apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

CI: remove unused worklow; use GITHUB_TOKEN where possible (#104657)

Browse Source 
* remove unused worklow; use GITHUB_TOKEN where possible

* pin usages of checkout and setup-go

* Fix zizmor errors

* add zizmor.yml

* fix `changelog.yml`

* fix `core-plugins-build-and-release.yml`

* fix `release-comms.yml`

* update release-pr.yml and run-e2e-suite.yml

* Fix errors in files outside of .github/workflows

* Remove path filter on zizmor.yml

---------

Co-authored-by: Sven Grossmann <svennergr@gmail.com>
Co-authored-by: joshhunt <josh.hunt@grafana.com>
pull/104716/head
Kevin Minehart 3 months ago committed by GitHub
parent 97a1614cde
commit 97d10b5095
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
68 changed files with 475 additions and 467 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      .github/actions/setup-enterprise/action.yml
  2. 2
      .github/actions/setup-grafana-bench/action.yml
  3. 2
      .github/actions/test-coverage-processor/action.yml
  4. 8
      .github/workflows/alerting-swagger-gen.yml
  5. 5
      .github/workflows/alerting-update-module.yml
  6. 6
      .github/workflows/analytics-events-report.yml
  7. 7
      .github/workflows/backend-code-checks.yml
  8. 22
      .github/workflows/backend-unit-tests.yml
  9. 21
      .github/workflows/backport.yml
  10. 32
      .github/workflows/bump-version.yml
  11. 44
      .github/workflows/changelog.yml
  12. 44
      .github/workflows/close-milestone.yml
  13. 6
      .github/workflows/codeowners-validator.yml
  14. 5
      .github/workflows/codeql-analysis.yml
  15. 10
      .github/workflows/commands.yml
  16. 2
      .github/workflows/community-release.yml
  17. 52
      .github/workflows/core-plugins-build-and-release.yml
  18. 2
      .github/workflows/create-next-release-branch.yml
  19. 5
      .github/workflows/create-security-patch-from-security-mirror.yml
  20. 2
      .github/workflows/dashboards-issue-add-label.yml
  21. 2
      .github/workflows/deploy-pr-preview.yml
  22. 36
      .github/workflows/detect-breaking-changes-levitate.yml
  23. 4
      .github/workflows/documentation-ci.yml
  24. 3
      .github/workflows/ephemeral-instances-pr-comment.yml
  25. 4
      .github/workflows/feature-toggles-ci.yml
  26. 48
      .github/workflows/frontend-lint.yml
  27. 2
      .github/workflows/github-release.yml
  28. 8
      .github/workflows/go-lint.yml
  29. 6
      .github/workflows/i18n-crowdin-create-tasks.yml
  30. 13
      .github/workflows/i18n-crowdin-download.yml
  31. 6
      .github/workflows/i18n-crowdin-upload.yml
  32. 17
      .github/workflows/issue-opened.yml
  33. 6
      .github/workflows/lint-build-docs.yml
  34. 1
      .github/workflows/metrics-collector.yml
  35. 2
      .github/workflows/migrate-prs.yml
  36. 19
      .github/workflows/milestone.yml
  37. 6
      .github/workflows/pr-backend-coverage.yml
  38. 1
      .github/workflows/pr-checks.yml
  39. 3
      .github/workflows/pr-codeql-analysis-javascript.yml
  40. 3
      .github/workflows/pr-codeql-analysis-python.yml
  41. 1
      .github/workflows/pr-commands.yml
  42. 9
      .github/workflows/pr-dependabot-update-go-workspace.yml
  43. 7
      .github/workflows/pr-e2e-tests.yml
  44. 20
      .github/workflows/pr-frontend-unit-tests.yml
  45. 8
      .github/workflows/pr-go-workspace-check.yml
  46. 8
      .github/workflows/pr-k8s-codegen-check.yml
  47. 2
      .github/workflows/pr-patch-check-event.yml
  48. 14
      .github/workflows/pr-test-integration.yml
  49. 5
      .github/workflows/publish-kinds-next.yml
  50. 7
      .github/workflows/publish-kinds-release.yml
  51. 4
      .github/workflows/publish-technical-documentation-next.yml
  52. 5
      .github/workflows/publish-technical-documentation-release.yml
  53. 21
      .github/workflows/release-comms.yml
  54. 108
      .github/workflows/release-pr.yml
  55. 60
      .github/workflows/remove-milestone.yml
  56. 22
      .github/workflows/run-dashboard-search-e2e.yml
  57. 15
      .github/workflows/run-e2e-suite.yml
  58. 12
      .github/workflows/run-schema-v2-e2e.yml
  59. 6
      .github/workflows/skye-add-to-project.yml
  60. 8
      .github/workflows/storybook-verification.yml
  61. 23
      .github/workflows/sync-mirror-event.yml
  62. 6
      .github/workflows/trivy-scan.yml
  63. 52
      .github/workflows/update-changelog.yml
  64. 6
      .github/workflows/update-make-docs.yml
  65. 5
      .github/workflows/verify-kinds.yml
  66. 6
      .github/workflows/zizmor.yml
  67. 31
      .github/zizmor.yml
  68. 2
      pkg/build/actions/bump-version/action.yml

2
.github/actions/setup-enterprise/action.yml
Unescape View File

@ -12,7 +12,7 @@ runs:
steps:
- name: Retrieve GitHub App secrets
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
APP_ID=${{ inputs.github-app-name }}:app-id

2
.github/actions/setup-grafana-bench/action.yml
Unescape View File

@ -16,7 +16,7 @@ runs:
steps:
- name: Retrieve GitHub App secrets
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
APP_ID=${{ inputs.github-app-name }}:app-id

2
.github/actions/test-coverage-processor/action.yml
Unescape View File

@ -38,7 +38,7 @@ runs:
fi
- name: Report coverage to CodeCov
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5
if: inputs.codecov-token != ''
with:
files: ${{ inputs.coverage-file }}

8
.github/workflows/alerting-swagger-gen.yml
Unescape View File

@ -10,18 +10,19 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 2
persist-credentials: false
- name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
go-version-file: go.mod
- name: Build swagger
run: |
make -C pkg/services/ngalert/api/tooling post.json api.json
- name: Open Pull Request
uses: peter-evans/create-pull-request@v5
uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: "chore: update alerting swagger spec"
@ -34,4 +35,3 @@ jobs:
labels: 'area/alerting,type/docs,no-changelog'
team-reviewers: 'grafana/alerting-backend'
draft: false

