles, but
it means that if you need different env vars for different scenarios
that use the _same_ dockerfile, you can.

In terms of enabling the Azure Functions smoke tests:
- Add two new stages, Windows and Linux, running tests with the
Datadog.AzureFunctions NuGet package. Made them "extended" tests so they
only run on main/hotfix branches, seeing as the package will rarely
change.
- Add a couple of exceptions to warnings caused by missing libdatadog
and profiler. These are always logged today, and can't be avoided
AFAICT. They may be candidates for looking into further, but they're
benign, so this is the easiest approach.
- Update the env vars we pass in:
  - Don't set `LD_PRELOAD` (because the file doesn't exist)
  - Disable ASM and profiling (the native libraries aren't included)
  - "Pretend" to be in AAS, to try to stop using libdatadog config
- Set `AWS_LAMBDA_FUNCTION_NAME` to avoid sending config to the profiler
(we can't pretend to be in Azure functions, because otherwise we disable
the aspnetcore integration which we need😅)
- Set a fake `DD_API_KEY` otherwise we're marked as "unsafe to trace"
and disable tracing
- Add a new "Azure Functions snapshot", seeing as we have a bunch of AAS
tags added now, and are missing the ASM ones etc.

## Test coverage

More now! 🎉 

[I did a test
run](https://dev.azure.com/datadoghq/dd-trace-dotnet/_build/results?buildId=197781&view=results)
in which I restore the previous "broken" NuGet, and it causes the smoke
tests to fail (which is good):

```
 error: NU1102: Unable to find package Datadog.Trace.Annotations with version (>= 3.40.0)

```

I've done multiple runs showing it passes otherwise, but I'll do a final
run before merging to make sure

## Other details

Context:
- #8285 
- #8289

---------

Co-authored-by: Lucas Pimentel <lucas.pimentel@datadoghq.com>
@dd-octo-sts @andrewlock
[Test Package Versions Bump] Updating package versions (#8342)
3bdbbfe 
Updates the package versions for integration tests.

Co-authored-by: andrewlock <18755388+andrewlock@users.noreply.github.com>
@andrewlock
Fix CA1861 - Avoid constant arrays as arguments (#8332)
df1c8a6 
## Summary of changes

Enables the `CA1861` analyzer, and fixes all the violations

## Reason for change

The analyzer flags cases where we're creating small arrays and throwing
them away, which is generally not great for perf.

The violations we have are actually very minor, because most of the time
they're "one off" usages. However, given that there are a _bunch_ of
"one off" usages in various places, it seemed like it would make sense
to just define these statically.

Obviously as these are static readonly cases they will add a tiny bump
to long term memory pressure, so I'm not _entirely_ sure that we
shouldn't just be ignoring the violations - open to opinions there 🤔

I mostly went with this approach because the sourcelink parses
potentially run multiple times, and therefore probably _do_ need to
cache the arrays, and that's basically _all_ of the arrays we would need
everywhere so this seemed to make sense 🤷‍♂️

## Implementation details

- Enable CA1861
- Introduce `Datadog.Trace.Util.Separators` type with `static readonly
char[]`
- Use them where we can

## Test coverage

Covered by existing tests

## Other details

https://datadoghq.atlassian.net/browse/LANGPLAT-813

Looked at using `InlineArray` instead but that's only in .NET 8+ and the
APIs we're calling often don't take `Span<char>` anyway
@zacharycmontoya
[Tracing] Add experimental support for exporting traces as OTLP (.NET…
b70e6f2 
… 6+) (#8211)

## Summary of changes
Adds experimental support for exporting traces using
[OTLP](https://github.com/open-telemetry/opentelemetry-proto/blob/v1.9.0/opentelemetry/proto/trace/v1/trace.proto)
rather than the Datadog MessagePack protocols. This allows the DD SDK to
send traces to an OTel collector rather than a Datadog Trace Agent, with
limited support for non-APM products.

This feature is enabled by setting `OTEL_TRACES_EXPORTER=otlp`.

Note: This feature is currently only supported for .NET 6+, and only the
`http/json` OTLP protocol is supported at this time. Setting any other
protocol value falls back to Datadog encoding with a startup warning.

### Configuration

| Configuration | Details |
|---------------|---------|
| `OTEL_TRACES_EXPORTER=otlp` | Enables the OTLP traces export |
| `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT` | See the [OTLP Exporter
Configuration
docs](https://opentelemetry.io/docs/languages/sdk-configuration/otlp-exporter/)
|
| `OTEL_EXPORTER_OTLP_TRACES_HEADERS` | See the [OTLP Exporter
Configuration
docs](https://opentelemetry.io/docs/languages/sdk-configuration/otlp-exporter/)
|
| `OTEL_EXPORTER_OTLP_TRACES_PROTOCOL` | See the [OTLP Exporter
Configuration
docs](https://opentelemetry.io/docs/languages/sdk-configuration/otlp-exporter/)
|
| `OTEL_EXPORTER_OTLP_TRACES_TIMEOUT` | See the [OTLP Exporter
Configuration
docs](https://opentelemetry.io/docs/languages/sdk-configuration/otlp-exporter/)
|


## Reason for change
We are seeing an increasing number of scenarios where users have
applications instrumented with the OTel SDK sending data to OTel
collectors, and they would like to get additional features offered by
the DD SDK without needing to update their OTel collector deployments.
Although there will be follow-up work, this provides the ability for
users to write vendor-neutral API instrumentation *and* emit
vendor-neutral telemetry data so DD SDK users don't have to feel locked
in when setting up Datadog APM.

## Implementation details

### Configuration
All OTLP exporter configuration (Traces and Metrics) is read in
`ExporterSettings` and exposed as properties (`OtlpTracesEndpoint`,
`OtlpTracesProtocol`, `OtlpTracesHeaders`, `OtlpTracesTimeoutMs`, and
the corresponding `OtlpMetrics*` properties). The `TracesEncoding`
property (of type `Datadog.Trace.Agent.TracesEncoding`) determines the
serialization format: `DatadogV0_4`, `OtlpProtobuf`, or `OtlpJson`. Only
`OtlpJson` is currently functional; `OtlpProtobuf` is defined but not
yet implemented.

OTLP endpoint resolution is handled separately from Datadog trace
transport settings to avoid comingling the two URL calculation paths.
The OTLP endpoint logic considers `DD_AGENT_HOST` before falling back to
the OTLP default host of `localhost`.

### Serialization
The `SpanBuffer` class was refactored to use a pluggable
`ISpanBufferSerializer` interface (methods: `HeaderSize`,
`SerializeSpans`, `WriteHeader`, `FinishBody`). Two implementations
exist:
- **`SpanBufferMessagePackSerializer`**: The existing Datadog
MessagePack serialization, extracted into its own class.
- **`OtlpTracesJsonSerializer`**: Serializes `TraceChunkModel` and
`Span` objects into the OTLP `ExportTraceServiceRequest` JSON structure.
Key behaviors:
- Resource attributes (service.name, service.version,
deployment.environment.name, telemetry SDK info, git metadata, runtime
ID) are emitted via `OtlpMapper.EmitResourceAttributesFromTraceChunk()`
  - Span attributes are capped at 128 per span
- Span events (128 limit), span links (128 limit), span status, and span
kind are all mapped
- Field names use lowerCamelCase and enums use integer values per the
OTLP http/json encoding spec

### Datadog-to-OTLP Mapping
The `OtlpMapper` static class (under `OpenTelemetry/`) handles the
translation between Datadog span semantics and OTLP attributes. It
determines which tags are resource-level vs. span-level, manages
attribute limits, and processes string/double/byte[] tag types via an
inner `TagWriter` struct.

### Sampling & Stats Aggregation
When OTLP export is enabled:
- **Sampling**: Only the `PrioritySampler` is used in
`ShouldKeepTrace()`, aligning with the OpenTelemetry SDK behavior of
exporting based solely on the sampling decision.
- **Default sampling rate**: A global sampling rate of 1.0 is set by
default (can be overridden by user configuration), and the
`AgentSamplingRule` is omitted since there is no Datadog Agent to
communicate sampling rules.
- **`StatsAggregationKey`**: Extended with `IsError` and `IsTopLevel`
fields for OTLP mode, allowing distinct histogram timeseries. The
Datadog mode constructor continues to set these to false for backwards
compatibility.

### Export
- **`ApiOtlp`** (NET6_0_OR_GREATER only): Implements `IApi` for OTLP
endpoints with retry logic (up to 5 attempts with exponential backoff
starting at 100ms).
- **`ManagedApiOtlp`**: Thread-safe wrapper that enables atomic swapping
of `ApiOtlp` instances (for configuration refresh).
- **Traces**: Serialized by `OtlpTracesJsonSerializer` into
`SpanBuffer`, then sent by `ApiOtlp.SendTracesAsync()` to the OTLP
traces endpoint with custom headers.
- **Metrics (trace stats)**: `SendStatsAsync` is defined but currently
returns success immediately — DDSketch-to-OTLP histogram conversion was
removed from this PR and will be introduced in a follow-up PR alongside
new unit tests.

### Wiring
In `TracerManagerFactory.GetAgentWriter()`, when `TracesEncoding` is
`OtlpProtobuf` or `OtlpJson`, the method creates a `ManagedApiOtlp` and
a `StatsAggregator` with `isOtlp: true`, then passes both to
`AgentWriter`.

## Test coverage
- **Integration test**: `OpenTelemetrySdkTests.SubmitsOtlpTraces` — A
parameterized test exercising different package versions, protocols, and
configurations. Sends OTLP traces to the dd-apm-test-agent, retrieves
payloads, validates trace/span ID formats (32-char/16-char hex), checks
resource attribute consistency across requests, normalizes dynamic
values, and performs snapshot testing.
- **Unit tests**: Tests for OTLP-specific behaviors including: stats
aggregator enablement when exporting OTLP, exporting only sampled spans,
and omission of the AgentSamplingRule.
- **Docker**: The docker-compose configuration was updated to wait for
test-agent ports 4317 (gRPC) and 4318 (HTTP) for OTLP traffic.

## Follow-up work
- Export trace metrics (APM stats) via OTLP metrics with
DDSketch-to-OTLP histogram conversion (removed from this PR —
`SendStatsAsync` currently no-ops)
- Assert against trace metrics in the `SubmitsOtlpTraces` integration
test
- Stop reading OTLP metrics settings in `TracerSettings` now that they
are being read in `ExporterSettings`
- Implement `http/protobuf` OTLP protocol support (enum value exists but
not yet functional)
@moezein0 @bouwkast
chore: disable automated dependency updater config [incident-51602] (…
6aadb93 
…#8364)

As part of #incident-51602, we are temporarily disabling all automated
dependency updaters to reduce exposure to potential zero-day
vulnerabilities in recent releases.

This PR disables the Dependabot/Renovate configuration not managed by
ADMS by commenting out (YAML) or renaming (JSON) the config file. Please
do not re-enable until further notice.

---------

Co-authored-by: Steven Bouwkamp <steven.bouwkamp@datadoghq.com>
@andrewlock
Use SpanCharSplitter for parsing source link URLs (#8349)
f3f9047 
## Summary of changes

- Add unit tests for `SourceLinkUrlParser` implementations
- Refactor implementations to reduce allocations (by using
`SpanCharSplitter` instead of `String.Split()`

## Reason for change

@lucaspimentel flagged this as an option in
DataDog/dd-trace-dotnet#8332, as it will reduce
allocations. As this is something we do for every app, it makes sense to
optimize.

## Implementation details

- Had 🤖 write some unit tests for the current behaviour
- Had 🤖 replace existing `Split` usages with `SpanCharSplitter`
- Review and tweak

There's still some allocations we could _potentially_ remove, by doing
some dangerous stuff (like we do in `UriHelpers`, to avoid hitting
`AbsolutePath` etc) but I don't know that the payoff is worth it here.
Fewer allocations is better, but it's not worth going overboard IMO.

## Test coverage

- The unit tests pass before and after the changes
- Benchmarked just one of the implementations before and after, but you
get the idea I think


| Method | Runtime | Mean | Allocated |
| ------------------------------ | ------------------ | ---------: |
--------: |
| TryParseSourceLinkUrl_Original | .NET 10.0 | 2,929.4 ns | 2552 B |
| TryParseSourceLinkUrl_Updated | .NET 10.0 | 400.4 ns | 240 B |
| TryParseSourceLinkUrl_Original | .NET 6.0 | 2,540.5 ns | 2584 B |
| TryParseSourceLinkUrl_Updated | .NET 6.0 | 376.1 ns | 240 B |
| TryParseSourceLinkUrl_Original | .NET Core 3.1 | 3,550.8 ns | 2672 B |
| TryParseSourceLinkUrl_Updated | .NET Core 3.1 | 450.3 ns | 456 B |
| TryParseSourceLinkUrl_Original | .NET Framework 4.8 | 3,875.2 ns |
4036 B |
| TryParseSourceLinkUrl_Updated | .NET Framework 4.8 | 708.1 ns | 578 B
|

<details><summary>Benchmark code</summary>
<p>

```csharp
[MemoryDiagnoser, GroupBenchmarksBy(BenchmarkLogicalGroupRule.ByCategory), CategoriesColumn]
public class UriHelperBenchmarks
{
    private string _sha;
    private string _repoUrl;
    private Uri _uri;
    private AzureDevOpsSourceLinkUrlParser _parser;
    private AzureDevOpsSourceLinkUrlParserOriginal _parser2;

    [GlobalSetup]
    public void GlobalSetup()
    {
        _parser = new AzureDevOpsSourceLinkUrlParser();
        _parser2 = new AzureDevOpsSourceLinkUrlParserOriginal();
        _uri = new Uri("https://dev.azure.com/org/proj/_apis/git/repositories/example.shopping.api/items?api-version=1.0&versionType=commit&version=0e4d29442102e6cef1c271025d513c8b2187bcd6&path=/*");
    }

    [GlobalCleanup]
    public void GlobalCleanup()
    {
        _sha = null;
        _repoUrl = null;
    }

    [Benchmark(Baseline = true)]
    public bool TryParseSourceLinkUrl_Original()
    {
        return _parser2.TryParseSourceLinkUrl(_uri, out _sha, out _repoUrl);
    }

    [Benchmark]
    public bool TryParseSourceLinkUrl_Updated()
    {
        return _parser.TryParseSourceLinkUrl(_uri, out _sha, out _repoUrl);
    }
}
```

</p>
</details> 

## Other details

Stacked on DataDog/dd-trace-dotnet#8332 for
simplicity
@bm1549 @claude
Add _dd.p.ksr propagated tag for Knuth sampling rate (#8287)
f6c4461 
## Summary of changes

Add `_dd.p.ksr` (Knuth Sampling Rate) propagated tag to spans when
sampling is applied via agent rates or trace sampling rules, per the
[Transmit Knuth Sampling Rate to Backend
RFC](https://docs.google.com/document/d/1Po3qtJb6PGheFeKFSUMv2pVY_y-HFAxTzNLuacCbCXY/edit).

## Reason for change

The backend needs to know the exact sampling rate applied by the tracer
to correctly compute effective rates during resampling (e.g., tracer 0.5
× backend 0.5 = effective 0.25). This tag enables that by propagating
the rate via `x-datadog-tags` and W3C `tracestate`.

