apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[release-11.5.5] Backport workflow fixes (#104694)

Browse Source 
* Copy workflows and actions from main

* add zizmor.yml
pull/104749/head
Kevin Minehart 2 months ago committed by GitHub
parent 64a3a01892
commit 7b1be85980
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
78 changed files with 2030 additions and 686 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 48
      .github/actions/setup-enterprise/action.yml
  2. 45
      .github/actions/setup-grafana-bench/action.yml
  3. 50
      .github/actions/test-coverage-processor/action.yml
  4. 46
      .github/workflows/actions/changelog/index.js
  5. 16
      .github/workflows/add-to-whats-new.yml
  6. 8
      .github/workflows/alerting-swagger-gen.yml
  7. 137
      .github/workflows/alerting-update-module.yml
  8. 25
      .github/workflows/analytics-events-report.yml
  9. 2
      .github/workflows/auto-milestone.yml
  10. 3
      .github/workflows/auto-triager/labels.txt
  11. 74
      .github/workflows/backend-code-checks.yml
  12. 71
      .github/workflows/backend-unit-tests.yml
  13. 28
      .github/workflows/backport.yml
  14. 32
      .github/workflows/bump-version.yml
  15. 44
      .github/workflows/changelog.yml
  16. 44
      .github/workflows/close-milestone.yml
  17. 6
      .github/workflows/codeowners-validator.yml
  18. 15
      .github/workflows/codeql-analysis.yml
  19. 12
      .github/workflows/commands.yml
  20. 2
      .github/workflows/community-release.yml
  21. 52
      .github/workflows/core-plugins-build-and-release.yml
  22. 2
      .github/workflows/create-next-release-branch.yml
  23. 5
      .github/workflows/create-security-patch-from-security-mirror.yml
  24. 15
      .github/workflows/dashboards-issue-add-label.yml
  25. 21
      .github/workflows/deploy-pr-preview.yml
  26. 36
      .github/workflows/detect-breaking-changes-levitate.yml
  27. 26
      .github/workflows/doc-validator.yml
  28. 19
      .github/workflows/documentation-ci.yml
  29. 3
      .github/workflows/ephemeral-instances-pr-comment.yml
  30. 149
      .github/workflows/epic-add-to-platform-ux-parent-project.yml
  31. 25
      .github/workflows/feature-toggles-ci.yml
  32. 133
      .github/workflows/frontend-lint.yml
  33. 2
      .github/workflows/github-release.yml
  34. 32
      .github/workflows/go-lint.yml
  35. 27
      .github/workflows/i18n-crowdin-create-tasks.yml
  36. 68
      .github/workflows/i18n-crowdin-download.yml
  37. 6
      .github/workflows/i18n-crowdin-upload.yml
  38. 23
      .github/workflows/issue-opened.yml
  39. 62
      .github/workflows/lint-build-docs.yml
  40. 6
      .github/workflows/metrics-collector.yml
  41. 2
      .github/workflows/migrate-prs.yml
  42. 19
      .github/workflows/milestone.yml
  43. 71
      .github/workflows/pr-backend-coverage.yml
  44. 3
      .github/workflows/pr-checks.yml
  45. 53
      .github/workflows/pr-codeql-analysis-go.yml
  46. 7
      .github/workflows/pr-codeql-analysis-javascript.yml
  47. 7
      .github/workflows/pr-codeql-analysis-python.yml
  48. 3
      .github/workflows/pr-commands.yml
  49. 9
      .github/workflows/pr-dependabot-update-go-workspace.yml
  50. 72
      .github/workflows/pr-e2e-tests.yml
  51. 69
      .github/workflows/pr-frontend-unit-tests.yml
  52. 9
      .github/workflows/pr-go-workspace-check.yml
  53. 9
      .github/workflows/pr-k8s-codegen-check.yml
  54. 8
      .github/workflows/pr-patch-check-event.yml
  55. 89
      .github/workflows/pr-test-integration.yml
  56. 5
      .github/workflows/publish-kinds-next.yml
  57. 7
      .github/workflows/publish-kinds-release.yml
  58. 4
      .github/workflows/publish-technical-documentation-next.yml
  59. 5
      .github/workflows/publish-technical-documentation-release.yml
  60. 21
      .github/workflows/release-comms.yml
  61. 107
      .github/workflows/release-pr.yml
  62. 60
      .github/workflows/remove-milestone.yml
  63. 130
      .github/workflows/run-dashboard-search-e2e.yml
  64. 39
      .github/workflows/run-e2e-suite.yml
  65. 46
      .github/workflows/run-schema-v2-e2e.yml
  66. 15
      .github/workflows/sbom-report.yml
  67. 84
      .github/workflows/scripts/crowdin/create-tasks.js
  68. 106
      .github/workflows/skye-add-to-project.yml
  69. 48
      .github/workflows/storybook-verification.yml
  70. 23
      .github/workflows/sync-mirror-event.yml
  71. 28
      .github/workflows/trigger-dashboard-search-e2e.yml
  72. 19
      .github/workflows/trivy-scan.yml
  73. 52
      .github/workflows/update-changelog.yml
  74. 6
      .github/workflows/update-make-docs.yml
  75. 5
      .github/workflows/verify-kinds.yml
  76. 23
      .github/workflows/zizmor.yml
  77. 31
      .github/zizmor.yml
  78. 2
      pkg/build/actions/bump-version/action.yml

48
.github/actions/setup-enterprise/action.yml
Unescape View File

@ -0,0 +1,48 @@
name: 'Setup Grafana Enterprise'
description: 'Clones and sets up Grafana Enterprise repository for testing'
inputs:
github-app-name:
description: 'Name of the GitHub App in Vault'
required: false
default: 'grafana-ci-bot'
runs:
using: "composite"
steps:
- name: Retrieve GitHub App secrets
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
APP_ID=${{ inputs.github-app-name }}:app-id
APP_INSTALLATION_ID=${{ inputs.github-app-name }}:app-installation-id
PRIVATE_KEY=${{ inputs.github-app-name }}:private-key
- name: Generate GitHub App token
id: generate_token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ env.APP_ID }}
private-key: ${{ env.PRIVATE_KEY }}
repositories: "grafana-enterprise"
owner: "grafana"
- name: Setup Enterprise
shell: bash
env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }}
run: |
git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-enterprise.git ../grafana-enterprise;
cd ../grafana-enterprise
if git checkout ${GITHUB_HEAD_REF}; then
echo "checked out ${GITHUB_HEAD_REF}"
elif git checkout ${GITHUB_BASE_REF}; then
echo "checked out ${GITHUB_BASE_REF}"
else
git checkout main
fi
./build.sh

45
.github/actions/setup-grafana-bench/action.yml
Unescape View File

@ -0,0 +1,45 @@
name: 'Setup Grafana Bench'
description: 'Sets up and installs Grafana Bench'
inputs:
github-app-name:
description: 'Name of the GitHub App in Vault'
required: false
default: 'grafana-ci-bot'
branch:
description: 'The branch to install from'
required: false
default: 'main'
runs:
using: "composite"
steps:
- name: Retrieve GitHub App secrets
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
APP_ID=${{ inputs.github-app-name }}:app-id
APP_INSTALLATION_ID=${{ inputs.github-app-name }}:app-installation-id
PRIVATE_KEY=${{ inputs.github-app-name }}:private-key
- name: Generate GitHub App token
id: generate_token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ env.APP_ID }}
private-key: ${{ env.PRIVATE_KEY }}
repositories: "grafana-bench"
owner: "grafana"
- name: Setup Bench
shell: bash
env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }}
BRANCH: ${{ inputs.branch }}
run: |
git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-bench.git ../grafana-bench
cd ../grafana-bench
git switch "$BRANCH"
go install .

50
.github/actions/test-coverage-processor/action.yml
Unescape View File

@ -0,0 +1,50 @@
name: 'Go Coverage Processor'
description: 'Process Go test coverage files and generate reports'
inputs:
test-type:
description: 'Type of test (e.g., be-unit, be-integration)'
required: true
type: string
coverage-file:
description: 'Path to the Go coverage file (.cov)'
required: true
type: string
codecov-token:
description: 'Token for CodeCov (required for CodeCov reporting)'
required: false
default: ''
codecov-flag:
description: 'Flag to categorize the upload to CodeCov'
required: false
default: ''
codecov-name:
description: 'Custom name for the upload to CodeCov'
required: false
default: ''
runs:
using: 'composite'
steps:
- name: Process Go coverage output
shell: bash
env:
COVERAGE_FILE: ${{ inputs.coverage-file }}
run: |
# Ensure valid coverage file even if empty
if [ ! -s "$COVERAGE_FILE" ]; then
echo "Coverage file is empty, creating a minimal valid file"
echo "mode: set" > "$COVERAGE_FILE"
fi
- name: Report coverage to CodeCov
uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5
if: inputs.codecov-token != ''
with:
files: ${{ inputs.coverage-file }}
flags: ${{ inputs.codecov-flag || inputs.test-type }}
name: ${{ inputs.codecov-name || inputs.test-type }}
slug: grafana/grafana
# This URL doesn't use the Google auth, but is much more locked down. As such, it requires OIDC or a CodeCov-provided token to do anything.
url: https://codecov-webhook.grafana-dev.net
token: ${{ inputs.codecov-token }}

46
.github/workflows/actions/changelog/index.js
Unescape View File

@ -69,8 +69,17 @@ const graphql = async (ghtoken, query, variables) => {
}, },
body: JSON.stringify({ query, variables }), body: JSON.stringify({ query, variables }),
}); });
const { data } = await results.json();
return data; const res = await results.json();
LOG(
JSON.stringify({
status: results.status,
text: results.statusText,
})
);
return res.data;
}; };
// Using Github GraphQL API find the timestamp for the given tag/commit hash. // Using Github GraphQL API find the timestamp for the given tag/commit hash.
@ -99,20 +108,20 @@ const getCommitishDate = async (name, owner, target) => {
// Using Github GraphQL API get a list of PRs between the two "commitish" items. // Using Github GraphQL API get a list of PRs between the two "commitish" items.
// This resoves the "since" item's timestamp first and iterates over all PRs // This resoves the "since" item's timestamp first and iterates over all PRs
// till "target" using naïve pagination. // till "target" using naïve pagination.
const getHistory = async (name, owner, target, sinceDate) => { const getHistory = async (name, owner, from, to) => {
LOG(`Fetching ${owner}/${name} PRs since ${sinceDate} till ${target}`); LOG(`Fetching ${owner}/${name} PRs between ${from} and ${to}`);
const query = ` const query = `
query findCommitsWithAssociatedPullRequests( query findCommitsWithAssociatedPullRequests(
$name: String! $name: String!
$owner: String! $owner: String!
$target: String! $from: String!
$sinceDate: GitTimestamp $to: String!
$cursor: String $cursor: String
) { ) {
repository(name: $name, owner: $owner) { repository(name: $name, owner: $owner) {
object(expression: $target) { ref(qualifiedName: $from) {
... on Commit { compare(headRef: $to) {
history(first: 50, since: $sinceDate, after: $cursor) { commits(first: 25, after: $cursor) {
totalCount totalCount
pageInfo { pageInfo {
hasNextPage hasNextPage
@ -155,13 +164,13 @@ const getHistory = async (name, owner, target, sinceDate) => {
const result = await graphql(ghtoken, query, { const result = await graphql(ghtoken, query, {
name, name,
owner, owner,
target, from,
sinceDate, to,
cursor, cursor,
}); });
LOG(`GraphQL: ${JSON.stringify(result)}`); LOG(`GraphQL: ${JSON.stringify(result)}`);
nodes = [...nodes, ...result.repository.object.history.nodes]; nodes = [...nodes, ...result.repository.ref.compare.commits.nodes];
const { hasNextPage, endCursor } = result.repository.object.history.pageInfo; const { hasNextPage, endCursor } = result.repository.ref.compare.commits.pageInfo;
if (!hasNextPage) { if (!hasNextPage) {
break; break;
} }
@ -175,11 +184,11 @@ const getHistory = async (name, owner, target, sinceDate) => {
// feature, deprecation, breaking change and plugin fixes/enhancements). // feature, deprecation, breaking change and plugin fixes/enhancements).
// //
// PR grouping relies on Github labels only, not on the PR contents. // PR grouping relies on Github labels only, not on the PR contents.
const getChangeLogItems = async (name, owner, sinceDate, to) => { const getChangeLogItems = async (name, owner, from, to) => {
// check if a node contains a certain label // check if a node contains a certain label
const hasLabel = ({ labels }, label) => labels.nodes.some(({ name }) => name === label); const hasLabel = ({ labels }, label) => labels.nodes.some(({ name }) => name === label);
// get all the PRs between the two "commitish" items // get all the PRs between the two "commitish" items
const history = await getHistory(name, owner, to, sinceDate); const history = await getHistory(name, owner, from, to);
const items = history.flatMap((node) => { const items = history.flatMap((node) => {
// discard PRs without a "changelog" label // discard PRs without a "changelog" label
@ -231,13 +240,10 @@ const previous = process.argv[3] || process.env.INPUT_PREVIOUS || (await getPrev
LOG(`Previous tag/commit: ${previous}`); LOG(`Previous tag/commit: ${previous}`);
const sinceDate = await getCommitishDate('grafana', 'grafana', previous);
LOG(`Previous tag/commit timestamp: ${sinceDate}`);
// Get all changelog items from Grafana OSS // Get all changelog items from Grafana OSS
const oss = await getChangeLogItems('grafana', 'grafana', sinceDate, target); const oss = await getChangeLogItems('grafana', 'grafana', previous, target);
// Get all changelog items from Grafana Enterprise // Get all changelog items from Grafana Enterprise
const entr = await getChangeLogItems('grafana-enterprise', 'grafana', sinceDate, target); const entr = await getChangeLogItems('grafana-enterprise', 'grafana', previous, target);
LOG(`Found OSS PRs: ${oss.length}`); LOG(`Found OSS PRs: ${oss.length}`);
LOG(`Found Enterprise PRs: ${entr.length}`); LOG(`Found Enterprise PRs: ${entr.length}`);

16
.github/workflows/add-to-whats-new.yml
Unescape View File

@ -0,0 +1,16 @@
name: Add comment about adding a What's new note
on:
pull_request:
types: [labeled]
jobs:
add-comment:
if: ${{ ! github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'add to what''s new') }}
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
with:
message: |
Since you've added the `Add to what's new` label, consider drafting a [What's new note](https://admin.grafana.com/content-admin/#/collections/whats-new/new) for this feature.