5
.github/workflows/alerting-update-module.yml
Unescape View File

@ -18,7 +18,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
with:
persist-credentials: false
- name: Check if update branch exists
run: |
if git ls-remote --heads origin update-alerting-module | grep -q 'update-alerting-module'; then
@ -96,7 +97,7 @@ jobs:
make update-workspace
- id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # 1.1.0
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
GITHUB_APP_ID=alerting-team:app-id

6
.github/workflows/analytics-events-report.yml
Unescape View File

@ -8,10 +8,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'

7
.github/workflows/backend-code-checks.yml
Unescape View File

@ -24,10 +24,11 @@ jobs:
name: Validate Backend Configs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
# Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
# The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs

22
.github/workflows/backend-unit-tests.yml
Unescape View File

@ -17,9 +17,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
permissions:
contents: read
id-token: write
permissions: {}
jobs:
grafana:
@ -29,11 +27,16 @@ jobs:
name: Grafana
runs-on: ubuntu-latest-8-cores
continue-on-error: true
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
- name: Generate Go code
@ -46,11 +49,16 @@ jobs:
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
name: Grafana Enterprise
runs-on: ubuntu-latest-8-cores
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
- name: Setup Enterprise

21
.github/workflows/backport.yml
Unescape View File

@ -5,6 +5,10 @@ on:
- closed
- labeled
permissions:
contents: write
pull-requests: write
jobs:
main:
if: github.repository == 'grafana/grafana'
@ -14,20 +18,15 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
with:
persist-credentials: false
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- run: git config --global user.email '132647405+grafana-delivery-bot[bot]@users.noreply.github.com'
- run: git config --global user.name 'grafana-delivery-bot[bot]'
- run: git config --local user.name "github-actions[bot]"
- run: git config --local user.email "github-actions[bot]@users.noreply.github.com"
- run: git config --local --add --bool push.autoSetupRemote true
- name: Set remote URL
env:
GIT_TOKEN: ${{ steps.generate_token.outputs.token }}
GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git remote set-url origin "https://grafana-delivery-bot:$GIT_TOKEN@github.com/grafana/grafana.git"
- name: Run backport
uses: grafana/grafana-github-actions-go/backport@d4c452f92ed826d515dccf1f62923e537953acd8 # main
uses: grafana/grafana-github-actions-go/backport@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ steps.generate_token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}

32
.github/workflows/bump-version.yml
Unescape View File

@ -11,33 +11,37 @@ on:
dry_run:
default: false
required: false
permissions:
contents: write
pull-requests: write
jobs:
main:
bump-version:
runs-on: ubuntu-latest
steps:
- name: Checkout Grafana
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Update package.json versions
uses: ./pkg/build/actions/bump-version
with:
version: ${{ inputs.version }}
- if: ${{ inputs.push }}
name: Generate token
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- if: ${{ inputs.push }}
name: Push & Create PR
env:
VERSION: ${{ inputs.version }}
DRY_RUN: ${{ inputs.dry_run }}
REF_NAME: ${{ github.ref_name }}
RUN_ID: ${{ github.run_id }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --local user.name "github-actions[bot]"
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local --add --bool push.autoSetupRemote true
git checkout -b "bump-version/${{ github.run_id }}/${{ inputs.version }}"
git checkout -b "bump-version/${RUN_ID}/${VERSION}"
git add .
git commit -m "bump version ${{ inputs.version }}"
git commit -m "bump version ${VERSION}"
git push
gh pr create --dry-run=${{ inputs.dry_run }} -l "type/ci" -l "no-changelog" -B "${{ github.ref_name }}" --title "Release: Bump version to ${{ inputs.version }}" --body "Updated version to ${{ inputs.version }}"
env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }}
gh pr create --dry-run=$DRY_RUN -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"

44
.github/workflows/changelog.yml
Unescape View File

@ -51,15 +51,20 @@ on:
default: false
type: boolean
permissions:
contents: write
pull-requests: write
permissions: {}
jobs:
main:
env:
RUN_ID: ${{ github.run_id }}
VERSION: ${{ inputs.version }}
PREVIOUS_VERISON: ${{ inputs.previous_version }}
TARGET: ${{ inputs.target }}
DRY_RUN: ${{ inputs.dry_run }}
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- name: "Generate token"
id: generate_token
@ -68,7 +73,7 @@ jobs:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: "Checkout Grafana repo"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
ref: main
sparse-checkout: |
@ -79,8 +84,9 @@ jobs:
.prettierrc.js
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Setup nodejs environment
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: .nvmrc
- name: "Configure git user"
@ -89,7 +95,7 @@ jobs:
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local --add --bool push.autoSetupRemote true
- name: "Create branch"
run: git checkout -b "changelog/${{ github.run_id }}/${{ inputs.version }}"
run: git checkout -b "changelog/${RUN_ID}/${VERSION}"
- name: "Generate changelog"
id: changelog
uses: ./.github/workflows/actions/changelog
@ -103,24 +109,24 @@ jobs:
# Prepare CHANGELOG.md content with version delimiters
(
echo
echo "# ${{ inputs.version}} ($(date '+%F'))"
echo "# ${VERSION} ($(date '+%F'))"
echo
cat changelog_items.md
) > CHANGELOG.part
# Check if a version exists in the changelog
if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
if grep -q "<!-- ${VERSION} START" CHANGELOG.md ; then
# Replace the content between START and END delimiters
echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
-e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
echo "Version ${VERSION} is found in the CHANGELOG.md, patching contents..."
sed -i -e "/${VERSION} START/,/${VERSION} END/{//!d;}" \
-e "/${VERSION} START/r CHANGELOG.part" CHANGELOG.md
else
# Prepend changelog part to the main changelog file
echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
echo "Version $VERSION not found in the CHANGELOG.md"
(
echo "<!-- ${{ inputs.version }} START -->"
echo "<!-- ${VERSION} START -->"
cat CHANGELOG.part
echo "<!-- ${{ inputs.version }} END -->"
echo "<!-- ${VERSION} END -->"
cat CHANGELOG.md
) > CHANGELOG.tmp
mv CHANGELOG.tmp CHANGELOG.md
@ -138,11 +144,11 @@ jobs:
- name: "Create changelog PR"
run: >
gh pr create \
--dry-run=${{ inputs.dry_run }} \
--dry-run=${DRY_RUN} \
--label "no-backport" \
--label "no-changelog" \
-B "${{ inputs.target }}" \
--title "Release: update changelog for ${{ inputs.version }}" \
--body "Changelog changes for release ${{ inputs.version }}"
-B "${TARGET}" \
--title "Release: update changelog for ${VERSION}" \
--body "Changelog changes for release ${VERSION}"
env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

