Use sonatype guide dependency audit (#2812)

trask · web-flow · commit 430d40c1ce68 · 2026-05-04T19:09:52.000Z
diff --git a/.github/repository-settings.md b/.github/repository-settings.md
@@ -22,8 +22,7 @@ private admin repo.
 
 - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
 - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-- `SONATYPE_OSS_INDEX_USER` - owned by [@trask](https://github.com/trask)
-- `SONATYPE_OSS_INDEX_PASSWORD` - owned by [@trask](https://github.com/trask)
+- `SONATYPE_GUIDE_PAT` - owned by [@trask](https://github.com/trask)
 - `SONATYPE_KEY` - owned by [@trask](https://github.com/trask)
 - `SONATYPE_USER` - owned by [@trask](https://github.com/trask)
 
diff --git a/.github/workflows/sonatype-guide-dependency-audit-daily.yml b/.github/workflows/sonatype-guide-dependency-audit-daily.yml
@@ -1,6 +1,6 @@
 # the benefit of this over renovate is that this also analyzes transitive dependencies
 # while renovate (at least currently) only analyzes top-level dependencies
-name: OSS Index dependency audit (daily)
+name: Sonatype Guide dependency audit (daily)
 
 on:
   schedule:
@@ -29,14 +29,13 @@ jobs:
         run: ./gradlew ossIndexAudit --no-configuration-cache --no-parallel
         continue-on-error: true
         env:
-          SONATYPE_OSS_INDEX_USER: ${{ secrets.SONATYPE_OSS_INDEX_USER }}
-          SONATYPE_OSS_INDEX_PASSWORD: ${{ secrets.SONATYPE_OSS_INDEX_PASSWORD }}
+          SONATYPE_GUIDE_PAT: ${{ secrets.SONATYPE_GUIDE_PAT }}
           DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
       - name: Print vulnerability report
         if: steps.audit.outcome == 'failure'
         run: |
-          echo "=== OSS Index Vulnerability Report ==="
+          echo "=== Sonatype Guide Vulnerability Report ==="
           find . -name "oss-index-cyclonedx-bom.json" | xargs cat
           exit 1
 
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -221,6 +221,7 @@ ossIndexAudit {
   isExcludeCompileOnly = true
   outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4
 
-  username = System.getenv("SONATYPE_OSS_INDEX_USER")
-  password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD")
+  // Guide PAT authentication ignores this, but the scan plugin requires it.
+  username = "unused"
+  password = System.getenv("SONATYPE_GUIDE_PAT") ?: ""
 }

Original file line number	Diff line number	Diff line change
`@@ -221,6 +221,7 @@ ossIndexAudit {`
`221`	`221`	`isExcludeCompileOnly = true`
`222`	`222`	`outputFormat = org.sonatype.gradle.plugins.scan.ossindex.OutputFormat.JSON_CYCLONE_DX_1_4`
`223`	`223`
`224`		`- username = System.getenv("SONATYPE_OSS_INDEX_USER")`
`225`		`- password = System.getenv("SONATYPE_OSS_INDEX_PASSWORD")`
	`224`	`+ // Guide PAT authentication ignores this, but the scan plugin requires it.`
	`225`	`+ username = "unused"`
	`226`	`+ password = System.getenv("SONATYPE_GUIDE_PAT") ?: ""`
`226`	`227`	`}`