8
.github/workflows/alerting-swagger-gen.yml
Unescape View File

@ -10,18 +10,19 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
fetch-depth: 2 fetch-depth: 2
persist-credentials: false
- name: Set go version - name: Set go version
uses: actions/setup-go@v4 uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with: with:
go-version-file: go.mod go-version-file: go.mod
- name: Build swagger - name: Build swagger
run: | run: |
make -C pkg/services/ngalert/api/tooling post.json api.json make -C pkg/services/ngalert/api/tooling post.json api.json
- name: Open Pull Request - name: Open Pull Request
uses: peter-evans/create-pull-request@v5 uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
commit-message: "chore: update alerting swagger spec" commit-message: "chore: update alerting swagger spec"
@ -34,4 +35,3 @@ jobs:
labels: 'area/alerting,type/docs,no-changelog' labels: 'area/alerting,type/docs,no-changelog'
team-reviewers: 'grafana/alerting-backend' team-reviewers: 'grafana/alerting-backend'
draft: false draft: false

137
.github/workflows/alerting-update-module.yml
Unescape View File

@ -0,0 +1,137 @@
name: Update Alerting Module
on:
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
update-grafana:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
with:
persist-credentials: false
- name: Check if update branch exists
run: |
if git ls-remote --heads origin update-alerting-module | grep -q 'update-alerting-module'; then
echo "Branch 'update-alerting-module' already exists. There might be an open PR with Grafana updates."
echo "Please review and merge/close the existing PR before running this workflow again."
exit 1
fi
- name: Setup Go
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # 5.3.0
with:
"go-version-file": "go.mod"
- name: Extract current commit hash of alerting module
id: current-commit
run: |
FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
echo "from_commit=$FROM_COMMIT" >> $GITHUB_OUTPUT
- name: Get current branch name
id: current-branch-name
run: echo "name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
- name: Get latest commit
id: latest-commit
env:
GH_TOKEN: ${{ github.token }}
run: |
BRANCH="${{ steps.current-branch-name.outputs.name }}"
TO_COMMIT=$(gh api repos/grafana/alerting/commits/$BRANCH --jq '.sha')
if [ -z "$TO_COMMIT" ]; then
echo "Branch $BRANCH not found in alerting repo, falling back to main branch"
exit 1
fi
echo "to_commit=$TO_COMMIT" >> $GITHUB_OUTPUT
- name: Compare commit hashes
run: |
FROM_COMMIT="${{ steps.current-commit.outputs.from_commit }}"
TO_COMMIT="${{ steps.latest-commit.outputs.to_commit }}"
# Compare just the length of the shorter hash
SHORT_TO_COMMIT="${TO_COMMIT:0:${#FROM_COMMIT}}"
if [ "$FROM_COMMIT" = "$SHORT_TO_COMMIT" ]; then
echo "Current version ($FROM_COMMIT) is already at latest ($SHORT_TO_COMMIT). No update needed."
exit 0
fi
echo "Updates available: $FROM_COMMIT -> $TO_COMMIT"
- name: Check for commit history
id: check-commits
env:
GH_TOKEN: ${{ github.token }}
run: |
# get all commits that contains 'Alerting:' in the message
ALERTING_COMMITS=$(gh api repos/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }} \
--jq '.commits[].commit.message | split("\n")[0]') || true
# Use printf instead of echo -e for better multiline handling
printf "%s\n" "$ALERTING_COMMITS"
# make the list for markdown and replace PR numbers with links
ALERTING_COMMITS_FORMATTED=$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)
echo "alerting_commits<<EOF" >> $GITHUB_OUTPUT
echo "$ALERTING_COMMITS_FORMATTED" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Update alerting module
env:
GOSUMDB: off
run: |
go get github.com/grafana/alerting@${{ steps.latest-commit.outputs.to_commit }}
make update-workspace
- id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
GITHUB_APP_ID=alerting-team:app-id
GITHUB_APP_PRIVATE_KEY=alerting-team:private-key
- name: "Generate token"
id: generate_token
uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # 1.11.5
with:
app-id: ${{ env.GITHUB_APP_ID }}
private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
- name: Create Pull Request
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # 7.0.6
id: create-pr
with:
token: '${{ steps.generate_token.outputs.token }}'
title: 'Alerting: Update alerting module to ${{ steps.latest-commit.outputs.to_commit }}'
branch: alerting/update-alerting-module
delete-branch: true
body: |
Updates Grafana Alerting module to latest version.
Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
<details>
<summary>Commits</summary>
${{ steps.check-commits.outputs.alerting_commits }}
</details>
Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
- name: Add PR URL to Summary
if: steps.create-pr.outputs.pull-request-url != ''
run: |
echo "## Pull Request Created" >> $GITHUB_STEP_SUMMARY
echo "🔗 [View Pull Request](${{ steps.create-pr.outputs.pull-request-url }})" >> $GITHUB_STEP_SUMMARY

25
.github/workflows/analytics-events-report.yml
Unescape View File

@ -0,0 +1,25 @@
name: Analytics Events Report
on:
workflow_dispatch:
jobs:
generate-report:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install dependencies
run: yarn install --frozen-lockfile
- name: Generate analytics report
run: yarn analytics-report

2
.github/workflows/auto-milestone.yml
Unescape View File

@ -21,7 +21,7 @@ jobs:
# Note: Github will not trigger other actions from this because it uses # Note: Github will not trigger other actions from this because it uses
# the GITHUB_TOKEN token # the GITHUB_TOKEN token
- name: Run auto-milestone - name: Run auto-milestone
uses: grafana/grafana-github-actions-go/auto-milestone@main uses: grafana/grafana-github-actions-go/auto-milestone@d4c452f92ed826d515dccf1f62923e537953acd8 # main
with: with:
pr: ${{ github.event.pull_request.number }} pr: ${{ github.event.pull_request.number }}
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}

3
.github/workflows/auto-triager/labels.txt
Unescape View File

@ -32,9 +32,7 @@ area/dashboard/tv
area/dashboard/variable area/dashboard/variable
area/dashboards/panel area/dashboards/panel
area/data/export area/data/export
area/editor
area/explore area/explore
area/exploremetrics
area/expressions area/expressions
area/field/overrides area/field/overrides
area/frontend/library-panels area/frontend/library-panels
@ -43,6 +41,7 @@ area/image-rendering
area/internationalization area/internationalization
area/legend area/legend
area/library-panel area/library-panel
area/metricsdrilldown
area/navigation area/navigation
area/panel/annotation-list area/panel/annotation-list
area/panel/barchart area/panel/barchart

74
.github/workflows/backend-code-checks.yml
Unescape View File

@ -0,0 +1,74 @@
name: Backend Code Checks
description: Validate go.mod and OpenAPI specifications
on:
pull_request:
paths-ignore:
- '*.md'
- 'docs/**'
- 'latest.json'
push:
branches:
- main
paths-ignore:
- '*.md'
- 'docs/**'
- 'latest.json'
permissions:
contents: read
id-token: write
jobs:
validate-configs:
name: Validate Backend Configs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
# Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
# The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs
# This ensures the GHAs environment matches what we use in the Drone pipeline
go-version: 1.24.1
cache: true
- name: Verify code generation
run: |
CODEGEN_VERIFY=1 make gen-cue
CODEGEN_VERIFY=1 make gen-jsonnet
- name: Validate go.mod
run: go run scripts/modowners/modowners.go check go.mod
# Enterprise setup is needed for complete OpenAPI spec generation
# We only do this for internal PRs
- name: Setup Grafana Enterprise
if: github.event.pull_request.head.repo.fork == false
uses: ./.github/actions/setup-enterprise
- name: Generate and Validate OpenAPI Specs
run: |
# For PRs from forks, we'll just run the basic swagger-gen without validation
if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
echo "PR is from a fork, skipping enterprise-based validation"
make swagger-gen
exit 0
fi
# Clean and regenerate OpenAPI specs
make swagger-clean && make openapi3-gen
# Check if the generated specs differ from what's in the repository
for f in public/api-merged.json public/openapi3.json; do git add $f; done
if [ -z "$(git diff --name-only --cached)" ]; then
echo "OpenAPI specs are up to date!"
else
echo "OpenAPI specs are OUT OF DATE!"
git diff --cached
echo "Please ensure the branch is up-to-date, then regenerate the specification by running make swagger-clean && make openapi3-gen"
exit 1
fi

71
.github/workflows/backend-unit-tests.yml
Unescape View File

@ -0,0 +1,71 @@
name: Backend Unit Tests
on:
pull_request:
paths-ignore:
- 'docs/**'
- '**/*.md'
push:
branches:
- main
- release-*.*.*
paths-ignore:
- 'docs/**'
- '**/*.md'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
permissions: {}
jobs:
grafana:
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `pr-backend-unit-tests-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
name: Grafana
runs-on: ubuntu-latest-8-cores
continue-on-error: true
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
- name: Generate Go code
run: make gen-go
- name: Run unit tests
run: make test-go-unit
grafana-enterprise:
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
name: Grafana Enterprise
runs-on: ubuntu-latest-8-cores
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
- name: Setup Enterprise
uses: ./.github/actions/setup-enterprise
with:
github-app-name: 'grafana-ci-bot'
- name: Generate Go code
run: make gen-go
- name: Run unit tests
run: make test-go-unit

28
.github/workflows/backport.yml
Unescape View File

@ -5,24 +5,28 @@ on:
- closed - closed
- labeled - labeled
permissions:
contents: write
pull-requests: write
jobs: jobs:
main: main:
if: github.repository == 'grafana/grafana' if: github.repository == 'grafana/grafana'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
ref: main
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with: with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }} persist-credentials: false
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }} - run: git config --local user.name "github-actions[bot]"
- run: git config --global user.email '132647405+grafana-delivery-bot[bot]@users.noreply.github.com' - run: git config --local user.email "github-actions[bot]@users.noreply.github.com"
- run: git config --global user.name 'grafana-delivery-bot[bot]' - run: git config --local --add --bool push.autoSetupRemote true
- run: git remote set-url origin "https://grafana-delivery-bot:${{ steps.generate_token.outputs.token }}@github.com/grafana/grafana.git" - name: Set remote URL
env:
GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git remote set-url origin "https://grafana-delivery-bot:$GIT_TOKEN@github.com/grafana/grafana.git"
- name: Run backport - name: Run backport
uses: grafana/grafana-github-actions-go/backport@main uses: grafana/grafana-github-actions-go/backport@main # zizmor: ignore[unpinned-uses]
with: with:
token: ${{ steps.generate_token.outputs.token }} token: ${{ secrets.GITHUB_TOKEN }}

32
.github/workflows/bump-version.yml
Unescape View File

@ -11,33 +11,37 @@ on:
dry_run: dry_run:
default: false default: false
required: false required: false
permissions:
contents: write
pull-requests: write
jobs: jobs:
main: bump-version:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout Grafana - name: Checkout Grafana
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Update package.json versions - name: Update package.json versions
uses: ./pkg/build/actions/bump-version uses: ./pkg/build/actions/bump-version
with: with:
version: ${{ inputs.version }} version: ${{ inputs.version }}
- if: ${{ inputs.push }}
name: Generate token
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- if: ${{ inputs.push }} - if: ${{ inputs.push }}
name: Push & Create PR name: Push & Create PR
env:
VERSION: ${{ inputs.version }}
DRY_RUN: ${{ inputs.dry_run }}
REF_NAME: ${{ github.ref_name }}
RUN_ID: ${{ github.run_id }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
git config --local user.name "github-actions[bot]" git config --local user.name "github-actions[bot]"
git config --local user.email "github-actions[bot]@users.noreply.github.com" git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local --add --bool push.autoSetupRemote true git config --local --add --bool push.autoSetupRemote true
git checkout -b "bump-version/${{ github.run_id }}/${{ inputs.version }}" git checkout -b "bump-version/${RUN_ID}/${VERSION}"
git add . git add .
git commit -m "bump version ${{ inputs.version }}" git commit -m "bump version ${VERSION}"
git push git push
gh pr create --dry-run=${{ inputs.dry_run }} -l "type/ci" -l "no-changelog" -B "${{ github.ref_name }}" --title "Release: Bump version to ${{ inputs.version }}" --body "Updated version to ${{ inputs.version }}" gh pr create --dry-run=$DRY_RUN -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"
env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }}

44
.github/workflows/changelog.yml
Unescape View File

@ -51,15 +51,20 @@ on:
default: false default: false
type: boolean type: boolean
permissions: permissions: {}
contents: write
pull-requests: write
jobs: jobs:
main: main:
env:
RUN_ID: ${{ github.run_id }}
VERSION: ${{ inputs.version }}
PREVIOUS_VERISON: ${{ inputs.previous_version }}
TARGET: ${{ inputs.target }}
DRY_RUN: ${{ inputs.dry_run }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: write contents: write
pull-requests: write
steps: steps:
- name: "Generate token" - name: "Generate token"
id: generate_token id: generate_token
@ -68,7 +73,7 @@ jobs:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }} app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }} private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: "Checkout Grafana repo" - name: "Checkout Grafana repo"
uses: "actions/checkout@v4" uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with: with:
ref: main ref: main
sparse-checkout: | sparse-checkout: |
@ -79,8 +84,9 @@ jobs:
.prettierrc.js .prettierrc.js
fetch-depth: 0 fetch-depth: 0
fetch-tags: true fetch-tags: true
persist-credentials: false
- name: Setup nodejs environment - name: Setup nodejs environment
uses: actions/setup-node@v4 uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with: with:
node-version-file: .nvmrc node-version-file: .nvmrc
- name: "Configure git user" - name: "Configure git user"
@ -89,7 +95,7 @@ jobs:
git config --local user.email "github-actions[bot]@users.noreply.github.com" git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local --add --bool push.autoSetupRemote true git config --local --add --bool push.autoSetupRemote true
- name: "Create branch" - name: "Create branch"
run: git checkout -b "changelog/${{ github.run_id }}/${{ inputs.version }}" run: git checkout -b "changelog/${RUN_ID}/${VERSION}"
- name: "Generate changelog" - name: "Generate changelog"
id: changelog id: changelog
uses: ./.github/workflows/actions/changelog uses: ./.github/workflows/actions/changelog
@ -103,24 +109,24 @@ jobs:
# Prepare CHANGELOG.md content with version delimiters # Prepare CHANGELOG.md content with version delimiters
( (
echo echo
echo "# ${{ inputs.version}} ($(date '+%F'))" echo "# ${VERSION} ($(date '+%F'))"
echo echo
cat changelog_items.md cat changelog_items.md
) > CHANGELOG.part ) > CHANGELOG.part
# Check if a version exists in the changelog # Check if a version exists in the changelog
if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then if grep -q "<!-- ${VERSION} START" CHANGELOG.md ; then
# Replace the content between START and END delimiters # Replace the content between START and END delimiters
echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..." echo "Version ${VERSION} is found in the CHANGELOG.md, patching contents..."
sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \ sed -i -e "/${VERSION} START/,/${VERSION} END/{//!d;}" \
-e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md -e "/${VERSION} START/r CHANGELOG.part" CHANGELOG.md
else else
# Prepend changelog part to the main changelog file # Prepend changelog part to the main changelog file
echo "Version ${{ inputs.version }} not found in the CHANGELOG.md" echo "Version $VERSION not found in the CHANGELOG.md"
( (
echo "<!-- ${{ inputs.version }} START -->" echo "<!-- ${VERSION} START -->"
cat CHANGELOG.part cat CHANGELOG.part
echo "<!-- ${{ inputs.version }} END -->" echo "<!-- ${VERSION} END -->"
cat CHANGELOG.md cat CHANGELOG.md
) > CHANGELOG.tmp ) > CHANGELOG.tmp
mv CHANGELOG.tmp CHANGELOG.md mv CHANGELOG.tmp CHANGELOG.md
@ -138,11 +144,11 @@ jobs:
- name: "Create changelog PR" - name: "Create changelog PR"
run: > run: >
gh pr create \ gh pr create \
--dry-run=${{ inputs.dry_run }} \ --dry-run=${DRY_RUN} \
--label "no-backport" \ --label "no-backport" \
--label "no-changelog" \ --label "no-changelog" \
-B "${{ inputs.target }}" \ -B "${TARGET}" \
--title "Release: update changelog for ${{ inputs.version }}" \ --title "Release: update changelog for ${VERSION}" \
--body "Changelog changes for release ${{ inputs.version }}" --body "Changelog changes for release ${VERSION}"
env: env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