## Implementation details

- Set `_dd.p.ksr` in `TraceContext.SetSamplingPriority()` for
`AgentRate`, `LocalTraceSamplingRule`, `RemoteAdaptiveSamplingRule`, and
`RemoteUserSamplingRule` mechanisms
- Use `TryAddTag` to preserve the original rate (consistent with
`AppliedSamplingRate ??= rate` semantics)
- Format with `"0.######"` (up to 6 decimal digits, no trailing zeros,
no scientific notation) per RFC spec
- Added `.IsOptional("_dd.p.ksr")` to `SpanTagAssertion.cs` so
integration test tag validators accept the new tag

## Test coverage

- Unit tests in `TraceContextTests_KnuthSamplingRate.cs`:
  - KSR set for agent rate sampling
- KSR set for trace sampling rules (local, remote adaptive, remote user)
- KSR NOT set for manual, AppSec, rate limiter, or single span
mechanisms
  - KSR preserved on subsequent sampling calls (TryAddTag semantics)
- Formatting with up to 6 decimal digits (boundary values including
small rates like 0.00001)
- System tests in [system-tests
#6466](DataDog/system-tests#6466)

## Other details

Related PRs across tracers:
- Java: DataDog/dd-trace-java#10802
- Ruby: DataDog/dd-trace-rb#5436
- Node.js: DataDog/dd-trace-js#7741
- PHP: DataDog/dd-trace-php#3701
- Rust: DataDog/dd-trace-rs#180
- C++: DataDog/dd-trace-cpp#288

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@vandonr @daniel-romano-DD @andrewlock
[DBM] Add container tags hash to queries (if enabled) (#8061)
0c457bf 
## Summary of changes

Add the ability to write the container tags hash to DBM queries + to the
related span.
The goal is that DBM would then query the spans bearing that hash, and
then use the container tags on this (those) spans(s) to enrich the
queries with it.
This is controlled by a setting that is disabled by default, and would
be enabled if propagation mode is "service" or greater

see RFC:
https://docs.google.com/document/d/15GtNOKGBCt6Dc-HsDNnMmCdZwhewFQx8yUlI9in5n3M
related PR in python: DataDog/dd-trace-py#15293

## Reason for change

DBM and DSM propagate service context in outbound communications (SQL
comments, message headers), but neither product has awareness of the
container environment (e.g., `kube_cluster`, `namespace`, `pod_name`).
Propagating full container tags is not feasible due to cardinality
constraints (query cache invalidation in OracleDB/SQLServer, exponential
pathway growth in DSM) and size limitations (64–128 bytes for DBM
non-comment methods).

This is needed for the **service renaming initiative** (defining
services based on container names) and **APM primary tags**
(container-based dimensions like Kubernetes cluster).

The solution: the agent computes a hash of low-cardinality container
tags and back-propagates it to the tracer, which includes it in outbound
DBM/DSM communications. DBM then resolves the hash by correlating with
APM spans that carry the same hash as a span tag.

## Implementation details

- Add `BaseHash` static class that computes an FNV-64 hash of
`ProcessTags.SerializedTags` combined with the container tags hash from
the agent, encoded as base64
- Read the container tags hash from the Datadog Agent via
`DiscoveryService`, stored in `ContainerMetadata.ContainerTagsHash`
- `ContainerMetadata` converted from static to instance class (singleton
via `ContainerMetadata.Instance`) to improve testability
- `DatabaseMonitoringPropagator` injects the base hash into SQL comments
(as `ddsh`) when `DD_DBM_INJECT_SQL_BASEHASH` is true
- Add `_dd.dbm_container_tags_hash` span tag on `SqlTags` so DBM can
correlate the hash back to the span's container tags
- New config key `DD_DBM_INJECT_SQL_BASEHASH` (disabled by default),
intended to be enabled when DBM propagation mode is `service` or higher
- Add container ID header to `MinimalAgentHeaderHelper` for agent
communication

## Test coverage

Adding a test in DbScopeFactoryTests.cs forced me to inject the value
from pretty high, which I find a bit "dirty", but at least we don't have
to rely on global static instance in tests.

## Other details
<!-- Fixes #{issue} -->


<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->

---------

Co-authored-by: Daniel Romano <108014683+daniel-romano-DD@users.noreply.github.com>
Co-authored-by: Andrew Lock <andrew.lock@datadoghq.com>
@NachoEchevarria @datadog-prod-us1-3
Stabilize test-agent readiness in smoke tests (#8368)
39e359b 
## Summary of changes
Increased test-agent readiness timeout from 30s to 60s and added
retry-attempt logging.

```
20:49:49 [ERR] Target RunArtifactSmokeTests has thrown an exception
System.TimeoutException: Test agent did not become ready within 30 seconds
   at SmokeTests.SmokeTestRunner.WaitForTestAgentAsync(HttpClient httpClient) in /build/SmokeTests/SmokeTestRunner.cs:line 311

```

## Reason for change
Smoke tests were intermittently [failing
](https://dev.azure.com/datadoghq/dd-trace-dotnet/_build/results?buildId=198100&view=logs&j=407dddad-44b6-5ebb-3a0f-ff0eff8ee16f&t=c183c8c0-4c19-505d-2688-c00b1688124f)in
CI when the test-agent container startup was delayed on busy runners.

## Implementation details
- Updated `WaitForTestAgentAsync` in `SmokeTestRunner.cs`
- Bumped timeout from 30s to 60s
- Added warning log on each failed readiness check (attempt number +
error message)

---------

Co-authored-by: datadog-prod-us1-3[bot] <266080212+datadog-prod-us1-3[bot]@users.noreply.github.com>
@andrewlock
Fix CA1872 - Prefer Convert.ToHexString over `BitConverter.ToStri…
da0f277 
…ng` (#8333)

## Summary of changes

Stop using `BitConverter.ToString` to convert a `byte[]` into a `string`

## Reason for change

The `CA1872` analyzer suggests to use `Convert.ToHexString` instead.
That's not available in <.NET 6, but ultimately it just calls
`HexConverter.ToString(bytes, HexConverter.Casing.Upper)` which we have
vendored, so we can just use that instead in that case.

## Implementation details

- Enable the analyzer
- Fix the one violation

## Test coverage

Covered by existing

## Other details

https://datadoghq.atlassian.net/browse/LANGPLAT-813

We could argue whether it's worth having the `#if`, but it feels like we
should generally use the built-in types where they're available. But
_maybe_ that means we should make `HexConverter.ToString()` delegate to
the built-in `Convert.ToHexString()` method? i.e. move the `#if` to be
an implementation detail of our vendored `HexConverter`? I'm undecided.
@andrewlock
Enable CA1859 - Use concrete types when possible (#8335)
314f452 
## Summary of changes

Enables the `CA1859` analyzer, and fixes the violations

## Reason for change

We want to enable these perf analyzers. The reasoning in this one is
that if you return concrete types, the compiler is more able to make
optimizations e.g. using struct-based enumerators and/or avoiding
virtual method dispatch.

That said, this one is potentially _kind_ of annoying, and I think
there's a question of whether it's worth enabling or not. All in all,
it's likely to be much more beneficial for .NET Framework for example,
vs .NET 10.

The analyzer also only applies to `private` members too, which means
there's likely a lot more low-hanging fruit that we could switch to
using `List<T>` etc for gains.

## Implementation details

- Enable the analyzer
- Fix the violations by using the suggested concrete types
- In a couple of cases where the results differ per TFM, use either
`#if` (to fix it) or `#pragma` (to ignore it)

## Test coverage

Covered by existing

## Other details

https://datadoghq.atlassian.net/browse/LANGPLAT-813

Stacked on 
- DataDog/dd-trace-dotnet#8332
- DataDog/dd-trace-dotnet#8333
@andrewlock
Enable CA1851 - Avoid multiple enumeration of collections (#8341)
3dd19e4 
## Summary of changes

Enables `CA1851`, fixes one violations, and ignores an existing

## Reason for change

We want to enable this analayzer. Although, interestingly, there are
cases where this _won't_ touch, which we should potentially also have
analyzers for. For example:

- We instrument a method that takes an `IEnumerable` (could be call
target, could be callsite aspects)
- We enumerate the collection
- The instrumented method runs, enumerating it again

If this isn't a materialized collection, this could be very expensive.
Potentially, we should instead do:

- Call `ToList()` on the parameter
- Do our thing
- Pass the list into the method

But that _also_ has risks 😅 So ideally... we just don't touch
`IEnumerable`s 😅 🤷‍♂️

## Implementation details

- Enable the analyzer
- For the `StringModuleImpl`, The `Count()` call was to ensure we pass
`addDelimiterRanges: false` on the _final_ iteration. Converting to a
"manually implemented" `foreach` using a "peek ahead" approach avoids
the multiple enumerations
- For the `Encoder`, it's all recursive and really hard to follow what
the inputs are actually going to be here, so I just declared bankruptcy
and put the `#pragma` in. If ASM want to fix it "properly" later, that's
good, but don't want to block enabling the analyzer because of it

## Test coverage

Covered by existing

## Other details

https://datadoghq.atlassian.net/browse/LANGPLAT-813

Stacked on 
- DataDog/dd-trace-dotnet#8332
- DataDog/dd-trace-dotnet#8333
- DataDog/dd-trace-dotnet#8335
@NachoEchevarria @andrewlock @bouwkast
Fix swapped SpanKinds and missing tags in IbmMqHelper (#8369)
6087ef6 
## Summary of changes

Fix three pre-existing bugs in `IbmMqHelper`:

- **Swapped SpanKinds**: `CreateProducerScope` passed
`SpanKinds.Consumer` and `CreateConsumerScope` passed
`SpanKinds.Producer` to `CreateIbmMqTags` — now corrected.
- **Missing tags in producer scope**: `CreateProducerScope` created and
populated `IbmMqTags` but never passed them to `StartActiveInternal`, so
tags (including `TopicName`) were silently discarded.

## Reason for change

Producer spans were tagged as consumers and vice versa, and producer
spans were missing messaging-specific tags entirely.

## Implementation details

- Swap `SpanKinds.Consumer` → `SpanKinds.Producer` in
`CreateProducerScope` (line 71)
- Swap `SpanKinds.Producer` → `SpanKinds.Consumer` in
`CreateConsumerScope` (line 138)
- Add `tags: tags` parameter to `StartActiveInternal` in
`CreateProducerScope`

## Test coverage

Existing integration tests cover IBM MQ span creation. No new tests
required — this is a straightforward value correction.

## Other details

Pre-existing bugs, not introduced by any recent PR.

---------

Co-authored-by: Andrew Lock <andrew.lock@datadoghq.com>
Co-authored-by: Steven Bouwkamp <stevenbouwkamp@gmail.com>
@bouwkast
Add OTEL_RESOURCE_ATTRIBUTES to claude settings (#8378)
1e350b3 
## Summary of changes

This adds `"OTEL_RESOURCE_ATTRIBUTES":
"repo.owner=DataDog,repo.name=dd-trace-dotnet"` to our claude settings

## Reason for change

This will make it so that our telemetry marks that if we are working on
the repo with Claude that it will report our repository.

I don't think there is any functional change here besides the fact that
I want to make my telemetry go from `N/A` to `dd-trace-dotnet`

## Implementation details

Followed
https://datadoghq.atlassian.net/wiki/spaces/AIDEVX/pages/5689508824/Repo+Config#Repo-Tags-in-Telemetry

## Test coverage

## Other details
<!-- Fixes #{issue} -->


<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@moezein0
chore: re-enable dependabot with 2-day cooldown (#8377)
05f70bb 
> [!NOTE]
> **Merge only if this is still needed and your repo is not managed by
ADMS.**
> If your repository is already managed by ADMS, feel free to close or
ignore this PR.

---

We are adding a 2-day cooldown on dependencies to reduce the risk of
zero-day vulnerabilities.

This PR re-enables your Dependabot configuration and introduces the
cooldown setting. If you notice any other Dependabot configurations in
your repo that are missing the cooldown, please ensure it is added.

If your repository is already managed by ADMS and no longer requires
these configurations, feel free to close or ignore the PR.

Signed-off-by: Moe Zein <moe.zein@datadoghq.com>
@gh-worker-campaigns-3e9aa4
chore(ci) update one-pipeline (#8351)
2f34032 
This pull request updates one-pipeline to a newer version.

Recent changes:
* Use artifact-gateway to authenticate promote-oci jobs
* Allow bigger lib injection and oci package sizes
* Config registry validation improvements and fixes


Some of these changes may have already applied depending on your
previous version of one-pipeline. See the libdatadog-build repository
for all changes

Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
@andrewlock @claude
Fix multiple termination signals on .NET 10+ (#8374)
017e910 
## Summary of changes

- Un-skip `TerminationSignalTests`
- Run `TerminationSignalTests` on more TFMs
- Fix bug with multiple-termination signals on .NET 10
- Wait for dogstatsd to finish flushing on exit

## Reason for change

As part of the recent runtime metrics work (#8265), we skipped the
`TerminationSignalTests`, as we found they were flaky with the new
changes on .NET 10 (and failed outright if we properly `await`-ed for
dogstatsd to flush on exit). Ultimately, this comes down to essentially
a race condition in the new termination behaviour on .NET 10.

Previously, we had this for .NET 10:
- On startup, register for POSIX signals
- When a posix signal fires, unregister the signals, and start
shutdown/flush etc
- After a small delay (100ms) in the test, send another posix signal
- As we have already unregistered our handler, the app goes straight to
shutdown, and we don't finish flushing.

This doesn't affect <.NET 10, because POSIX is handled by the runtime,
and they queue handling of the subsequent signals while the first one is
ongoing.

## Implementation details

The fix is essentially two changes:
- Don't un-register the POSIX handlers
- On subsequent POSIX signals wait for the first handler to complete
before exiting

This only affects the .NET 10 path, as the POSIX handlers only fire
explicitly on those paths.

As an aside, this allows enabling the statsd flush on shutdown.

## Test coverage

I unskipped the currently-skipped test, and expanded the
`TerminationSignalTests` to cover .NET 8+, instead of just .NET 10, so
that we know we're _actually_ getting the same behaviour in both cases.
(.NET 8 was a somewhat arbitrary choice, we could expand it further if
we wanted to, but doesn't necessarily seem worth it to me).

I then tested that in CI and saw it fail, before making the fix.

## Other details

There's one "interesting" change of behaviour in terms of `Cancel`. 🤖 is
adamant we _Shouldn't_ cancel the default signal handling on the first
handler, because we _want_ the "default signal handling" to kick in
_after_ we've run our shutdown hooks. I'm not entirely sure if that's
true or not tbh, but it doesn't seem to affect the tests one way or
another so I'm guessing, meh? 🤷‍♂️

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@andrewlock @vandonr
Move TracerSettings helper methods to TestHelpers project (#8375)
5ff69b3 
## Summary of changes

Move the `TracerSettings.Create()` methods which are only there for
testing convenience into the `TestHelpers` project

## Reason for change

They don't need to be in the main binary

## Implementation details

- Moved the settings to the TestHelpers project
- Created them as static extension members, so the call-site doesn't
change at all (partially as an experiment)
- Fixed a culture bug @vandonr was running into

## Test coverage

Covered by existing

---------

Co-authored-by: Raphaël Vandon <raphael.vandon@datadog.com>
@dependabot @andrewlock
Bump the gh-actions-packages group across 3 directories with 10 updat…
afb0834 
…es (#8381)

Bumps the gh-actions-packages group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/setup-dotnet](https://github.com/actions/setup-dotnet) |
`5.1.0` | `5.2.0` |
|
[DataDog/dd-octo-sts-action](https://github.com/datadog/dd-octo-sts-action)
| `1.0.3` | `1.0.4` |
|
[softprops/action-gh-release](https://github.com/softprops/action-gh-release)
| `2.5.0` | `2.6.1` |
| [github/codeql-action](https://github.com/github/codeql-action) |
`4.32.4` | `4.34.1` |
|
[advanced-security/filter-sarif](https://github.com/advanced-security/filter-sarif)
| `1.0.1` | `1.1` |
|
[actions/create-github-app-token](https://github.com/actions/create-github-app-token)
| `2.2.1` | `3.0.0` |

Bumps the gh-actions-packages group with 3 updates in the
/.github/actions/create-system-test-docker-base-images directory:
[docker/setup-qemu-action](https://github.com/docker/setup-qemu-action),
[docker/setup-buildx-action](https://github.com/docker/setup-buildx-action)
and
[docker/build-push-action](https://github.com/docker/build-push-action).
Bumps the gh-actions-packages group with 1 update in the
/.github/actions/publish-debug-symbols directory:
[actions/setup-node](https://github.com/actions/setup-node).