44
.github/workflows/close-milestone.yml
Unescape View File

@ -1,44 +0,0 @@
name: Close milestone
on:
workflow_dispatch:
inputs:
version:
required: true
description: Needs to match, exactly, the name of a milestone
workflow_call:
inputs:
version_call:
description: Needs to match, exactly, the name of a milestone
required: true
type: string
jobs:
main:
if: github.repository == 'grafana/grafana'
runs-on: ubuntu-latest
steps:
- name: Checkout Actions
uses: actions/checkout@v4
with:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
- name: Install Actions
run: npm install --production --prefix ./actions
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Close milestone (manually invoked)
if: ${{ github.event.inputs.version != '' }}
uses: ./actions/close-milestone
with:
token: ${{ steps.generate_token.outputs.token }}
- name: Close milestone (workflow invoked)
if: ${{ inputs.version_call != '' }}
uses: ./actions/close-milestone
with:
version_call: ${{ inputs.version_call }}
token: ${{ steps.generate_token.outputs.token }}

6
.github/workflows/codeowners-validator.yml
Unescape View File

@ -9,9 +9,11 @@ jobs:
runs-on: ubuntu-latest
steps:
# Checks-out your repository, which is validated in the next step
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: GitHub CODEOWNERS Validator
uses: mszostok/codeowners-validator@v0.7.4
uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
# input parameters
with:
# ==== GitHub Auth ====

5
.github/workflows/codeql-analysis.yml
Unescape View File

@ -40,15 +40,16 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
persist-credentials: false
- if: matrix.language == 'go'
name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
go-version-file: go.mod

10
.github/workflows/commands.yml
Unescape View File

@ -12,9 +12,7 @@ on:
concurrency:
group: issue-commands-${{ github.event.issue.number }}
permissions:
contents: read
id-token: write
permissions: {}
jobs:
config:
@ -34,10 +32,13 @@ jobs:
needs: config
if: needs.config.outputs.has-secrets
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
repo_secrets: |
@ -57,6 +58,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions

2
.github/workflows/community-release.yml
Unescape View File

@ -36,7 +36,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Run community-release (manually invoked)
uses: grafana/grafana-github-actions-go/community-release@main
uses: grafana/grafana-github-actions-go/community-release@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: ${{ inputs.version }}

52
.github/workflows/core-plugins-build-and-release.yml
Unescape View File

@ -33,6 +33,8 @@ permissions:
jobs:
build-and-publish:
env:
PLUGIN_ID: ${{ inputs.plugin_id }}
name: Build and publish ${{ inputs.plugin_id }}
runs-on: ubuntu-latest
outputs:
@ -41,12 +43,14 @@ jobs:
version: ${{ steps.build_frontend.outputs.version }}
steps:
- name: checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Verify inputs
run: |
if [ -z ${{ inputs.plugin_id }} ]; then echo "Missing plugin ID"; exit 1; fi
if [ -z $PLUGIN_ID ]; then echo "Missing plugin ID"; exit 1; fi
- id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
repo_secrets: |
@ -54,13 +58,13 @@ jobs:
PLUGINS_GRAFANA_API_KEY=core-plugins-build-and-release:PLUGINS_GRAFANA_API_KEY
PLUGINS_GCOM_TOKEN=core-plugins-build-and-release:PLUGINS_GCOM_TOKEN
- name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
with:
credentials_json: '${{ env.PLUGINS_GOOGLE_CREDENTIALS }}'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
- name: Setup nodejs environment
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: .nvmrc
cache: yarn
@ -70,7 +74,7 @@ jobs:
run: |
dir=$(dirname \
$(egrep -lir --include=plugin.json --exclude-dir=dist \
'"id": "${{ inputs.plugin_id }}"' \
'"id": "${PLUGIN_ID}"' \
public/app/plugins \
) \
)
@ -85,19 +89,19 @@ jobs:
working-directory: ${{ steps.get_dir.outputs.dir }}
run: |
[ ! -d ./bin ] && mkdir -pv ./bin || true
curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v${{ env.GRABPL_VERSION }}/grabpl
curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v$GRABPL_VERSION/grabpl
chmod 0755 ./bin/grabpl
- name: Check backend
id: check_backend
shell: bash
run: |
if egrep -qr --include=main.go 'datasource.Manage\("${{ inputs.plugin_id }}"' pkg/tsdb; then
if egrep -qr --include=main.go 'datasource.Manage\("$PLUGIN_ID"' pkg/tsdb; then
echo "has_backend=true" >> $GITHUB_OUTPUT
else
echo "has_backend=false" >> $GITHUB_OUTPUT
fi
- name: Setup golang environment
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
if: steps.check_backend.outputs.has_backend == 'true'
with:
go-version-file: go.mod
@ -151,7 +155,7 @@ jobs:
# Release branch, do not add commit hash to version
command="plugin:build"
fi
yarn $command --scope="@grafana-plugins/${{ inputs.plugin_id }}"
yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version)
echo "version=${version}" >> $GITHUB_OUTPUT
- name: build:backend
@ -160,7 +164,7 @@ jobs:
env:
VERSION: ${{ steps.build_frontend.outputs.version }}
run: |
make build-plugin-go PLUGIN_ID=${{ inputs.plugin_id }}
make build-plugin-go PLUGIN_ID=$PLUGIN_ID
- name: package
working-directory: ${{ steps.get_dir.outputs.dir }}
run: |
@ -175,7 +179,7 @@ jobs:
VERSION: ${{ steps.build_frontend.outputs.version }}
run: |
api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
'${{ env.GCOM_API}}/api/plugins/${{ inputs.plugin_id }}?version=$VERSION' \
'${{ env.GCOM_API}}/api/plugins/$PLUGIN_ID?version=$VERSION' \
-H 'accept: application/json')
api_res_code=$(echo $api_res | jq -r .code)
if [ "$api_res_code" = "NotFound" ]; then
@ -197,10 +201,10 @@ jobs:
run: |
echo "Publish release to Google Cloud Storage:"
touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows
gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux
gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin
gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any
gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows
gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux
gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin
gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any
- name: Publish new plugin version on grafana.com
if: steps.check_backend.outputs.has_backend == 'true'
working-directory: ${{ steps.get_dir.outputs.dir }}
@ -214,27 +218,27 @@ jobs:
\"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
\"download\": {
\"linux-amd64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_amd64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_amd64.zip\",
\"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\"
},
\"linux-arm64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm64.zip\",
\"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\"
},
\"linux-arm\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm.zip\",
\"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\"
},
\"windows-amd64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows/${{ inputs.plugin_id }}-${VERSION}.windows_amd64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows/$PLUGIN_ID-${VERSION}.windows_amd64.zip\",
\"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\"
},
\"darwin-amd64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_amd64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_amd64.zip\",
\"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\"
},
\"darwin-arm64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_arm64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_arm64.zip\",
\"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\"
}
}
@ -257,7 +261,7 @@ jobs:
\"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
\"download\": {
\"any\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any/${{ inputs.plugin_id }}-${VERSION}.any.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip\",
\"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\"
}
}

