merge master, update tests/code

.codecov.yml

@@ -0,0 +1,13 @@
+codecov:
+  # across
+  notify:
+    # Do not notify until at least this number of reports have been uploaded
+    # from the CI pipeline. We normally have more than that number, but 6
+    # should be enough to get a first notification.
+    after_n_builds: 6
+coverage:
+  status:
+    project:
+      default:
+        # Do not fail the commit status if the coverage was reduced up to this value
+        threshold: 0.5%

.craft.yml

@@ -1,19 +1,13 @@
-minVersion: '0.9.2'
-github:
-  owner: getsentry
-  repo: sentry-go
-preReleaseCommand: bash scripts/craft-pre-release.sh
+minVersion: 0.35.0
 changelogPolicy: simple
-statusProvider:
-  name: github
-  config:
-    contexts:
-      - Travis CI - Branch
+artifactProvider:
+  name: none
 targets:
   - name: github
-    includeNames: /none/
     tagPrefix: v
+  - name: github
+    tagPrefix: otel/v
+    tagOnly: true
   - name: registry
-    type: sdk
-    config:
-      canonical: "github:getsentry/sentry-go"
+    sdks:
+      github:getsentry/sentry-go:

.gitattributes

@@ -0,0 +1,5 @@
+# Tell Git to use LF for line endings on all platforms.
+# Required to have correct test data on Windows.
+# https://github.com/mvdan/github-actions-golang#caveats
+# https://github.com/actions/checkout/issues/135#issuecomment-613361104
+* text eol=lf

.github/SECURITY.md

@@ -0,0 +1,37 @@
+# Security
+
+## Reporting Security Issues
+
+<!-- This section is the copy of the organization security policy: https://github.com/getsentry/.github/blob/main/SECURITY.md -->
+
+If you've found a security issue in Sentry or in our supported SDKs, you can submit your report to `security[@]sentry.io` via email.
+
+Please include as much information as possible in your report to better help us understand and resolve the issue:
+
+- Where the security issue exists (ie. Sentry SaaS, a Sentry-supported SDK, infrastructure, etc.)
+- The type of issue (ex. SQL injection, cross-site scripting, missing authorization, etc.)
+- Full paths or links to the source files where the security issue exists, if possible
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof of concept or exploit code, if available
+
+If you need to encrypt sensitive information sent to us, please use [our PGP key](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x641D2F6C230DBE3B):
+
+```
+E406 C27A E971 6515 A1B1 ED86 641D 2F6C 230D BE3B
+```
+
+
+## Dependency Update Policy
+
+`sentry-go` has a number of external dependencies. While we try to keep that number low, some of those dependencies may contain security issues, and thus have to be updated.
+
+In order to stay aligned with our [compatibility philosophy](https://develop.sentry.dev/sdk/philosophy/#compatibility-is-king), we take into account the category of the affected dependency and adhere to the following guidelines:
+
+* **Core dependencies**: If there's a security issue in one of the core SDK dependencies (for example, `golang.org/x/sys`), we aim at updating it to a patched version in the next `sentry-go` release, assuming the patched version is available.
+
+* **Integration dependencies**: If a security issue is discovered in one of our integration dependencies (for example, `gin`, `echo`, or `negroni`), it is the responsibility of the end user to make sure that those modules are updated in a timely manner in their applications.
+
+  * Those frameworks and libraries are not used for the core SDK functionality, and are only present in the final dependency tree if the target application uses them as well, thanks to the [module graph pruning and lazy module loading](https://go.dev/ref/mod#graph-pruning).
+
+  * If the vulnerable dependency is bumped to a newer (patched) version in the target application, `sentry-go` will also use it (thanks to the [minimal version selection](https://go.dev/ref/mod#minimal-version-selection) algorithm), and not the minimal required version as specified in `go.mod` of `sentry-go`.