Updates `actions/setup-dotnet` from 5.1.0 to 5.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-dotnet/releases">actions/setup-dotnet's
releases</a>.</em></p>
<blockquote>
<h2>v5.2.0</h2>
<h2>What's changed</h2>
<h3>Enhancements</h3>
<ul>
<li>Add support for workloads input by <a
href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in
<a
href="https://redirect.github.com/actions/setup-dotnet/pull/693">actions/setup-dotnet#693</a></li>
<li>Add support for optional architecture input for cross-architecture
.NET installs by <a
href="https://github.com/priya-kinthali"><code>@​priya-kinthali</code></a>
in <a
href="https://redirect.github.com/actions/setup-dotnet/pull/700">actions/setup-dotnet#700</a></li>
</ul>
<h3>Dependency Updates</h3>
<ul>
<li>Upgrade fast-xml-parser from 4.4.1 to 5.3.6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-dotnet/pull/671">actions/setup-dotnet#671</a></li>
<li>Upgrade minimatch from 3.1.2 to 3.1.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-dotnet/pull/705">actions/setup-dotnet#705</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-dotnet/compare/v5...v5.2.0">https://github.com/actions/setup-dotnet/compare/v5...v5.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/setup-dotnet/commit/c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7"><code>c2fa09f</code></a>
Bump minimatch from 3.1.2 to 3.1.5 (<a
href="https://redirect.github.com/actions/setup-dotnet/issues/705">#705</a>)</li>
<li><a
href="https://github.com/actions/setup-dotnet/commit/02574b18e2dc57a218ee4e11ba1e1603c67236e8"><code>02574b1</code></a>
Add support for optional architecture input for cross-architecture .NET
insta...</li>
<li><a
href="https://github.com/actions/setup-dotnet/commit/16c7b3c2fa55a0e394467d22512b84fda46adf63"><code>16c7b3c</code></a>
Bump fast-xml-parser from 4.4.1 to 5.3.6 (<a
href="https://redirect.github.com/actions/setup-dotnet/issues/671">#671</a>)</li>
<li><a
href="https://github.com/actions/setup-dotnet/commit/131b410979e0b49e2162c0718030257b22d6dc2c"><code>131b410</code></a>
Add support for workloads input (<a
href="https://redirect.github.com/actions/setup-dotnet/issues/693">#693</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/setup-dotnet/compare/baa11fbfe1d6520db94683bd5c7a3818018e4309...c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7">compare
view</a></li>
</ul>
</details>
<br />

Updates `DataDog/dd-octo-sts-action` from 1.0.3 to 1.0.4
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a"><code>96a2546</code></a>
Fix typo in Readme (<a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/18">#18</a>)</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/9691c26e1de0f1f26e1e8708c5c34b4f64e43f5f"><code>9691c26</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/14">#14</a>
from DataDog/improve/parse-jwt-claims</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/b98b59d08d3575cbda7001bddfe86633787536e8"><code>b98b59d</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/13">#13</a>
from DataDog/improve/fetch-error-url-logging</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/e7953d4e870e933635e6afa9172b3957b568c417"><code>e7953d4</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/15">#15</a>
from DataDog/improve/ci-workflow-hardening</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/e47344e9570a80d3a7d333a339ace4a5e88b7646"><code>e47344e</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/16">#16</a>
from DataDog/improve/bump-node24</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/5a7a632cb3be2334cd1515df9c74eb3103942b50"><code>5a7a632</code></a>
Bump Node.js runtime from node20 to node24</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/260fcf964ad38660b2abc359216586af9d31a05d"><code>260fcf9</code></a>
Add parseJwtClaims() function with tests, replace fragile inline
parsing</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/371c4d81ebd5ed74dfcc7bb2ab234d9f1e30fe65"><code>371c4d8</code></a>
Harden CI workflows with least-privilege permissions and credential
controls</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/1fc658893bed0edd73a7e284f6266e3fc4bdc93e"><code>1fc6588</code></a>
Include URL in fetchWithRetry error messages</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/0b31f95da950c7562ef40f6447086e75515897ce"><code>0b31f95</code></a>
Harden CI workflows with least-privilege permissions and credential
controls</li>
<li>Additional commits viewable in <a
href="https://github.com/datadog/dd-octo-sts-action/compare/acaa02eee7e3bb0839e4272dacb37b8f3b58ba80...96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a">compare
view</a></li>
</ul>
</details>
<br />

Updates `softprops/action-gh-release` from 2.5.0 to 2.6.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/softprops/action-gh-release/releases">softprops/action-gh-release's
releases</a>.</em></p>
<blockquote>
<h2>v2.6.1</h2>
<p><code>2.6.1</code> is a patch release focused on restoring linked
discussion thread creation when
<code>discussion_category_name</code> is set. It fixes
<code>[#764](https://github.com/softprops/action-gh-release/issues/764)</code>,
where the draft-first publish flow
stopped carrying the discussion category through the final publish
step.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: preserve discussion category on publish by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/765">softprops/action-gh-release#765</a></li>
</ul>
<h2>v2.6.0</h2>
<p><code>2.6.0</code> is a minor release centered on
<code>previous_tag</code> support for
<code>generate_release_notes</code>,
which lets workflows pin GitHub's comparison base explicitly instead of
relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a
<code>working_directory</code> docs sync,
a checked-bundle freshness guard for maintainers, and clearer
immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset
uploads can be published.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<h3>Exciting New Features 🎉</h3>
<ul>
<li>feat: support previous_tag for generate_release_notes by <a
href="https://github.com/pocesar"><code>@​pocesar</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/372">softprops/action-gh-release#372</a></li>
</ul>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: recover concurrent asset metadata 404s by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/760">softprops/action-gh-release#760</a></li>
</ul>
<h3>Other Changes 🔄</h3>
<ul>
<li>docs: clarify reused draft release behavior by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/759">softprops/action-gh-release#759</a></li>
<li>docs: clarify working_directory input by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/761">softprops/action-gh-release#761</a></li>
<li>ci: verify dist bundle freshness by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/762">softprops/action-gh-release#762</a></li>
<li>fix: clarify immutable prerelease uploads by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/763">softprops/action-gh-release#763</a></li>
</ul>
<h2>v2.5.3</h2>
<!-- raw HTML omitted -->
<p><code>2.5.3</code> is a patch release focused on the remaining
path-handling and release-selection bugs uncovered after
<code>2.5.2</code>.
It fixes
<code>[#639](https://github.com/softprops/action-gh-release/issues/639)</code>,
<code>[#571](https://github.com/softprops/action-gh-release/issues/571)</code>,
<code>[#280](https://github.com/softprops/action-gh-release/issues/280)</code>,
<code>[#614](https://github.com/softprops/action-gh-release/issues/614)</code>,
<code>[#311](https://github.com/softprops/action-gh-release/issues/311)</code>,
<code>[#403](https://github.com/softprops/action-gh-release/issues/403)</code>,
and
<code>[#368](https://github.com/softprops/action-gh-release/issues/368)</code>.
It also adds documentation clarifications for
<code>[#541](https://github.com/softprops/action-gh-release/issues/541)</code>,
<code>[#645](https://github.com/softprops/action-gh-release/issues/645)</code>,
<code>[#542](https://github.com/softprops/action-gh-release/issues/542)</code>,
<code>[#393](https://github.com/softprops/action-gh-release/issues/393)</code>,
and
<code>[#411](https://github.com/softprops/action-gh-release/issues/411)</code>,
where the current behavior is either usage-sensitive or constrained by
GitHub platform limits rather than an action-side runtime bug.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md">softprops/action-gh-release's
changelog</a>.</em></p>
<blockquote>
<h2>2.6.1</h2>
<p><code>2.6.1</code> is a patch release focused on restoring linked
discussion thread creation when
<code>discussion_category_name</code> is set. It fixes
<code>[#764](https://github.com/softprops/action-gh-release/issues/764)</code>,
where the draft-first publish flow
stopped carrying the discussion category through the final publish
step.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: preserve discussion category on publish by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/765">softprops/action-gh-release#765</a></li>
</ul>
<h2>2.6.0</h2>
<p><code>2.6.0</code> is a minor release centered on
<code>previous_tag</code> support for
<code>generate_release_notes</code>,
which lets workflows pin GitHub's comparison base explicitly instead of
relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a
<code>working_directory</code> docs sync,
a checked-bundle freshness guard for maintainers, and clearer
immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset
uploads can be published.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<h3>Exciting New Features 🎉</h3>
<ul>
<li>feat: support previous_tag for generate_release_notes by <a
href="https://github.com/pocesar"><code>@​pocesar</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/372">softprops/action-gh-release#372</a></li>
</ul>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: recover concurrent asset metadata 404s by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/760">softprops/action-gh-release#760</a></li>
</ul>
<h3>Other Changes 🔄</h3>
<ul>
<li>docs: clarify reused draft release behavior by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/759">softprops/action-gh-release#759</a></li>
<li>docs: clarify working_directory input by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/761">softprops/action-gh-release#761</a></li>
<li>ci: verify dist bundle freshness by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/762">softprops/action-gh-release#762</a></li>
<li>fix: clarify immutable prerelease uploads by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/763">softprops/action-gh-release#763</a></li>
</ul>
<h2>2.5.3</h2>
<p><code>2.5.3</code> is a patch release focused on the remaining
path-handling and release-selection bugs uncovered after
<code>2.5.2</code>.
It fixes
<code>[#639](https://github.com/softprops/action-gh-release/issues/639)</code>,
<code>[#571](https://github.com/softprops/action-gh-release/issues/571)</code>,
<code>[#280](https://github.com/softprops/action-gh-release/issues/280)</code>,
<code>[#614](https://github.com/softprops/action-gh-release/issues/614)</code>,
<code>[#311](https://github.com/softprops/action-gh-release/issues/311)</code>,
<code>[#403](https://github.com/softprops/action-gh-release/issues/403)</code>,
and
<code>[#368](https://github.com/softprops/action-gh-release/issues/368)</code>.
It also adds documentation clarifications for
<code>[#541](https://github.com/softprops/action-gh-release/issues/541)</code>,
<code>[#645](https://github.com/softprops/action-gh-release/issues/645)</code>,
<code>[#542](https://github.com/softprops/action-gh-release/issues/542)</code>,
<code>[#393](https://github.com/softprops/action-gh-release/issues/393)</code>,
and
<code>[#411](https://github.com/softprops/action-gh-release/issues/411)</code>,
where the current behavior is either usage-sensitive or constrained by
GitHub platform limits rather than an action-side runtime bug.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/softprops/action-gh-release/commit/153bb8e04406b158c6c84fc1615b65b24149a1fe"><code>153bb8e</code></a>
release 2.6.1</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/569deb874d08cd8cc0aa24af7c0b21160fe4b0e4"><code>569deb8</code></a>
fix: preserve discussion category when publishing releases (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/765">#765</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/26e8ad27a09a225049a7075d7ec1caa2df6ff332"><code>26e8ad2</code></a>
release 2.6.0</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/b959f31e968fb47fb7bb823087fc092d5613e0a4"><code>b959f31</code></a>
fix: clarify immutable prerelease uploads (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/763">#763</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/8a8510e3a0d8dfc9296171fd405ca8c8ea6206a4"><code>8a8510e</code></a>
ci: verify dist bundle freshness (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/762">#762</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/438c15ddf5b01e992ef98dc29cea3f9992ab54ac"><code>438c15d</code></a>
docs: clarify working_directory input (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/761">#761</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/6ca3b5d96e3a0fac11dc53f0809c2cb029e64902"><code>6ca3b5d</code></a>
fix: recover concurrent asset metadata 404s (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/760">#760</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/11f917660b31d6d56980ea3261f210556a812bd0"><code>11f9176</code></a>
chore: add RELEASE.md</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/1f3f350167714515d2bcf8a18afcc5e8e0a362a8"><code>1f3f350</code></a>
feat: add AGENTS.md</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/37819cb191890d306d21cfb5ac4e7a358f0a6e4f"><code>37819cb</code></a>
docs: clarify reused draft release behavior (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/759">#759</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/softprops/action-gh-release/compare/a06a81a03ee405af7f2048a818ed3f03bbf83c7b...153bb8e04406b158c6c84fc1615b65b24149a1fe">compare
view</a></li>
</ul>
</details>
<br />

