Update major project dependencies

[thampiotr]

#### PR Description
This PR performs a major dependency update, bumping OpenTelemetry Collector core to `v1.46.0/v0.140.0` and contrib modules to `v0.140.1`. It also updates Prometheus Server to `v0.307.3` (via a fork), Prometheus Common to `v0.67.3`, and `go.opentelemetry.io/obi` to `v1.3.8`.

A key change is the switch of `go.opentelemetry.io/ebpf-profiler` to a new fork (`github.com/thampiotr/[email protected]`), which integrates a critical race fix and compatibility with OTel 0.140 `pprofile` API, removing the previous vendored copy. The `opencensusreceiver` module remains pinned at `v0.133.0` due to its upstream removal.

The `go.mod` file has been reorganized, and integration tests for `pyroscope/java` and `remote/vault` have been updated to gracefully skip if a Docker daemon is unavailable.

#### Which issue(s) this PR fixes

<!-- Uncomment the following line if you want that GitHub issue gets automatically closed after merging the PR -->
<!-- Fixes #issue_id -->

#### Notes to the Reviewer
- The `thampiotr/opentelemetry-ebpf-profiler` fork is crucial as it includes a `processmanager` race fix (upstream rejected) and necessary `pprofile` API updates for OTel Collector `v0.140.x`.
- The `opencensusreceiver` module is intentionally kept at `v0.133.0` because it was removed from upstream OTel Collector Contrib in later versions.
- Integration tests for `pyroscope/java` and `remote/vault` now include Docker availability checks to prevent panics in environments without a running Docker daemon.
- A detailed log of the update process can be found in `deps-update-2025-11-19.md`.

#### PR Checklist

<!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->

- [ ] CHANGELOG.md updated
- [ ] Documentation added
- [x] Tests updated
- [ ] Config converters updated

---

 

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

🔍 Dependency Review

Below are the assessed go.mod changes with upgrade implications and any code changes needed. I grouped closely related modules where appropriate to keep this targeted and actionable.

---

go.opentelemetry.io/collector (family) v1.45.0/v0.139.0 → v1.46.0/v0.140.0 — ⚠️ Needs Review

Scope:

• Core: client, component, config/*, confmap, consumer, exporter, extension, featuregate, otelcol, pdata, pipeline, processor, receiver, scraper, service
• x/* helpers (connector, consumererror, exporterhelper, etc.) from v0.139.0 → v0.140.0

Why review:

• v0.140.0 of Collector and pdata includes behavioral and API surface changes that can affect code using pdata pprofile and some x/* helpers.

Key changes between 0.139.0 → 0.140.0 that may require code updates:

• pdata/pprofile: iteration APIs changed to accessor methods.
  • profile and location accessors in pprofile moved from exported fields to accessor methods (e.g., Samples(), Lines()).
• Consumer/exporter helper packages (x* submodules) saw minor internal refactors; types remain but import paths are consistent with 0.140.0.

Evidence:

• Collector release notes 0.140.0 (GitHub Releases): https://github.com/open-telemetry/opentelemetry-collector/releases/tag/v0.140.0
• pdata pprofile accessor methods visible in pprofile source (e.g., Profile.Samples(), Location.Lines())

If you have any custom code touching pprofile structures (either in-repo or in forks you replace in go.mod), update access patterns:

Code change (pprofile accessors):

- for _, s := range prof.Sample {
-     for _, l := range s.Location.Line {
-         fn := l.Function
-         // ...
-     }
- }
+ for _, s := range prof.Samples() {
+     for _, l := range s.Location.Lines() {
+         fn := l.Function()
+         // ...
+     }
+ }

Notes about the featuregate module:

• You updated go.opentelemetry.io/collector/featuregate to v1.46.0 and removed any replace to the Grafana fork.
• If your codebase (or downstream forks) relied on the fork’s SetAlreadyRegisteredErrHandler hook to bypass duplicate feature-gate panics, that hook is NOT in upstream. Reintroduce a replace to the fork if this behavior is still required during registration.