44
.github/workflows/close-milestone.yml
Unescape View File

@ -1,44 +0,0 @@
name: Close milestone
on:
workflow_dispatch:
inputs:
version:
required: true
description: Needs to match, exactly, the name of a milestone
workflow_call:
inputs:
version_call:
description: Needs to match, exactly, the name of a milestone
required: true
type: string
jobs:
main:
if: github.repository == 'grafana/grafana'
runs-on: ubuntu-latest
steps:
- name: Checkout Actions
uses: actions/checkout@v4
with:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
- name: Install Actions
run: npm install --production --prefix ./actions
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Close milestone (manually invoked)
if: ${{ github.event.inputs.version != '' }}
uses: ./actions/close-milestone
with:
token: ${{ steps.generate_token.outputs.token }}
- name: Close milestone (workflow invoked)
if: ${{ inputs.version_call != '' }}
uses: ./actions/close-milestone
with:
version_call: ${{ inputs.version_call }}
token: ${{ steps.generate_token.outputs.token }}

6
.github/workflows/codeowners-validator.yml
Unescape View File

@ -9,9 +9,11 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Checks-out your repository, which is validated in the next step # Checks-out your repository, which is validated in the next step
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: GitHub CODEOWNERS Validator - name: GitHub CODEOWNERS Validator
uses: mszostok/codeowners-validator@v0.7.4 uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
# input parameters # input parameters
with: with:
# ==== GitHub Auth ==== # ==== GitHub Auth ====

15
.github/workflows/codeql-analysis.yml
Unescape View File

@ -3,18 +3,19 @@
# #
# You may wish to alter this file to override the set of languages analyzed, # You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic. # or to provide custom queries or build logic.
name: "CodeQL" name: "CodeQL checks"
on: on:
workflow_dispatch: workflow_dispatch:
push: push:
branches: [main, v1.8.x, v2.0.x, v2.1.x, v2.6.x, v3.0.x, v3.1.x, v4.0.x, v4.1.x, v4.2.x, v4.3.x, v4.4.x, v4.5.x, v4.6.x, v4.7.x, v5.0.x, v5.1.x, v5.2.x, v5.3.x, v5.4.x, v6.0.x, v6.1.x, v6.2.x, v6.3.x, v6.4.x, v6.5.x, v6.6.x, v6.7.x, v7.0.x, v7.1.x, v7.2.x] branches: ['**'] # run on all branches
paths-ignore: paths-ignore:
- '**/*.cue' - '**/*.cue'
- '**/*.json' - '**/*.json'
- '**/*.md' - '**/*.md'
- '**/*.txt' - '**/*.txt'
- '**/*.yml' - '**/*.yml'
- pkg/storage/unified/sql/db/dbimpl/db.go # Ignoring warnings on the whole file for now while inline comments is not supported in Go (https://github.com/github/codeql/issues/11427)
schedule: schedule:
- cron: '0 4 * * 6' - cron: '0 4 * * 6'
@ -25,6 +26,7 @@ jobs:
analyze: analyze:
name: Analyze name: Analyze
runs-on: ubuntu-latest runs-on: ubuntu-latest
continue-on-error: true # doesn't block PRs from being merged if this fails
if: github.repository == 'grafana/grafana' if: github.repository == 'grafana/grafana'
strategy: strategy:
@ -38,21 +40,22 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
# We must fetch at least the immediate parents so that if this is # We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head. # a pull request then we can checkout the head.
fetch-depth: 2 fetch-depth: 2
persist-credentials: false
- if: matrix.language == 'go' - if: matrix.language == 'go'
name: Set go version name: Set go version
uses: actions/setup-go@v4 uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with: with:
go-version-file: go.mod go-version-file: go.mod
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@v3
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file. # If you wish to specify custom queries, you can do so here or in a config file.
@ -67,4 +70,4 @@ jobs:
make build-go make build-go
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@v3

12
.github/workflows/commands.yml
Unescape View File

@ -12,9 +12,7 @@ on:
concurrency: concurrency:
group: issue-commands-${{ github.event.issue.number }} group: issue-commands-${{ github.event.issue.number }}
permissions: permissions: {}
contents: read
id-token: write
jobs: jobs:
config: config:
@ -34,10 +32,13 @@ jobs:
needs: config needs: config
if: needs.config.outputs.has-secrets if: needs.config.outputs.has-secrets
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps: steps:
- name: "Get vault secrets" - name: "Get vault secrets"
id: vault-secrets id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with: with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
repo_secrets: | repo_secrets: |
@ -52,11 +53,12 @@ jobs:
private_key: ${{ env.GH_APP_PEM }} private_key: ${{ env.GH_APP_PEM }}
- name: Checkout Actions - name: Checkout Actions
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
repository: "grafana/grafana-github-actions" repository: "grafana/grafana-github-actions"
path: ./actions path: ./actions
ref: main ref: main
persist-credentials: false
- name: Install Actions - name: Install Actions
run: npm install --production --prefix ./actions run: npm install --production --prefix ./actions

2
.github/workflows/community-release.yml
Unescape View File

@ -36,7 +36,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Run community-release (manually invoked) - name: Run community-release (manually invoked)
uses: grafana/grafana-github-actions-go/community-release@main uses: grafana/grafana-github-actions-go/community-release@main # zizmor: ignore[unpinned-uses]
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
version: ${{ inputs.version }} version: ${{ inputs.version }}

52
.github/workflows/core-plugins-build-and-release.yml
Unescape View File

@ -33,6 +33,8 @@ permissions:
jobs: jobs:
build-and-publish: build-and-publish:
env:
PLUGIN_ID: ${{ inputs.plugin_id }}
name: Build and publish ${{ inputs.plugin_id }} name: Build and publish ${{ inputs.plugin_id }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
@ -41,12 +43,14 @@ jobs:
version: ${{ steps.build_frontend.outputs.version }} version: ${{ steps.build_frontend.outputs.version }}
steps: steps:
- name: checkout - name: checkout
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Verify inputs - name: Verify inputs
run: | run: |
if [ -z ${{ inputs.plugin_id }} ]; then echo "Missing plugin ID"; exit 1; fi if [ -z $PLUGIN_ID ]; then echo "Missing plugin ID"; exit 1; fi
- id: get-secrets - id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with: with:
# Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
repo_secrets: | repo_secrets: |
@ -54,13 +58,13 @@ jobs:
PLUGINS_GRAFANA_API_KEY=core-plugins-build-and-release:PLUGINS_GRAFANA_API_KEY PLUGINS_GRAFANA_API_KEY=core-plugins-build-and-release:PLUGINS_GRAFANA_API_KEY
PLUGINS_GCOM_TOKEN=core-plugins-build-and-release:PLUGINS_GCOM_TOKEN PLUGINS_GCOM_TOKEN=core-plugins-build-and-release:PLUGINS_GCOM_TOKEN
- name: 'Authenticate to Google Cloud' - name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2' uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
with: with:
credentials_json: '${{ env.PLUGINS_GOOGLE_CREDENTIALS }}' credentials_json: '${{ env.PLUGINS_GOOGLE_CREDENTIALS }}'
- name: 'Set up Cloud SDK' - name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2' uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
- name: Setup nodejs environment - name: Setup nodejs environment
uses: actions/setup-node@v4 uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with: with:
node-version-file: .nvmrc node-version-file: .nvmrc
cache: yarn cache: yarn
@ -70,7 +74,7 @@ jobs:
run: | run: |
dir=$(dirname \ dir=$(dirname \
$(egrep -lir --include=plugin.json --exclude-dir=dist \ $(egrep -lir --include=plugin.json --exclude-dir=dist \
'"id": "${{ inputs.plugin_id }}"' \ '"id": "${PLUGIN_ID}"' \
public/app/plugins \ public/app/plugins \
) \ ) \
) )
@ -85,19 +89,19 @@ jobs:
working-directory: ${{ steps.get_dir.outputs.dir }} working-directory: ${{ steps.get_dir.outputs.dir }}
run: | run: |
[ ! -d ./bin ] && mkdir -pv ./bin || true [ ! -d ./bin ] && mkdir -pv ./bin || true
curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v${{ env.GRABPL_VERSION }}/grabpl curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v$GRABPL_VERSION/grabpl
chmod 0755 ./bin/grabpl chmod 0755 ./bin/grabpl
- name: Check backend - name: Check backend
id: check_backend id: check_backend
shell: bash shell: bash
run: | run: |
if egrep -qr --include=main.go 'datasource.Manage\("${{ inputs.plugin_id }}"' pkg/tsdb; then if egrep -qr --include=main.go 'datasource.Manage\("$PLUGIN_ID"' pkg/tsdb; then
echo "has_backend=true" >> $GITHUB_OUTPUT echo "has_backend=true" >> $GITHUB_OUTPUT
else else
echo "has_backend=false" >> $GITHUB_OUTPUT echo "has_backend=false" >> $GITHUB_OUTPUT
fi fi
- name: Setup golang environment - name: Setup golang environment
uses: actions/setup-go@v4 uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
if: steps.check_backend.outputs.has_backend == 'true' if: steps.check_backend.outputs.has_backend == 'true'
with: with:
go-version-file: go.mod go-version-file: go.mod
@ -151,7 +155,7 @@ jobs:
# Release branch, do not add commit hash to version # Release branch, do not add commit hash to version
command="plugin:build" command="plugin:build"
fi fi
yarn $command --scope="@grafana-plugins/${{ inputs.plugin_id }}" yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version) version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version)
echo "version=${version}" >> $GITHUB_OUTPUT echo "version=${version}" >> $GITHUB_OUTPUT
- name: build:backend - name: build:backend
@ -160,7 +164,7 @@ jobs:
env: env:
VERSION: ${{ steps.build_frontend.outputs.version }} VERSION: ${{ steps.build_frontend.outputs.version }}
run: | run: |
make build-plugin-go PLUGIN_ID=${{ inputs.plugin_id }} make build-plugin-go PLUGIN_ID=$PLUGIN_ID
- name: package - name: package
working-directory: ${{ steps.get_dir.outputs.dir }} working-directory: ${{ steps.get_dir.outputs.dir }}
run: | run: |
@ -175,7 +179,7 @@ jobs:
VERSION: ${{ steps.build_frontend.outputs.version }} VERSION: ${{ steps.build_frontend.outputs.version }}
run: | run: |
api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \ api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
'${{ env.GCOM_API}}/api/plugins/${{ inputs.plugin_id }}?version=$VERSION' \ '${{ env.GCOM_API}}/api/plugins/$PLUGIN_ID?version=$VERSION' \
-H 'accept: application/json') -H 'accept: application/json')
api_res_code=$(echo $api_res | jq -r .code) api_res_code=$(echo $api_res | jq -r .code)
if [ "$api_res_code" = "NotFound" ]; then if [ "$api_res_code" = "NotFound" ]; then
@ -197,10 +201,10 @@ jobs:
run: | run: |
echo "Publish release to Google Cloud Storage:" echo "Publish release to Google Cloud Storage:"
touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows
gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux
gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin
gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any
- name: Publish new plugin version on grafana.com - name: Publish new plugin version on grafana.com
if: steps.check_backend.outputs.has_backend == 'true' if: steps.check_backend.outputs.has_backend == 'true'
working-directory: ${{ steps.get_dir.outputs.dir }} working-directory: ${{ steps.get_dir.outputs.dir }}
@ -214,27 +218,27 @@ jobs:
\"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\", \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
\"download\": { \"download\": {
\"linux-amd64\": { \"linux-amd64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_amd64.zip\", \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_amd64.zip\",
\"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\" \"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\"
}, },
\"linux-arm64\": { \"linux-arm64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm64.zip\", \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm64.zip\",
\"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\" \"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\"
}, },
\"linux-arm\": { \"linux-arm\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm.zip\", \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm.zip\",
\"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\" \"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\"
}, },
\"windows-amd64\": { \"windows-amd64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows/${{ inputs.plugin_id }}-${VERSION}.windows_amd64.zip\", \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows/$PLUGIN_ID-${VERSION}.windows_amd64.zip\",
\"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\" \"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\"
}, },
\"darwin-amd64\": { \"darwin-amd64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_amd64.zip\", \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_amd64.zip\",
\"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\" \"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\"
}, },
\"darwin-arm64\": { \"darwin-arm64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_arm64.zip\", \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_arm64.zip\",
\"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\" \"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\"
} }
} }
@ -257,7 +261,7 @@ jobs:
\"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\", \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
\"download\": { \"download\": {
\"any\": { \"any\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any/${{ inputs.plugin_id }}-${VERSION}.any.zip\", \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip\",
\"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\" \"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\"
} }
} }

2
.github/workflows/create-next-release-branch.yml
Unescape View File

@ -46,7 +46,7 @@ jobs:
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }} private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Create release branch - name: Create release branch
id: branch id: branch
uses: grafana/grafana-github-actions-go/bump-release@main uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]
with: with:
ownerRepo: ${{ inputs.ownerRepo }} ownerRepo: ${{ inputs.ownerRepo }}
source: ${{ inputs.source }} source: ${{ inputs.source }}

5
.github/workflows/create-security-patch-from-security-mirror.yml
Unescape View File

@ -17,7 +17,7 @@ on:
jobs: jobs:
trigger_downstream_create_security_patch: trigger_downstream_create_security_patch:
concurrency: create-patch-${{ github.ref_name }} concurrency: create-patch-${{ github.ref_name }}
uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main # zizmor: ignore[unpinned-uses]
if: github.repository == 'grafana/grafana-security-mirror' if: github.repository == 'grafana/grafana-security-mirror'
with: with:
repo: "${{ github.repository }}" repo: "${{ github.repository }}"
@ -25,5 +25,4 @@ jobs:
patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main" patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
patch_repo: "grafana/grafana-security-patches" patch_repo: "grafana/grafana-security-patches"
patch_prefix: "${{ github.event.pull_request.number }}" patch_prefix: "${{ github.event.pull_request.number }}"
secrets: inherit secrets: inherit # zizmor: ignore[secrets-inherit]