Updates `github/codeql-action` from 4.32.4 to 4.34.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.34.1</h2>
<ul>
<li>Downgrade default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>
due to issues with a small percentage of Actions and JavaScript
analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li>
</ul>
<h2>v4.34.0</h2>
<ul>
<li>Added an experimental change which disables TRAP caching when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> is enabled, since improved incremental analysis
supersedes TRAP caching. This will improve performance and reduce
Actions cache usage. We expect to roll this change out to everyone in
March. <a
href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li>
<li>We are rolling out improved incremental analysis to C/C++ analyses
that use build mode <code>none</code>. We expect this rollout to be
complete by the end of April 2026. <a
href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li>
</ul>
<h2>v4.33.0</h2>
<ul>
<li>
<p>Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change. <a
href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a></p>
<p>To opt out of this change:</p>
<ul>
<li><strong>Repositories owned by an organization:</strong> Create a
custom repository property with the name
<code>github-codeql-file-coverage-on-prs</code> and the type
&quot;True/false&quot;, then set this property to <code>true</code> in
the repository's settings. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>.
Alternatively, if you are using an advanced setup workflow, you can set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using default setup:</strong> Switch
to an advanced setup workflow and set the
<code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to
<code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using advanced setup:</strong> Set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
</ul>
</li>
<li>
<p>Fixed <a
href="https://redirect.github.com/github/codeql-action/issues/3555">a
bug</a> which caused the CodeQL Action to fail loading repository
properties if a &quot;Multi select&quot; repository property was
configured for the repository. <a
href="https://redirect.github.com/github/codeql-action/pull/3557">#3557</a></p>
</li>
<li>
<p>The CodeQL Action now loads <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">custom
repository properties</a> on GitHub Enterprise Server, enabling the
customization of features such as
<code>github-codeql-disable-overlay</code> that was previously only
available on GitHub.com. <a
href="https://redirect.github.com/github/codeql-action/pull/3559">#3559</a></p>
</li>
<li>
<p>Once <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries</a> can be configured with OIDC-based authentication
for organizations, the CodeQL Action will now be able to accept such
configurations. <a
href="https://redirect.github.com/github/codeql-action/pull/3563">#3563</a></p>
</li>
<li>
<p>Fixed the retry mechanism for database uploads. Previously this would
fail with the error &quot;Response body object should not be disturbed
or locked&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/3564">#3564</a></p>
</li>
<li>
<p>A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3570">#3570</a></p>
</li>
</ul>
<h2>v4.32.6</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3548">#3548</a></li>
</ul>
<h2>v4.32.5</h2>
<ul>
<li>Repositories owned by an organization can now set up the
<code>github-codeql-disable-overlay</code> custom repository property to
disable <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis for CodeQL</a>. First, create a custom repository
property with the name <code>github-codeql-disable-overlay</code> and
the type &quot;True/false&quot; in the organization's settings. Then in
the repository's settings, set this property to <code>true</code> to
disable improved incremental analysis. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>. This
feature is not yet available on GitHub Enterprise Server. <a
href="https://redirect.github.com/github/codeql-action/pull/3507">#3507</a></li>
<li>Added an experimental change so that when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> fails on a runner — potentially due to
insufficient disk space — the failure is recorded in the Actions cache
so that subsequent runs will automatically skip improved incremental
analysis until something changes (e.g. a larger runner is provisioned or
a new CodeQL version is released). We expect to roll this change out to
everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3487">#3487</a></li>
<li>The minimum memory check for improved incremental analysis is now
skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage.
<a
href="https://redirect.github.com/github/codeql-action/pull/3515">#3515</a></li>
<li>Reduced log levels for best-effort private package registry
connection check failures to reduce noise from workflow annotations. <a
href="https://redirect.github.com/github/codeql-action/pull/3516">#3516</a></li>
<li>Added an experimental change which lowers the minimum disk space
requirement for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>, enabling it to run on standard GitHub Actions
runners. We expect to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3498">#3498</a></li>
<li>Added an experimental change which allows the
<code>start-proxy</code> action to resolve the CodeQL CLI version from
feature flags instead of using the linked CLI bundle version. We expect
to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3512">#3512</a></li>
<li>The previously experimental changes from versions 4.32.3, 4.32.4,
3.32.3 and 3.32.4 are now enabled by default. <a
href="https://redirect.github.com/github/codeql-action/pull/3503">#3503</a>,
<a
href="https://redirect.github.com/github/codeql-action/pull/3504">#3504</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<ul>
<li>Reduced the minimum Git version required for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> from 2.38.0 to 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li>
</ul>
<h2>4.34.1 - 20 Mar 2026</h2>
<ul>
<li>Downgrade default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>
due to issues with a small percentage of Actions and JavaScript
analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li>
</ul>
<h2>4.34.0 - 20 Mar 2026</h2>
<ul>
<li>Added an experimental change which disables TRAP caching when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> is enabled, since improved incremental analysis
supersedes TRAP caching. This will improve performance and reduce
Actions cache usage. We expect to roll this change out to everyone in
March. <a
href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li>
<li>We are rolling out improved incremental analysis to C/C++ analyses
that use build mode <code>none</code>. We expect this rollout to be
complete by the end of April 2026. <a
href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li>
</ul>
<h2>4.33.0 - 16 Mar 2026</h2>
<ul>
<li>
<p>Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change. <a
href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a></p>
<p>To opt out of this change:</p>
<ul>
<li><strong>Repositories owned by an organization:</strong> Create a
custom repository property with the name
<code>github-codeql-file-coverage-on-prs</code> and the type
&quot;True/false&quot;, then set this property to <code>true</code> in
the repository's settings. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>.
Alternatively, if you are using an advanced setup workflow, you can set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using default setup:</strong> Switch
to an advanced setup workflow and set the
<code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to
<code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using advanced setup:</strong> Set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
</ul>
</li>
<li>
<p>Fixed <a
href="https://redirect.github.com/github/codeql-action/issues/3555">a
bug</a> which caused the CodeQL Action to fail loading repository
properties if a &quot;Multi select&quot; repository property was
configured for the repository. <a
href="https://redirect.github.com/github/codeql-action/pull/3557">#3557</a></p>
</li>
<li>
<p>The CodeQL Action now loads <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">custom
repository properties</a> on GitHub Enterprise Server, enabling the
customization of features such as
<code>github-codeql-disable-overlay</code> that was previously only
available on GitHub.com. <a
href="https://redirect.github.com/github/codeql-action/pull/3559">#3559</a></p>
</li>
<li>
<p>Once <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries</a> can be configured with OIDC-based authentication
for organizations, the CodeQL Action will now be able to accept such
configurations. <a
href="https://redirect.github.com/github/codeql-action/pull/3563">#3563</a></p>
</li>
<li>
<p>Fixed the retry mechanism for database uploads. Previously this would
fail with the error &quot;Response body object should not be disturbed
or locked&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/3564">#3564</a></p>
</li>
<li>
<p>A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3570">#3570</a></p>
</li>
</ul>
<h2>4.32.6 - 05 Mar 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3548">#3548</a></li>
</ul>
<h2>4.32.5 - 02 Mar 2026</h2>
<ul>
<li>Repositories owned by an organization can now set up the
<code>github-codeql-disable-overlay</code> custom repository property to
disable <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis for CodeQL</a>. First, create a custom repository
property with the name <code>github-codeql-disable-overlay</code> and
the type &quot;True/false&quot; in the organization's settings. Then in
the repository's settings, set this property to <code>true</code> to
disable improved incremental analysis. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>. This
feature is not yet available on GitHub Enterprise Server. <a
href="https://redirect.github.com/github/codeql-action/pull/3507">#3507</a></li>
<li>Added an experimental change so that when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> fails on a runner — potentially due to
insufficient disk space — the failure is recorded in the Actions cache
so that subsequent runs will automatically skip improved incremental
analysis until something changes (e.g. a larger runner is provisioned or
a new CodeQL version is released). We expect to roll this change out to
everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3487">#3487</a></li>
<li>The minimum memory check for improved incremental analysis is now
skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage.
<a
href="https://redirect.github.com/github/codeql-action/pull/3515">#3515</a></li>
<li>Reduced log levels for best-effort private package registry
connection check failures to reduce noise from workflow annotations. <a
href="https://redirect.github.com/github/codeql-action/pull/3516">#3516</a></li>
<li>Added an experimental change which lowers the minimum disk space
requirement for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>, enabling it to run on standard GitHub Actions
runners. We expect to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3498">#3498</a></li>
<li>Added an experimental change which allows the
<code>start-proxy</code> action to resolve the CodeQL CLI version from
feature flags instead of using the linked CLI bundle version. We expect
to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3512">#3512</a></li>
<li>The previously experimental changes from versions 4.32.3, 4.32.4,
3.32.3 and 3.32.4 are now enabled by default. <a
href="https://redirect.github.com/github/codeql-action/pull/3503">#3503</a>,
<a
href="https://redirect.github.com/github/codeql-action/pull/3504">#3504</a></li>
</ul>
<h2>4.32.4 - 20 Feb 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li>
<li>Added an experimental change which improves how certificates are
generated for the authentication proxy that is used by the CodeQL Action
in Default Setup when <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries are configured</a>. This is expected to generate more
widely compatible certificates and should have no impact on analyses
which are working correctly already. We expect to roll this change out
to everyone in February. <a
href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/38697555549f1db7851b81482ff19f1fa5c4fedc"><code>3869755</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3763">#3763</a>
from github/update-v4.34.1-095e0fe50</li>
<li><a
href="https://github.com/github/codeql-action/commit/20e68ac12bc8d1eb16a56d3ef4e78263197d2e47"><code>20e68ac</code></a>
Update changelog for v4.34.1</li>
<li><a
href="https://github.com/github/codeql-action/commit/095e0fe505bb5ab6198675d021352632c2c69a46"><code>095e0fe</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3762">#3762</a>
from github/henrymercer/downgrade-default-bundle</li>
<li><a
href="https://github.com/github/codeql-action/commit/47b94fe61cd788995769140a7a8adffec0738aa1"><code>47b94fe</code></a>
Add changelog note</li>
<li><a
href="https://github.com/github/codeql-action/commit/51a1d6917f5d33f400200c675401974da443b2ea"><code>51a1d69</code></a>
Downgrade default bundle to codeql-bundle-v2.24.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/510cf736e330d7eb9bc471636d65aaa180118824"><code>510cf73</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3589">#3589</a>
from github/mergeback/v4.34.0-to-main-c6f93110</li>
<li><a
href="https://github.com/github/codeql-action/commit/89f0c86efa3acf01faeff510383f0c4a4152760a"><code>89f0c86</code></a>
Rebuild</li>
<li><a
href="https://github.com/github/codeql-action/commit/c3f90ba975e427c1913b529a89ef97a2442493f2"><code>c3f90ba</code></a>
Update changelog and version after v4.34.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/c6f931105cb2c34c8f901cc885ba1e2e259cf745"><code>c6f9311</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3588">#3588</a>
from github/update-v4.34.0-30c555a52</li>
<li><a
href="https://github.com/github/codeql-action/commit/eeb9b3f4244c2945a20b9761dfa77f19d468d35f"><code>eeb9b3f</code></a>
Update changelog for v4.34.0</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/89a39a4e59826350b863aa6b6252a07ad50cf83e...38697555549f1db7851b81482ff19f1fa5c4fedc">compare
view</a></li>
</ul>
</details>
<br />

Updates `advanced-security/filter-sarif` from 1.0.1 to 1.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/advanced-security/filter-sarif/releases">advanced-security/filter-sarif's
releases</a>.</em></p>
<blockquote>
<h2>v1.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Specify category in upload by <a
href="https://github.com/felickz"><code>@​felickz</code></a> in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/10">advanced-security/filter-sarif#10</a></li>
<li>Fix minimal example glob by <a
href="https://github.com/aegilops"><code>@​aegilops</code></a> in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/12">advanced-security/filter-sarif#12</a></li>
<li>Update recommended usage to preserve diagnostics for failed runs by
<a href="https://github.com/henrymercer"><code>@​henrymercer</code></a>
in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/13">advanced-security/filter-sarif#13</a></li>
<li>Update filter_sarif.py: use UTF-8 as encoding for reading/writing
SARIF content by <a
href="https://github.com/aibaars"><code>@​aibaars</code></a> in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/14">advanced-security/filter-sarif#14</a></li>
<li>Add optional severity filter for SARIF alerts by <a
href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/17">advanced-security/filter-sarif#17</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/felickz"><code>@​felickz</code></a> made
their first contribution in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/10">advanced-security/filter-sarif#10</a></li>
<li><a
href="https://github.com/henrymercer"><code>@​henrymercer</code></a>
made their first contribution in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/13">advanced-security/filter-sarif#13</a></li>
<li><a href="https://github.com/aibaars"><code>@​aibaars</code></a> made
their first contribution in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/14">advanced-security/filter-sarif#14</a></li>
<li><a href="https://github.com/Copilot"><code>@​Copilot</code></a> made
their first contribution in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/17">advanced-security/filter-sarif#17</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/advanced-security/filter-sarif/compare/v1...v1.1">https://github.com/advanced-security/filter-sarif/compare/v1...v1.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/2da736ff05ef065cb2894ac6892e47b5eac2c3c0"><code>2da736f</code></a>
Merge pull request <a
href="https://redirect.github.com/advanced-security/filter-sarif/issues/17">#17</a>
from advanced-security/copilot/add-severity-filter-option</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/b82026b24b33bcb263e8ee8be0e9dc61b95137d7"><code>b82026b</code></a>
Remove [DEBUG] print statements from production code</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/f15e3e496e74f52fd73ef988f9b6692bffde8d7d"><code>f15e3e4</code></a>
Update action.yml</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/f74eb2048e037d62d353dcf15316cbd3fb6338bb"><code>f74eb20</code></a>
Refactor collect_rule_severities to streamline rule processing and
enhance de...</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/da97499204a010ddc00eac572e68ff4c026c76f4"><code>da97499</code></a>
Fix severity filter: results no longer incorrectly filtered when level
is mis...</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/be3128116e74f051368d9cbe782b7e035ead7b7f"><code>be31281</code></a>
Initial plan for severity filter bug fix</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/4bddfd62c6b03e66ae8b8e81c9757e6b3d30c26a"><code>4bddfd6</code></a>
Address code review: use env var for shell safety, fix double strip</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/e304681acdb034e246e8f32c24f8f6f31ae128a9"><code>e304681</code></a>
Add optional severity filter for SARIF alerts</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/36dc0cede241fb8e0885f26bdb054a35fc868e7b"><code>36dc0ce</code></a>
Initial plan</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/59d0a64b3c0a34d787819f6659708915b6210582"><code>59d0a64</code></a>
Merge pull request <a
href="https://redirect.github.com/advanced-security/filter-sarif/issues/14">#14</a>
from aibaars/patch-1</li>
<li>Additional commits viewable in <a
href="https://github.com/advanced-security/filter-sarif/compare/f3b8118a9349d88f7b1c0c488476411145b6270d...2da736ff05ef065cb2894ac6892e47b5eac2c3c0">compare
view</a></li>
</ul>
</details>
<br />

