fix(tracing): use agentId as span reference_id

[ionmincu]

Summary

Tracing

• Set UiPathSpan.reference_id from the agentId attribute (sourced from the PROJECT_KEY env var) instead of the unset referenceId attribute, so coded-agent spans carry a meaningful reference back to their agent.
• Bump uipath-platform to 0.1.49.

Integration tests workflow

Make Dependabot PRs actually able to run integration tests, without exposing the full secret blast radius to arbitrary fork PRs:

• Add pull_request_target trigger alongside the existing pull_request, gated by actor so it fires only for dependabot[bot]. Regular PRs continue to use pull_request exactly as before. No double-runs.
• Set actions/checkout to ref: ${{ github.event.pull_request.head.sha }} so the PR's code is tested in both event contexts (default for pull_request_target is base).
• Restrict the Dependabot matrix to the alpha environment only (skip cloud and staging) to minimize credential exposure for dependency-bump PRs.
• Omit App Insights / telemetry secrets for Dependabot runs.
• Add a Check secrets availability step that emits a ::warning:: annotation when any of CLIENT_ID/CLIENT_SECRET/BASE_URL is empty, so the previously-misleading downstream UIPATH_ACCESS_TOKEN is not set failure now has clear context (useful for non-Dependabot fork PRs).

Test plan

• CI green on this PR (non-Dependabot path)
• Verify emitted spans include ReferenceId matching the project/agent id
• Confirm next Dependabot PR runs integration tests against alpha only and passes

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🚨 Heads up: uipath-langchain cross-tests are FAILING 🚨

Your changes may break the uipath-langchain-python integration.

⚠️ These checks are NOT enforced by branch protection rules. Please review the failures before merging.

🔍 Inspect the failed run →