From 1ceb151f0c1cd74a6007fe9a997502de9265360c Mon Sep 17 00:00:00 2001
From: Kevin Minehart <kevin.minehart@proton.me>
Date: Tue, 22 Apr 2025 08:33:08 -0500
Subject: [PATCH] update sync-mirror action

---
 .github/workflows/sync-mirror-event.yml | 43 +++++++++++++++++++++++++
 .github/workflows/sync-mirror.yml       | 25 --------------
 2 files changed, 43 insertions(+), 25 deletions(-)
 create mode 100644 .github/workflows/sync-mirror-event.yml
 delete mode 100644 .github/workflows/sync-mirror.yml

diff --git a/.github/workflows/sync-mirror-event.yml b/.github/workflows/sync-mirror-event.yml
new file mode 100644
index 00000000000..b1a1466fdf9
--- /dev/null
+++ b/.github/workflows/sync-mirror-event.yml
@@ -0,0 +1,43 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo, Ex: grafana/grafana
+name: Dispatch sync to mirror
+run-name: dispatch-sync-to-mirror-${{ github.ref_name }}
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+# This is run after the pull request has been merged, so we'll run against the target branch
+jobs:
+  dispatch-job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
+      - uses: actions/github-script@v7
+        if: github.repository == 'grafana/grafana'
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+                owner: 'grafana',
+                repo: 'security-patch-actions',
+                workflow_id: 'mirror-branch-and-apply-patches-event.yml',
+                ref: 'main',
+                inputs: {
+                  src_ref: "${{ github.ref_name }}",
+                  src_repo: "${{ github.repository }}",
+                  src_sha: "${{ github.sha }}",
+                  dest_repo: "${{ github.repository }}-security-mirror",
+                  patch_repo: "${{ github.repository }}-security-patches"
+                }
+            })
diff --git a/.github/workflows/sync-mirror.yml b/.github/workflows/sync-mirror.yml
deleted file mode 100644
index 09c8f87d509..00000000000
--- a/.github/workflows/sync-mirror.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-# Owned by grafana-release-guild
-# Intended to be dropped into the base repo, Ex: grafana/grafana
-name: Sync to mirror
-run-name: sync-to-mirror-${{ github.ref_name }}
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - "main"
-      - "v*.*.*"
-      - "release-*"
-
-# This is run after the pull request has been merged, so we'll run against the target branch
-jobs:
-  trigger_downstream_patch_mirror:
-    concurrency: patch-mirror-${{ github.ref_name }}
-    uses: grafana/security-patch-actions/.github/workflows/mirror-branch-and-apply-patches.yml@main
-    if: github.repository == 'grafana/grafana'
-    with:
-      ref: "${{ github.ref_name }}" # this is the target branch name, Ex: "main"
-      src_repo: "${{ github.repository }}"
-      dest_repo: "${{ github.repository }}-security-mirror"
-      patch_repo: "${{ github.repository }}-security-patches"
-    secrets: inherit
-