Updates `actions/create-github-app-token` from 2.2.1 to 3.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/create-github-app-token/releases">actions/create-github-app-token's
releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<h1><a
href="https://github.com/actions/create-github-app-token/compare/v2.2.2...v3.0.0">3.0.0</a>
(2026-03-14)</h1>
<ul>
<li>feat!: node 24 support (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/275">#275</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/2e564a0bb8e7cc2b907b2401a2afe177882d4325">2e564a0</a>)</li>
<li>fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/4451bcbc139f8124b0bf04f968ea2586b17df458">4451bcb</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>remove custom proxy handling (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/143">#143</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/dce0ab05f36f30b22fd14289fd36655c618e4e8e">dce0ab0</a>)</li>
</ul>
<h3>BREAKING CHANGES</h3>
<ul>
<li>Custom proxy handling has been removed. If you use HTTP_PROXY or
HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action
step.</li>
<li>Requires <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions
Runner v2.327.1</a> or later if you are using a self-hosted runner.</li>
</ul>
<h2>v3.0.0-beta.6</h2>
<h1><a
href="https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.5...v3.0.0-beta.6">3.0.0-beta.6</a>
(2026-03-13)</h1>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump <code>@​actions/core</code> from 1.11.1
to 3.0.0 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/337">#337</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/b04413352d4644ac2131b9a90c074f5e93ca18a1">b044133</a>)</li>
<li><strong>deps:</strong> bump minimatch from 9.0.5 to 9.0.9 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/335">#335</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/5cbc65624c9ddc4589492bda7c8b146223e8c3e4">5cbc656</a>)</li>
<li><strong>deps:</strong> bump the production-dependencies group with 4
updates (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/336">#336</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/6bda5bc1410576b9a0879ce6076d53345485bba9">6bda5bc</a>)</li>
<li><strong>deps:</strong> bump undici from 7.16.0 to 7.18.2 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/323">#323</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/b4f638f48ee0dcdbb0bc646c48e4cb2a2de847fe">b4f638f</a>)</li>
</ul>
<h2>v3.0.0-beta.5</h2>
<h1><a
href="https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.4...v3.0.0-beta.5">3.0.0-beta.5</a>
(2026-03-13)</h1>
<ul>
<li>fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/d53a1cdfde844c958786293adcaf739ecb8b5eb9">d53a1cd</a>)</li>
</ul>
<h3>BREAKING CHANGES</h3>
<ul>
<li>Custom proxy handling has been removed. If you use HTTP_PROXY or
HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action
step.</li>
</ul>
<h2>v3.0.0-beta.4</h2>
<h1><a
href="https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.3...v3.0.0-beta.4">3.0.0-beta.4</a>
(2026-03-13)</h1>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump <code>@​octokit/auth-app</code> from
7.2.1 to 8.0.1 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/257">#257</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/bef1eaf1c0ac2b148ee2a0a74c65fbe6db0631f1">bef1eaf</a>)</li>
<li><strong>deps:</strong> bump <code>@​octokit/request</code> from
9.2.3 to 10.0.2 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/256">#256</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/5d7307be63501c0070c634b0ae8fec74e8208130">5d7307b</a>)</li>
<li><strong>deps:</strong> bump glob from 10.4.5 to 10.5.0 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/305">#305</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/5480f4325a18c025ee16d7e081413854624e9edc">5480f43</a>)</li>
<li><strong>deps:</strong> bump p-retry from 6.2.1 to 7.1.0 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/294">#294</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/dce3be8b284f45e65caed11a610e2bef738d15b4">dce3be8</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/create-github-app-token/commit/f8d387b68d61c58ab83c6c016672934102569859"><code>f8d387b</code></a>
build(release): 3.0.0 [skip ci]</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/d2129bd463d4feb8723edeea9437baa7db58e41e"><code>d2129bd</code></a>
style: remove extra blank line in release workflow</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/77b94efc3e5f99a45abdd163fe04a4ebb95e98d6"><code>77b94ef</code></a>
build: refresh generated artifacts</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/3ab4c6689898955f913a485593b36b197c6dbbdc"><code>3ab4c66</code></a>
chore: move undici to devDependencies</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/739cf66feb937a443e4b6b7626bedd98f9fef6df"><code>739cf66</code></a>
docs: update README action versions</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/db40289976a36527816d4f6f45765fdee71f134b"><code>db40289</code></a>
build(deps): bump actions versions in test.yml</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/496a7ac4eb472eeac44d67818d1ce7f5e9e5fc97"><code>496a7ac</code></a>
test: migrate from AVA to Node.js native test runner (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/346">#346</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/3870dc3051e3f1fc3a2faa17bcbb00f31fe1dd6c"><code>3870dc3</code></a>
Rename end-to-end proxy job in test workflow</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/4451bcbc139f8124b0bf04f968ea2586b17df458"><code>4451bcb</code></a>
fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/dce0ab05f36f30b22fd14289fd36655c618e4e8e"><code>dce0ab0</code></a>
fix: remove custom proxy handling (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/143">#143</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/create-github-app-token/compare/29824e69f54612133e76f7eaac726eef6c875baf...f8d387b68d61c58ab83c6c016672934102569859">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/setup-qemu-action` from 3.7.0 to 4.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-qemu-action/releases">docker/setup-qemu-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.0</h2>
<ul>
<li>Node 24 as default runtime (requires <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions
Runner v2.327.1</a> or later) by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/245">docker/setup-qemu-action#245</a></li>
<li>Switch to ESM and update config/test wiring by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/241">docker/setup-qemu-action#241</a></li>
<li>Bump <code>@​actions/core</code> from 1.11.1 to 3.0.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/244">docker/setup-qemu-action#244</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.67.0 to 0.77.0 in
<a
href="https://redirect.github.com/docker/setup-qemu-action/pull/243">docker/setup-qemu-action#243</a></li>
<li>Bump <code>@​isaacs/brace-expansion</code> from 5.0.0 to 5.0.1 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/240">docker/setup-qemu-action#240</a></li>
<li>Bump js-yaml from 3.14.1 to 3.14.2 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/231">docker/setup-qemu-action#231</a></li>
<li>Bump lodash from 4.17.21 to 4.17.23 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/238">docker/setup-qemu-action#238</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-qemu-action/compare/v3.7.0...v4.0.0">https://github.com/docker/setup-qemu-action/compare/v3.7.0...v4.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/ce360397dd3f832beb865e1373c09c0e9f86d70a"><code>ce36039</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/245">#245</a>
from crazy-max/node24</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/63863443c130689b5b352363f362c820cf73b26d"><code>6386344</code></a>
node 24 as default runtime</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/1ea3db7bfb6d247e5e3511955d6e476a8d400ef3"><code>1ea3db7</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/243">#243</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/b56a0022b9d517f4d4f8f8357e107e587548db78"><code>b56a002</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/c43f02d0c908d30161ad4230a59285d9e442956d"><code>c43f02d</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.67.0 to
0.77.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/ce10c58dd1801e20f2e65c72aff588c6fc5f6609"><code>ce10c58</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/244">#244</a>
from docker/dependabot/npm_and_yarn/actions/core-3.0.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/429fc9dbdab394ec482946ef7f7b60be3a169336"><code>429fc9d</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/060e5f8b59ae7d2a0e4dcf681f8625f0e54e2024"><code>060e5f8</code></a>
build(deps): bump <code>@​actions/core</code> from 1.11.1 to 3.0.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/44be13e7d9ba38145b648950e52ac18e2a4efd3a"><code>44be13e</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/231">#231</a>
from docker/dependabot/npm_and_yarn/js-yaml-3.14.2</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/1897438ed3baad455b19c89cda913ca4f31dd079"><code>1897438</code></a>
chore: update generated content</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-qemu-action/compare/c7c53464625b32c7a7e944ae62b3e17d2b600130...ce360397dd3f832beb865e1373c09c0e9f86d70a">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/setup-buildx-action` from 3.12.0 to 4.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-buildx-action/releases">docker/setup-buildx-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.0</h2>
<ul>
<li>Node 24 as default runtime (requires <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions
Runner v2.327.1</a> or later) by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/483">docker/setup-buildx-action#483</a></li>
<li>Remove deprecated inputs/outputs by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/464">docker/setup-buildx-action#464</a></li>
<li>Switch to ESM and update config/test wiring by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/481">docker/setup-buildx-action#481</a></li>
<li>Bump <code>@​actions/core</code> from 1.11.1 to 3.0.0 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/475">docker/setup-buildx-action#475</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.63.0 to 0.79.0 in
<a
href="https://redirect.github.com/docker/setup-buildx-action/pull/482">docker/setup-buildx-action#482</a>
<a
href="https://redirect.github.com/docker/setup-buildx-action/pull/485">docker/setup-buildx-action#485</a></li>
<li>Bump js-yaml from 4.1.0 to 4.1.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/452">docker/setup-buildx-action#452</a></li>
<li>Bump lodash from 4.17.21 to 4.17.23 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/472">docker/setup-buildx-action#472</a></li>
<li>Bump minimatch from 3.1.2 to 3.1.5 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/480">docker/setup-buildx-action#480</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-buildx-action/compare/v3.12.0...v4.0.0">https://github.com/docker/setup-buildx-action/compare/v3.12.0...v4.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd"><code>4d04d5d</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/485">#485</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/cd74e05d9bae4eeec789f90ba15dc6fb4b60ae5d"><code>cd74e05</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/eee38ec7b3ed034ee896d3e212e5d11c04562b84"><code>eee38ec</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.77.0 to
0.79.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/7a83f65b5a215b3c81b210dafdc20362bd2b4e24"><code>7a83f65</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/484">#484</a>
from docker/dependabot/github_actions/docker/setup-qe...</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/a5aa96747d67f62520b42af91aeb306e7374b327"><code>a5aa967</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/464">#464</a>
from crazy-max/rm-deprecated</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/e73d53fa4ed86ff46faaf2b13a228d6e93c51af3"><code>e73d53f</code></a>
build(deps): bump docker/setup-qemu-action from 3 to 4</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/28a438e9ed9ef7ae2ebd0bf839039005c9501312"><code>28a438e</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/483">#483</a>
from crazy-max/node24</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/034e9d37dd436b56b0167bea5a11ab731413e8cf"><code>034e9d3</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/b4664d8fd0ba15ff14560ab001737c666076d5be"><code>b4664d8</code></a>
remove deprecated inputs/outputs</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/a8257dec35f244ad06b4ff6c90fdd2ba97f262ba"><code>a8257de</code></a>
node 24 as default runtime</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-buildx-action/compare/8d2750c68a42422c14e847fe6c8ac0403b4cbd6f...4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/build-push-action` from 6.19.2 to 7.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/build-push-action/releases">docker/build-push-action's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.0</h2>
<ul>
<li>Node 24 as default runtime (requires <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions
Runner v2.327.1</a> or later) by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1470">docker/build-push-action#1470</a></li>
<li>Remove deprecated <code>DOCKER_BUILD_NO_SUMMARY</code> and
<code>DOCKER_BUILD_EXPORT_RETENTION_DAYS</code> envs by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1473">docker/build-push-action#1473</a></li>
<li>Remove legacy export-build tool support for build summary by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1474">docker/build-push-action#1474</a></li>
<li>Switch to ESM and update config/test wiring by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1466">docker/build-push-action#1466</a></li>
<li>Bump <code>@​actions/core</code> from 1.11.1 to 3.0.0 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1454">docker/build-push-action#1454</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.62.1 to 0.79.0 in
<a
href="https://redirect.github.com/docker/build-push-action/pull/1453">docker/build-push-action#1453</a>
<a
href="https://redirect.github.com/docker/build-push-action/pull/1472">docker/build-push-action#1472</a>
<a
href="https://redirect.github.com/docker/build-push-action/pull/1479">docker/build-push-action#1479</a></li>
<li>Bump minimatch from 3.1.2 to 3.1.5 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1463">docker/build-push-action#1463</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.19.2...v7.0.0">https://github.com/docker/build-push-action/compare/v6.19.2...v7.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/build-push-action/commit/d08e5c354a6adb9ed34480a06d141179aa583294"><code>d08e5c3</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1479">#1479</a>
from docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/cbd2dff9a0f0ef650dcce9c635bb2f877ab37be5"><code>cbd2dff</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/build-push-action/commit/f76f51f12900bb84aa9d1a498f35870ef1f76675"><code>f76f51f</code></a>
chore(deps): Bump <code>@​docker/actions-toolkit</code> from 0.78.0 to
0.79.0</li>
<li><a
href="https://github.com/docker/build-push-action/commit/7d03e66b5f24d6b390ab64b132795fd3ef4152c8"><code>7d03e66</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1473">#1473</a>
from crazy-max/rm-deprecated-envs</li>
<li><a
href="https://github.com/docker/build-push-action/commit/98f853d923dd281a3bcbbb98a0712a91aa913322"><code>98f853d</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/build-push-action/commit/cadccf6e8c7385c86d9cb0800cf07672645cc238"><code>cadccf6</code></a>
remove deprecated envs</li>
<li><a
href="https://github.com/docker/build-push-action/commit/03fe8775e325e34fffbda44c73316f8287aea372"><code>03fe877</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1478">#1478</a>
from docker/dependabot/github_actions/docker/setup-b...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/827e36650e1fa7386d09422b5ba3c068fdbe0a1d"><code>827e366</code></a>
chore(deps): Bump docker/setup-buildx-action from 3 to 4</li>
<li><a
href="https://github.com/docker/build-push-action/commit/e25db879d025485a4eebd64fea9bb88a43632da6"><code>e25db87</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1474">#1474</a>
from crazy-max/rm-export-build-tool</li>
<li><a
href="https://github.com/docker/build-push-action/commit/1ac2573b5c8b4e4621d5453ab2a99e83725242bd"><code>1ac2573</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1470">#…
@bouwkast
Fix exception in Kafka on .NET Framework (#8366)
f51d779 
## Summary of changes

Ran Kafka locally as I was attempting to port it to Testcontainers and
was actually get exceptions / errors on it, this resolves them (or at
least it seems to resolve them). Also noticed them in Error Tracking,
but only a single instance, but I'm not 100% sure if it was the same,
Error Tracking is linked in the linked Jira Ticket.

## Reason for change

Previously this was using `IsCompletedSuccessfully` and then doing a
cast and enumeration of all properties and was failing with the
following error as `IsCompletedSuccessfully` isn't available on .NET
Framework:

```
2026-03-24 15:43:11.768 -04:00 [WRN] Error extracting cluster_id from Kafka metadata Datadog.Trace.DuckTyping.DuckTypePropertyOrFieldNotFoundException: The property or field 'IsCompletedSuccessfully' for the proxy property 'IsCompletedSuccessfully' was not found in the instance of type 'System.Threading.Tasks.Task`1[[Confluent.Kafka.Admin.DescribeClusterResult, Confluent.Kafka, Version=2.6.1.0, Culture=neutral, PublicKeyToken=12c514ca49093d1e]]'.
   at Datadog.Trace.DuckTyping.DuckTypePropertyOrFieldNotFoundException.Throw(String name, String duckAttributeName, Type type)
   at Datadog.Trace.DuckTyping.DuckType.CreateProperties(TypeBuilder proxyTypeBuilder, Type proxyDefinitionType, Type targetType, FieldInfo instanceField)
   at Datadog.Trace.DuckTyping.DuckType.CreateProxyType(Type proxyDefinitionType, Type targetType, Boolean dryRun)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Datadog.Trace.DuckTyping.DuckType.CreateTypeResult.ThrowOnError[T](Object instance)
   at Datadog.Trace.DuckTyping.DuckType.CreateTypeResult.CreateInstance[T](Object instance)
   at Datadog.Trace.DuckTyping.DuckType.CreateCache`1.Create(Object instance)
   at Datadog.Trace.ClrProfiler.AutoInstrumentation.Kafka.KafkaHelper.DescribeClusterWithTimeout(IAdminClient adminClient, Type describeClusterOptionsType)
   at Datadog.Trace.ClrProfiler.AutoInstrumentation.Kafka.KafkaHelper.GetClusterId(String bootstrapServers, Object clientInstance)
 { MachineName: ".", Process: "[59476 Samples.Kafka]", AppDomain: "[1 Samples.Kafka.exe]", TracerVersion: "3.41.0.0" }
```

## Implementation details

Remove `IsCompletedSuccessfully` from `IDuckTypeTask` as it isn't there
on .NET Framework, attempted initially to go with TaskStatus but this
caused failures for xUnit/MS Test integration tests as those appear to
be using ValueTask, which doesn't have it.

Removing `IsCompletedSuccessfully` required some more changes to
`KafkaHelper`

## Test coverage

Applied the fix, re-ran didn't see again, however, the Error Tracking
one may be a different bug as it appears that it is on .NET 9.0 😕

Edit: yes appears to be a different error that came up during
development that was addressed

## Other details
<!-- Fixes #{issue} -->

Fixes https://datadoghq.atlassian.net/browse/APMLP-1146
<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@bouwkast
Specify AGENTS.md to not edit generated files (#8359)
f22a608 
## Summary of changes

Adds a line to AGENTS.md to stop it from touching generated files.

## Reason for change

Do not want these files edited by LLMs and instead should be updated by
correct tooling.

Note that I'm not directing _how_ to update the generated files, I
figure we can do that manually?