2
.github/workflows/create-next-release-branch.yml
Unescape View File

@ -46,7 +46,7 @@ jobs:
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Create release branch
id: branch
uses: grafana/grafana-github-actions-go/bump-release@main
uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]
with:
ownerRepo: ${{ inputs.ownerRepo }}
source: ${{ inputs.source }}

5
.github/workflows/create-security-patch-from-security-mirror.yml
Unescape View File

@ -17,7 +17,7 @@ on:
jobs:
trigger_downstream_create_security_patch:
concurrency: create-patch-${{ github.ref_name }}
uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main
uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main # zizmor: ignore[unpinned-uses]
if: github.repository == 'grafana/grafana-security-mirror'
with:
repo: "${{ github.repository }}"
@ -25,5 +25,4 @@ jobs:
patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
patch_repo: "grafana/grafana-security-patches"
patch_prefix: "${{ github.event.pull_request.number }}"
secrets: inherit
secrets: inherit # zizmor: ignore[secrets-inherit]

2
.github/workflows/dashboards-issue-add-label.yml
Unescape View File

@ -22,7 +22,7 @@ jobs:
steps:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
repo_secrets: |

2
.github/workflows/deploy-pr-preview.yml
Unescape View File

@ -12,7 +12,7 @@ on:
jobs:
deploy-pr-preview:
if: "!github.event.pull_request.head.repo.fork"
uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main
uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main # zizmor: ignore[unpinned-uses]
with:
branch: ${{ github.head_ref }}
event_number: ${{ github.event.number }}

36
.github/workflows/detect-breaking-changes-levitate.yml
Unescape View File

@ -6,9 +6,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
id-token: write
permissions: {}
on:
pull_request:
@ -24,12 +22,16 @@ jobs:
defaults:
run:
working-directory: './pr'
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
path: './pr'
- uses: actions/setup-node@v4
persist-credentials: false
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 22.11.0
@ -67,17 +69,20 @@ jobs:
buildBase:
name: Build Base packages artifacts
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
defaults:
run:
working-directory: './base'
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
path: './base'
ref: ${{ github.event.pull_request.base.ref }}
- uses: actions/setup-node@v4
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 22.11.0
@ -123,8 +128,8 @@ jobs:
id-token: 'write'
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 22.11.0
@ -145,14 +150,14 @@ jobs:
run: unzip -j base_built_packages.zip -d ./base && rm base_built_packages.zip
- id: 'auth'
uses: 'google-github-actions/auth@v2'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
with:
workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
service_account: ${{ secrets.LEVITATE_SA }}
project_id: 'grafanalabs-global'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
with:
version: '>= 363.0.0'
project_id: 'grafanalabs-global'
@ -180,6 +185,9 @@ jobs:
name: Report breaking changes in PR comment
runs-on: ubuntu-latest
needs: ['Detect']
permissions:
contents: read
id-token: write
steps:
- name: "Generate token"
@ -189,7 +197,7 @@ jobs:
app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: 'Download artifact'
uses: actions/download-artifact@v4
@ -238,7 +246,7 @@ jobs:
# Comment on the PR
- name: Comment on PR
if: steps.levitate-run.outputs.exit_code == 1
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
with:
header: levitate-breaking-change-comment
number: ${{ github.event.pull_request.number }}
@ -255,7 +263,7 @@ jobs:
# Remove comment from the PR (no more breaking changes)
- name: Remove comment from PR
if: steps.levitate-run.outputs.exit_code == 0
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
with:
header: levitate-breaking-change-comment
number: ${{ github.event.pull_request.number }}

4
.github/workflows/documentation-ci.yml
Unescape View File

@ -10,10 +10,10 @@ jobs:
container:
image: grafana/vale:latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: grafana/writers-toolkit/vale-action@vale-action/v1
- uses: grafana/writers-toolkit/vale-action@vale-action/v1 # zizmor: ignore[unpinned-uses]
with:
filter: '.Name in ["Grafana.GrafanaCom", "Grafana.WordList", "Grafana.Spelling", "Grafana.ProductPossessives"]'
token: ${{ secrets.GITHUB_TOKEN }}

3
.github/workflows/ephemeral-instances-pr-comment.yml
Unescape View File

@ -41,12 +41,13 @@ jobs:
private_key: ${{ secrets.EI_APP_PRIVATE_KEY }}
- name: Checkout ephemeral instances repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
repository: grafana/ephemeral-grafana-instances-github-action
token: ${{ steps.generate_token.outputs.token }}
ref: main
path: ephemeral
persist-credentials: false
- name: build and deploy ephemeral instance
uses: ./ephemeral

4
.github/workflows/feature-toggles-ci.yml
Unescape View File

@ -11,12 +11,12 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: 'go.mod'
cache: true

48
.github/workflows/frontend-lint.yml
Unescape View File

@ -6,17 +6,20 @@ on:
- main
- release-*.*.*
permissions:
contents: read
id-token: write
permissions: {}
jobs:
lint-frontend-verify-i18n:
name: Verify i18n
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -34,14 +37,17 @@ jobs:
exit 1
fi
lint-frontend-prettier:
permissions:
contents: read
id-token: write
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `lint-frontend-prettier-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -50,13 +56,16 @@ jobs:
- run: yarn run prettier:check
- run: yarn run lint
lint-frontend-prettier-enterprise:
permissions:
contents: read
id-token: write
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -69,14 +78,17 @@ jobs:
- run: yarn run prettier:check
- run: yarn run lint
lint-frontend-typecheck:
permissions:
contents: read
id-token: write
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `lint-frontend-typecheck-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
name: Typecheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -84,13 +96,16 @@ jobs:
- run: yarn install --immutable --check-cache
- run: yarn run typecheck
lint-frontend-typecheck-enterprise:
permissions:
contents: read
id-token: write
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
name: Typecheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -102,11 +117,14 @@ jobs:
- run: yarn install --immutable --check-cache
- run: yarn run typecheck
lint-frontend-betterer:
permissions:
contents: read
id-token: write
name: Betterer
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'

2
.github/workflows/github-release.yml
Unescape View File

@ -40,7 +40,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Create GitHub release (manually invoked)
uses: grafana/grafana-github-actions-go/github-release@main
uses: grafana/grafana-github-actions-go/github-release@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: ${{ inputs.version }}