Recommended safety checks:

• Run integration tests that exercise any custom pprofile usage.
• Confirm you don’t rely on a fork-only featuregate hook. If you do, add:

+ replace go.opentelemetry.io/collector/featuregate => github.com/grafana/opentelemetry-collector feature-gate-registration-error-handler

---

github.com/open-telemetry/opentelemetry-collector-contrib (family) v0.139.0 → v0.140.1 — ⚠️ Needs Review

Scope:

• Connectors (servicegraphconnector, spanmetricsconnector)
• Exporters (awss3exporter, datadogexporter, faroexporter, googlecloudexporter, googlecloudpubsubexporter, kafkaexporter, loadbalancingexporter, splunkhecexporter, syslogexporter, prometheusexporter pinned)
• Extensions (basicauthextension, bearertokenauthextension, headerssetterextension, jaegerremotesampling, oauth2clientauthextension, sigv4authextension, storage/filestorage)
• Processors (attributes, cumulativetodelta, deltatocumulative, filter, groupbyattrs, interval, k8sattributes, probabilisticsampler, resourcedetection, span, tailsampling, transform)
• Receivers (awscloudwatch, awsecscontainermetrics, cloudflare, datadogreceiver, faro, filelog, filestats, fluentforward, googlecloudpubsubreceiver, influxdbreceiver, jaegerreceiver, kafkareceiver, splunkhec/syslog/tcplog/opencensus pinned, vcenter, zipkin)
• Internal/pkg helpers

Why review:

• Monthly contrib releases often ship small config changes, bug fixes and refactors. No large API breaks were announced between 0.139.x and 0.140.x, but compatibility should be verified for components you use directly.

Notable items:

• loadbalancingexporter: you moved off the 0.138.0 pin (which had a 0.139 bug) to 0.140.1, where the bug is fixed.
• prometheusexporter and translator/otlptranslator remain pinned (per your inline TODO) — no action needed now.

Evidence:

• Contrib release notes 0.140.x: https://github.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.140.1

Action:

• No code updates appear required in this repo for the bumped components.
• Validate configuration compatibility in integration tests for the components above.

Status: Minor review recommended; likely build-only change.

---

github.com/prometheus/prometheus v0.305.1-0… → v0.307.3 — ⚠️ Needs Review

Context:

• You previously referenced a fork (Grafana: staleness_disabling) for per-target disablement of staleness markers and a slicelabel fix. The go.mod in this PR now requires upstream v0.307.3 and removes the earlier replace to the fork.

Why review:

• If you depend on the fork-only “disable staleness markers” feature, it is not present in upstream 3.7.3 (module v0.307.3). Upstream PR scrape: Allow disabling end-of-run staleness markers for targets prometheus/prometheus#17431 was merged after 3.7.3 and is not in that released tag.

Evidence:

• Upstream 3.7.3 tag: https://github.com/prometheus/prometheus/releases/tag/v3.7.3
• Fork’s feature branch: https://github.com/grafana/prometheus (staleness_disabling_v3.7.3)

Action:

• If Alloy relies on “disable staleness markers,” reintroduce the replace to the fork until an upstream release includes the patch:

+ replace github.com/prometheus/prometheus => github.com/grafana/prometheus staleness_disabling_v3.7.3

• If not used, this bump is safe (patch-level).

---

go.opentelemetry.io/obi v1.3.7 → v1.3.8 (Grafana fork) — ✅ Safe

Notes:

• Fork adds minor improvements (SDK name vendor, metric sync/test stability).
• No code changes needed here.

Evidence:

• Fork release: https://github.com/grafana/opentelemetry-ebpf-instrumentation/releases/tag/v1.3.8

---

go.opentelemetry.io/ebpf-profiler replaced → github.com/thampiotr/opentelemetry-ebpf-profiler fe6dbb9 — ⚠️ Needs Review

Context:

• You switched replaces from Grafana’s fork to thampiotr’s fork that incorporates the race fix and adapts to Collector 0.140 pprofile API (Samples()/Lines()).

