Bump otelhttp to resolve CVE; Bump Go version; Bump golangci-lint + adjusted lint configs; critical copylock fix

[pintohutch]

This resolves https://nvd.nist.gov/vuln/detail/CVE-2023-45142 by bumping otelhttp to v0.45.0. It's a follow-up to
#113.

I had to bump the otlptrace packages to v1.19.0 to make go mod tidy happy as well.

[pintohutch]

Trying like hell to get the CI to pass, but hitting issues left and right...gonna let this bake overnight

[bwplotka]

Looks like golangci-lint consistently timeouts. We also run it in 3 places in our CI.. 🙈

[bwplotka]

1. -dep=false made no difference, trying to help by reverting dep=false and tryting different things.
2. Local run for 1.49.0 golancilint is timing out too. I guess it must be Go updates we made, perhaps old version had some issues. Indeed (1.51 adds Go1.20 support).
3. Trying newer version 1.55.2 immidiately shows multiple new issues.

• "depguard" - linter config changed (v1.53.x invisibly breaks configs that were valid in v1.52.x if they used depguard golangci/golangci-lint#3906)
• "revive" - new linter or more strict rules?
• "staticcheck" - new Go deprecations
• "govet" new copylocks rule?

We could downgrade golangci-lint, but soon we might have another version of Go or some important fix, so I would use latest golangci-lint on our supported fork versions. Solid question is--can we disable golangci-lint-ing. We mostly import and inject export package here, but also fixed multiple security issues... it would be nice to lint on important things.

Fixing less important linting errors is adding too much changes to our fork diff vs upstream for no good reason e.g. readability pointers:

storage/interface.go:121:35: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)

I propose adjusting certain linters:

• depguard - Disalbing. This is mostly blacklisting certain packages we migreated from in Prometheus. No need for that in our fork.
• revive - Adjusting to only show errors (critical issues)
• staticheck - filter out deprecation notices.

I fixed one govet signal which makes sense (also fixed in latest upstream) https://github.com/prometheus/prometheus/blob/main/web/web.go#L750

TL;DR we need the latest Prometheus version as our main GMP collector version ASAP ;p

[bwplotka]

Another fix - skipping linting of some documentation code, somehow downloading does not work.

[pintohutch]

Totally agree about the need to bump it (@TheSpiritXIII has a pending PR in #562) - though I wonder if we should be aiming for 2.45 for LTS support.

[pintohutch]

Thanks @bwplotka for the contributions here! Merging with your changes.

[pintohutch]

Crap - I mean to squash these commits into one.

Gonna fast-and-loose just do that in the release branch 😬