8
.github/workflows/go-lint.yml
Unescape View File

@ -16,13 +16,15 @@ jobs:
lint-go:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: ./go.mod
- run: make gen-go
- name: golangci-lint
uses: golangci/golangci-lint-action@v7
uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
with:
version: v2.0.2
args: |

6
.github/workflows/i18n-crowdin-create-tasks.yml
Unescape View File

@ -11,10 +11,12 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'

13
.github/workflows/i18n-crowdin-download.yml
Unescape View File

@ -22,14 +22,15 @@ jobs:
app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: ${{ github.head_ref }}
token: ${{ steps.generate_token.outputs.token }}
persist-credentials: false
- name: Download sources
id: crowdin-download
uses: crowdin/github-action@v2
uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
with:
upload_sources: false
upload_translations: false
@ -72,7 +73,7 @@ jobs:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: Get project board ID
uses: octokit/graphql-action@v2.x
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
id: get-project-id
if: steps.crowdin-download.outputs.pull_request_url
with:
@ -92,7 +93,7 @@ jobs:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: Add to project board
uses: octokit/graphql-action@v2.x
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
if: steps.crowdin-download.outputs.pull_request_url
with:
projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }}
@ -109,7 +110,7 @@ jobs:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: Run auto-milestone
uses: grafana/grafana-github-actions-go/auto-milestone@main
uses: grafana/grafana-github-actions-go/auto-milestone@main # zizmor: ignore[unpinned-uses]
if: steps.crowdin-download.outputs.pull_request_url
with:
pr: ${{ steps.crowdin-download.outputs.pull_request_number }}
@ -117,7 +118,7 @@ jobs:
- name: Get vault secrets
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in ci/repo/grafana/grafana/grafana-pr-approver
repo_secrets: |

6
.github/workflows/i18n-crowdin-upload.yml
Unescape View File

@ -14,10 +14,12 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Upload sources
uses: crowdin/github-action@v2
uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
with:
upload_sources: true
upload_sources_args: '--dest=public/locales/en-US/grafana.json'

17
.github/workflows/issue-opened.yml
Unescape View File

@ -10,14 +10,15 @@ on:
concurrency:
group: issue-opened-${{ github.event.issue.number }}
permissions:
contents: read
id-token: write
permissions: {}
jobs:
main:
runs-on: ubuntu-latest
if: github.repository == 'grafana/grafana'
permissions:
contents: read
id-token: write
steps:
- name: Checkout Actions
@ -26,6 +27,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions
@ -37,7 +39,7 @@ jobs:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
repo_secrets: |
@ -60,13 +62,16 @@ jobs:
auto-triage:
needs: [main]
permissions:
contents: read
id-token: write
if: github.repository == 'grafana/grafana' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
runs-on: ubuntu-latest
steps:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
repo_secrets: |
@ -87,7 +92,7 @@ jobs:
- name: Send issue to the auto triager action
id: auto_triage
uses: grafana/auto-triager@main
uses: grafana/auto-triager@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ steps.generate_token.outputs.token }}
issue_number: ${{ github.event.issue.number }}

6
.github/workflows/lint-build-docs.yml
Unescape View File

@ -22,10 +22,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: '22.11.0'
cache: 'yarn'

1
.github/workflows/metrics-collector.yml
Unescape View File

@ -43,6 +43,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions
- name: Run metrics collector

2
.github/workflows/migrate-prs.yml
Unescape View File

@ -51,7 +51,7 @@ jobs:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Migrate PRs
uses: grafana/grafana-github-actions-go/migrate-open-prs@main
uses: grafana/grafana-github-actions-go/migrate-open-prs@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ steps.generate_token.outputs.token }}
ownerRepo: ${{ inputs.ownerRepo }}

19
.github/workflows/milestone.yml
Unescape View File

@ -1,19 +0,0 @@
name: Close Milestone
on:
workflow_dispatch:
inputs:
version_input:
description: 'The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
required: true
jobs:
call-remove-milestone:
uses: grafana/grafana/.github/workflows/remove-milestone.yml@main
with:
version_call: ${{ github.event.inputs.version_input }}
secrets: inherit
call-close-milestone:
uses: grafana/grafana/.github/workflows/close-milestone.yml@main
with:
version_call: ${{ github.event.inputs.version_input }}
secrets: inherit
needs: call-remove-milestone

6
.github/workflows/pr-backend-coverage.yml
Unescape View File

@ -23,9 +23,11 @@ jobs:
runs-on: ubuntu-latest-8-cores
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true

1
.github/workflows/pr-checks.yml
Unescape View File

@ -36,6 +36,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions
- name: Run PR Checks

3
.github/workflows/pr-codeql-analysis-javascript.yml
Unescape View File

@ -20,11 +20,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
persist-credentials: false
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL

3
.github/workflows/pr-codeql-analysis-python.yml
Unescape View File

@ -18,11 +18,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
persist-credentials: false
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL

1
.github/workflows/pr-commands.yml
Unescape View File

@ -35,6 +35,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions
- name: "Generate token"

9
.github/workflows/pr-dependabot-update-go-workspace.yml
Unescape View File

@ -22,7 +22,7 @@ jobs:
steps:
- name: Retrieve GitHub App secrets
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
APP_ID=grafana-go-workspace-bot:app-id
@ -37,14 +37,15 @@ jobs:
private-key: ${{ env.PRIVATE_KEY }}
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
token: ${{ steps.generate_token.outputs.token }}
persist-credentials: false
- name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
go-version-file: go.mod
@ -65,4 +66,4 @@ jobs:
echo "Committing and pushing workspace changes"
git commit -a -m "update workspace"
git push origin $BRANCH_NAME
fi
fi

7
.github/workflows/pr-e2e-tests.yml
Unescape View File

@ -18,15 +18,16 @@ jobs:
outputs:
artifact: ${{ steps.artifact.outputs.artifact }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
repository: 'grafana/grafana-build'
ref: 'main'
- uses: actions/checkout@v4
persist-credentials: false
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
path: ./grafana
- run: echo "GRAFANA_GO_VERSION=$(grep "go 1." grafana/go.work | cut -d\ -f2)" >> "$GITHUB_ENV"
- uses: dagger/dagger-for-github@8.0.0
- uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
with:
verb: run
args: go run ./cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir=grafana --go-version=${GRAFANA_GO_VERSION} > out.txt