15
.github/workflows/dashboards-issue-add-label.yml
Unescape View File

@ -22,7 +22,7 @@ jobs:
steps: steps:
- name: "Get vault secrets" - name: "Get vault secrets"
id: vault-secrets id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with: with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
repo_secrets: | repo_secrets: |
@ -38,11 +38,13 @@ jobs:
- name: Check if issue is in target project - name: Check if issue is in target project
env: env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }} GH_TOKEN: ${{ steps.generate_token.outputs.token }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
TARGET_PROJECT: ${{ env.TARGET_PROJECT }}
run: | run: |
gh api graphql -f query=' gh api graphql -f query='
query($org: String!, $repo: String!) { query($org: String!, $repo: String!) {
repository(name: $repo, owner: $org) { repository(name: $repo, owner: $org) {
issue (number: ${{ github.event.issue.number }}) { issue (number: $ISSUE_NUMBER) {
id id
projectItems(first:20) { projectItems(first:20) {
nodes { nodes {
@ -55,12 +57,14 @@ jobs:
} }
}' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.TARGET_PROJECT }}) | .project != null' projects_data.json) >> $GITHUB_ENV echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json) >> $GITHUB_ENV
echo 'ITEM_ID='$(jq '.data.repository.issue.id' projects_data.json) >> $GITHUB_ENV echo 'ITEM_ID='$(jq '.data.repository.issue.id' projects_data.json) >> $GITHUB_ENV
- name: Set up label array - name: Set up label array
if: env.IN_TARGET_PROJ if: env.IN_TARGET_PROJ
env:
LABEL_IDS: ${{ env.LABEL_IDS }}
run: | run: |
IFS=',' read -ra LABEL_IDs <<< "${{ env.LABEL_IDs }}" IFS=',' read -ra LABEL_IDs <<< "$LABEL_IDS"
for item in "${LABEL_IDs[@]}"; do for item in "${LABEL_IDs[@]}"; do
echo "Item: $item" echo "Item: $item"
done done
@ -68,6 +72,7 @@ jobs:
if: env.IN_TARGET_PROJ if: env.IN_TARGET_PROJ
env: env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }} GH_TOKEN: ${{ steps.generate_token.outputs.token }}
LABEL_IDS: ${{ env.LABEL_IDS }}
run: | run: |
gh api graphql -f query=' gh api graphql -f query='
mutation ($labelableId: ID!, $labelIds: [ID!]!) { mutation ($labelableId: ID!, $labelIds: [ID!]!) {
@ -76,4 +81,4 @@ jobs:
) { ) {
clientMutationId clientMutationId
} }
}' -f labelableId=$ITEM_ID -f labelIds=${{ env.LABEL_IDs }} }' -f labelableId=$ITEM_ID -f labelIds=$LABEL_IDS

21
.github/workflows/deploy-pr-preview.yml
Unescape View File

@ -11,14 +11,21 @@ on:
jobs: jobs:
deploy-pr-preview: deploy-pr-preview:
if: ${{ ! github.event.pull_request.head.repo.fork }} if: "!github.event.pull_request.head.repo.fork"
uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main # zizmor: ignore[unpinned-uses]
with: with:
sha: ${{ github.event.pull_request.head.sha }}
branch: ${{ github.head_ref }} branch: ${{ github.head_ref }}
event_number: ${{ github.event.number }} event_number: ${{ github.event.number }}
title: ${{ github.event.pull_request.title }}
repo: grafana repo: grafana
website_directory: content/docs/grafana/latest sha: ${{ github.event.pull_request.head.sha }}
relative_prefix: /docs/grafana/latest/ sources: |
index_file: true [
{
"index_file": "content/docs/grafana/_index.md",
"relative_prefix": "/docs/grafana/latest/",
"repo": "grafana",
"source_directory": "docs/sources",
"website_directory": "content/docs/grafana/latest"
}
]
title: ${{ github.event.pull_request.title }}

36
.github/workflows/detect-breaking-changes-levitate.yml
Unescape View File

@ -6,9 +6,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
id-token: write
on: on:
pull_request: pull_request:
@ -24,12 +22,16 @@ jobs:
defaults: defaults:
run: run:
working-directory: './pr' working-directory: './pr'
permissions:
contents: read
id-token: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
path: './pr' path: './pr'
- uses: actions/setup-node@v4 persist-credentials: false
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with: with:
node-version: 22.11.0 node-version: 22.11.0
@ -67,17 +69,20 @@ jobs:
buildBase: buildBase:
name: Build Base packages artifacts name: Build Base packages artifacts
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
defaults: defaults:
run: run:
working-directory: './base' working-directory: './base'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
path: './base' path: './base'
ref: ${{ github.event.pull_request.base.ref }} ref: ${{ github.event.pull_request.base.ref }}
- uses: actions/setup-node@v4 - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with: with:
node-version: 22.11.0 node-version: 22.11.0
@ -123,8 +128,8 @@ jobs:
id-token: 'write' id-token: 'write'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@v4 - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with: with:
node-version: 22.11.0 node-version: 22.11.0
@ -145,14 +150,14 @@ jobs:
run: unzip -j base_built_packages.zip -d ./base && rm base_built_packages.zip run: unzip -j base_built_packages.zip -d ./base && rm base_built_packages.zip
- id: 'auth' - id: 'auth'
uses: 'google-github-actions/auth@v2' uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
with: with:
workload_identity_provider: ${{ secrets.WIF_PROVIDER }} workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
service_account: ${{ secrets.LEVITATE_SA }} service_account: ${{ secrets.LEVITATE_SA }}
project_id: 'grafanalabs-global' project_id: 'grafanalabs-global'
- name: 'Set up Cloud SDK' - name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2' uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
with: with:
version: '>= 363.0.0' version: '>= 363.0.0'
project_id: 'grafanalabs-global' project_id: 'grafanalabs-global'
@ -180,6 +185,9 @@ jobs:
name: Report breaking changes in PR comment name: Report breaking changes in PR comment
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: ['Detect'] needs: ['Detect']
permissions:
contents: read
id-token: write
steps: steps:
- name: "Generate token" - name: "Generate token"
@ -189,7 +197,7 @@ jobs:
app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }} app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }} private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: 'Download artifact' - name: 'Download artifact'
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
@ -238,7 +246,7 @@ jobs:
# Comment on the PR # Comment on the PR
- name: Comment on PR - name: Comment on PR
if: steps.levitate-run.outputs.exit_code == 1 if: steps.levitate-run.outputs.exit_code == 1
uses: marocchino/sticky-pull-request-comment@v2 uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
with: with:
header: levitate-breaking-change-comment header: levitate-breaking-change-comment
number: ${{ github.event.pull_request.number }} number: ${{ github.event.pull_request.number }}
@ -255,7 +263,7 @@ jobs:
# Remove comment from the PR (no more breaking changes) # Remove comment from the PR (no more breaking changes)
- name: Remove comment from PR - name: Remove comment from PR
if: steps.levitate-run.outputs.exit_code == 0 if: steps.levitate-run.outputs.exit_code == 0
uses: marocchino/sticky-pull-request-comment@v2 uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
with: with:
header: levitate-breaking-change-comment header: levitate-breaking-change-comment
number: ${{ github.event.pull_request.number }} number: ${{ github.event.pull_request.number }}

26
.github/workflows/doc-validator.yml
Unescape View File

@ -1,26 +0,0 @@
name: "doc-validator"
on:
workflow_dispatch:
inputs:
include:
description: |
Regular expression that matches paths to include in linting.
For example: docs/sources/(?:alerting|fundamentals)/.+\.md
required: true
jobs:
doc-validator:
runs-on: "ubuntu-latest"
container:
image: "grafana/doc-validator:v5.2.0"
steps:
- name: "Checkout code"
uses: "actions/checkout@v4"
- name: "Run doc-validator tool"
# Only run doc-validator on specific directories.
run: >
doc-validator
'--include=${{ inputs.include }}'
'--skip-checks=^(?:image.+|canonical-does-not-match-pretty-URL)$'
./docs/sources
/docs/grafana/latest

19
.github/workflows/documentation-ci.yml
Unescape View File

@ -0,0 +1,19 @@
name: Documentation CI
on:
pull_request:
branches: ["main"]
paths: ["docs/sources/**"]
workflow_dispatch:
jobs:
vale:
runs-on: ubuntu-latest
container:
image: grafana/vale:latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: grafana/writers-toolkit/vale-action@vale-action/v1 # zizmor: ignore[unpinned-uses]
with:
filter: '.Name in ["Grafana.GrafanaCom", "Grafana.WordList", "Grafana.Spelling", "Grafana.ProductPossessives"]'
token: ${{ secrets.GITHUB_TOKEN }}

3
.github/workflows/ephemeral-instances-pr-comment.yml
Unescape View File

@ -41,12 +41,13 @@ jobs:
private_key: ${{ secrets.EI_APP_PRIVATE_KEY }} private_key: ${{ secrets.EI_APP_PRIVATE_KEY }}
- name: Checkout ephemeral instances repository - name: Checkout ephemeral instances repository
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
repository: grafana/ephemeral-grafana-instances-github-action repository: grafana/ephemeral-grafana-instances-github-action
token: ${{ steps.generate_token.outputs.token }} token: ${{ steps.generate_token.outputs.token }}
ref: main ref: main
path: ephemeral path: ephemeral
persist-credentials: false
- name: build and deploy ephemeral instance - name: build and deploy ephemeral instance
uses: ./ephemeral uses: ./ephemeral

149
.github/workflows/epic-add-to-platform-ux-parent-project.yml
Unescape View File

@ -1,149 +0,0 @@
name: When epic issues changed in Platform UX squad projects, check if epic is part of specified child projects and update on Platform UX parent project
on:
issues:
types: [opened, closed, edited, reopened, assigned, unassigned, labeled, unlabeled]
labels:
- 'type/epic'
env:
GH_TOKEN: ${{ secrets.GH_BOT_PROJECTS_ACCESS_TOKEN }}
ORGANIZATION: ${{ github.repository_owner }}
REPO: ${{ github.event.repository.name }}
PARENT_PROJECT: 304
CHILD_PROJECT_1: 78
CHILD_PROJECT_2: 111
CHILD_PROJECT_3: 202
concurrency:
group: issue-add-to-parent-project-${{ github.event.number }}
jobs:
config:
runs-on: "ubuntu-latest"
outputs:
has-secrets: ${{ steps.check.outputs.has-secrets }}
steps:
- name: "Check for secrets"
id: check
shell: bash
run: |
if [ -n "${{ (secrets.GH_BOT_PROJECTS_ACCESS_TOKEN != '') || '' }}" ]; then
echo "has-secrets=1" >> "$GITHUB_OUTPUT"
fi
main:
needs: config
if: needs.config.outputs.has-secrets && contains(github.event.issue.labels.*.name, 'type/epic')
runs-on: ubuntu-latest
steps:
- name: Check if issue is in child or parent projects
run: |
gh api graphql -f query='
query($org: String!, $repo: String!) {
repository(name: $repo, owner: $org) {
issue (number: ${{ github.event.issue.number }}) {
projectItems(first:20) {
nodes {
id,
project {
number,
title
},
fieldValueByName(name:"Status") {
... on ProjectV2ItemFieldSingleSelectValue {
optionId
name
}
}
}
}
}
}
}' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
echo 'IN_PARENT_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .project != null' projects_data.json) >> $GITHUB_ENV
echo 'PARENT_PROJ_STATUS_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | select(.fieldValueByName != null) | .fieldValueByName.optionId' projects_data.json) >> $GITHUB_ENV
echo 'ITEM_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .id' projects_data.json) >> $GITHUB_ENV
echo 'IN_CHILD_PROJ='$(jq 'first(.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.CHILD_PROJECT_1 }} or .project.number==${{ env.CHILD_PROJECT_2 }} or .project.number==${{ env.CHILD_PROJECT_3 }}) | .project != null)' projects_data.json) >> $GITHUB_ENV
echo 'CHILD_PROJ_STATUS='$(jq -r '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.CHILD_PROJECT_1 }} or .project.number==${{ env.CHILD_PROJECT_2 }} or .project.number==${{ env.CHILD_PROJECT_3 }}) | select(.fieldValueByName != null) | .fieldValueByName.name' projects_data.json) >> $GITHUB_ENV
- name: Get parent project project data
if: env.IN_CHILD_PROJ
run: |
gh api graphql -f query='
query($org: String!, $number: Int!) {
organization(login: $org){
projectV2(number: $number) {
id
fields(first:20) {
nodes {
... on ProjectV2Field {
id
name
}
... on ProjectV2SingleSelectField {
id
name
options {
id
name
}
}
}
}
}
}
}' -f org=$ORGANIZATION -F number=$PARENT_PROJECT > project_data.json
echo 'PROJECT_ID='$(jq '.data.organization.projectV2.id' project_data.json) >> $GITHUB_ENV
echo 'STATUS_FIELD_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .id' project_data.json) >> $GITHUB_ENV
echo 'TODO_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="Todo") |.id' project_data.json) >> $GITHUB_ENV
echo 'PROGRESS_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="In Progress") |.id' project_data.json) >> $GITHUB_ENV
echo 'DONE_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="Done") |.id' project_data.json) >> $GITHUB_ENV
- name: Add issue to parent project
if: env.IN_CHILD_PROJ && !env.IN_PARENT_PROJ
run: |
item_id="$( gh api graphql -f query='
mutation($project:ID!, $issue:ID!) {
addProjectV2ItemById(input: {projectId: $project, contentId: $issue}) {
item {
id
}
}
}' -f project=$PROJECT_ID -f issue=${{ github.event.issue.node_id }} --jq '.data.addProjectV2ItemById.item.id')"
echo 'ITEM_ID='$item_id >> $GITHUB_ENV
- name: Set parent project status Done
if: contains(env.CHILD_PROJ_STATUS, 'Done')
run: |
echo 'OPTION_ID='$DONE_OPTION_ID >> $GITHUB_ENV
- name: Set parent project status In Progress
if: contains(env.CHILD_PROJ_STATUS, 'In ') || contains(env.CHILD_PROJ_STATUS, 'Blocked')
run: |
echo 'OPTION_ID='$PROGRESS_OPTION_ID >> $GITHUB_ENV
- name: Set parent project status To do
if: env.CHILD_PROJ_STATUS && !contains(env.CHILD_PROJ_STATUS, 'In ') && !contains(env.CHILD_PROJ_STATUS, 'Blocked') && ! contains(env.CHILD_PROJ_STATUS, 'Done')
run: |
echo 'OPTION_ID='$TODO_OPTION_ID >> $GITHUB_ENV
- name: Set issue status in parent project
if: env.OPTION_ID && (env.OPTION_ID != env.PARENT_PROJ_STATUS_ID)
run: |
gh api graphql -f query='
mutation (
$project: ID!
$item: ID!
$status_field: ID!
$status_value: String!
) {
set_status: updateProjectV2ItemFieldValue(input: {
projectId: $project
itemId: $item
fieldId: $status_field
value: {
singleSelectOptionId: $status_value
}
}) {
projectV2Item {
id
}
}
}' -f project=$PROJECT_ID -f item=$ITEM_ID -f status_field=$STATUS_FIELD_ID -f status_value=${{ env.OPTION_ID }} --silent

