
feat: go mod auto version update #1848


Closed

Conversation

maxday
Member

@maxday maxday commented Jun 4, 2025

This is a follow-up PR on this: #1839 to complete this: #1838

I've tried it on my fork and the PR with a bump is indeed created see the example here: maxday#7

Quick notes:

  • Since the PR is created from a workflow step, it does NOT auto trigger the collector check to run (this is a documented mechanism to increase security + to prevent loops)
  • I've added a step to run the check but there is no easy way to report the status on the PR. I think I can make it work with custom checks but I think it's good enough like this. When a new PR like this is created, we would need to manually check the status of the triggered action, IMO, it's still a huge benefit to have this auto-bump which is already detecting that we're behind one minor version 😅.

Let me know!
Max

@maxday maxday requested a review from a team as a code owner June 4, 2025 06:57
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: 030/gomod-go-version-updater-action@7de28fa4093a877ba8924f7901e6c7b6e5dd3954 # v0.3.3
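Review bot: `pull-requests: write` on this job should be declared at the job level and paired only with the other scopes this action actually needs, rather than inherited from a workflow-wide grant; that is the least-privilege GITHUB_TOKEN point raised later in the thread, and the token is reachable by the action through `github.token` even when the workflow never passes it explicitly. Pinning `030/gomod-go-version-updater-action` to a full commit SHA with the `# v0.3.3` comment is the right pattern for a third-party action; keep that version comment accurate whenever the SHA is bumped so reviewers can verify the pin against the upstream release.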
Member


Is this being used anywhere else within otel?

Member Author


@tylerbenson no I could not find other usage. Maybe we can pioneer this and influence other go repos if this is working well for us?
if you look at the code, it's a very simple action: https://github.com/030/gomod-go-version-updater-action/blob/main/main.py

Member


@trask @carlosalberto @jaronoff97 @codeboten WDYT? Does this need further review or good to go?

Member


from a security perspective, I personally avoid github actions that are not widely used, since it's one more attack vector you have to worry about

that said, I don't think we have any official guidance for OpenTelemetry repositories, and I suspect that we would first focus on limiting the github token permissions, since that's typically the easier win:

An action can access the GITHUB_TOKEN through the github.token context even if the workflow does not explicitly pass the GITHUB_TOKEN to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the GITHUB_TOKEN. For more information, see Permissions for the GITHUB_TOKEN.

(https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow)

In this particular case though, have you checked if Renovate will automatically update this for you? The majority of OpenTelemetry repos are on Renovate now, and I believe the Go repos were early Renovate adopters.

cc @open-telemetry/sig-security-approvers @open-telemetry/go-approvers
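As an added example, not code from this PR or from the OpenTelemetry project, here is a small audit that checks workflow text for the two controls discussed in this review: every third-party `uses:` reference pinned to a full commit SHA (as the snippet in this PR does) and an explicit `permissions:` block so the GITHUB_TOKEN does not fall back to the repository default scope. The sample workflow is constructed, and the job-level permissions it grants are an assumption about what a version-bump job needs.

```python
"""Audit GitHub Actions workflow text for SHA-pinned actions and an explicit
permissions block. Line-based on purpose: no YAML dependency needed."""
import re

# Constructed sample modelled on the job fragment in this PR; not the PR's real file.
# The job-level permissions are an assumption about what a bump job would need.
SAMPLE_WORKFLOW = """\
name: go-version-bump
on:
  schedule:
    - cron: "0 6 * * 1"
permissions:
  contents: read
jobs:
  bump:
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: 030/gomod-go-version-updater-action@7de28fa4093a877ba8924f7901e6c7b6e5dd3954 # v0.3.3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return `uses:` references whose version is not a full 40-hex commit SHA.
    Local (./) and docker:// references are skipped: they are not tag-resolvable."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")  # version is "" when no @ is present
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_permissions_block(workflow_text):
    """True if a `permissions:` key is declared at any level of the workflow."""
    return any(re.match(r"^\s*permissions:", l) for l in workflow_text.splitlines())


def audit(workflow_text):
    return {"unpinned": unpinned_actions(workflow_text),
            "permissions_declared": has_permissions_block(workflow_text)}
```

Run `audit(SAMPLE_WORKFLOW)` to see that the tag-pinned `actions/checkout@v4` is reported while the SHA-pinned updater action is not.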

@tylerbenson tylerbenson added the github_actions Pull requests that update GitHub Actions code label Jun 6, 2025
@maxday maxday closed this Jun 10, 2025
Member Author

maxday commented Jun 11, 2025

oops sorry I removed the branch 😶‍🌫️ , will reopen