20
.github/workflows/pr-frontend-unit-tests.yml
Unescape View File

@ -6,12 +6,13 @@ on:
- main
- release-*.*.*
permissions:
contents: read
id-token: write
permissions: {}
jobs:
frontend-unit-tests:
permissions:
contents: read
id-token: write
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `frontend-unit-tests-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
@ -22,8 +23,10 @@ jobs:
matrix:
chunk: [1, 2, 3, 4, 5, 6, 7, 8]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -36,6 +39,9 @@ jobs:
TEST_SHARD_TOTAL: 8
frontend-unit-tests-enterprise:
permissions:
contents: read
id-token: write
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
runs-on: ubuntu-latest-8-cores
@ -45,8 +51,8 @@ jobs:
matrix:
chunk: [1, 2, 3, 4, 5, 6, 7, 8]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'

8
.github/workflows/pr-go-workspace-check.yml
Unescape View File

@ -21,10 +21,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
cache: false
go-version-file: go.mod
@ -42,4 +44,4 @@ jobs:
exit 1
fi
- name: Ensure Dockerfile contains submodule COPY commands
run: ./scripts/go-workspace/validate-dockerfile.sh
run: ./scripts/go-workspace/validate-dockerfile.sh

8
.github/workflows/pr-k8s-codegen-check.yml
Unescape View File

@ -19,10 +19,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
go-version-file: go.mod
@ -36,4 +38,4 @@ jobs:
git diff
echo "Please run './hack/update-codegen.sh' and commit the changes."
exit 1
fi
fi

2
.github/workflows/pr-patch-check-event.yml
Unescape View File

@ -13,6 +13,8 @@ on:
- "v*.*.*"
- "release-*"
permissions: {}
# Since this is run on a pull request, we want to apply the patches intended for the
# target branch onto the source branch, to verify compatibility before merging.
jobs:

14
.github/workflows/pr-test-integration.yml
Unescape View File

@ -17,9 +17,11 @@ jobs:
runs-on: ubuntu-latest-8-cores
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true
@ -45,9 +47,9 @@ jobs:
- 3306:3306
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true
@ -70,9 +72,9 @@ jobs:
- 5432:5432
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true

5
.github/workflows/publish-kinds-next.yml
Unescape View File

@ -29,12 +29,13 @@ jobs:
runs-on: "ubuntu-latest"
steps:
- name: "Checkout Grafana repo"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
fetch-depth: 0
persist-credentials: false
- name: "Setup Go"
uses: "actions/setup-go@v4"
uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
with:
go-version-file: go.mod

7
.github/workflows/publish-kinds-release.yml
Unescape View File

@ -31,13 +31,14 @@ jobs:
runs-on: "ubuntu-latest"
steps:
- name: "Checkout Grafana repo"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
# required for the `grafana/grafana-github-actions/has-matching-release-tag` action to work
fetch-depth: 0
persist-credentials: false
- name: "Setup Go"
uses: "actions/setup-go@v4"
uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
with:
go-version-file: go.mod
@ -45,7 +46,7 @@ jobs:
run: go run .github/workflows/scripts/kinds/verify-kinds.go
- name: "Checkout Actions library"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
repository: "grafana/grafana-github-actions"
path: "./actions"

4
.github/workflows/publish-technical-documentation-next.yml
Unescape View File

@ -15,7 +15,7 @@ jobs:
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 # zizmor: ignore[unpinned-uses]
with:
website_directory: content/docs/grafana/next

5
.github/workflows/publish-technical-documentation-release.yml
Unescape View File

@ -17,10 +17,11 @@ jobs:
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2
persist-credentials: false
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 # zizmor: ignore[unpinned-uses]
with:
release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"

21
.github/workflows/release-comms.yml
Unescape View File

@ -30,18 +30,16 @@ jobs:
release_branch: ${{ steps.output.outputs.release_branch }}
dry_run: ${{ steps.output.outputs.dry_run }}
latest: ${{ steps.output.outputs.latest }}
env:
HEAD_REF: ${{ github.head_ref }}
DRY_RUN: ${{ inputs.dry_run }}
LATEST: ${{ inputs.latest && '1' || '0' }}
VERSION: ${{ inputs.version }}
runs-on: ubuntu-latest
steps:
# The github-release action expects a `LATEST` value of a string of either '1' or '0'
- if: ${{ github.event_name == 'workflow_dispatch' }}
run: |
echo setting up GITHUB_ENV for ${{ github.event_name }}
echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
echo "DRY_RUN=${{ inputs.dry_run }}" >> $GITHUB_ENV
echo "LATEST=${{ inputs.latest && '1' || '0' }}" >> $GITHUB_ENV
- if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
run: |
echo "VERSION=$(echo ${{ github.head_ref }} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
echo "VERSION=$(echo ${HEAD_REF} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV
echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV
- id: output
@ -120,7 +118,10 @@ jobs:
post_on_slack:
needs: setup
runs-on: ubuntu-latest
env:
DRY_RUN: ${{ needs.setup.outputs.dry_run }}
VERSION: ${{ needs.setup.outputs.version }}
steps:
- run: |
echo announce on slack that ${{ needs.setup.outputs.version }} has been released
echo dry run: ${{ needs.setup.outputs.dry_run }}
echo announce on slack that $VERSION has been released
echo dry run: $DRY_RUN