25
.github/workflows/feature-toggles-ci.yml
Unescape View File

@ -0,0 +1,25 @@
name: Feature toggles CI
on:
pull_request:
paths:
- 'pkg/services/featuremgmt/toggles_gen_test.go'
- 'pkg/services/featuremgmt/registry.go'
- 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md'
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: 'go.mod'
cache: true
- name: Run feature toggle tests
run: go test -v -run TestFeatureToggleFiles ./pkg/services/featuremgmt/

133
.github/workflows/frontend-lint.yml
Unescape View File

@ -0,0 +1,133 @@
name: Lint Frontend
on:
pull_request:
push:
branches:
- main
- release-*.*.*
permissions: {}
jobs:
lint-frontend-verify-i18n:
name: Verify i18n
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
cache-dependency-path: 'yarn.lock'
- run: yarn install --immutable --check-cache
- run: |
extract_error_message='::error::Extraction failed. Make sure that you have no dynamic translation phrases, such as "t(`preferences.theme.{themeID}`, themeName)" and that no translation key is used twice. Search the output for '[warning]' to find the offending file.'
make i18n-extract || (echo "${extract_error_message}" && false)
- run: |
uncommited_error_message="::error::Translation extraction has not been committed. Please run 'make i18n-extract', commit the changes and push again."
file_diff=$(git diff --dirstat public/locales)
if [ -n "$file_diff" ]; then
echo $file_diff
echo "${uncommited_error_message}"
exit 1
fi
lint-frontend-prettier:
permissions:
contents: read
id-token: write
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `lint-frontend-prettier-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
cache-dependency-path: 'yarn.lock'
- run: yarn install --immutable --check-cache
- run: yarn run prettier:check
- run: yarn run lint
lint-frontend-prettier-enterprise:
permissions:
contents: read
id-token: write
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
cache-dependency-path: 'yarn.lock'
- name: Setup Enterprise
uses: ./.github/actions/setup-enterprise
with:
github-app-name: 'grafana-ci-bot'
- run: yarn install --immutable --check-cache
- run: yarn run prettier:check
- run: yarn run lint
lint-frontend-typecheck:
permissions:
contents: read
id-token: write
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `lint-frontend-typecheck-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
name: Typecheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
cache-dependency-path: 'yarn.lock'
- run: yarn install --immutable --check-cache
- run: yarn run typecheck
lint-frontend-typecheck-enterprise:
permissions:
contents: read
id-token: write
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
name: Typecheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
cache-dependency-path: 'yarn.lock'
- name: Setup Enterprise
uses: ./.github/actions/setup-enterprise
with:
github-app-name: 'grafana-ci-bot'
- run: yarn install --immutable --check-cache
- run: yarn run typecheck
lint-frontend-betterer:
permissions:
contents: read
id-token: write
name: Betterer
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
cache-dependency-path: 'yarn.lock'
- run: yarn install --immutable --check-cache
- run: yarn run betterer:ci

2
.github/workflows/github-release.yml
Unescape View File

@ -40,7 +40,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Create GitHub release (manually invoked) - name: Create GitHub release (manually invoked)
uses: grafana/grafana-github-actions-go/github-release@main uses: grafana/grafana-github-actions-go/github-release@main # zizmor: ignore[unpinned-uses]
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
version: ${{ inputs.version }} version: ${{ inputs.version }}

32
.github/workflows/go-lint.yml
Unescape View File

@ -0,0 +1,32 @@
name: golangci-lint
on:
push:
paths:
- pkg/**
- .github/workflows/go-lint.yml
- go.*
branches:
- main
pull_request:
permissions:
contents: read
jobs:
lint-go:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: ./go.mod
- run: make gen-go
- name: golangci-lint
uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
with:
version: v2.0.2
args: |
--verbose $(go list -m -f '{{.Dir}}' | xargs -I{} sh -c 'test ! -f {}/.nolint && echo {}/...')
install-mode: binary

27
.github/workflows/i18n-crowdin-create-tasks.yml
Unescape View File

@ -0,0 +1,27 @@
name: Crowdin Create Tasks
on:
workflow_dispatch:
# schedule:
# - cron: "0 0 * * *"
jobs:
create-tasks-in-crowdin:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
- name: Create tasks
env:
CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
run: node ./.github/workflows/scripts/crowdin/create-tasks.js

68
.github/workflows/i18n-crowdin-download.yml
Unescape View File

@ -3,7 +3,7 @@ name: Crowdin Download Action
on: on:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
- cron: "0 * * * *" - cron: "0 0 * * *"
jobs: jobs:
download-sources-from-crowdin: download-sources-from-crowdin:
@ -12,6 +12,7 @@ jobs:
permissions: permissions:
contents: write # needed to commit changes into the PR contents: write # needed to commit changes into the PR
pull-requests: write # needed to update PR description, labels, etc pull-requests: write # needed to update PR description, labels, etc
id-token: write # needed to get vault secrets
steps: steps:
- name: Generate token - name: Generate token
@ -21,14 +22,15 @@ jobs:
app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }} app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }} private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
ref: ${{ github.head_ref }} ref: ${{ github.head_ref }}
token: ${{ steps.generate_token.outputs.token }} token: ${{ steps.generate_token.outputs.token }}
persist-credentials: false
- name: Download sources - name: Download sources
id: crowdin-download id: crowdin-download
uses: crowdin/github-action@v2 uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
with: with:
upload_sources: false upload_sources: false
upload_translations: false upload_translations: false
@ -41,17 +43,11 @@ jobs:
pull_request_body: | pull_request_body: |
:robot: Automatic download of translations from Crowdin. :robot: Automatic download of translations from Crowdin.
Steps for merging: This runs once per day and will merge automatically if all the required checks pass.
1. A quick sanity check of the changes and approve. Things to look out for:
- No changes in the English file. The source of truth is in the main branch, NOT in Crowdin.
- Translations maybe be removed if the English phrase was removed, but there should not be many of these
- Anything else that looks 'funky'. Ask if you're not sure.
2. Approve & (Auto-)merge. :tada:
If there's a conflict, close the pull request and **delete the branch**. A GH action will recreate the pull request. If there's a conflict, close the pull request and **delete the branch**.
Remember, the longer this pull request is open, the more likely it is that it'll get conflicts. You can then either wait for the schedule to trigger a new PR, or rerun the action manually.
pull_request_labels: 'area/frontend, area/internationalization, no-changelog, no-backport' pull_request_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
pull_request_reviewers: 'grafana-frontend-platform'
pull_request_base_branch_name: 'main' pull_request_base_branch_name: 'main'
base_url: 'https://grafana.api.crowdin.com' base_url: 'https://grafana.api.crowdin.com'
config: 'crowdin.yml' config: 'crowdin.yml'
@ -77,7 +73,7 @@ jobs:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: Get project board ID - name: Get project board ID
uses: octokit/graphql-action@v2.x uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
id: get-project-id id: get-project-id
if: steps.crowdin-download.outputs.pull_request_url if: steps.crowdin-download.outputs.pull_request_url
with: with:
@ -97,7 +93,7 @@ jobs:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: Add to project board - name: Add to project board
uses: octokit/graphql-action@v2.x uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
if: steps.crowdin-download.outputs.pull_request_url if: steps.crowdin-download.outputs.pull_request_url
with: with:
projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }} projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }}
@ -114,8 +110,50 @@ jobs:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: Run auto-milestone - name: Run auto-milestone
uses: grafana/grafana-github-actions-go/auto-milestone@main uses: grafana/grafana-github-actions-go/auto-milestone@main # zizmor: ignore[unpinned-uses]
if: steps.crowdin-download.outputs.pull_request_url if: steps.crowdin-download.outputs.pull_request_url
with: with:
pr: ${{ steps.crowdin-download.outputs.pull_request_number }} pr: ${{ steps.crowdin-download.outputs.pull_request_number }}
token: ${{ steps.generate_token.outputs.token }} token: ${{ steps.generate_token.outputs.token }}
- name: Get vault secrets
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in ci/repo/grafana/grafana/grafana-pr-approver
repo_secrets: |
GRAFANA_PR_APPROVER_APP_ID=grafana-pr-approver:app-id
GRAFANA_PR_APPROVER_APP_PEM=grafana-pr-approver:private-key
- name: Generate approver token
if: steps.crowdin-download.outputs.pull_request_url
id: generate_approver_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ env.GRAFANA_PR_APPROVER_APP_ID }}
private_key: ${{ env.GRAFANA_PR_APPROVER_APP_PEM }}
- name: Approve and automerge PR
if: steps.crowdin-download.outputs.pull_request_url
shell: bash
# Only approve if:
# - the PR does not modify files other than json files under the public/locales/ directory
# - the PR does not modify the en-US locale
run: |
filesChanged=$(gh pr diff --name-only ${{ steps.crowdin-download.outputs.pull_request_url }})
if [[ $(echo $filesChanged | grep -v 'public/locales/[a-zA-Z\-]*/grafana.json' | wc -l) -ne 0 ]]; then
echo "Non-i18n changes detected, not approving"
exit 1
fi
if [[ $(echo $filesChanged | grep "public/locales/en-US" | wc -l) -ne 0 ]]; then
echo "public/locales/en-US changes detected, not approving"
exit 1
fi
echo "Approving and enabling automerge"
gh pr review ${{ steps.crowdin-download.outputs.pull_request_url }} --approve
gh pr merge --auto --squash ${{ steps.crowdin-download.outputs.pull_request_url }}
env:
GITHUB_TOKEN: ${{ steps.generate_approver_token.outputs.token }}

6
.github/workflows/i18n-crowdin-upload.yml
Unescape View File

@ -14,10 +14,12 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Upload sources - name: Upload sources
uses: crowdin/github-action@v2 uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
with: with:
upload_sources: true upload_sources: true
upload_sources_args: '--dest=public/locales/en-US/grafana.json' upload_sources_args: '--dest=public/locales/en-US/grafana.json'

23
.github/workflows/issue-opened.yml
Unescape View File

@ -10,22 +10,24 @@ on:
concurrency: concurrency:
group: issue-opened-${{ github.event.issue.number }} group: issue-opened-${{ github.event.issue.number }}
permissions: permissions: {}
contents: read
id-token: write
jobs: jobs:
main: main:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'grafana/grafana' if: github.repository == 'grafana/grafana'
permissions:
contents: read
id-token: write
steps: steps:
- name: Checkout Actions - name: Checkout Actions
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
repository: "grafana/grafana-github-actions" repository: "grafana/grafana-github-actions"
path: ./actions path: ./actions
ref: main ref: main
persist-credentials: false
- name: Install Actions - name: Install Actions
run: npm install --production --prefix ./actions run: npm install --production --prefix ./actions
@ -37,7 +39,7 @@ jobs:
- name: "Get vault secrets" - name: "Get vault secrets"
id: vault-secrets id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with: with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
repo_secrets: | repo_secrets: |
@ -60,13 +62,16 @@ jobs:
auto-triage: auto-triage:
needs: [main] needs: [main]
permissions:
contents: read
id-token: write
if: github.repository == 'grafana/grafana' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER' if: github.repository == 'grafana/grafana' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: "Get vault secrets" - name: "Get vault secrets"
id: vault-secrets id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with: with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
repo_secrets: | repo_secrets: |
@ -83,11 +88,11 @@ jobs:
private_key: ${{ env.GH_APP_PEM }} private_key: ${{ env.GH_APP_PEM }}
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Send issue to the auto triager action - name: Send issue to the auto triager action
id: auto_triage id: auto_triage
uses: grafana/auto-triager@main uses: grafana/auto-triager@main # zizmor: ignore[unpinned-uses]
with: with:
token: ${{ steps.generate_token.outputs.token }} token: ${{ steps.generate_token.outputs.token }}
issue_number: ${{ github.event.issue.number }} issue_number: ${{ github.event.issue.number }}
@ -99,7 +104,7 @@ jobs:
- name: "Send Slack notification" - name: "Send Slack notification"
if: ${{ steps.auto_triage.outputs.triage_labels != '' }} if: ${{ steps.auto_triage.outputs.triage_labels != '' }}
uses: slackapi/slack-github-action@v1.27.0 uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
with: with:
payload: > payload: >
{ {

62
.github/workflows/lint-build-docs.yml
Unescape View File

@ -0,0 +1,62 @@
name: Documentation
on:
pull_request:
paths:
- '*.md'
- 'docs/**'
- 'packages/**/*.md'
- 'latest.json'
push:
branches:
- main
paths:
- '*.md'
- 'docs/**'
- 'packages/**/*.md'
- 'latest.json'
jobs:
docs:
name: Build & Verify Docs
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: '22.11.0'
cache: 'yarn'
- name: Install dependencies
run: yarn install --immutable
- name: Lint docs
run: yarn run prettier:checkDocs
env:
# Increase memory for prettier due to large number of files
NODE_OPTIONS: --max_old_space_size=8192
- name: Build docs website
run: |
# Create and start a container from the docs-base image in detached mode
docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null
# Create the directory structure inside the container
docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest
# Create the _index.md file
docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md"
# Copy the docs sources from the host to the container
docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/
# Run the make prod command inside the container
docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings"
# Clean up the container
docker rm -f docs-builder

6
.github/workflows/metrics-collector.yml
Unescape View File

@ -15,6 +15,9 @@ on:
issues: issues:
types: [opened, closed] types: [opened, closed]
permissions:
contents: read
jobs: jobs:
config: config:
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
@ -35,11 +38,12 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout Actions - name: Checkout Actions
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
repository: "grafana/grafana-github-actions" repository: "grafana/grafana-github-actions"
path: ./actions path: ./actions
ref: main ref: main
persist-credentials: false
- name: Install Actions - name: Install Actions
run: npm install --production --prefix ./actions run: npm install --production --prefix ./actions
- name: Run metrics collector - name: Run metrics collector

2
.github/workflows/migrate-prs.yml
Unescape View File

@ -51,7 +51,7 @@ jobs:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }} app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }} private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Migrate PRs - name: Migrate PRs
uses: grafana/grafana-github-actions-go/migrate-open-prs@main uses: grafana/grafana-github-actions-go/migrate-open-prs@main # zizmor: ignore[unpinned-uses]
with: with:
token: ${{ steps.generate_token.outputs.token }} token: ${{ steps.generate_token.outputs.token }}
ownerRepo: ${{ inputs.ownerRepo }} ownerRepo: ${{ inputs.ownerRepo }}

19
.github/workflows/milestone.yml
Unescape View File

@ -1,19 +0,0 @@
name: Close Milestone
on:
workflow_dispatch:
inputs:
version_input:
description: 'The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
required: true
jobs:
call-remove-milestone:
uses: grafana/grafana/.github/workflows/remove-milestone.yml@main
with:
version_call: ${{ github.event.inputs.version_input }}
secrets: inherit
call-close-milestone:
uses: grafana/grafana/.github/workflows/close-milestone.yml@main
with:
version_call: ${{ github.event.inputs.version_input }}
secrets: inherit
needs: call-remove-milestone