Impact:

• Build issues you saw with 0.140 pprofile APIs are handled inside the fork; no further code changes are required in this repo.
• If you maintain downstream integrations consuming pprofile structures directly, ensure they use the new accessor methods (see pprofile snippet above).

Action:

• None in this repo; just keep an eye on upstreaming and retag to an official release once available.

---

github.com/testcontainers/testcontainers-go v0.39.0 → v0.40.0 — ⚠️ Needs Review

Notes:

• Minor release with improvements; no API breaks noted in changelog for common usage. However, tests can fail noisily when Docker is not available (seen in CI). You’ve already added a defensive check to skip when daemon is unreachable.

Suggested test pattern (you added this already):

cli, _ := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
if _, err := cli.Ping(ctx); err != nil {
    t.Skipf("Docker daemon unreachable: %v", err)
}

Evidence:

• Changelog: https://github.com/testcontainers/testcontainers-go/releases

Status:

• Safe with your Docker-availability guard.

---

github.com/docker/docker v28.5.1 → v28.5.2 — ✅ Safe

• Patch release; no API changes used by this repo.
• Your tests already include a client ping, which works with this version.

---

sigs.k8s.io/controller-runtime v0.22.2 → v0.22.4 — ✅ Safe

• Patch release; no code changes required.

---

github.com/prometheus/common v0.67.1 → v0.67.3 — ✅ Safe

• Patch release; no code changes required.

---

AWS SDK v2 (core and services) minor bumps — ✅ Safe

Changed:

• github.com/aws/aws-sdk-go-v2 and selected services (s3, servicediscovery, cloudwatchlogs, ec2, sts), internals (eventstream, checksum, presigned-url, s3shared, v4a), and credentials packages.

Impact:

• Patch/minor bumps within a stable major. No API surface used here requires changes.

---

golang.org/x/oauth2 v0.32.0 → v0.33.0; golang.org/x/sync v0.17.0 → v0.18.0 — ✅ Safe

• Patch/minor bumps, no code changes required.

---

google.golang.org/api v0.254.0 → v0.256.0 — ✅ Safe

• Patch bumps across generated clients; no code changes required.

---

Misc. small bumps (gopsutil, franz-go, google/go-tpm, enterprise-certificate-proxy) — ✅ Safe

• Patch-level updates; APIs used here are unchanged.

---

📎 Relevant snippets and references

• pprofile accessor migration (Collector 0.140):

- for _, s := range prof.Sample {
-     for _, l := range s.Location.Line {
-         // ...
-     }
- }
+ for _, s := range prof.Samples() {
+     for _, l := range s.Location.Lines() {
+         // ...
+     }
+ }

• Optional: keep Prometheus fork while waiting on upstream release with staleness-disable:

+ replace github.com/prometheus/prometheus => github.com/grafana/prometheus staleness_disabling_v3.7.3

• Optional: keep featuregate fork if you rely on duplicate-registry handler:

+ replace go.opentelemetry.io/collector/featuregate => github.com/grafana/opentelemetry-collector feature-gate-registration-error-handler

• Testcontainers: Docker availability guard (you added this, good for CI stability)

func dockerAvailable(t *testing.T) bool {
    ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
    defer cancel()
    cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
    if err != nil { t.Logf("docker client unavailable: %v", err); return false }
    defer cli.Close()
    if _, err := cli.Ping(ctx); err != nil {
        t.Logf("docker daemon unreachable: %v", err)
        return false
    }
    return true
}

---

📝 Notes

• The opencensusreceiver remains pinned at v0.133.0 since it was removed upstream after that version. No action needed unless you plan to migrate off opencensus.
• You moved several modules from indirect to direct (e.g., caarlos0/env/v9, channelmeter/iso8601duration, ianlancetaylor/demangle). Same versions — no code changes required.
• If the intent was to keep using the Prometheus and OTel featuregate forks per your Step 3 notes, ensure the replace directives are present in go.mod; they aren’t in this PR’s go.mod diff.