108
.github/workflows/release-pr.yml
Unescape View File

@ -33,12 +33,13 @@ on:
default: false
type: boolean
permissions:
contents: write
pull-requests: write
permissions: {}
jobs:
push-changelog-to-main:
permissions:
contents: write
pull-requests: write
name: Create PR to main to update the changelog
uses: ./.github/workflows/changelog.yml
with:
@ -50,41 +51,44 @@ jobs:
secrets:
GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
create-prs:
permissions:
contents: write
pull-requests: write
name: Create Release PR
runs-on: ubuntu-latest
if: github.repository == 'grafana/grafana'
env:
VERSION: ${{ inputs.version }}
LATEST: ${{ inputs.latest }}
DRY_RUN: ${{ inputs.dry_run }}
steps:
- name: Generate bot token
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Get release branch
id: branch
uses: grafana/grafana-github-actions-go/latest-release-branch@main
uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ steps.generate_token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
ownerRepo: 'grafana/grafana'
pattern: ${{ inputs.target }}
- name: Checkout Grafana
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: ${{ steps.branch.outputs.branch }}
fetch-depth: 0
fetch-tags: true
token: ${{ steps.generate_token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
- name: Checkout Grafana (main)
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: main
fetch-depth: '0'
fetch-tags: 'false'
path: .grafana-main
token: ${{ steps.generate_token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
- name: Setup nodejs environment
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: .nvmrc
- name: Configure git user
@ -94,37 +98,43 @@ jobs:
git config --local --add --bool push.autoSetupRemote true
- name: Create branch
run: git checkout -b "release/${{ github.run_id }}/${{ inputs.version }}"
run: git checkout -b "release/${{ github.run_id }}/$VERSION"
- name: Generate changelog token
id: generate_changelog_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Generate changelog
id: changelog
uses: ./.grafana-main/.github/workflows/actions/changelog
with:
github_token: ${{ steps.generate_token.outputs.token }}
target: v${{ inputs.version }}
github_token: ${{ steps.generate_changelog_token.outputs.token }}
target: v${{ env.VERSION }}
output_file: changelog_items.md
- name: Patch CHANGELOG.md
run: |
# Prepare CHANGELOG.md content with version delimiters
(
echo
echo "# ${{ inputs.version}} ($(date '+%F'))"
echo "# $VERSION ($(date '+%F'))"
echo
cat changelog_items.md
) > CHANGELOG.part
# Check if a version exists in the changelog
if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
if grep -q "<!-- $VERSION START" CHANGELOG.md ; then
# Replace the content between START and END delimiters
echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
-e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
echo "Version $VERSION is found in the CHANGELOG.md, patching contents..."
sed -i -e "/$VERSION START/,/$VERSION END/{//!d;}" \
-e "/$VERSION START/r CHANGELOG.part" CHANGELOG.md
else
# Prepend changelog part to the main changelog file
echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
echo "Version $VERSION not found in the CHANGELOG.md"
(
echo "<!-- ${{ inputs.version }} START -->"
echo "<!-- $VERSION START -->"
cat CHANGELOG.part
echo "<!-- ${{ inputs.version }} END -->"
echo "<!-- $VERSION END -->"
cat CHANGELOG.md
) > CHANGELOG.tmp
mv CHANGELOG.tmp CHANGELOG.md
@ -147,35 +157,45 @@ jobs:
run: |
git add package.json lerna.json yarn.lock packages public
test -e e2e/test-plugins && git add e2e/test-plugins
git commit -m "Update version to ${{ inputs.version }}"
git commit -m "Update version to $VERSION"
- name: Git push
if: ${{ inputs.dry_run }} != true
run: git push --set-upstream origin release/${{ github.run_id }}/${{ inputs.version }}
run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
- name: Create PR without backports
if: "${{ inputs.backport == '' }}"
run: >
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BRANCH: ${{ steps.branch.outputs.branch }}
run: |
LATEST_FLAG=""
if [ "$LATEST" = "true" ]; then
LATEST_FLAG='-l "release/latest"'
fi
gh pr create \
$( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
$LATEST_FLAG \
-l "no-changelog" \
--dry-run=${{ inputs.dry_run }} \
-B "${{ steps.branch.outputs.branch }}" \
--title "Release: ${{ inputs.version }}" \
--dry-run="$DRY_RUN" \
-B "$BRANCH" \
--title "Release: $VERSION" \
--body "These code changes must be merged after a release is complete"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create PR with backports
if: "${{ inputs.backport != '' }}"
run: >
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BRANCH: ${{ steps.branch.outputs.branch }}
run: |
LATEST_FLAG=""
if [ "$LATEST" = "true" ]; then
LATEST_FLAG='-l "release/latest"'
fi
gh pr create \
$( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
$LATEST_FLAG \
-l "product-approved" \
-l "no-changelog" \
--dry-run=${{ inputs.dry_run }} \
-B "${{ steps.branch.outputs.branch }}" \
--title "Release: ${{ inputs.version }}" \
--dry-run="$DRY_RUN" \
-B "$BRANCH" \
--title "Release: $VERSION" \
--body "These code changes must be merged after a release is complete"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

60
.github/workflows/remove-milestone.yml
Unescape View File

@ -1,60 +0,0 @@
name: Remove milestone
on:
workflow_dispatch:
inputs:
version:
required: true
description: Needs to match, exactly, the name of a milestone
workflow_call:
inputs:
version_call:
description: Needs to match, exactly, the name of a milestone
required: true
type: string
jobs:
config:
runs-on: "ubuntu-latest"
outputs:
has-secrets: ${{ steps.check.outputs.has-secrets }}
steps:
- name: "Check for secrets"
id: check
shell: bash
run: |
if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
echo "has-secrets=1" >> "$GITHUB_OUTPUT"
fi
main:
needs: config
if: needs.config.outputs.has-secrets
permissions:
issues: write
runs-on: ubuntu-latest
steps:
- name: Checkout Actions
uses: actions/checkout@v4
with:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
- name: Install Actions
run: npm install --production --prefix ./actions
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Remove milestone from open issues (manually invoked)
if: ${{ github.event.inputs.version != '' }}
uses: ./actions/remove-milestone
with:
token: ${{ steps.generate_token.outputs.token }}
- name: Remove milestone from open issues (workflow invoked)
if: ${{ inputs.version_call != '' }}
uses: ./actions/remove-milestone
with:
version_call: ${{ inputs.version_call }}
token: ${{ steps.generate_token.outputs.token }}

22
.github/workflows/run-dashboard-search-e2e.yml
Unescape View File

@ -11,6 +11,8 @@ on:
env:
ARCH: linux-amd64
permissions: {}
jobs:
setup:
runs-on: ubuntu-latest
@ -18,16 +20,21 @@ jobs:
outputs:
ini_files: ${{ steps.get_files.outputs.ini_files }}
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Pin Go version to mod file
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: 'go.mod'
cache: true
- run: go version
- uses: actions/setup-node@v4
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 20
cache: 'yarn'
@ -44,7 +51,7 @@ jobs:
run: yarn install --immutable
- name: Install Cypress dependencies
if: steps.cache-node-modules.outputs.cache-hit != 'true'
uses: cypress-io/github-action@v6
uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
with:
runTests: false
- name: Cache Grafana Build and Dependencies
@ -81,10 +88,13 @@ jobs:
matrix:
ini_file: ${{ fromJson(needs.setup.outputs.ini_files) }}
permissions:
contents: read
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Restore Cached Node Modules
uses: actions/cache@v3
with:

15
.github/workflows/run-e2e-suite.yml
Unescape View File

@ -14,19 +14,26 @@ jobs:
main:
runs-on: ubuntu-latest-8-cores
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/download-artifact@v4
with:
name: ${{ inputs.package }}
- uses: dagger/dagger-for-github@8.0.0
- uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
if: inputs.old-arch == false
with:
verb: run
args: go run ./pkg/build/e2e --package=grafana.tar.gz --suite=${{ inputs.suite }}
- run: echo "suite=$(echo ${{ inputs.suite }} | sed 's/\//-/g')" >> $GITHUB_ENV
- name: Set suite name
id: set-suite-name
env:
SUITE: ${{ inputs.suite }}
run: |
echo "suite=$(echo $SUITE | sed 's/\//-/g')" >> $GITHUB_OUTPUT
- uses: actions/upload-artifact@v4
if: ${{ always() && inputs.old-arch != true }}
with:
name: e2e-${{ env.suite }}-${{github.run_number}}
name: e2e-${{ steps.set-suite-name.outputs.suite }}-${{github.run_number}}
path: videos
retention-days: 1