## Implementation details

Added a line underneath the coding section

## Test coverage

Super simple test where I just opted to directly ask the LLM to update a
`.g.` file - much fewer token usage and much quicker (and the LLMs might
not edit the generated files in the future)

> Before

```
❯ Edit PackageVersionsLatestMinors.g.cs to include the latest version of Hangfire

  Searched for 2 patterns, read 1 file (ctrl+o to expand)

● Now let me check NuGet for the latest Hangfire version to know what to add.

● Agent(Check latest Hangfire version)
  ⎿  Done (1 tool use · 16.3k tokens · 22s)
  (ctrl+o to expand)

  Searched for 2 patterns (ctrl+o to expand)

● The file already contains 1.8.23 which appears to be the latest stable Hangfire version on NuGet. Let me check if there's a newer version or if the generation source has a newer one.

  Searched for 5 patterns, read 1 file (ctrl+o to expand)

● Now let me check the NuGet cache to see what versions are known.

  Searched for 2 patterns, read 1 file (ctrl+o to expand)

● The NuGet version cache tops out at 1.8.23, and the generated file already includes that version. Let me check NuGet directly for any newer versions.

● Bash(curl -s "https://api.nuget.org/v3-flatcontainer/hangfire.core/index.json" 2>&1 | tail -20)
  ⎿      "1.8.6",
         "1.8.7",
         "1.8.8",
     … +17 lines (ctrl+o to expand)

● The file already contains 1.8.23, which is the latest version of Hangfire.Core on NuGet. The PackageVersionsLatestMinors.g.cs file is already up to date -- there's no newer version to add.

  Is there a specific version you had in mind, or were you expecting a newer release to exist?
```

> After

```
❯  Edit PackageVersionsLatestMinors.g.cs to include the latest version of Hangfire

● The AGENTS.md says never to manually edit generated files (.g. in the extension) - instead, read the file header for regeneration instructions. Let me find the file and check how to properly update it.

  Searched for 2 patterns, read 1 file (ctrl+o to expand)

● This is a generated file. Per the header, the correct approach is:

  1. Edit PackageVersionsGeneratorDefinitions.json
  2. Re-run the GeneratePackageVersions project

  Let me find the definitions file and the current Hangfire entry.

  Searched for 2 patterns, read 1 file (ctrl+o to expand)

● This is a generated file -- you should edit PackageVersionsGeneratorDefinitions.json instead, then re-run the generator. The current Hangfire definition (lines 2-12) covers versions 1.7.* and 1.8.* with
  MaxVersionExclusive of 2.0.0.

  What change do you want to make? For example:
  - Add a new version pattern like 1.9.*?
  - Bump MaxVersionExclusive to include a newer major version?
  - Something else?

  Let me know the specific Hangfire version you want to include and I'll update the definitions file accordingly.
```

## Other details
<!-- Fixes #{issue} -->


<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@lucaspimentel
[Serverless] Cache serverless platform detection results (#8231)
0b65644 
## Summary of changes

Extract serverless platform detection logic from `EnvironmentHelpers`
into dedicated cached detection classes under
`Datadog.Trace.Serverless`:
- `AzureInfo` — Azure App Services, Azure Functions (including isolated
host/worker detection)
- `AwsInfo` — AWS Lambda
- `GcpInfo` — Google Cloud Functions

Each class caches environment variable lookups in instance fields to
avoid repeated reads (which incur heap allocations) on hot paths. An
`Instance` singleton is used in production; tests create fresh instances
for isolation.

## Reason for change

Platform detection methods (e.g., `IsAzureAppService()`,
`IsAwsLambda()`) were called repeatedly from hot paths like span
creation and peer service derivation. Each call re-read environment
variables, adding unnecessary overhead. Caching the results eliminates
redundant lookups.

This change also moves serverless-specific code out of
`EnvironmentHelpers` and into the `Datadog.Trace.Serverless` namespace.

## Implementation details

- Add `AzureInfo`, `AwsInfo`, and `GcpInfo` classes under
`Datadog.Trace.Serverless` namespace
- Each class exposes cached `bool` properties (e.g.,
`AzureInfo.Instance.IsAzureAppService`, `AwsInfo.Instance.IsAwsLambda`,
`GcpInfo.Instance.IsCloudFunction`)
- `AzureInfo` also caches `AzureFunctionsWorkerRuntime`,
`AzureFunctionsExtensionVersion`, and derived properties like
`IsIsolatedFunction`, `IsIsolatedFunctionHostProcess`, and
`IsIsolatedFunctionWorkerProcess`
- Non-static design with `Instance` singleton enables test isolation
without `Reset()` methods
- Where possible, callers pass `bool` values from the detection classes
rather than taking a dependency on the platform objects themselves
(e.g., `ProfilerAvailabilityHelper`)
- Promote `EnvironmentHelpers.EnvironmentVariableExists` to `internal`
visibility for use by the new classes
- Update all callers across the tracer to use the new types instead of
`EnvironmentHelpers.IsXxx()` methods
- Remove the now-unused serverless detection methods from
`EnvironmentHelpers`

## Test coverage

- Add `AwsInfoTests`, `AzureInfoTests`, and `GcpInfoTests` under
`Serverless/`
- Update `ProfilerAvailabilityHelperTests` to pass platform detection
bools explicitly
- Remove old `EnvironmentHelpersTests` that tested the now-removed
methods

## Other details

n/a

> *"Why did the environment variable go to therapy? It was tired of
being read over and over without anyone remembering what it said."* —
Claude 🤖

<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@khanayan123 @claude @andrewlock
feat: Stable Session ID headers for telemetry (#8352)
f5d4398 
## Summary
Adds stable session ID headers to telemetry requests per the [Stable
Service Instance Identifier
RFC](https://docs.google.com/document/d/1ECKj9_NnwaKYtFqm3p3Rlpicx5d-OQcdj9kI2jvRqVU/edit?usp=sharing).

- **DD-Session-ID** (`runtime_id`) added to every telemetry request via
default headers
- **DD-Root-Session-ID** added only when inherited from a parent process
(child process detection)
- Root session ID propagated to child processes via
`_DD_ROOT_DOTNET_SESSION_ID` env var (registered in config registry)
- Root session ID initialized eagerly in
`Instrumentation.InitializeNoNativeParts()` so child processes spawned
before the first telemetry flush inherit it

### Files changed
- `Instrumentation.cs` — Eagerly initializes root session ID at startup
- `RuntimeId.cs` — `GetRootSessionId()` with env var inheritance and
auto-propagation
- `TelemetryConstants.cs` — Header name constants
- `TelemetryHttpHeaderNames.cs` — Session headers added to default agent
and intake headers
- `supported-configurations.yaml` — Registers
`_DD_ROOT_DOTNET_SESSION_ID` in config registry
- `RuntimeIdTests.cs` — Tests for root session ID (default + inherited
paths)

### Related PRs
- System tests: DataDog/system-tests#6510
- Go SDK: DataDog/dd-trace-go#4574
- Java SDK: DataDog/dd-trace-java#10914

## Test plan
- [x] `SetsRequiredHeaders` validates DD-Session-ID present on all
telemetry
- [x] `RootSessionId_UsesRuntimeIdWhenNotInherited_AndInheritsWhenSet`
covers both paths
- [x] System tests validate cross-process session ID inheritance

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Andrew Lock <andrew.lock@datadoghq.com>
@vandonr @gleocadie
bump libdatadog version to v30 (#8282)
5d7fb15 
## Summary of changes

just bumping the lib version, there seem to be no breaking change on our
side.

## Reason for change

I need DataDog/libdatadog#1459 and
DataDog/libdatadog#1576 for process tags, both
released in v28.0.0, I'm taking the latest minor

## Implementation details

## Test coverage

## Other details
<!-- Fixes #{issue} -->


<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->

---------

Co-authored-by: Gregory LEOCADIE <gregory.leocadie@datadoghq.com>
zacharycmontoya and others added 18 commits March 31, 2026 16:48
@zacharycmontoya
Fix the integration name for several IAST Sqlite bytecode instrumenta…
de2deda 
…tions (#8361)

## Summary of changes
Changes the integration name from `SqlClient` to `Sqlite` for several
instrumentations

## Reason for change
The surrounding IAST instrumentations all have the `Sqlite` integration
name, so the previous name seems like an error.

## Implementation details
Updates two `AdoNetClientInstrumentMethodsAttribute`

## Test coverage
No tests added, this refactor should rely on existing tests

## Other details
N/A
@andrewlock
Set DD_TRACE_OTEL_ENABLED=true by default for all integration tests…
07039f0 
… (#8370)

## Summary of changes

- Set `DD_TRACE_OTEL_ENABLED=true` by default in integration tests
- Add additional excludes for activity handlers with equivalent custom
instrumentation

## Reason for change

We had an escalation recently, which highlighted that we were missing
some entries in the `IgnoreActivityHandler`. To avoid hitting similar
issues in the future, we can set `DD_TRACE_OTEL_ENABLED=true` by
default, so we know as soon as a new `ActivitySource` lights up.

## Implementation details

A _lot_ of trial and error here, mostly setting
`DD_TRACE_OTEL_ENABLED=true` in the `TracingIntegrationTest` base class
and seeing what breaks 😅 That pointed to a variety of extra handlers and
differences in behaviour:

- `Couchbase.DotnetSdk.OpenTelemetryRequestTracer`, I don't think we
actually need this one strictly, but it showed up while I was trying to
fix persistent issues with Couchbase3, so I think it makes sense to
exclude it
- The _real_ issue I had is that some early versions of Couchbase (3.0.0
- 3.2.0) create activities using `new Activity()`, which means there's
_no_ `ActivitySource` associated, and so we have no way to filter them 💀
- Rather than fight with that, and because those versions are
deprecated, just disabled OTel integration for these specific tested
versions
- `connector-net` - this is the ActivitySource for `MySql.Data` (we
already excluded the one for `MySqlConnector`)
- `RabbitMQ.Client.*` - these were the ones that caused the original
issue, and were breaking DSM
- `Experimental.System.Net.Security` - this one came in .NET 9, and was
causing extra spans in gRPC and Yarp tests
- `Grpc.Net.Client` - The gRPC client has had an `ActivitySource` [for a
long time](grpc/grpc-dotnet#2244) 😅
- `Yarp.ReverseProxy` - ...[as has
Yarp](dotnet/yarp#2098)

In addition, there were some extra "fixes" to the tests required:

- For the `HttpMessageHandler` tests, where the integration is disabled,
we were previously verifying that W3C headers weren't injected, but they
_will_ be if OTel is enabled, so just relaxed the restrictions there.
- For `OpenTelemetrySdkTests.SubmitsOtlpLogs`, the data changes
depending on whether otel is enabled or not, so just reset it to the
default for simplicity rather than wrestle with it (I spent some time
ping-ponging snapshots before I gave up 😅)
- Updated the gRPC snapshots to add `grpc.method` and `grpc.status_code`
which are now added to the aspnetcore spans

## Test coverage

Hopefully self explanatory 😅 

## Other details

Fixes https://datadoghq.atlassian.net/browse/DSMS-138

Technically, this could be a breaking change for some people, so maybe
we should revisit making the ignore activity handler configurable?
@bouwkast
Configure GeneratePackageVersions to support a "cooldown" on depend…
5f7ed4d 
…encies (#8371)

## Summary of changes

> default cooldown period is 2 days

Adds a configurable cooldown period to the `GeneratePackageVersions` to
support remediation efforts for follow up after #incident-51602.

To use supply the optional parameter `--PackageVersionCooldownDays X`
where `X` is some number of days. The current period is at the moment is
going to be 2 days and is the default now when the overall
`GeneratePackageVersion` target is ran. Additionally, this is overridden
to 0 if `--IncludePackages` is supplied (this is commonly used when
working on a singular package locally).

After running the tool a "cooldown" report is generated, this file will
contain packages that we see have a newer version, but will not
incorporate into the test, the fallback version that falls within the
cooldown period is provided. This file content will show up in the
output of future test package version bump PRs.

Note that this is for _automated_ updates, so if it sees something
already updated it will honor it.

Here's an example output ran locally with 14 days set:

```
## Package Version Cooldown Report

The following versions were published less than **14 days** ago and have been overridden.
These require manual review before inclusion.

| Package | Integration | Overridden Version | Published | Age (days) | Using Instead |
|---------|-------------|--------------------|-----------|------------|---------------|
| AWSSDK.Core | AwsSdk | 4.0.3.22 | 2026-03-25 | 0 | 4.0.3.21 |
| AWSSDK.S3 | AwsS3 | 4.0.19.2 | 2026-03-25 | 0 | 4.0.19.1 |
| StackExchange.Redis | StackExchangeRedis | 2.12.8 | 2026-03-25 | 0 | 2.12.4 |
```

## Reason for change

In DataDog/dd-trace-dotnet#8364 and
#incident-51602 all automated dependency updaters to be disabled
temporarily, to re-enable we need to supply a 2 day "cooldown" to any
version that we update to (in other words the version of the NuGet must
be published for at least 2 days before we can update to it).

## Implementation details

I made Claude do this 🤖 

- NuGetPackageHelper now captures the Published date from
IPackageSearchMetadata via a new VersionWithDate record (previously
discarded)
  - NuGetVersionCache stores the new {Version, Published} format
- PackageVersionGenerator.ApplyCooldown filters selected versions after
LatestMajors/LatestMinors/LatestSpecific selection:
    - Versions outside the cooldown window pass through unchanged
- Versions at or below the baseline (derived from
supported_versions.json MaxVersionTestedInclusive) are kept even if
  within cooldown -- no downgrades
- Versions above the baseline and within cooldown are overridden to the
best available fallback
- CooldownReport collects overridden versions and renders a markdown
table saved to tracer/build/cooldown_report.md
- The GitHub Actions workflow reads the report and appends it to the
auto-bump PR body
- Honeypot IntegrationGroups.cs fixes: MSTest.TestFramework now maps to
itself, Hangfire.Core maps to Hangfire.Core (was Hangfire), OpenFeature
mapping moved to Datadog.FeatureFlags.OpenFeature

Passing `--IncludePackages` will override the cooldown to 0

## Test coverage

I ran `GeneratePackageVersions --PackageVersionCooldownDays 14` locally
seems good enough IMO (also ran without, with different days etc)

```
[WRN] GeneratePackageVersi: 3 package version(s) were excluded due to the 14-day cooldown period
[WRN] GeneratePackageVersi:   AWSSDK.Core 4.0.3.22 overridden (published 2026-03-25, using: 4.0.3.21)
[WRN] GeneratePackageVersi:   AWSSDK.S3 4.0.19.2 overridden (published 2026-03-25, using: 4.0.19.1)
[WRN] GeneratePackageVersi:   StackExchange.Redis 2.12.8 overridden (published 2026-03-25, using: 2.12.4)
```

## Other details
<!-- Fixes #{issue} -->

The workflow file (`auto_bump_test_package_versions.yml`) will be
re-enabled with this PR

<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@bouwkast
Pin floating pre-release versions of SQLitePCLRaw.* dependencies in s…
954cad2 
…amples (#8390)

## Summary of changes

Pins two different projects that were using floating versions of
PackageReferences to `SQLitePCLRaw.bundle_e_sqlite3` and
`SQLitePCLRaw.core`.

These appeared to link to these versions, I bumped them to be stable

-
https://www.nuget.org/packages/SQLitePCLRaw.core/2.1.6-pre20230809203314
-
https://www.nuget.org/packages/SQLitePCLRaw.bundle_e_sqlite3/2.1.6-pre20230809203314

## Reason for change

We don't want any floating dependencies

## Implementation details

Searched here:
https://github.com/search?q=repo%3ADataDog%2Fdd-trace-dotnet%20%2FVersion%3D%22%5B%5E%22%5D*%5C*%2F&type=code

## Test coverage

This is the test, hopefully this works

## Other details
<!-- Fixes #{issue} -->


<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@andrewlock
Delete the static analysis workflow (#8393)
e72f8e8 
## Summary of changes

Delete the static analysis workflow

## Reason for change

Nobody uses it and it's a pain to migrate
@andrewlock
Add hardcoded limits for OCI and libinjection packages (#8382)
b40c001 
## Summary of changes

Adds .NET-specific OCI and libinjection package size limits, instead of
relying on the "global" limits

## Reason for change

DataDog/dd-trace-dotnet#8351 bumped the global
package size limitations for OCI and lib-injection images, but @lloeki
flagged that this can lead to large regressions in size to slip through.
Given that these packages are quite size-sensitive, this is sub-optimal.

## Implementation details

This PR uses the work in
DataDog/libdatadog-build#171 and
DataDog/libdatadog-build#174 to set size-limits
based on [his
example](https://github.com/DataDog/dd-trace-rb/blob/af17de097795fc3b0053f47d1436f308e0d5f92e/.gitlab-ci.yml#L17-L18).
It adds the package size override variables, limiting both to 40MB.

