Align OTLP shared import with header-based secret contract

[Copilot]

The OTEL smoke test was failing on the local write path with a 401 from one configured OTLP backend. The root cause was a contract mismatch: the shared OTLP import still generated GH_AW_OTEL_*_AUTHORIZATION wiring while the workflow/docs expected GH_AW_OTEL_*_HEADERS.

• What changed

  • Updated .github/workflows/shared/observability-otlp.md to consume GH_AW_OTEL_SENTRY_HEADERS and GH_AW_OTEL_GRAFANA_HEADERS.
  • Regenerated smoke-otel-backends.lock.yml so the compiled workflow now passes the header secrets through OTEL_EXPORTER_OTLP_HEADERS, GH_AW_OTLP_ALL_HEADERS, and GH_AW_OTLP_ENDPOINTS consistently.

• Why this addresses the failure

  • The exporter already supports full header strings per endpoint.
  • Using the documented *_HEADERS secrets removes the stale Authorization=... wrapper assumption and restores the intended secret contract for multi-endpoint OTLP fan-out.

• Regression coverage

  • Added a focused compiler test to ensure imported workflows compile with GH_AW_OTEL_*_HEADERS and no longer reference the deprecated GH_AW_OTEL_*_AUTHORIZATION secrets.

observability:
  otlp:
    endpoint:
      - url: ${{ secrets.GH_AW_OTEL_SENTRY_ENDPOINT }}
        headers: ${{ secrets.GH_AW_OTEL_SENTRY_HEADERS }}
      - url: ${{ secrets.GH_AW_OTEL_GRAFANA_ENDPOINT }}
        headers: ${{ secrets.GH_AW_OTEL_GRAFANA_HEADERS }}

[mnkiefer]

@copilot _HEADERS only valuables are outdated. We now have _AUTHORIZATION ones. Don't keep legacy ones.

[Copilot]

@copilot _HEADERS only valuables are outdated. We now have _AUTHORIZATION ones. Don't keep legacy ones.

Addressed in 1d96d95. The shared OTLP import, generated smoke workflow, and regression test now all use the _AUTHORIZATION secrets again.

[mnkiefer]

@copilot Update PR body

[Copilot]

@copilot Update PR body

Updated the PR body to reflect the current _AUTHORIZATION contract and the regenerated workflow/test coverage on 4810ba1.

[Copilot]

Pull request overview

This PR aims to align shared OTLP workflow imports with the documented header-based secret contract for observability backends.

Changes:

• Adds a compiler regression test for the shared OTLP import.
• Regenerates selected workflow lock files, mostly updating generated heredoc delimiters and adding OTLP header secrets in some manifests/job secrets.
• Updates generated secret wiring for selected workflows, though some compiled OTLP env blocks still retain authorization-secret references.

Show a summary per file

File	Description
pkg/workflow/observability_shared_import_test.go	Adds regression coverage for compiling the shared OTLP import.
.github/workflows/smoke-codex.lock.yml	Regenerates generated heredoc delimiters.
.github/workflows/smoke-call-workflow.lock.yml	Adds OTLP header secrets to generated metadata/job secrets and regenerates delimiters.
.github/workflows/schema-feature-coverage.lock.yml	Regenerates generated heredoc delimiters.
.github/workflows/necromancer.lock.yml	Regenerates generated heredoc delimiters.
.github/workflows/issue-arborist.lock.yml	Regenerates generated heredoc delimiters.
.github/workflows/grumpy-reviewer.lock.yml	Regenerates generated heredoc delimiters.
.github/workflows/duplicate-code-detector.lock.yml	Regenerates generated heredoc delimiters.
.github/workflows/dependabot-campaign.lock.yml	Adds OTLP header secrets to generated metadata/job secrets.
.github/workflows/daily-observability-report.lock.yml	Regenerates generated heredoc delimiters.
.github/workflows/daily-fact.lock.yml	Regenerates generated heredoc delimiters.
.github/workflows/daily-cache-strategy-analyzer.lock.yml	Regenerates generated heredoc delimiters.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 12/12 changed files
• Comments generated: 3