Signed-off-by: dongjiang <dongjiang1989@126.com>

* setup ossf scorecard and codql workflows


---------

Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
Co-authored-by: Ben Kochie <superq@gmail.com>

* feat(promslog): implement reserved keys, rename duplicates

This commit adds support for "reserved" keys, where upon detecting a
duplicate log attribute key, it will rename the key to prevent
collisions/issues with core slog attribute keys in use.

The reserved keys are:
- `level`
- `source` (for standard slog style)
- `caller` (for legacy go-kit style)
- `time`   (for standard slog style)
- `ts`     (for legacy go-kit style)

By supporting reserved keys, we allow users of the library to use these
keys for their own supplemental log attributes.

Fixes: #745

Example test output:
```
=== RUN   TestReservedKeys/slog_log_style
time=2025-01-13T18:32:46.508Z level=INFO source=slog_test.go:212 msg="reserved keys test for slog_log_style" logged_level="surprise! I'm a string" logged_source="surprise! I'm a string" logged_time="surprise! I'm a string"

=== RUN   TestReservedKeys/go-kit_log_style
ts=2025-01-13T18:32:46.508Z level=info caller=slog_test.go:212 msg="reserved keys test for go-kit_log_style" logged_level="surprise! I'm a string" logged_caller="surprise! I'm a string" logged_ts="surprise! I'm a string"
```

Note: this implementation only technically removes duplicates of our
core reserved keys. If a user adds multiple instances of a reserved key,
the rest get renamed to `logged_$key`, which means there could be
duplicate attributes with `logged_$key`. This is mostly to simplify
implementation so we don't need to bother reference counting in the
replace attr function to do things like `logged_$key1`, `logged_$key2`,
etc.


---------

Signed-off-by: TJ Hoplock <t.hoplock@gmail.com>

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.24.0 to 0.25.0.
- [Commits](golang/oauth2@v0.24.0...v0.25.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.33.0 to 0.34.0.
- [Commits](golang/net@v0.33.0...v0.34.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps google.golang.org/protobuf from 1.36.1 to 1.36.3.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Peter Nguyen <petern0408@gmail.com>

* promslog: Make AllowedLevel concurrency safe.

Needed for prometheus/prometheus#10352

Also I renamed AllowedLevel and AllowedFormat to Level and Format.
Default level (and String()) is also now 'info' not empty.

It's a breaking change, but I suspect nobody was using those constructs directly, WDYT?

Signed-off-by: bwplotka <bwplotka@gmail.com>

* info is by default, so no need for the set in New

Signed-off-by: bwplotka <bwplotka@gmail.com>

---------

Signed-off-by: bwplotka <bwplotka@gmail.com>

Fix typo 'the an'

Signed-off-by: prombot <prometheus-team@googlegroups.com>

)

Bumps google.golang.org/protobuf from 1.36.3 to 1.36.4.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

)

Bumps google.golang.org/protobuf from 1.36.4 to 1.36.5.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.34.0 to 0.35.0.
- [Commits](golang/net@v0.34.0...v0.35.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

There is a lot of confusion around this global variable.
Clarify that it is meant to indicate that a project is aware of UTF-8 support, and that those projects should have their own flags to control validation mode.

Signed-off-by: Owen Williams <owen.williams@grafana.com>

This commit fixes a spelling mistake in the godoc for ResolvedAt.

Signed-off-by: George Robinson <george.robinson@grafana.com>

Signed-off-by: prombot <prometheus-team@googlegroups.com>

… into Prometheus metric/label names

Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>

…with a digit and addMetricSuffixes is true

Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>

otlptranslator: Add dependency free package that translates OTLP data into Prometheus metric/label names