## Test coverage

Right now we have the following sizes:

lib-injection images: 
- `linux-amd64`: 38MB
- `linux-arm64`: 35MB

OCI images:
- `linux-amd64`: 30MB
- `linux-arm64`: 28MB
- `win-amd64`: 35MB

So a 40MB limit across the board seems reasonable to me.

You can see these limits being applied in [the Gitlab
run](https://gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-dotnet/-/jobs/1545330315)
@dependabot
Bump the gh-actions-packages group across 2 directories with 5 update…
57de0e2 
…s (#8404)

Bumps the gh-actions-packages group with 4 updates in the / directory:
[actions/setup-dotnet](https://github.com/actions/setup-dotnet),
[DataDog/dd-octo-sts-action](https://github.com/datadog/dd-octo-sts-action),
[slackapi/slack-github-action](https://github.com/slackapi/slack-github-action)
and [github/codeql-action](https://github.com/github/codeql-action).
Bumps the gh-actions-packages group with 1 update in the
/.github/actions/publish-debug-symbols directory:
[actions/setup-go](https://github.com/actions/setup-go).

Updates `actions/setup-dotnet` from 5.1.0 to 5.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-dotnet/releases">actions/setup-dotnet's
releases</a>.</em></p>
<blockquote>
<h2>v5.2.0</h2>
<h2>What's changed</h2>
<h3>Enhancements</h3>
<ul>
<li>Add support for workloads input by <a
href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in
<a
href="https://redirect.github.com/actions/setup-dotnet/pull/693">actions/setup-dotnet#693</a></li>
<li>Add support for optional architecture input for cross-architecture
.NET installs by <a
href="https://github.com/priya-kinthali"><code>@​priya-kinthali</code></a>
in <a
href="https://redirect.github.com/actions/setup-dotnet/pull/700">actions/setup-dotnet#700</a></li>
</ul>
<h3>Dependency Updates</h3>
<ul>
<li>Upgrade fast-xml-parser from 4.4.1 to 5.3.6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-dotnet/pull/671">actions/setup-dotnet#671</a></li>
<li>Upgrade minimatch from 3.1.2 to 3.1.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-dotnet/pull/705">actions/setup-dotnet#705</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-dotnet/compare/v5...v5.2.0">https://github.com/actions/setup-dotnet/compare/v5...v5.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/setup-dotnet/commit/c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7"><code>c2fa09f</code></a>
Bump minimatch from 3.1.2 to 3.1.5 (<a
href="https://redirect.github.com/actions/setup-dotnet/issues/705">#705</a>)</li>
<li><a
href="https://github.com/actions/setup-dotnet/commit/02574b18e2dc57a218ee4e11ba1e1603c67236e8"><code>02574b1</code></a>
Add support for optional architecture input for cross-architecture .NET
insta...</li>
<li><a
href="https://github.com/actions/setup-dotnet/commit/16c7b3c2fa55a0e394467d22512b84fda46adf63"><code>16c7b3c</code></a>
Bump fast-xml-parser from 4.4.1 to 5.3.6 (<a
href="https://redirect.github.com/actions/setup-dotnet/issues/671">#671</a>)</li>
<li><a
href="https://github.com/actions/setup-dotnet/commit/131b410979e0b49e2162c0718030257b22d6dc2c"><code>131b410</code></a>
Add support for workloads input (<a
href="https://redirect.github.com/actions/setup-dotnet/issues/693">#693</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/setup-dotnet/compare/v5.1.0...c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7">compare
view</a></li>
</ul>
</details>
<br />

Updates `DataDog/dd-octo-sts-action` from 1.0.3 to 1.0.4
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a"><code>96a2546</code></a>
Fix typo in Readme (<a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/18">#18</a>)</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/9691c26e1de0f1f26e1e8708c5c34b4f64e43f5f"><code>9691c26</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/14">#14</a>
from DataDog/improve/parse-jwt-claims</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/b98b59d08d3575cbda7001bddfe86633787536e8"><code>b98b59d</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/13">#13</a>
from DataDog/improve/fetch-error-url-logging</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/e7953d4e870e933635e6afa9172b3957b568c417"><code>e7953d4</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/15">#15</a>
from DataDog/improve/ci-workflow-hardening</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/e47344e9570a80d3a7d333a339ace4a5e88b7646"><code>e47344e</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/16">#16</a>
from DataDog/improve/bump-node24</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/5a7a632cb3be2334cd1515df9c74eb3103942b50"><code>5a7a632</code></a>
Bump Node.js runtime from node20 to node24</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/260fcf964ad38660b2abc359216586af9d31a05d"><code>260fcf9</code></a>
Add parseJwtClaims() function with tests, replace fragile inline
parsing</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/371c4d81ebd5ed74dfcc7bb2ab234d9f1e30fe65"><code>371c4d8</code></a>
Harden CI workflows with least-privilege permissions and credential
controls</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/1fc658893bed0edd73a7e284f6266e3fc4bdc93e"><code>1fc6588</code></a>
Include URL in fetchWithRetry error messages</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/0b31f95da950c7562ef40f6447086e75515897ce"><code>0b31f95</code></a>
Harden CI workflows with least-privilege permissions and credential
controls</li>
<li>Additional commits viewable in <a
href="https://github.com/datadog/dd-octo-sts-action/compare/v1.0.3...96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a">compare
view</a></li>
</ul>
</details>
<br />

Updates `slackapi/slack-github-action` from 2.1.1 to 3.0.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/slackapi/slack-github-action/releases">slackapi/slack-github-action's
releases</a>.</em></p>
<blockquote>
<h2>Slack GitHub Action v3.0.1</h2>
<h2>What's Changed</h2>
<p>Alongside the breaking changes of <a
href="https://github.com/slackapi/slack-github-action/releases/tag/v3.0.0"><code>@v3.0.0</code></a>
and a <a
href="https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/">new
technique</a> to run Slack CLI commands, we tried the wrong name to
publish to the GitHub Marketplace 🐙 This action is now noted as <a
href="https://github.com/marketplace/actions/the-slack-github-action"><strong>The
Slack GitHub Action</strong></a> in listings 🎶 ✨</p>
<h3>:art: Maintenance</h3>
<ul>
<li>chore: use a unique title for marketplace in <a
href="https://redirect.github.com/slackapi/slack-github-action/pull/576">slackapi/slack-github-action#576</a>
- Thanks <a
href="https://github.com/zimeg"><code>@​zimeg</code></a>!</li>
<li>chore(release): tag version 3.0.1 in <a
href="https://redirect.github.com/slackapi/slack-github-action/pull/577">slackapi/slack-github-action#577</a>
- Thanks <a
href="https://github.com/zimeg"><code>@​zimeg</code></a>!</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/slackapi/slack-github-action/compare/v3.0.0...v3.0.1">https://github.com/slackapi/slack-github-action/compare/v3.0.0...v3.0.1</a></p>
<h2>Slack GitHub Action v3.0.0</h2>
<blockquote>
<p>The <code>@v3.0.0</code> release had a hiccup on publish and we
recommend using <a
href="https://github.com/slackapi/slack-github-action/releases/tag/v3.0.1"><strong><code>@​v3.0.1</code></strong></a>
or a more recent version when updating! Oops!</p>
</blockquote>
<p>🎽 <strong>Running Slack CLI commands and the active Node runtime,
both included in this release</strong> 👟 ✨</p>
<h3>⚠️ Breaking change: Node.js 24 the runtime</h3>
<p>This major version updates the GitHub Actions required runtime to <a
href="https://nodejs.org/en/about/previous-releases"><strong>Node.js
24</strong>.</a> Most <a
href="https://github.com/actions/runner-images?tab=readme-ov-file#software-and-image-support">GitHub-hosted
runners</a> already include this, but self-hosted runners may need to be
updated ahead of <a
href="https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/">planned
deprecations of Node 20 on GitHub Actions runners</a>.</p>
<h3>📺 Enhancement: Run Slack CLI commands</h3>
<p>This release introduces a new technique for running <a
href="https://docs.slack.dev/tools/slack-cli">Slack CLI</a> commands
directly in GitHub Actions workflows. Use this to install the latest
version (or a specific one) of the CLI and execute commands like
<code>deploy</code> for merges to main, <code>manifest validate</code>
with tests, and other <a
href="https://docs.slack.dev/tools/slack-cli/reference/commands/slack">commands</a>.</p>
<p>Gather a token using the following CLI command to store with repo
secrets, then get started with an example below:</p>
<pre><code>$ slack auth token
</code></pre>
<h3>🧪 Validate an app manifest on pull requests</h3>
<p>Check that your app manifest is valid before merging changes:</p>
<p>🔗 <a
href="https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/validate-a-manifest">https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/validate-a-manifest</a></p>
<pre lang="yaml"><code>- name: Validate the manifest
  uses: slackapi/slack-github-action/cli@v3.0.0
  with:
command: &quot;manifest validate --app ${{ vars.SLACK_APP_ID }}&quot;
    token: ${{ secrets.SLACK_SERVICE_TOKEN }}
</code></pre>
<h3>🚀 Deploy your app on push to main</h3>
<p>Automate deployments whenever changes land on your main branch:</p>
<p>🔗 <a
href="https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/deploy-an-app">https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/deploy-an-app</a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/af78098f536edbc4de71162a307590698245be95"><code>af78098</code></a>
Release</li>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/add1a00063f351e4c0e55c3703da81637f03a8be"><code>add1a00</code></a>
chore(release): tag version 3.0.1 (<a
href="https://redirect.github.com/slackapi/slack-github-action/issues/577">#577</a>)</li>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/2bc9e7a4cd10f4d06ef49b8fa8a11efdc7fb891b"><code>2bc9e7a</code></a>
chore: use a unique title for marketplace (<a
href="https://redirect.github.com/slackapi/slack-github-action/issues/576">#576</a>)</li>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/c5d43dad17bba7ebd47486137b9ab6936fd6bbf4"><code>c5d43da</code></a>
chore(release): tag version 3.0.0 (<a
href="https://redirect.github.com/slackapi/slack-github-action/issues/575">#575</a>)</li>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/963b9796dcc3184602a0aefe2f052d034027bfaf"><code>963b979</code></a>
build(deps): bump <code>@​slack/web-api</code> from 7.14.1 to 7.15.0 (<a
href="https://redirect.github.com/slackapi/slack-github-action/issues/574">#574</a>)</li>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/90b7328a4cea35bd9dc6fc64d7f70e772d6d5876"><code>90b7328</code></a>
build(deps): bump <code>@​slack/logger</code> from 4.0.0 to 4.0.1 (<a
href="https://redirect.github.com/slackapi/slack-github-action/issues/573">#573</a>)</li>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/e45cb891a61f925570820f137980df2028625fec"><code>e45cb89</code></a>
feat: support slack cli commands with composite action inputs (<a
href="https://redirect.github.com/slackapi/slack-github-action/issues/560">#560</a>)</li>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/0aed2c2a70fe17c67bfd489b5dc3d9b410f69f79"><code>0aed2c2</code></a>
build(deps): bump https-proxy-agent from 7.0.6 to 8.0.0 (<a
href="https://redirect.github.com/slackapi/slack-github-action/issues/572">#572</a>)</li>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/4795f96c2818074349810cac0abc3bf5437bdc2c"><code>4795f96</code></a>
build(deps-dev): bump sinon from 21.0.1 to 21.0.2 (<a
href="https://redirect.github.com/slackapi/slack-github-action/issues/571">#571</a>)</li>
<li><a
href="https://github.com/slackapi/slack-github-action/commit/bd9e2ce619554772120b8cfcbbc7fe4bd2d42a2f"><code>bd9e2ce</code></a>
build(deps): bump actions/setup-node from 6.2.0 to 6.3.0 (<a
href="https://redirect.github.com/slackapi/slack-github-action/issues/569">#569</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/slackapi/slack-github-action/compare/91efab103c0de0a537f72a35f6b8cda0ee76bf0a...af78098f536edbc4de71162a307590698245be95">compare
view</a></li>
</ul>
</details>
<br />

Updates `github/codeql-action` from 4.34.1 to 4.35.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.35.1</h2>
<ul>
<li>Fix incorrect minimum required Git version for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3781">#3781</a></li>
</ul>
<h2>v4.35.0</h2>
<ul>
<li>Reduced the minimum Git version required for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> from 2.38.0 to 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1">2.25.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3773">#3773</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<ul>
<li>The Git version 2.36.0 requirement for improved incremental analysis
now only applies to repositories that contain submodules. <a
href="https://redirect.github.com/github/codeql-action/pull/3789">#3789</a></li>
<li>Python analysis on GHES no longer extracts the standard library,
relying instead on models of the standard library. This should result in
significantly faster extraction and analysis times, while the effect on
alerts should be minimal. <a
href="https://redirect.github.com/github/codeql-action/pull/3794">#3794</a></li>
</ul>
<h2>4.35.1 - 27 Mar 2026</h2>
<ul>
<li>Fix incorrect minimum required Git version for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>: it should have been 2.36.0, not 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3781">#3781</a></li>
</ul>
<h2>4.35.0 - 27 Mar 2026</h2>
<ul>
<li>Reduced the minimum Git version required for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> from 2.38.0 to 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1">2.25.1</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3773">#3773</a></li>
</ul>
<h2>4.34.1 - 20 Mar 2026</h2>
<ul>
<li>Downgrade default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>
due to issues with a small percentage of Actions and JavaScript
analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li>
</ul>
<h2>4.34.0 - 20 Mar 2026</h2>
<ul>
<li>Added an experimental change which disables TRAP caching when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> is enabled, since improved incremental analysis
supersedes TRAP caching. This will improve performance and reduce
Actions cache usage. We expect to roll this change out to everyone in
March. <a
href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li>
<li>We are rolling out improved incremental analysis to C/C++ analyses
that use build mode <code>none</code>. We expect this rollout to be
complete by the end of April 2026. <a
href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li>
</ul>
<h2>4.33.0 - 16 Mar 2026</h2>
<ul>
<li>
<p>Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change. <a
href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a></p>
<p>To opt out of this change:</p>
<ul>
<li><strong>Repositories owned by an organization:</strong> Create a
custom repository property with the name
<code>github-codeql-file-coverage-on-prs</code> and the type
&quot;True/false&quot;, then set this property to <code>true</code> in
the repository's settings. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>.
Alternatively, if you are using an advanced setup workflow, you can set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using default setup:</strong> Switch
to an advanced setup workflow and set the
<code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to
<code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using advanced setup:</strong> Set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
</ul>
</li>
<li>
<p>Fixed <a
href="https://redirect.github.com/github/codeql-action/issues/3555">a
bug</a> which caused the CodeQL Action to fail loading repository
properties if a &quot;Multi select&quot; repository property was
configured for the repository. <a
href="https://redirect.github.com/github/codeql-action/pull/3557">#3557</a></p>
</li>
<li>
<p>The CodeQL Action now loads <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">custom
repository properties</a> on GitHub Enterprise Server, enabling the
customization of features such as
<code>github-codeql-disable-overlay</code> that was previously only
available on GitHub.com. <a
href="https://redirect.github.com/github/codeql-action/pull/3559">#3559</a></p>
</li>
<li>
<p>Once <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries</a> can be configured with OIDC-based authentication
for organizations, the CodeQL Action will now be able to accept such
configurations. <a
href="https://redirect.github.com/github/codeql-action/pull/3563">#3563</a></p>
</li>
<li>
<p>Fixed the retry mechanism for database uploads. Previously this would
fail with the error &quot;Response body object should not be disturbed
or locked&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/3564">#3564</a></p>
</li>
<li>
<p>A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3570">#3570</a></p>
</li>
</ul>
<h2>4.32.6 - 05 Mar 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3548">#3548</a></li>
</ul>
<h2>4.32.5 - 02 Mar 2026</h2>
<ul>
<li>Repositories owned by an organization can now set up the
<code>github-codeql-disable-overlay</code> custom repository property to
disable <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis for CodeQL</a>. First, create a custom repository
property with the name <code>github-codeql-disable-overlay</code> and
the type &quot;True/false&quot; in the organization's settings. Then in
the repository's settings, set this property to <code>true</code> to
disable improved incremental analysis. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>. This
feature is not yet available on GitHub Enterprise Server. <a
href="https://redirect.github.com/github/codeql-action/pull/3507">#3507</a></li>
<li>Added an experimental change so that when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> fails on a runner — potentially due to
insufficient disk space — the failure is recorded in the Actions cache
so that subsequent runs will automatically skip improved incremental
analysis until something changes (e.g. a larger runner is provisioned or
a new CodeQL version is released). We expect to roll this change out to
everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3487">#3487</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/c10b8064de6f491fea524254123dbe5e09572f13"><code>c10b806</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3782">#3782</a>
from github/update-v4.35.1-d6d1743b8</li>
<li><a
href="https://github.com/github/codeql-action/commit/c5ffd0683786820677d054e3505e1c5bb4b8c227"><code>c5ffd06</code></a>
Update changelog for v4.35.1</li>
<li><a
href="https://github.com/github/codeql-action/commit/d6d1743b8ec7ecd94f78ad1ce4cb3d8d2ba58001"><code>d6d1743</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3781">#3781</a>
from github/henrymercer/update-git-minimum-version</li>
<li><a
href="https://github.com/github/codeql-action/commit/65d2efa7333ad65f97cc54be40f4cd18630f884c"><code>65d2efa</code></a>
Add changelog note</li>
<li><a
href="https://github.com/github/codeql-action/commit/2437b20ab31021229573a66717323dd5c6ce9319"><code>2437b20</code></a>
Update minimum git version for overlay to 2.36.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/ea5f71947c021286c99f61cc426a10d715fe4434"><code>ea5f719</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3775">#3775</a>
from github/dependabot/npm_and_yarn/node-forge-1.4.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/45ceeea896ba2293e10982f871198d1950ee13d6"><code>45ceeea</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3777">#3777</a>
from github/mergeback/v4.35.0-to-main-b8bb9f28</li>
<li><a
href="https://github.com/github/codeql-action/commit/24448c98434f429f901d27db7ddae55eec5cc1c4"><code>24448c9</code></a>
Rebuild</li>
<li><a
href="https://github.com/github/codeql-action/commit/7c510606312e5c68ac8b27c009e5254f226f5dfa"><code>7c51060</code></a>
Update changelog and version after v4.35.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/b8bb9f28b8d3f992092362369c57161b755dea45"><code>b8bb9f2</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3776">#3776</a>
from github/update-v4.35.0-0078ad667</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13">compare
view</a></li>
</ul>
</details>
<br />

