[repo] markdownlint ci changes

[CodeBlanch]

Changes

• Resolving build failures due to links in markdown files (ex https://github.com/open-telemetry/opentelemetry-dotnet/actions/runs/7701990497/job/20993415110?pr=5255#step:4:14) by switching to markdownlint-cli2 GitHub Action v14 (15 is the latest and generates errors)

• Also updated the CI pipeline so that md & dotnet-format branches are run if build artifacts (like workflows) are changed

Merge requirement checklist

• CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)

[codecov]

Codecov Report

Attention: 16 lines in your changes are missing coverage. Please review.

Comparison is base (6250307) 83.38% compared to head (31c69f9) 83.07%.
Report is 38 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5281      +/-   ##
==========================================
- Coverage   83.38%   83.07%   -0.31%     
==========================================
  Files         297      272      -25     
  Lines       12531    11965     -566     
==========================================
- Hits        10449     9940     -509     
+ Misses       2082     2025      -57     

Flag	Coverage Δ
unittests	?
unittests-Instrumentation-Experimental	24.92% <93.75%> (?)
unittests-Instrumentation-Stable	24.92% <93.75%> (?)
unittests-Solution-Experimental	82.96% <54.28%> (?)
unittests-Solution-Stable	83.02% <54.28%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
...etryProtocol/Implementation/ExperimentalOptions.cs	100.00% <ø> (ø)
...tation/OpenTelemetryProtocolExporterEventSource.cs	100.00% <100.00%> (ø)
...rotocol/Implementation/OtlpLogRecordTransformer.cs	93.45% <100.00%> (ø)
...tation.AspNetCore/Implementation/HttpInListener.cs	89.79% <100.00%> (+0.21%)	⬆️
...AspNetCore/Implementation/HttpInMetricsListener.cs	89.74% <100.00%> (+0.26%)	⬆️
....GrpcNetClient/GrpcClientInstrumentationOptions.cs	100.00% <ø> (+25.00%)	⬆️
...ent/Implementation/GrpcClientDiagnosticListener.cs	75.80% <100.00%> (-2.77%)	⬇️
...n.GrpcNetClient/TracerProviderBuilderExtensions.cs	100.00% <100.00%> (ø)
...plementation/HttpWebRequestActivitySource.netfx.cs	80.77% <100.00%> (ø)
...emetry/Metrics/Exemplar/SimpleExemplarReservoir.cs	80.43% <100.00%> (ø)
... and 1 more

... and 34 files with indirect coverage changes

[reyang]

I have a general question - how do we decide when to trust something like this or not?

[alanwest]

I'd hope that this will be more secure. I assume that now that we're using an actual version rather than just blindly downloading the latest, that dependabot can help alert us of vulnerabilities

[CodeBlanch]

It is a great question and I don't have an answer other than it is something we should discuss on SIG 🤣

Some thoughts...

• This particular thing DavidAnson/markdownlint-cli2-action seems to be made by the same guy who makes markdownlint itself so high confidence here.

• There is table which shows permissions for "pull requests from public forked repositories": https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

  I don't worry much about the CI workflow(s) because it seems GitHub has a pretty good safe-by-default policy. I would worry more about a release job using random actions but for this repo we don't have a release job (we do it manually). The contrib repo does use workflows to release though.