Add OTLP header-secret fallback to smoke OTEL backend workflow

[Copilot]

The OTEL backend smoke run showed remote export failures (401 Unauthorized), which left Sentry unable to observe the current run even though local spans were emitted. The workflow documentation and runtime config were also split across two secret conventions: *_HEADERS vs *_AUTHORIZATION.

• What changed

  • Moved the smoke workflow’s OTLP config into smoke-otel-backends.md so the backend auth wiring is explicit in the workflow being debugged.
  • Added header fallback logic for both Sentry and Grafana:
    • prefer GH_AW_OTEL_*_HEADERS
    • fall back to GH_AW_OTEL_*_AUTHORIZATION by wrapping it as Authorization=...
  • Updated the required-secrets section to reflect both supported secret shapes.
  • Recompiled smoke-otel-backends.lock.yml to carry the new OTLP env wiring into the generated workflow.

• Why this is the minimal fix

  • The failing path was export auth, not Sentry query access.
  • This keeps existing *_AUTHORIZATION deployments working while allowing workflows documented with *_HEADERS to authenticate correctly.
  • No behavior changes were made outside the smoke OTEL workflow and its generated lockfile.

• Security review

  • New optional restricted secrets introduced by this workflow change:
    • GH_AW_OTEL_SENTRY_HEADERS
    • GH_AW_OTEL_GRAFANA_HEADERS
  • These are used only to populate OTLP exporter headers for the existing Sentry and Grafana endpoints; no new actions, containers, or network destinations were added beyond the workflow’s existing observability backends.

• Example

  observability:
    otlp:
      endpoint:
        - url: ${{ secrets.GH_AW_OTEL_SENTRY_ENDPOINT }}
          headers: "${{ secrets.GH_AW_OTEL_SENTRY_HEADERS || (secrets.GH_AW_OTEL_SENTRY_AUTHORIZATION && format('Authorization={0}', secrets.GH_AW_OTEL_SENTRY_AUTHORIZATION)) }}"
        - url: ${{ secrets.GH_AW_OTEL_GRAFANA_ENDPOINT }}
          headers: "${{ secrets.GH_AW_OTEL_GRAFANA_HEADERS || (secrets.GH_AW_OTEL_GRAFANA_AUTHORIZATION && format('Authorization={0}', secrets.GH_AW_OTEL_GRAFANA_AUTHORIZATION)) }}"

[mnkiefer]

@copilot Using the shared import should be equivalent, revert this change and consider other issues.

[Copilot]

@copilot Using the shared import should be equivalent, revert this change and consider other issues.

Addressed in b0bff37.

[Copilot]

Copilot wasn't able to review any files in this pull request.