[infra] Fix OneCollector Dangerous-Workflow v2 (#3256)

Co-authored-by: Martin Costello <[email protected]>

Author: Kielek

.github/codeql/codeql-config.yml

@@ -0,0 +1,12 @@
+name: "CodeQL config"
+
+queries:
+  - uses: security-extended
+
+# Disable specific queries
+query-filters:
+  - exclude:
+      id:
+        - actions/untrusted-checkout
+        - actions/untrusted-checkout/high
+        - actions/untrusted-checkout/medium

.github/workflows/ci-Exporter.OneCollector-Integration.yml

@@ -24,32 +24,21 @@ jobs:
 
   build-integration-test:
     needs: authorize
-
     strategy:
-      fail-fast: false # ensures the entire test matrix is run, even if one permutation fails
+      fail-fast: false
       matrix:
         os: [ windows-latest, ubuntu-24.04 ]
         version: [ net462, net8.0 ]
         exclude:
         - os: ubuntu-24.04
           version: net462
-
-    runs-on: ${{ matrix.os }}
-    steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
-        ref: refs/pull/${{ github.event.pull_request.number }}/merge # Run on the merge commit once approved
-
-    - name: Setup dotnet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-
-    - name: dotnet restore Component.proj for OpenTelemetry.Exporter.OneCollector
-      run: dotnet restore build/Projects/Component.proj -p:BUILD_COMPONENT=OpenTelemetry.Exporter.OneCollector
-
-    - name: dotnet build Component.proj for OpenTelemetry.Exporter.OneCollector
-      run: dotnet build build/Projects/Component.proj --configuration Release --no-restore -p:BUILD_COMPONENT=OpenTelemetry.Exporter.OneCollector
-
-    - name: dotnet test Component.proj for OpenTelemetry.Exporter.OneCollector
-      run: dotnet test build/Projects/Component.proj --filter CategoryName=OneCollectorIntegrationTests --framework ${{ matrix.version }} --configuration Release --no-restore --no-build -p:BUILD_COMPONENT=OpenTelemetry.Exporter.OneCollector --logger:"console;verbosity=detailed"
-      env:
-        OTEL_ONECOLLECTOR_INSTRUMENTATION_KEY: ${{ secrets.OTEL_ONECOLLECTOR_INSTRUMENTATION_KEY }}
+    uses: ./.github/workflows/integration-test-reusable.yml
+    with:
+      component: OpenTelemetry.Exporter.OneCollector
+      os: ${{ matrix.os }}
+      version: ${{ matrix.version }}
+      test-filter: OneCollectorIntegrationTests
+      env-var-name: OTEL_ONECOLLECTOR_INSTRUMENTATION_KEY
+      checkout-ref: refs/pull/${{ github.event.pull_request.number }}/merge
+    secrets:
+      instrumentation-key: ${{ secrets.OTEL_ONECOLLECTOR_INSTRUMENTATION_KEY }}

.github/workflows/codeql-analysis-steps.yml

@@ -39,6 +39,7 @@ jobs:
         with:
           build-mode: none
           languages: ${{ matrix.language }}
+          config-file: ./.github/codeql/codeql-config.yml
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8

.github/workflows/integration-test-reusable.yml

@@ -0,0 +1,65 @@
+name: Reusable Integration Test
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      component:
+        description: 'Component to build and test'
+        required: true
+        type: string
+      os:
+        description: 'Operating system to run on'
+        required: true
+        type: string
+      version:
+        description: 'Framework version to test'
+        required: true
+        type: string
+      test-filter:
+        description: 'Test filter category'
+        required: true
+        type: string
+      env-var-name:
+        description: 'Environment variable name for instrumentation key'
+        required: false
+        type: string
+        default: 'INSTRUMENTATION_KEY'
+      checkout-ref:
+        description: 'Git ref to checkout'
+        required: false
+        type: string
+        default: ''
+    secrets:
+      instrumentation-key:
+        description: 'Instrumentation key for testing'
+        required: false
+
+jobs:
+  build-and-test:
+    runs-on: ${{ inputs.os }}
+    steps:
+    # Security: When called from pull_request_target with untrusted PR code,
+    # this checkout requires prior approval via the 'authorize' job environment.
+    # The workflow has limited permissions (contents: read) and uses persist-credentials: false
+    # to prevent credential theft.
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+        ref: ${{ inputs.checkout-ref }}
+
+    - name: Setup dotnet
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+
+    - name: dotnet restore Component.proj
+      run: dotnet restore build/Projects/Component.proj -p:BUILD_COMPONENT=${{ inputs.component }}
+
+    - name: dotnet build Component.proj
+      run: dotnet build build/Projects/Component.proj --configuration Release --no-restore -p:BUILD_COMPONENT=${{ inputs.component }}
+
+    - name: dotnet test Component.proj
+      run: dotnet test build/Projects/Component.proj --filter CategoryName=${{ inputs.test-filter }} --framework ${{ inputs.version }} --configuration Release --no-restore --no-build -p:BUILD_COMPONENT=${{ inputs.component }} --logger:"console;verbosity=detailed"
+      env:
+        ${{ inputs.env-var-name }}: ${{ secrets.instrumentation-key }}

test/OpenTelemetry.Instrumentation.SqlClient.Tests/SqlClientTests.cs

@@ -20,7 +20,7 @@ public enum SqlClientLibrary
 [Collection("SqlClient")]
 public class SqlClientTests : IDisposable
 {
-    private const string TestConnectionString = "Data Source=(localdb)\\MSSQLLocalDB;Database=master";
+    private const string TestConnectionString = "Data Source=(localdb)\\MSSQLLocalDB;Database=master;Encrypt=True;TrustServerCertificate=True";
 
     public static IEnumerable<object[]> TestData => SqlClientTestCases.GetTestCases();
 

test/OpenTelemetry.Instrumentation.SqlClient.Tests/SqlClientTraceInstrumentationOptionsTests.cs

@@ -17,7 +17,7 @@ namespace OpenTelemetry.Instrumentation.SqlClient.Tests;
 [Collection("SqlClient")]
 public class SqlClientTraceInstrumentationOptionsTests
 {
-    private const string TestConnectionString = "Data Source=(localdb)\\MSSQLLocalDB;Database=master";
+    private const string TestConnectionString = "Data Source=(localdb)\\MSSQLLocalDB;Database=master;Encrypt=True;TrustServerCertificate=True";
 
     [Fact]
     public void ShouldEmitOldAttributesWhenStabilityOptInIsDatabaseDup()