71
.github/workflows/pr-backend-coverage.yml
Unescape View File

@ -0,0 +1,71 @@
name: Coverage
on:
workflow_dispatch:
push:
branches:
- main
paths-ignore:
- 'docs/**'
- '**/*.md'
permissions:
contents: read
id-token: write
env:
EDITION: 'oss'
WIRE_TAGS: 'oss'
jobs:
main:
name: Backend Unit Tests
runs-on: ubuntu-latest-8-cores
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y build-essential shared-mime-info
go install github.com/mfridman/tparse@c1754a1f484ac5cd422697b0fec635177ddc8507 # v0.17.0
- name: Generate Go code
run: make gen-go
- name: Run unit tests
run: COVER_OPTS="-coverprofile=be-unit.cov -coverpkg=github.com/grafana/grafana/..." GO_TEST_OUTPUT="/tmp/unit.log" make test-go-unit-cov
- name: Process and upload coverage
uses: ./.github/actions/test-coverage-processor
with:
test-type: 'be-unit'
# Needs to be named 'unit.cov' based on the Makefile command `make test-go-unit`
coverage-file: 'unit.cov'
codecov-token: ${{ secrets.CODECOV_TOKEN }}
codecov-flag: 'be-unit'
codecov-name: 'be-unit'
- name: Install Grafana Bench
# We can't allow forks here, as we need secret access.
if: ${{ github.event_name != 'pull_request' }}
uses: ./.github/actions/setup-grafana-bench
- name: Process output for Bench
if: ${{ github.event_name != 'pull_request' }}
run: |
grafana-bench report \
--trigger pr-backend-unit-tests-oss \
--report-input go \
--report-output log \
--grafana-version "$(git rev-parse HEAD)" \
--suite-name grafana-oss-unit-tests \
/tmp/unit.log || true
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

3
.github/workflows/pr-checks.yml
Unescape View File

@ -31,11 +31,12 @@ jobs:
if: github.event.pull_request.draft == false if: github.event.pull_request.draft == false
steps: steps:
- name: Checkout Actions - name: Checkout Actions
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
repository: "grafana/grafana-github-actions" repository: "grafana/grafana-github-actions"
path: ./actions path: ./actions
ref: main ref: main
persist-credentials: false
- name: Install Actions - name: Install Actions
run: npm install --production --prefix ./actions run: npm install --production --prefix ./actions
- name: Run PR Checks - name: Run PR Checks

53
.github/workflows/pr-codeql-analysis-go.yml
Unescape View File

@ -1,53 +0,0 @@
name: "CodeQL for PR / go"
on:
workflow_dispatch:
pull_request:
branches: [main]
paths:
- '**/*.go'
permissions:
security-events: write
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
if: github.repository == 'grafana/grafana'
steps:
- name: "Generate token"
id: generate_token
continue-on-error: true
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Checkout repository
uses: actions/checkout@v4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
token: ${{ steps.generate_token.outputs.token }}
- name: Set go version
uses: actions/setup-go@v4
with:
go-version-file: go.mod
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: "go"
- name: Build go files
run: |
go mod verify
make build-go
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2

7
.github/workflows/pr-codeql-analysis-javascript.yml
Unescape View File

@ -20,17 +20,18 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
# We must fetch at least the immediate parents so that if this is # We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head. # a pull request then we can checkout the head.
fetch-depth: 2 fetch-depth: 2
persist-credentials: false
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@v3
with: with:
languages: "javascript" languages: "javascript"
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@v3

7
.github/workflows/pr-codeql-analysis-python.yml
Unescape View File

@ -18,17 +18,18 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
# We must fetch at least the immediate parents so that if this is # We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head. # a pull request then we can checkout the head.
fetch-depth: 2 fetch-depth: 2
persist-credentials: false
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@v3
with: with:
languages: "python" languages: "python"
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@v3

3
.github/workflows/pr-commands.yml
Unescape View File

@ -30,11 +30,12 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout Actions - name: Checkout Actions
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
repository: "grafana/grafana-github-actions" repository: "grafana/grafana-github-actions"
path: ./actions path: ./actions
ref: main ref: main
persist-credentials: false
- name: Install Actions - name: Install Actions
run: npm install --production --prefix ./actions run: npm install --production --prefix ./actions
- name: "Generate token" - name: "Generate token"

9
.github/workflows/pr-dependabot-update-go-workspace.yml
Unescape View File

@ -22,7 +22,7 @@ jobs:
steps: steps:
- name: Retrieve GitHub App secrets - name: Retrieve GitHub App secrets
id: get-secrets id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
with: with:
repo_secrets: | repo_secrets: |
APP_ID=grafana-go-workspace-bot:app-id APP_ID=grafana-go-workspace-bot:app-id
@ -37,14 +37,15 @@ jobs:
private-key: ${{ env.PRIVATE_KEY }} private-key: ${{ env.PRIVATE_KEY }}
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
repository: ${{ github.event.pull_request.head.repo.full_name }} repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }} ref: ${{ github.event.pull_request.head.ref }}
token: ${{ steps.generate_token.outputs.token }} token: ${{ steps.generate_token.outputs.token }}
persist-credentials: false
- name: Set go version - name: Set go version
uses: actions/setup-go@v4 uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with: with:
go-version-file: go.mod go-version-file: go.mod
@ -65,4 +66,4 @@ jobs:
echo "Committing and pushing workspace changes" echo "Committing and pushing workspace changes"
git commit -a -m "update workspace" git commit -a -m "update workspace"
git push origin $BRANCH_NAME git push origin $BRANCH_NAME
fi fi

72
.github/workflows/pr-e2e-tests.yml
Unescape View File

@ -0,0 +1,72 @@
name: End-to-end tests
on:
pull_request:
push:
branches:
- main
- release-*.*.*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
jobs:
build-grafana:
name: Build & Package Grafana
runs-on: ubuntu-latest-16-cores
outputs:
artifact: ${{ steps.artifact.outputs.artifact }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
repository: 'grafana/grafana-build'
ref: 'main'
persist-credentials: false
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
path: ./grafana
- run: echo "GRAFANA_GO_VERSION=$(grep "go 1." grafana/go.work | cut -d\ -f2)" >> "$GITHUB_ENV"
- uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
with:
verb: run
args: go run ./cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir=grafana --go-version=${GRAFANA_GO_VERSION} > out.txt
- run: mv $(cat out.txt) grafana.tar.gz
- run: echo "artifact=grafana-e2e-${{github.run_number}}" >> "$GITHUB_OUTPUT"
id: artifact
- uses: actions/upload-artifact@v4
id: upload
with:
retention-days: 1
name: ${{ steps.artifact.outputs.artifact }}
path: grafana.tar.gz
e2e-matrix:
name: ${{ matrix.suite }}
strategy:
matrix:
suite:
- various-suite
- dashboards-suite
- smoke-tests-suite
- panels-suite
needs:
- build-grafana
uses: ./.github/workflows/run-e2e-suite.yml
with:
package: ${{ needs.build-grafana.outputs.artifact }}
suite: ${{ matrix.suite }}
e2e-matrix-old-arch:
name: ${{ matrix.suite }} (old arch)
strategy:
matrix:
suite:
- old-arch/various-suite
- old-arch/dashboards-suite
- old-arch/smoke-tests-suite
- old-arch/panels-suite
needs:
- build-grafana
uses: ./.github/workflows/run-e2e-suite.yml
with:
package: ${{ needs.build-grafana.outputs.artifact }}
suite: ${{ matrix.suite }}

69
.github/workflows/pr-frontend-unit-tests.yml
Unescape View File

@ -0,0 +1,69 @@
name: Frontend tests
on:
pull_request:
push:
branches:
- main
- release-*.*.*
permissions: {}
jobs:
frontend-unit-tests:
permissions:
contents: read
id-token: write
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `frontend-unit-tests-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
runs-on: ubuntu-latest-8-cores
name: "Unit tests (${{ matrix.chunk }} / 8)"
strategy:
fail-fast: false
matrix:
chunk: [1, 2, 3, 4, 5, 6, 7, 8]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
cache-dependency-path: 'yarn.lock'
- run: yarn install --immutable --check-cache
- run: yarn run test:ci
env:
TEST_MAX_WORKERS: 2
TEST_SHARD: ${{ matrix.chunk }}
TEST_SHARD_TOTAL: 8
frontend-unit-tests-enterprise:
permissions:
contents: read
id-token: write
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
runs-on: ubuntu-latest-8-cores
name: "Unit tests (${{ matrix.chunk }} / 8)"
strategy:
fail-fast: false
matrix:
chunk: [1, 2, 3, 4, 5, 6, 7, 8]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
cache-dependency-path: 'yarn.lock'
- name: Setup Enterprise
uses: ./.github/actions/setup-enterprise
with:
github-app-name: 'grafana-ci-bot'
- run: yarn install --immutable --check-cache
- run: yarn run test:ci
env:
TEST_MAX_WORKERS: 2
TEST_SHARD: ${{ matrix.chunk }}
TEST_SHARD_TOTAL: 8

9
.github/workflows/pr-go-workspace-check.yml
Unescape View File

@ -21,11 +21,14 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Set go version - name: Set go version
uses: actions/setup-go@v4 uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with: with:
cache: false
go-version-file: go.mod go-version-file: go.mod
- name: Update workspace - name: Update workspace
@ -41,4 +44,4 @@ jobs:
exit 1 exit 1
fi fi
- name: Ensure Dockerfile contains submodule COPY commands - name: Ensure Dockerfile contains submodule COPY commands
run: ./scripts/go-workspace/validate-dockerfile.sh run: ./scripts/go-workspace/validate-dockerfile.sh

9
.github/workflows/pr-k8s-codegen-check.yml
Unescape View File

@ -9,6 +9,7 @@ on:
- "pkg/aggregator/apis/**" - "pkg/aggregator/apis/**"
- "pkg/apimachinery/apis/**" - "pkg/apimachinery/apis/**"
- "hack/**" - "hack/**"
- "apps/**"
- "*.sum" - "*.sum"
jobs: jobs:
@ -18,10 +19,12 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Set go version - name: Set go version
uses: actions/setup-go@v4 uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with: with:
go-version-file: go.mod go-version-file: go.mod
@ -35,4 +38,4 @@ jobs:
git diff git diff
echo "Please run './hack/update-codegen.sh' and commit the changes." echo "Please run './hack/update-codegen.sh' and commit the changes."
exit 1 exit 1
fi fi

8
.github/workflows/pr-patch-check-event.yml
Unescape View File

@ -3,7 +3,7 @@
name: Dispatch check for patch conflicts name: Dispatch check for patch conflicts
run-name: dispatch-check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }} run-name: dispatch-check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
on: on:
pull_request: pull_request_target:
types: types:
- opened - opened
- reopened - reopened
@ -13,10 +13,15 @@ on:
- "v*.*.*" - "v*.*.*"
- "release-*" - "release-*"
permissions: {}
# Since this is run on a pull request, we want to apply the patches intended for the # Since this is run on a pull request, we want to apply the patches intended for the
# target branch onto the source branch, to verify compatibility before merging. # target branch onto the source branch, to verify compatibility before merging.
jobs: jobs:
dispatch-job: dispatch-job:
permissions:
contents: read
actions: write
env: env:
HEAD_REF: ${{ github.head_ref }} HEAD_REF: ${{ github.head_ref }}
BASE_REF: ${{ github.base_ref }} BASE_REF: ${{ github.base_ref }}
@ -33,7 +38,6 @@ jobs:
# App needs Actions: Read/Write for the grafana/security-patch-actions repo # App needs Actions: Read/Write for the grafana/security-patch-actions repo
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }} app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }} private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: "Dispatch job" - name: "Dispatch job"
uses: actions/github-script@v7 uses: actions/github-script@v7
with: with:

89
.github/workflows/pr-test-integration.yml
Unescape View File

@ -0,0 +1,89 @@
name: Integration Tests
on:
push:
branches:
- main
- release-*.*.*
pull_request:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
jobs:
sqlite:
name: Sqlite
runs-on: ubuntu-latest-8-cores
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true
- run: |
make gen-go
go test -tags=sqlite -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)
mysql:
name: MySQL
runs-on: ubuntu-latest-8-cores
env:
GRAFANA_TEST_DB: mysql
MYSQL_HOST: 127.0.0.1
services:
mysql:
image: mysql:8.0.32
env:
MYSQL_ROOT_PASSWORD: rootpass
MYSQL_DATABASE: grafana_tests
MYSQL_USER: grafana
MYSQL_PASSWORD: password
options: --health-cmd="mysqladmin ping --silent" --health-interval=10s --health-timeout=5s --health-retries=3
ports:
- 3306:3306
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Setup Go
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true
- run: |
sudo apt-get update -yq && sudo apt-get install mariadb-client
cat devenv/docker/blocks/mysql_tests/setup.sql | mariadb -h 127.0.0.1 -P 3306 -u root -prootpass --disable-ssl-verify-server-cert
make gen-go
go test -tags=mysql -p=1 -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)
postgres:
name: Postgres
runs-on: ubuntu-latest-8-cores
services:
postgres:
image: postgres:12.3-alpine
env:
POSTGRES_USER: grafanatest
POSTGRES_PASSWORD: grafanatest
POSTGRES_DB: grafanatest
ports:
- 5432:5432
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Setup Go
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true
- env:
GRAFANA_TEST_DB: postgres
PGPASSWORD: grafanatest
POSTGRES_HOST: 127.0.0.1
run: |
sudo apt-get update -yq && sudo apt-get install postgresql-client
psql -p 5432 -h 127.0.0.1 -U grafanatest -d grafanatest -f devenv/docker/blocks/postgres_tests/setup.sql
make gen-go
go test -p=1 -tags=postgres -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)

5
.github/workflows/publish-kinds-next.yml
Unescape View File

@ -29,12 +29,13 @@ jobs:
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
steps: steps:
- name: "Checkout Grafana repo" - name: "Checkout Grafana repo"
uses: "actions/checkout@v4" uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: "Setup Go" - name: "Setup Go"
uses: "actions/setup-go@v4" uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
with: with:
go-version-file: go.mod go-version-file: go.mod

7
.github/workflows/publish-kinds-release.yml
Unescape View File

@ -31,13 +31,14 @@ jobs:
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
steps: steps:
- name: "Checkout Grafana repo" - name: "Checkout Grafana repo"
uses: "actions/checkout@v4" uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with: with:
# required for the `grafana/grafana-github-actions/has-matching-release-tag` action to work # required for the `grafana/grafana-github-actions/has-matching-release-tag` action to work
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: "Setup Go" - name: "Setup Go"
uses: "actions/setup-go@v4" uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
with: with:
go-version-file: go.mod go-version-file: go.mod
@ -45,7 +46,7 @@ jobs:
run: go run .github/workflows/scripts/kinds/verify-kinds.go run: go run .github/workflows/scripts/kinds/verify-kinds.go
- name: "Checkout Actions library" - name: "Checkout Actions library"
uses: "actions/checkout@v4" uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with: with:
repository: "grafana/grafana-github-actions" repository: "grafana/grafana-github-actions"
path: "./actions" path: "./actions"

