[security] audit repository tooling about build-tools HOT 6 OPEN

@arminru Please confirm if vulnerability reporting, dependabot alerts are configured for the repo as I don't have enough access to see those. I do see we have majority of the repo in Python with a lil of Go but I don't see us using any staticcode checker for Python, do you folks have any suggestion in mind for the same? I know we can use Mypy or Pylint.

Meanwhile I will open a PR for CodeQL scanning with schedule same as other repos.

from build-tools.

@open-telemetry/technical-committee I think you are still the only ones that have access to view the mentioned settings. Please check.

@sakshi-1505 For Python we already use both mypy and pylint, and addtionally flake8 (and black + isort but these are probably less security relevant). https://github.com/open-telemetry/build-tools/blob/main/.github/workflows/semconvgen.yml Most of these could use an upgrade (we have dependabot PRs but with new linter errors that would need to be fixed), and there is also https://github.com/astral-sh/ruff which seems to be the new cool tool that would replace all 3 of pylint, flake8 and isort while being faster. So if somebody has time, there is always potential for improvement, but I think we have the basics covered (and note that the semantic convention generator is development tooling and not distributed to or used by end users)

from build-tools.

@Oberon00 please check #214

from build-tools.

@Oberon00 I looked into the repo settings mentioned in the issue description, adjusted them where needed, and ticked the boxes.

from build-tools.

Thanks a lot @arminru , can you please also review #214?

from build-tools.

cc: @codeboten

from build-tools.