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule: 
+    interval: weekly
+  open-pull-requests-limit: 10

.github/workflows/codeql.yml

@@ -0,0 +1,76 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '37 3 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: security-extended
+
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/lint.yml

@@ -0,0 +1,31 @@
+name: Lint
+on:
+  push:
+    branches:
+      - master
+      - release/**
+  pull_request:
+permissions:
+  contents: read
+defaults:
+  run:
+    shell: bash
+concurrency:
+  group: lint-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  golangci-lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.22"
+      - uses: actions/checkout@v4
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # pin@v4.0.0
+        with:
+          version: v1.54
+          only-new-issues: true
+          args: --timeout=10m
+    timeout-minutes: 10

.github/workflows/release.yml

@@ -0,0 +1,26 @@
+name: Prepare Release
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version to release
+        required: true
+      force:
+        description: Force a release even when there are release-blockers (optional)
+        required: false
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    name: "Release a new version"
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GH_RELEASE_PAT }}
+          fetch-depth: 0
+      - name: Prepare release
+        uses: getsentry/action-prepare-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_RELEASE_PAT }}
+        with:
+          version: ${{ github.event.inputs.version }}
+          force: ${{ github.event.inputs.force }}

.github/workflows/test.yml

@@ -0,0 +1,68 @@
+name: Test
+on:
+  push:
+    branches:
+      - master
+      - release/**
+  pull_request:
+permissions:
+  contents: read
+defaults:
+  run:
+    shell: bash
+concurrency:
+  group: test-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  test:
+    name: Module Mode
+    runs-on: ${{ matrix.os }}-latest
+    env:
+      GO111MODULE: "on"
+      GOFLAGS: "-mod=readonly"
+    steps:
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go }}
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        with:
+          # In order:
+          # * Module download cache
+          # * Build cache (Linux)
+          # * Build cache (Mac)
+          # * Build cache (Windows)
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+            ~/Library/Caches/go-build
+            %LocalAppData%\go-build
+          key: ${{ runner.os }}-go-${{ matrix.go }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-${{ matrix.go }}-
+      - name: Build
+        run: make build
+      - name: Vet
+        run: make vet
+      - name: Check go.mod Tidiness
+        run: make mod-tidy
+        if: ${{ matrix.go == '1.20' }}
+      - name: Test
+        run: make test-coverage
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@v3.1.4
+        with:
+          directory: .coverage
+      - name: Test (with race detection)
+        run: make test-race
+        # The race detector adds considerable runtime overhead. To save time on
+        # pull requests, only run this step for a single job in the matrix. For
+        # all other workflow triggers (e.g., pushes to a release branch) run
+        # this step for the whole matrix.
+        if: ${{ github.event_name != 'pull_request' || (matrix.go == '1.22' && matrix.os == 'ubuntu') }}
+    timeout-minutes: 15
+    strategy:
+      matrix:
+        go: ["1.22", "1.21", "1.20", "1.19", "1.18"]
+        os: [ubuntu, windows, macos]
+      fail-fast: false

.gitignore

@@ -1,6 +1,14 @@
+# Code coverage artifacts
 coverage.txt
+coverage.out
+coverage.html
+.coverage/
 
 # Just my personal way of tracking stuff — Kamil
 FIXME.md
 TODO.md
-!NOTES.md
+!NOTES.md
+
+# IDE system files
+.idea
+.vscode

.golangci.yml

@@ -2,43 +2,45 @@ linters:
   disable-all: true
   enable:
     - bodyclose
-    - deadcode
-    - depguard
     - dogsled
     - dupl
     - errcheck
+    - exportloopref
     - gochecknoinits
     - goconst
     - gocritic
     - gocyclo
     - godot
     - gofmt
     - goimports
-    - golint
     - gosec
     - gosimple
     - govet
     - ineffassign
-    - interfacer
-    - lll
-    - maligned
     - misspell
     - nakedret
     - prealloc
-    - scopelint
+    - revive
     - staticcheck
-    - structcheck
     - typecheck
     - unconvert
     - unparam
     - unused
-    - varcheck
     - whitespace
 issues:
   exclude-rules:
     - path: _test\.go
       linters:
+        - goconst
         - prealloc
+    - path: _test\.go
+      text: "G306:"
+      linters:
+        - gosec
     - path: errors_test\.go
       linters:
         - unused
+    - path: http/example_test\.go
+      linters:
+        - errcheck
+        - bodyclose