4
.github/workflows/publish-technical-documentation-next.yml
Unescape View File

@ -15,7 +15,7 @@ jobs:
id-token: write id-token: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 # zizmor: ignore[unpinned-uses]
with: with:
website_directory: content/docs/grafana/next website_directory: content/docs/grafana/next

5
.github/workflows/publish-technical-documentation-release.yml
Unescape View File

@ -17,10 +17,11 @@ jobs:
id-token: write id-token: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 persist-credentials: false
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 # zizmor: ignore[unpinned-uses]
with: with:
release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$" release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$" release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"

21
.github/workflows/release-comms.yml
Unescape View File

@ -30,18 +30,16 @@ jobs:
release_branch: ${{ steps.output.outputs.release_branch }} release_branch: ${{ steps.output.outputs.release_branch }}
dry_run: ${{ steps.output.outputs.dry_run }} dry_run: ${{ steps.output.outputs.dry_run }}
latest: ${{ steps.output.outputs.latest }} latest: ${{ steps.output.outputs.latest }}
env:
HEAD_REF: ${{ github.head_ref }}
DRY_RUN: ${{ inputs.dry_run }}
LATEST: ${{ inputs.latest && '1' || '0' }}
VERSION: ${{ inputs.version }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# The github-release action expects a `LATEST` value of a string of either '1' or '0'
- if: ${{ github.event_name == 'workflow_dispatch' }}
run: |
echo setting up GITHUB_ENV for ${{ github.event_name }}
echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
echo "DRY_RUN=${{ inputs.dry_run }}" >> $GITHUB_ENV
echo "LATEST=${{ inputs.latest && '1' || '0' }}" >> $GITHUB_ENV
- if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }} - if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
run: | run: |
echo "VERSION=$(echo ${{ github.head_ref }} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV echo "VERSION=$(echo ${HEAD_REF} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV
echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV
- id: output - id: output
@ -120,7 +118,10 @@ jobs:
post_on_slack: post_on_slack:
needs: setup needs: setup
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
DRY_RUN: ${{ needs.setup.outputs.dry_run }}
VERSION: ${{ needs.setup.outputs.version }}
steps: steps:
- run: | - run: |
echo announce on slack that ${{ needs.setup.outputs.version }} has been released echo announce on slack that $VERSION has been released
echo dry run: ${{ needs.setup.outputs.dry_run }} echo dry run: $DRY_RUN

107
.github/workflows/release-pr.yml
Unescape View File

@ -33,12 +33,13 @@ on:
default: false default: false
type: boolean type: boolean
permissions: permissions: {}
contents: write
pull-requests: write
jobs: jobs:
push-changelog-to-main: push-changelog-to-main:
permissions:
contents: write
pull-requests: write
name: Create PR to main to update the changelog name: Create PR to main to update the changelog
uses: ./.github/workflows/changelog.yml uses: ./.github/workflows/changelog.yml
with: with:
@ -50,39 +51,44 @@ jobs:
secrets: secrets:
GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }} GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }} GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
create-prs: create-prs:
permissions:
contents: write
pull-requests: write
name: Create Release PR name: Create Release PR
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'grafana/grafana' if: github.repository == 'grafana/grafana'
env:
VERSION: ${{ inputs.version }}
LATEST: ${{ inputs.latest }}
DRY_RUN: ${{ inputs.dry_run }}
steps: steps:
- name: Generate bot token
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Get release branch - name: Get release branch
id: branch id: branch
uses: grafana/grafana-github-actions-go/latest-release-branch@main uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
with: with:
token: ${{ steps.generate_token.outputs.token }} token: ${{ secrets.GITHUB_TOKEN }}
ownerRepo: 'grafana/grafana' ownerRepo: 'grafana/grafana'
pattern: ${{ inputs.target }} pattern: ${{ inputs.target }}
- name: Checkout Grafana - name: Checkout Grafana
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
ref: ${{ steps.branch.outputs.branch }} ref: ${{ steps.branch.outputs.branch }}
fetch-depth: 0
fetch-tags: true fetch-tags: true
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
- name: Checkout Grafana (main) - name: Checkout Grafana (main)
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
ref: main ref: main
fetch-depth: '0' fetch-depth: '0'
fetch-tags: 'false' fetch-tags: 'false'
path: .grafana-main path: .grafana-main
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
- name: Setup nodejs environment - name: Setup nodejs environment
uses: actions/setup-node@v4 uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with: with:
node-version-file: .nvmrc node-version-file: .nvmrc
- name: Configure git user - name: Configure git user
@ -92,37 +98,43 @@ jobs:
git config --local --add --bool push.autoSetupRemote true git config --local --add --bool push.autoSetupRemote true
- name: Create branch - name: Create branch
run: git checkout -b "release/${{ github.run_id }}/${{ inputs.version }}" run: git checkout -b "release/${{ github.run_id }}/$VERSION"
- name: Generate changelog token
id: generate_changelog_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Generate changelog - name: Generate changelog
id: changelog id: changelog
uses: ./.grafana-main/.github/workflows/actions/changelog uses: ./.grafana-main/.github/workflows/actions/changelog
with: with:
github_token: ${{ steps.generate_token.outputs.token }} github_token: ${{ steps.generate_changelog_token.outputs.token }}
target: v${{ inputs.version }} target: v${{ env.VERSION }}
output_file: changelog_items.md output_file: changelog_items.md
- name: Patch CHANGELOG.md - name: Patch CHANGELOG.md
run: | run: |
# Prepare CHANGELOG.md content with version delimiters # Prepare CHANGELOG.md content with version delimiters
( (
echo echo
echo "# ${{ inputs.version}} ($(date '+%F'))" echo "# $VERSION ($(date '+%F'))"
echo echo
cat changelog_items.md cat changelog_items.md
) > CHANGELOG.part ) > CHANGELOG.part
# Check if a version exists in the changelog # Check if a version exists in the changelog
if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then if grep -q "<!-- $VERSION START" CHANGELOG.md ; then
# Replace the content between START and END delimiters # Replace the content between START and END delimiters
echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..." echo "Version $VERSION is found in the CHANGELOG.md, patching contents..."
sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \ sed -i -e "/$VERSION START/,/$VERSION END/{//!d;}" \
-e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md -e "/$VERSION START/r CHANGELOG.part" CHANGELOG.md
else else
# Prepend changelog part to the main changelog file # Prepend changelog part to the main changelog file
echo "Version ${{ inputs.version }} not found in the CHANGELOG.md" echo "Version $VERSION not found in the CHANGELOG.md"
( (
echo "<!-- ${{ inputs.version }} START -->" echo "<!-- $VERSION START -->"
cat CHANGELOG.part cat CHANGELOG.part
echo "<!-- ${{ inputs.version }} END -->" echo "<!-- $VERSION END -->"
cat CHANGELOG.md cat CHANGELOG.md
) > CHANGELOG.tmp ) > CHANGELOG.tmp
mv CHANGELOG.tmp CHANGELOG.md mv CHANGELOG.tmp CHANGELOG.md
@ -144,35 +156,46 @@ jobs:
- name: Add package.json changes - name: Add package.json changes
run: | run: |
git add package.json lerna.json yarn.lock packages public git add package.json lerna.json yarn.lock packages public
git commit -m "Update version to ${{ inputs.version }}" test -e e2e/test-plugins && git add e2e/test-plugins
git commit -m "Update version to $VERSION"
- name: Git push - name: Git push
if: ${{ inputs.dry_run }} != true if: ${{ inputs.dry_run }} != true
run: git push --set-upstream origin release/${{ github.run_id }}/${{ inputs.version }} run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
- name: Create PR without backports - name: Create PR without backports
if: "${{ inputs.backport == '' }}" if: "${{ inputs.backport == '' }}"
run: > env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BRANCH: ${{ steps.branch.outputs.branch }}
run: |
LATEST_FLAG=""
if [ "$LATEST" = "true" ]; then
LATEST_FLAG='-l "release/latest"'
fi
gh pr create \ gh pr create \
$( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \ $LATEST_FLAG \
-l "no-changelog" \ -l "no-changelog" \
--dry-run=${{ inputs.dry_run }} \ --dry-run="$DRY_RUN" \
-B "${{ steps.branch.outputs.branch }}" \ -B "$BRANCH" \
--title "Release: ${{ inputs.version }}" \ --title "Release: $VERSION" \
--body "These code changes must be merged after a release is complete" --body "These code changes must be merged after a release is complete"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create PR with backports - name: Create PR with backports
if: "${{ inputs.backport != '' }}" if: "${{ inputs.backport != '' }}"
run: > env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BRANCH: ${{ steps.branch.outputs.branch }}
run: |
LATEST_FLAG=""
if [ "$LATEST" = "true" ]; then
LATEST_FLAG='-l "release/latest"'
fi
gh pr create \ gh pr create \
$( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \ $LATEST_FLAG \
-l "product-approved" \ -l "product-approved" \
-l "no-changelog" \ -l "no-changelog" \
--dry-run=${{ inputs.dry_run }} \ --dry-run="$DRY_RUN" \
-B "${{ steps.branch.outputs.branch }}" \ -B "$BRANCH" \
--title "Release: ${{ inputs.version }}" \ --title "Release: $VERSION" \
--body "These code changes must be merged after a release is complete" --body "These code changes must be merged after a release is complete"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

60
.github/workflows/remove-milestone.yml
Unescape View File

@ -1,60 +0,0 @@
name: Remove milestone
on:
workflow_dispatch:
inputs:
version:
required: true
description: Needs to match, exactly, the name of a milestone
workflow_call:
inputs:
version_call:
description: Needs to match, exactly, the name of a milestone
required: true
type: string
jobs:
config:
runs-on: "ubuntu-latest"
outputs:
has-secrets: ${{ steps.check.outputs.has-secrets }}
steps:
- name: "Check for secrets"
id: check
shell: bash
run: |
if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
echo "has-secrets=1" >> "$GITHUB_OUTPUT"
fi
main:
needs: config
if: needs.config.outputs.has-secrets
permissions:
issues: write
runs-on: ubuntu-latest
steps:
- name: Checkout Actions
uses: actions/checkout@v4
with:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
- name: Install Actions
run: npm install --production --prefix ./actions
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Remove milestone from open issues (manually invoked)
if: ${{ github.event.inputs.version != '' }}
uses: ./actions/remove-milestone
with:
token: ${{ steps.generate_token.outputs.token }}
- name: Remove milestone from open issues (workflow invoked)
if: ${{ inputs.version_call != '' }}
uses: ./actions/remove-milestone
with:
version_call: ${{ inputs.version_call }}
token: ${{ steps.generate_token.outputs.token }}

130
.github/workflows/run-dashboard-search-e2e.yml
Unescape View File

@ -0,0 +1,130 @@
name: run-dashboard-search-e2e
on:
workflow_run:
workflows:
- trigger-dashboard-search-e2e
types:
- completed
workflow_dispatch:
env:
ARCH: linux-amd64
permissions: {}
jobs:
setup:
runs-on: ubuntu-latest
if: github.event.pull_request.draft == false
outputs:
ini_files: ${{ steps.get_files.outputs.ini_files }}
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Pin Go version to mod file
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: 'go.mod'
cache: true
- run: go version
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 20
cache: 'yarn'
- name: Cache Node Modules
id: cache-node-modules
uses: actions/cache@v3
with:
path: |
node_modules
/home/runner/.cache/Cypress
key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
- name: Install dependencies
if: steps.cache-node-modules.outputs.cache-hit != 'true'
run: yarn install --immutable
- name: Install Cypress dependencies
if: steps.cache-node-modules.outputs.cache-hit != 'true'
uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
with:
runTests: false
- name: Cache Grafana Build and Dependencies
id: cache-grafana
uses: actions/cache@v3
with:
path: |
bin/
scripts/grafana-server/
tools/
public/
conf/
e2e/test-plugins/
devenv/
key: ${{ runner.os }}-grafana-${{ hashFiles('go.mod', 'package-lock.json', 'Makefile', 'pkg/storage/**/*.go', 'public/app/features/search/**/*.ts', 'public/app/features/search/**/*.tsx') }}
# only rebuild grafana if search files have changed ( or dependencies )
- name: Build Grafana (Runs Only If Not Cached)
if: steps.cache-grafana.outputs.cache-hit != 'true'
run: make build
- name: Get list of .ini files
id: get_files
run: |
INI_FILES=$(ls ${{ github.workspace }}/e2e/dashboards-search-suite/*.ini | jq -R -s -c 'split("\n")[:-1]')
echo "ini_files=$INI_FILES" >> $GITHUB_OUTPUT
shell: bash
run_tests:
needs: setup
runs-on: ubuntu-latest
continue-on-error: true
if: github.event.pull_request.draft == false
strategy:
matrix:
ini_file: ${{ fromJson(needs.setup.outputs.ini_files) }}
permissions:
contents: read
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Restore Cached Node Modules
uses: actions/cache@v3
with:
path: |
node_modules
/home/runner/.cache/Cypress
key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
- name: Restore Cached Grafana Build and Dependencies
uses: actions/cache@v3
with:
path: |
bin/
scripts/grafana-server/
tools/
public/
conf/
e2e/test-plugins/
devenv/
key: ${{ runner.os }}-grafana-${{ hashFiles('go.mod', 'package-lock.json', 'Makefile', 'pkg/storage/**/*.go', 'public/app/features/search/**/*.ts', 'public/app/features/search/**/*.tsx') }}
- name: Set the step name
id: set_file_name
env:
INI_NAME: ${{ matrix.ini_file }}
run: |
FILE_NAME=$(basename "$env.INI_NAME" .ini)
echo "FILE_NAME=$FILE_NAME" >> $GITHUB_OUTPUT
- name: Run tests for ${{ steps.set_file_name.outputs.FILE_NAME }}
env:
INI_NAME: ${{ matrix.ini_file }}
run: |
cp -rf $INI_NAME ${{ github.workspace }}/scripts/grafana-server/custom.ini
yarn e2e:dashboards-search || echo "Test failed but marking as success since unified search is behind a feature flag and should not block PRs"

39
.github/workflows/run-e2e-suite.yml
Unescape View File

@ -0,0 +1,39 @@
name: e2e suite
on:
workflow_call:
inputs:
package:
type: string
required: true
suite:
type: string
required: true
jobs:
main:
runs-on: ubuntu-latest-8-cores
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/download-artifact@v4
with:
name: ${{ inputs.package }}
- uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
if: inputs.old-arch == false
with:
verb: run
args: go run ./pkg/build/e2e --package=grafana.tar.gz --suite=${{ inputs.suite }}
- name: Set suite name
id: set-suite-name
env:
SUITE: ${{ inputs.suite }}
run: |
echo "suite=$(echo $SUITE | sed 's/\//-/g')" >> $GITHUB_OUTPUT
- uses: actions/upload-artifact@v4
if: ${{ always() && inputs.old-arch != true }}
with:
name: e2e-${{ steps.set-suite-name.outputs.suite }}-${{github.run_number}}
path: videos
retention-days: 1