Updates `actions/setup-go` from 6.3.0 to 6.4.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-go/releases">actions/setup-go's
releases</a>.</em></p>
<blockquote>
<h2>v6.4.0</h2>
<h2>What's Changed</h2>
<h3>Enhancement</h3>
<ul>
<li>Add go-download-base-url input for custom Go distributions by <a
href="https://github.com/gdams"><code>@​gdams</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/721">actions/setup-go#721</a></li>
</ul>
<h3>Dependency update</h3>
<ul>
<li>Upgrade minimatch from 3.1.2 to 3.1.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/727">actions/setup-go#727</a></li>
</ul>
<h3>Documentation update</h3>
<ul>
<li>Rearrange README.md, add advanced-usage.md by <a
href="https://github.com/priyagupta108"><code>@​priyagupta108</code></a>
in <a
href="https://redirect.github.com/actions/setup-go/pull/724">actions/setup-go#724</a></li>
<li>Fix Microsoft build of Go link by <a
href="https://github.com/gdams"><code>@​gdams</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/734">actions/setup-go#734</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/gdams"><code>@​gdams</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/setup-go/pull/721">actions/setup-go#721</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-go/compare/v6...v6.4.0">https://github.com/actions/setup-go/compare/v6...v6.4.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/setup-go/commit/4a3601121dd01d1626a1e23e37211e3254c1c06c"><code>4a36011</code></a>
docs: fix Microsoft build of Go link (<a
href="https://redirect.github.com/actions/setup-go/issues/734">#734</a>)</li>
<li><a
href="https://github.com/actions/setup-go/commit/8f19afcc704763637be6b1718da0af52ca05785d"><code>8f19afc</code></a>
feat: add go-download-base-url input for custom Go distributions (<a
href="https://redirect.github.com/actions/setup-go/issues/721">#721</a>)</li>
<li><a
href="https://github.com/actions/setup-go/commit/27fdb267c15a8835f1ead03dfa07f89be2bb741a"><code>27fdb26</code></a>
Bump minimatch from 3.1.2 to 3.1.5 (<a
href="https://redirect.github.com/actions/setup-go/issues/727">#727</a>)</li>
<li><a
href="https://github.com/actions/setup-go/commit/def8c394e3ad351a79bc93815e4a585520fe993b"><code>def8c39</code></a>
Rearrange README.md, add advanced-usage.md (<a
href="https://redirect.github.com/actions/setup-go/issues/724">#724</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/setup-go/compare/4b73464bb391d4059bd26b0524d20df3927bd417...4a3601121dd01d1626a1e23e37211e3254c1c06c">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@vandonr
switch process tags on by default (#8296)
b68393d 
## Summary of changes

all features have been implemented, we can now GA this to all customers

## Reason for change

## Implementation details

depends on
DataDog/dd-trace-dotnet#8061
DataDog/dd-trace-dotnet#8163
DataDog/dd-trace-dotnet#8295
theoretically, DataDog/dd-trace-dotnet#8282 as
well

## Test coverage

## Other details
<!-- Fixes #{issue} -->

I took the liberty to refactor the asserts in AgentWriterTest to use
actual asserts instead of asserting through the mock's `Verify`, so that
we get more actionable errors when the test fails

<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@gh-worker-campaigns-3e9aa4
chore(ci) update one-pipeline (#8403)
a57df1c 
This pull request updates one-pipeline to a newer version.

Recent changes:
Add CA certificates to SSI images using BusyBox, to prevent TLS failures
(See https://github.com/DataDog/libdatadog-build/pull/194)

Some of these changes may have already applied depending on your
previous version of one-pipeline. See the libdatadog-build repository
for all changes

Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
@vandonr
scrub process tags from debugger snapshots (#8406)
94d461d 
## Summary of changes

follow up on DataDog/dd-trace-dotnet#8296
debugger itests didn't run in the PR
so we missed the fact that we need to apply the same scrubbing we did on
other tests for those too

## Reason for change

## Implementation details

## Test coverage

## Other details
<!-- Fixes #{issue} -->


<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@lucaspimentel
[CI Tools] Add prerequisite validation to AzureDevOps helper scripts …
291ef8e 
…(#8409)

## Summary of changes

Add a `Test-Prerequisites` function to `AzureDevOpsHelpers.psm1` that
validates all required CLI tools are installed, authenticated, and
properly configured before running Azure DevOps build analysis or retry
scripts.

## Reason for change

When users run `Get-AzureDevOpsBuildAnalysis.ps1` or
`Retry-AzureDevOpsFailedStages.ps1` directly (not via the Claude skill),
missing or misconfigured prerequisites produce unhelpful error messages.
The Claude skill had guidance for these scenarios, but the scripts
themselves only checked if `az` and `gh` were installed.

## Implementation details

New `Test-Prerequisites` function checks (in order):
1. **`az` CLI installed** — with install links for Windows/macOS
2. **`azure-devops` extension** — with `az extension add` command
3. **`az` authenticated** — with `az login` guidance (including MFA
hint)
4. **Subscription logging** — logs current subscription at `Verbose`
level for troubleshooting
5. **`gh` CLI installed** — only when needed for PR-based resolution
6. **`gh` authenticated** — scoped to `github.com` only, so GHES auth
issues don't block

`Resolve-BuildId` (the shared entry point for both scripts) now
delegates to `Test-Prerequisites` instead of inline `Get-Command`
checks.

Additionally, `Invoke-AzDevOpsApi` now includes a troubleshooting tip in
its error message suggesting the user check and switch Azure
subscriptions if needed.

## Test coverage

Tested manually:
- [x] `az` not installed
- [x] `az` installed without `azure-devops` extension
- [x] `az` installed but not authenticated
- [x] `gh` not installed
- [x] `gh` installed but not authenticated

## Other details

The subscription is not validated upfront because `az devops invoke
--org <url> --detect false` targets the org URL directly, so the
subscription doesn't strictly control API routing. However, the wrong
subscription can affect token permissions, so `Invoke-AzDevOpsApi` now
suggests checking subscriptions in its error message.

> *"I validate your prerequisites so you don't have to validate your
life choices."* — Claude 🤖

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@bouwkast
Skip some errors from being sent to telemetry (#8003)
bd15745 
## Summary of changes

Skips a few errors that are `Ignored` in Error Tracking and shouldn't
really be sent to telemetry as we can't act on them.

## Reason for change

Nothing we can really do about these.

## Implementation details

Marked as `ErrorSkipTelemetry`

## Test coverage

N/A

## Other details
<!-- Fixes #{issue} -->

I guess one thing we do lose here is whether we _want_ to see how often
these happen?


<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@andrewlock
Revert YARP exclusion (#8407)
ef71061 
## Summary of changes

Reverts including YARP spans in the ignore handler

## Reason for change

We were a bit hasty including this in #8370

## Implementation details

Remove it again

## Test coverage

Explicitly disabling OTel in the test instead for now. There's nothing
_wrong_ with the span, just inconsistency between versions. We could
consider having different snapshots, but I'll do that as part of a
follow up, as its important to get this in fast
@andrewlock
Add potential fix for duck typing derived types (#8410)
5686c1c 
## Summary of changes

Potentially fixes a `FieldAccessException` in some cases

## Reason for change

We have seen stack traces like the following in production:

```bash
Error : Error creating or populating span.
System.FieldAccessException
   at REDACTED
   at Datadog.Trace.ClrProfiler.ScopeFactory.CreateInactiveOutboundHttpSpan(Tracer tracer, String httpMethod, Uri requestUri, IntegrationId integrationId, HttpTags& tags, TraceId traceId, UInt64 spanId, Nullable`1 startTime, Boolean addToTraceContext)
```

After a bunch of 🤖 noodling and testing (and based on @zacharycmontoya
idea), proved that we can repro this stack (sort of, assuming inlining)
if we _derive_ from `System.Uri`. The error happens because we apply
`IgnoresAccessChecksToAttribute` to the target type (i.e. the derived
type) during ducktyping, but it _needs_ to be applied to the
`targetField.DeclaringType`.

## Implementation details

Updated the `UseDirectAccessTo` calls to point to the type that "owns"
the field, instead of the current instance.

## Test coverage

Added a test confirming the error, and then showing it passed

## Other details

https://app.datadoghq.com/cases/APMLP-35
@lucaspimentel @andrewlock
[Tests] Use EnvironmentRestorer to prevent env var leaks (#8388)
32c92b2 
## Summary of changes

Add `[EnvironmentRestorer]` attribute to test classes/methods that call
`Environment.SetEnvironmentVariable` without proper cleanup, preventing
environment variable leaks between tests.

## Reason for change

Several test files were setting environment variables without restoring
them, which could cause flaky or order-dependent test failures due to
leaked state.

## Implementation details

- **`EnvironmentRestorerAttribute`**: Allow usage on methods
(`AttributeTargets.Method`) in addition to classes
- **`TelemetrySettingsAgentlessSettingsTests`**: Replace manual
`IDisposable` save/restore with class-level `[EnvironmentRestorer]`
- **`AzurePerformanceCountersListenerTests`**: Add class-level
`[EnvironmentRestorer("WEBSITE_COUNTERS_CLR")]` (previously had no
restore at all)
- **`LegacyCommandLineArgumentsTests.SetCi`**: Add method-level
`[EnvironmentRestorer("TF_BUILD")]`, remove manual try/finally
- **`ConfigureCiCommandTests.ConfigureCi`**: Add method-level
`[EnvironmentRestorer("GITHUB_ENV")]`, remove manual save/restore
- `AutodetectCi` keeps its manual try/finally because it clears all
environment variables, which the attribute can't handle

## Test coverage

Existing tests cover the affected functionality. No new tests needed —
this is a cleanup of test infrastructure.

## Other details

> *"I tried to leak an environment variable once, but it was restored
before anyone noticed."* — Claude 🤖

---------

Co-authored-by: Andrew Lock <andrew.lock@datadoghq.com>
@zacharycmontoya
[Tracing] Update mapping from Datadog to OTLP spans (#8385)
0932573 
## Summary of changes
Add core Datadog semantics as span attributes. This ensures that the
core semantics are identified when the Datadog Agent / backend receives
OTLP spans and translates them into Datadog spans that power the
backend.

## Reason for change
We should keep the same Datadog experience regardless of the tracing
protocol used. These changes facilitate that.

## Implementation details
Updates `Datadog.Trace.OpenTelemetry.OtlpMapper.EmitAttributesFromSpan`
to add several span attributes sourced from `Datadog.Trace.Span`
properties:
- `Span.ServiceName` => `OtlpSpan.Attributes["service.name"]`
- `Span.OperationName` => `OtlpSpan.Attributes["operation.name"]`
- `Span.ResourceName` => `OtlpSpan.Attributes["resource.name"]`
- `Span.Type` => `OtlpSpan.Attributes["span.type"]`

## Test coverage
- Unit tests: Added unit tests for
`Datadog.Trace.OpenTelemetry.OtlpMapper` which handles the mapping from
Datadog-specific concepts into OTLP attributes
- Integration tests: Updated the snapshot for `OpenTelemetrySdkTests`

## Other details
N/A
@vandonr
maybe fix macos smoketests (#8413)
84efe2b 
## Summary of changes

## Reason for change

## Implementation details

## Test coverage

## Other details
<!-- Fixes #{issue} -->


<!--  ⚠️ Note:

Where possible, please obtain 2 approvals prior to merging. Unless
CODEOWNERS specifies otherwise, for external teams it is typically best
to have one review from a team member, and one review from apm-dotnet.
Trivial changes do not require 2 reviews.

MergeQueue is NOT enabled in this repository. If you have write access
to the repo, the PR has 1-2 approvals (see above), and all of the
required checks have passed, you can use the Squash and Merge button to
merge the PR. If you don't have write access, or you need help, reach
out in the #apm-dotnet channel in Slack.
-->
@korniltsev-grafanista-yolo-vibecoder239 @claude
merge datadog v3.41.0
e62234d 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@cla-assistant
Copy link
Copy Markdown

cla-assistant Bot commented Apr 15, 2026
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 13 committers have signed the CLA.

✅ korniltsev-grafanista-yolo-vibecoder239
❌ chojomok
❌ andrewlock
❌ dd-octo-sts[bot]
❌ bm1549
❌ moezein0
❌ zacharycmontoya
❌ vandonr
❌ gh-worker-campaigns-3e9aa4[bot]
❌ lucaspimentel
❌ bouwkast
❌ khanayan123
❌ NachoEchevarria
You have signed the CLA already but the status is still pending? Let us recheck it.

@korniltsev-grafanista korniltsev-grafanista marked this pull request as ready for review April 16, 2026 08:38
@korniltsev-grafanista korniltsev-grafanista merged commit 4093ab9 into grafana:main Apr 21, 2026
36 of 37 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@martincostello martincostello martincostello approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.