Merge branch 'jaegertracing:main' into master

.github/workflows/ci-all-in-one-build.yml

@@ -7,33 +7,42 @@ on:
   pull_request:
     branches: [main]
 
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 jobs:
   all-in-one:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2.4.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         submodules: true
 
     - name: Fetch git tags
       run: |
         git fetch --prune --unshallow --tags
 
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
       with:
-        go-version: ^1.17
+        go-version: 1.19.x
 
-    - uses: actions/setup-node@v2.5.1
+    - uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516
       with:
-        node-version: '10'
+        node-version: '16'
 
     - name: Export BRANCH variable
       uses: ./.github/actions/setup-branch
 
     - name: Install tools
       run: make install-ci
-    
-    - uses: docker/setup-qemu-action@v1
+
+    - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
 
     - name: Build, test, and publish all-in-one image
       run: bash scripts/build-all-in-one-image.sh

.github/workflows/ci-build-binaries.yml

@@ -7,6 +7,10 @@ on:
   pull_request:
     branches: [main]
 
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 jobs:
   build-binaries:
     runs-on: ubuntu-latest
@@ -29,17 +33,22 @@ jobs:
           task: build-binaries-ppc64le
     name: build binaries for ${{ matrix.platform.name }}
     steps:
-    - uses: actions/checkout@v2.4.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         submodules: true
 
     - name: Fetch git tags
       run: |
         git fetch --prune --unshallow --tags
 
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
       with:
-        go-version: ^1.17
+        go-version: 1.19.x
 
     - name: Export BRANCH variable
       uses: ./.github/actions/setup-branch

.github/workflows/ci-cassandra.yml

@@ -7,6 +7,10 @@ on:
   pull_request:
     branches: [main]
 
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   cassandra:
     runs-on: ubuntu-latest
@@ -23,11 +27,16 @@ jobs:
           schema: v004
     name: ${{ matrix.version.distribution }} ${{ matrix.version.major }}
     steps:
-    - uses: actions/checkout@v2.4.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
       with:
-        go-version: ^1.17
+        go-version: 1.19.x
 
     - name: Run cassandra integration tests
       run: bash scripts/cassandra-integration-test.sh ${{ matrix.version.image }} ${{ matrix.version.schema }}

.github/workflows/ci-crossdock.yml

@@ -7,38 +7,42 @@ on:
   pull_request:
     branches: [main]
 
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 jobs:
   crossdock:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        steps:
-        - name: crossdock
-          cmd: bash scripts/build-crossdock.sh
-    name: ${{ matrix.steps.name }}
+
     steps:
-    - uses: actions/checkout@v2.4.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         submodules: true
 
     - name: Fetch git tags
       run: |
         git fetch --prune --unshallow --tags
 
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
       with:
-        go-version: ^1.17
+        go-version: 1.19.x
 
     - name: Export BRANCH variable
       uses: ./.github/actions/setup-branch
 
     - name: Install tools
       run: make install-ci
-
-    - uses: docker/setup-qemu-action@v1
 
-    - name: Build, test, and publish ${{ matrix.steps.name }} image
-      run: ${{ matrix.steps.cmd }}
+    - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
+
+    - name: Build, test, and publish crossdock image
+      run: bash scripts/build-crossdock.sh
       env:
         DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
         QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}

.github/workflows/ci-docker-build.yml

@@ -7,34 +7,43 @@ on:
   pull_request:
     branches: [main]
 
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 jobs:
   docker-images:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2.4.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         submodules: true
 
     - name: Fetch git tags
       run: |
         git fetch --prune --unshallow --tags
 
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
       with:
-        go-version: ^1.17
+        go-version: 1.19.x
 
-    - uses: actions/setup-node@v2.5.1
+    - uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516
       with:
-        node-version: '10'
+        node-version: '16'
 
     - name: Export BRANCH variable
       uses: ./.github/actions/setup-branch
 
     - name: Install tools
       run: make install-ci
 
-    - uses: docker/setup-qemu-action@v1
+    - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
 
     - name: Build and upload all docker images
       run: bash scripts/build-upload-docker-images.sh

.github/workflows/ci-elasticsearch.yml

@@ -7,6 +7,10 @@ on:
   pull_request:
     branches: [main]
 
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   elasticsearch:
     runs-on: ubuntu-latest
@@ -24,22 +28,27 @@ jobs:
           distribution: elasticsearch
     name: ${{ matrix.version.distribution }} ${{ matrix.version.major }}
     steps:
-    - uses: actions/checkout@v2.4.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         submodules: true
 
     - name: Fetch git tags
       run: |
         git fetch --prune --unshallow --tags
 
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
       with:
-        go-version: ^1.17
+        go-version: 1.19.x
 
     - name: Install tools
       run: make install-ci
 
-    - uses: docker/setup-qemu-action@v1
+    - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
 
     - name: Run elasticsearch integration tests
       run: bash scripts/es-integration-test.sh ${{ matrix.version.distribution }} ${{ matrix.version.image }}

.github/workflows/ci-grpc-badger.yml

@@ -7,15 +7,24 @@ on:
   pull_request:
     branches: [main]
 
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   grpc-and-badger:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2.4.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
       with:
-        go-version: ^1.17
+        go-version: 1.19.x
 
     - name: Run Badger storage integration tests
       run: make badger-storage-integration-test

.github/workflows/ci-hotrod.yml

@@ -7,29 +7,38 @@ on:
   pull_request:
     branches: [main]
 
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 jobs:
   hotrod:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2.4.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       with:
         submodules: true
 
     - name: Fetch git tags
       run: |
         git fetch --prune --unshallow --tags
 
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
       with:
-        go-version: ^1.17
+        go-version: 1.19.x
 
     - name: Export BRANCH variable
       uses: ./.github/actions/setup-branch
 
     - name: Install tools
       run: make install-ci
-    
-    - uses: docker/setup-qemu-action@v1
+
+    - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
 
     - name: Build, test, and publish hotrod image
       run: bash scripts/hotrod-integration-test.sh

.github/workflows/ci-kafka.yml

@@ -7,19 +7,28 @@ on:
   pull_request:
     branches: [main]
 
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   kafka:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2.4.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
-    - uses: actions/setup-go@v2
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+
+    - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
       with:
-        go-version: ^1.17
+        go-version: 1.19.x
 
     - name: Run kafka integration tests
       run: bash scripts/kafka-integration-test.sh
-    
+
     services:
       zookeeper:
         image: bitnami/zookeeper