46
.github/workflows/run-schema-v2-e2e.yml
Unescape View File

@ -0,0 +1,46 @@
name: Run dashboard schema v2 e2e
on:
push:
branches:
- main
pull_request:
branches:
- '**'
env:
ARCH: linux-amd64
jobs:
dashboard-schema-v2-e2e:
runs-on: ubuntu-latest
continue-on-error: true
if: github.event.pull_request.draft == false
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Pin Go version to mod file
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: 'go.mod'
- run: go version
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 20
cache: 'yarn'
- name: Install dependencies
run: yarn install --immutable
- name: Build grafana
run: make build
- name: Install Cypress dependencies
uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
with:
runTests: false
- name: Run dashboard scenes e2e
run: yarn e2e:schema-v2 || echo "Test failed but marking as success since schema V2 is behind a feature flag and should not block PRs"
- name: Always succeed # This is a workaround to make the job pass even if the previous step fails
if: failure()
run: exit 0

15
.github/workflows/sbom-report.yml
Unescape View File

@ -1,15 +0,0 @@
name: syft-sbom-ci
on:
release:
types: [ published ]
workflow_dispatch:
jobs:
syft-sbom:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Anchore SBOM Action
uses: grafana/shared-workflows/actions@syft-sbom-v0.0.1
with:
artifact-name: ${{ github.event.repository.name }}-spdx.json

84
.github/workflows/scripts/crowdin/create-tasks.js
Unescape View File

@ -0,0 +1,84 @@
const crowdin = require('@crowdin/crowdin-api-client');
const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
if (!API_TOKEN) {
console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
process.exit(1);
}
const PROJECT_ID = process.env.CROWDIN_PROJECT_ID;
if (!PROJECT_ID) {
console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
process.exit(1);
}
const { tasksApi, projectsGroupsApi, sourceFilesApi } = new crowdin.default({
token: API_TOKEN,
organization: 'grafana'
});
const languages = await getLanguages();
const fileIds = await getFileIds();
console.log('Languages: ', languages);
console.log('File IDs: ', fileIds);
// for (const language of languages) {
// const { name, id } = language;
// await createTask(`Translate to ${name}`, id, fileIds);
// }
async function getLanguages() {
try {
const project = await projectsGroupsApi.getProject(PROJECT_ID);
const languages = project.data.targetLanguages;
return languages;
} catch (error) {
console.error('Failed to fetch languages: ', error.message);
if (error.response && error.response.data) {
console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
}
process.exit(1);
}
}
async function getFileIds() {
try {
const response = await sourceFilesApi.listProjectFiles(PROJECT_ID);
const files = response.data;
const fileIds = files.map(file => file.data.id);
return fileIds;
} catch (error) {
console.error('Failed to fetch file IDs: ', error.message);
if (error.response && error.response.data) {
console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
}
process.exit(1);
}
}
async function createTask(title, languageId, fileIds) {
try {
const taskParams = {
title,
description: TRANSLATED_CONNECTOR_DESCRIPTION,
languageId,
type: 2, // Translation by vendor
workflowStepId: 78, // Translation step ID
skipAssignedStrings: true,
fileIds,
};
console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
const response = await tasksApi.addTask(PROJECT_ID, taskParams);
console.log(`Task created successfully! Task ID: ${response.data.id}`);
return response.data;
} catch (error) {
console.error('Failed to create Crowdin task: ', error.message);
if (error.response && error.response.data) {
console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
}
process.exit(1);
}
}

106
.github/workflows/skye-add-to-project.yml
Unescape View File

@ -0,0 +1,106 @@
name: Add issues and PRs to Skye project board
on:
workflow_dispatch:
inputs:
manual_issue_number:
description: 'Issue/PR number to add to project'
required: false
type: number
issues:
types: [opened]
pull_request:
types: [opened]
permissions:
contents: read
id-token: write
env:
ORGANIZATION: grafana
REPO: grafana
PROJECT_ID: "PVT_kwDOAG3Mbc4AxfcI" # Retrieved manually from GitHub GraphQL Explorer
concurrency:
group: skye-add-to-project-${{ github.event.number }}
jobs:
main:
if: github.repository == 'grafana/grafana'
runs-on: ubuntu-latest
steps:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Vault secret paths:
# - ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot
# - ci/repo/grafana/grafana/frontend_platform_skye_usernames (comma separated list of usernames)
repo_secrets: |
GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
ALLOWED_USERS=frontend_platform_skye_usernames:allowed_users
- name: Generate token
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ env.GH_APP_ID }}
private_key: ${{ env.GH_APP_PEM }}
# Check if the user is in the list from the secret
- name: Check if user is allowed
id: check_user
env:
ALLOWED_USERS: ${{ env.ALLOWED_USERS }}
USERNAME: ${{ github.event.sender.login }}
run: |
# Convert the comma-separated list to an array
IFS=',' read -ra ALLOWED_USERS <<< "$ALLOWED_USERS"
# Check if user is in the allowed list
for allowed_user in "${ALLOWED_USERS[@]}"; do
if [ "$allowed_user" = "$USERNAME" ]; then
echo "user_allowed=true" >> $GITHUB_OUTPUT
exit 0
fi
done
echo "user_allowed=false" >> $GITHUB_OUTPUT
# Convert the issue/PR number to a node ID for the GraphQL API
- name: Get node ID for item
if: steps.check_user.outputs.user_allowed == 'true'
id: get_node_id
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
with:
query: |
query getNodeId($owner: String!, $repo: String!, $number: Int!) {
repository(owner: $owner, name: $repo) {
issueOrPullRequest(number: $number) {
... on Issue { id }
... on PullRequest { id }
}
}
}
variables: |
owner: ${{ env.ORGANIZATION }}
repo: ${{ env.REPO }}
number: ${{ github.event.number || github.event.inputs.manual_issue_number }}
env:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
# Finally, add the issue/PR to the project board
- name: Add to project board
if: steps.check_user.outputs.user_allowed == 'true'
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
with:
query: |
mutation addItem($projectid: ID!, $itemid: ID!) {
addProjectV2ItemById(input: {projectId: $projectid, contentId: $itemid}) {
item { id }
}
}
variables: |
projectid: ${{ env.PROJECT_ID }}
itemid: ${{ fromJSON(steps.get_node_id.outputs.data).repository.issueOrPullRequest.id }}
env:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

48
.github/workflows/storybook-verification.yml
Unescape View File

@ -0,0 +1,48 @@
name: Verify Storybook
on:
pull_request:
paths:
- 'packages/grafana-ui/**'
- '!docs/**'
- '!*.md'
push:
branches:
- main
paths:
- 'packages/grafana-ui/**'
- '!docs/**'
- '!*.md'
jobs:
verify-storybook:
name: Verify Storybook
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: 'package.json'
cache: 'yarn'
- name: Install dependencies
run: yarn install --immutable
- name: Run Storybook and E2E tests
uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
with:
browser: chrome
start: yarn storybook --quiet
wait-on: 'http://localhost:9001'
wait-on-timeout: 60
command: yarn e2e:storybook
install: false
env:
HOST: localhost
PORT: 9001

23
.github/workflows/sync-mirror-event.yml
Unescape View File

@ -10,10 +10,21 @@ on:
- "v*.*.*" - "v*.*.*"
- "release-*" - "release-*"
permissions: {}
# This is run after the pull request has been merged, so we'll run against the target branch # This is run after the pull request has been merged, so we'll run against the target branch
jobs: jobs:
dispatch-job: dispatch-job:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
actions: write
env:
REF_NAME: ${{ github.ref_name }}
REPO: ${{ github.repository }}
SENDER: ${{ github.event.sender.login }}
SHA: ${{ github.sha }}
PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
steps: steps:
- name: "Generate token" - name: "Generate token"
id: generate_token id: generate_token
@ -28,16 +39,18 @@ jobs:
with: with:
github-token: ${{ steps.generate_token.outputs.token }} github-token: ${{ steps.generate_token.outputs.token }}
script: | script: |
const {HEAD_REF, BASE_REF, REPO, SENDER, SHA} = process.env;
await github.rest.actions.createWorkflowDispatch({ await github.rest.actions.createWorkflowDispatch({
owner: 'grafana', owner: 'grafana',
repo: 'security-patch-actions', repo: 'security-patch-actions',
workflow_id: 'mirror-branch-and-apply-patches-event.yml', workflow_id: 'mirror-branch-and-apply-patches-event.yml',
ref: 'main', ref: 'main',
inputs: { inputs: {
src_ref: "${{ github.ref_name }}", src_ref: REF_NAME,
src_repo: "${{ github.repository }}", src_repo: REPO,
src_sha: "${{ github.sha }}", src_sha: SHA,
dest_repo: "${{ github.repository }}-security-mirror", dest_repo: REPO + "-security-mirror",
patch_repo: "${{ github.repository }}-security-patches" patch_repo: REPO + "-security-patches"
} }
}) })

28
.github/workflows/trigger-dashboard-search-e2e.yml
Unescape View File

@ -0,0 +1,28 @@
name: trigger-dashboard-search-e2e
# triggers the dashboard search e2e tests which runs async
# doesn't block prs, allows setting up notifications from grafana
on:
push:
branches:
- main
paths:
- public/app/features/search/**/*.ts
- public/app/features/search/**/*.tsx
- pkg/storage/**/*.go
pull_request:
branches:
- main
paths:
- public/app/features/search/**/*.ts
- public/app/features/search/**/*.tsx
- pkg/storage/**/*.go
env:
ARCH: linux-amd64
jobs:
trigger-search-e2e:
runs-on: ubuntu-latest
if: github.event.pull_request.draft == false
steps:
- name: Trigger Dashboard Search E2E
run: echo "Triggered Dashboard Search e2e..."

19
.github/workflows/trivy-scan.yml
Unescape View File

@ -16,9 +16,11 @@ jobs:
trivy-scan: trivy-scan:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Install Trivy - name: Install Trivy
uses: aquasecurity/setup-trivy@v0.2.2 uses: aquasecurity/setup-trivy@9ea583eb67910444b1f64abf338bd2e105a0a93d
with: with:
version: v0.56.2 version: v0.56.2
cache: true cache: true
@ -27,11 +29,14 @@ jobs:
trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db
- name: Run Trivy vulnerability scanner (table output) - name: Run Trivy vulnerability scanner (table output)
# Use the trivy binary rather than the aquasecurity/trivy-action action # Use the trivy binary rather than the aquasecurity/trivy-action action
# to avoid a few bugs # to avoid a few bugs.
# scan the filesystem, rather than building a Docker image prior - the #
# downside is we won't catch dependencies that are only installed in the # We scan the file system rather than building the Docker image to only scan
# image, but the upside is we'll only catch vulnerabilities that are # our direct dependencies. The Docker images are still scanned by
# explicitly in the our dependencies # Vulnerability Observability:
# - OSS: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/1
# - Enterprise: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/12
# (If these links are outdated, just go to the list and find the images manually.)
run: | run: |
trivy fs \ trivy fs \
--scanners vuln \ --scanners vuln \

52
.github/workflows/update-changelog.yml
Unescape View File

@ -1,52 +0,0 @@
name: Update changelog
on:
workflow_dispatch:
inputs:
version:
required: true
description: 'Needs to match, exactly, the name of a milestone. The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
skip_pr:
required: false
default: "0"
skip_community_post:
required: false
default: "0"
jobs:
config:
runs-on: "ubuntu-latest"
outputs:
has-secrets: ${{ steps.check.outputs.has-secrets }}
steps:
- name: "Check for secrets"
id: check
shell: bash
run: |
if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&
secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '' &&
secrets.GRAFANA_MISC_STATS_API_KEY != '' &&
secrets.GRAFANABOT_FORUM_KEY != ''
) || '' }}" ]; then
echo "has-secrets=1" >> "$GITHUB_OUTPUT"
fi
main:
needs: config
if: needs.config.outputs.has-secrets
runs-on: ubuntu-latest
steps:
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Run update changelog (manually invoked)
uses: grafana/grafana-github-actions-go/update-changelog@main
with:
token: ${{ steps.generate_token.outputs.token }}
version: ${{ inputs.version }}
metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
community_api_key: ${{ secrets.GRAFANABOT_FORUM_KEY }}
community_api_username: grafanabot
skip_pr: ${{ inputs.skip_pr }}
skip_community_post: ${{ inputs.skip_community_post }}

6
.github/workflows/update-make-docs.yml
Unescape View File

@ -8,8 +8,10 @@ jobs:
if: github.repository == 'grafana/grafana' if: github.repository == 'grafana/grafana'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 with:
persist-credentials: false
- uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 # zizmor: ignore[unpinned-uses]
with: with:
pr_options: > pr_options: >
--label 'backport v10.1.x' --label 'backport v10.1.x'

5
.github/workflows/verify-kinds.yml
Unescape View File

@ -11,12 +11,13 @@ jobs:
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
steps: steps:
- name: "Checkout Grafana repo" - name: "Checkout Grafana repo"
uses: "actions/checkout@v4" uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: "Setup Go" - name: "Setup Go"
uses: "actions/setup-go@v4" uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
with: with:
go-version-file: go.mod go-version-file: go.mod

23
.github/workflows/zizmor.yml
Unescape View File

@ -0,0 +1,23 @@
name: Zizmor GitHub Actions static analysis
on:
pull_request:
push:
branches:
- main
jobs:
zizmor:
name: Analyse with Zizmor
permissions:
actions: read
contents: read
# required to comment on pull requests with the results of the check
pull-requests: write
# required to upload the results to GitHub's code scanning service
security-events: write
uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@main # zizmor: ignore[unpinned-uses]
with:
fail-severity: high
min-severity: high

31
.github/zizmor.yml
Unescape View File

@ -0,0 +1,31 @@
rules:
unpinned-uses:
config:
policies:
"*": hash-pin
actions/*: any
github/*: any
grafana/*: any
forbidden-uses:
config:
deny:
# Policy-banned by our security team due to CVE-2025-30066 & CVE-2025-30154.
# https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
# https://nvd.nist.gov/vuln/detail/cve-2025-30066
# https://nvd.nist.gov/vuln/detail/cve-2025-30154
- reviewdog/*
cache-poisoning:
ignore:
- backend-unit-tests.yml
- frontend-lint.yml
- pr-frontend-unit-tests.yml
- pr-test-integration.yml
- publish-kinds-release.yml
dangerous-triggers:
ignore:
- auto-milestone.yml
- backport.yml
- pr-checks.yml
- pr-commands.yml
- pr-patch-check-event.yml
- run-dashboard-search-e2e.yml

2
pkg/build/actions/bump-version/action.yml
Unescape View File

@ -11,7 +11,7 @@ runs:
with: with:
go-version-file: go.mod go-version-file: go.mod
- name: Bump versions - name: Bump versions
uses: dagger/dagger-for-github@v5 uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
with: with:
verb: run verb: run
args: go run ./pkg/build/actions/bump-version -version=${{ inputs.version }} args: go run ./pkg/build/actions/bump-version -version=${{ inputs.version }}

Write Preview
Loading…
Cancel
Save