12
.github/workflows/run-schema-v2-e2e.yml
Unescape View File

@ -18,13 +18,15 @@ jobs:
if: github.event.pull_request.draft == false
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Pin Go version to mod file
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: 'go.mod'
- run: go version
- uses: actions/setup-node@v4
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 20
cache: 'yarn'
@ -33,7 +35,7 @@ jobs:
- name: Build grafana
run: make build
- name: Install Cypress dependencies
uses: cypress-io/github-action@v6
uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
with:
runTests: false
- name: Run dashboard scenes e2e
@ -41,4 +43,4 @@ jobs:
- name: Always succeed # This is a workaround to make the job pass even if the previous step fails
if: failure()
run: exit 0
run: exit 0

6
.github/workflows/skye-add-to-project.yml
Unescape View File

@ -30,7 +30,7 @@ jobs:
steps:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Vault secret paths:
# - ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot
@ -70,7 +70,7 @@ jobs:
- name: Get node ID for item
if: steps.check_user.outputs.user_allowed == 'true'
id: get_node_id
uses: octokit/graphql-action@v2.x
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
with:
query: |
query getNodeId($owner: String!, $repo: String!, $number: Int!) {
@ -91,7 +91,7 @@ jobs:
# Finally, add the issue/PR to the project board
- name: Add to project board
if: steps.check_user.outputs.user_allowed == 'true'
uses: octokit/graphql-action@v2.x
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
with:
query: |
mutation addItem($projectid: ID!, $itemid: ID!) {

8
.github/workflows/storybook-verification.yml
Unescape View File

@ -21,10 +21,12 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: 'package.json'
cache: 'yarn'
@ -33,7 +35,7 @@ jobs:
run: yarn install --immutable
- name: Run Storybook and E2E tests
uses: cypress-io/github-action@v6
uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
with:
browser: chrome
start: yarn storybook --quiet

23
.github/workflows/sync-mirror-event.yml
Unescape View File

@ -10,10 +10,21 @@ on:
- "v*.*.*"
- "release-*"
permissions: {}
# This is run after the pull request has been merged, so we'll run against the target branch
jobs:
dispatch-job:
runs-on: ubuntu-latest
permissions:
contents: read
actions: write
env:
REF_NAME: ${{ github.ref_name }}
REPO: ${{ github.repository }}
SENDER: ${{ github.event.sender.login }}
SHA: ${{ github.sha }}
PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
steps:
- name: "Generate token"
id: generate_token
@ -28,16 +39,18 @@ jobs:
with:
github-token: ${{ steps.generate_token.outputs.token }}
script: |
const {HEAD_REF, BASE_REF, REPO, SENDER, SHA} = process.env;
await github.rest.actions.createWorkflowDispatch({
owner: 'grafana',
repo: 'security-patch-actions',
workflow_id: 'mirror-branch-and-apply-patches-event.yml',
ref: 'main',
inputs: {
src_ref: "${{ github.ref_name }}",
src_repo: "${{ github.repository }}",
src_sha: "${{ github.sha }}",
dest_repo: "${{ github.repository }}-security-mirror",
patch_repo: "${{ github.repository }}-security-patches"
src_ref: REF_NAME,
src_repo: REPO,
src_sha: SHA,
dest_repo: REPO + "-security-mirror",
patch_repo: REPO + "-security-patches"
}
})

6
.github/workflows/trivy-scan.yml
Unescape View File

@ -16,9 +16,11 @@ jobs:
trivy-scan:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Install Trivy
uses: aquasecurity/setup-trivy@v0.2.2
uses: aquasecurity/setup-trivy@9ea583eb67910444b1f64abf338bd2e105a0a93d
with:
version: v0.56.2
cache: true

52
.github/workflows/update-changelog.yml
Unescape View File

@ -1,52 +0,0 @@
name: Update changelog
on:
workflow_dispatch:
inputs:
version:
required: true
description: 'Needs to match, exactly, the name of a milestone. The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
skip_pr:
required: false
default: "0"
skip_community_post:
required: false
default: "0"
jobs:
config:
runs-on: "ubuntu-latest"
outputs:
has-secrets: ${{ steps.check.outputs.has-secrets }}
steps:
- name: "Check for secrets"
id: check
shell: bash
run: |
if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&
secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '' &&
secrets.GRAFANA_MISC_STATS_API_KEY != '' &&
secrets.GRAFANABOT_FORUM_KEY != ''
) || '' }}" ]; then
echo "has-secrets=1" >> "$GITHUB_OUTPUT"
fi
main:
needs: config
if: needs.config.outputs.has-secrets
runs-on: ubuntu-latest
steps:
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Run update changelog (manually invoked)
uses: grafana/grafana-github-actions-go/update-changelog@main
with:
token: ${{ steps.generate_token.outputs.token }}
version: ${{ inputs.version }}
metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
community_api_key: ${{ secrets.GRAFANABOT_FORUM_KEY }}
community_api_username: grafanabot
skip_pr: ${{ inputs.skip_pr }}
skip_community_post: ${{ inputs.skip_community_post }}

6
.github/workflows/update-make-docs.yml
Unescape View File

@ -8,8 +8,10 @@ jobs:
if: github.repository == 'grafana/grafana'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 # zizmor: ignore[unpinned-uses]
with:
pr_options: >
--label 'backport v10.1.x'

5
.github/workflows/verify-kinds.yml
Unescape View File

@ -11,12 +11,13 @@ jobs:
runs-on: "ubuntu-latest"
steps:
- name: "Checkout Grafana repo"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
fetch-depth: 0
persist-credentials: false
- name: "Setup Go"
uses: "actions/setup-go@v4"
uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
with:
go-version-file: go.mod

6
.github/workflows/zizmor.yml
Unescape View File

@ -1,13 +1,9 @@
name: Zizmor GitHub Actions static analysis
on:
pull_request:
paths:
- ".github/**"
push:
branches:
- main
paths:
- ".github/**"
jobs:
zizmor:
@ -24,4 +20,4 @@ jobs:
uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@main # zizmor: ignore[unpinned-uses]
with:
fail-severity: high
min-severity: high
min-severity: high

31
.github/zizmor.yml
Unescape View File

@ -0,0 +1,31 @@
rules:
unpinned-uses:
config:
policies:
"*": hash-pin
actions/*: any
github/*: any
grafana/*: any
forbidden-uses:
config:
deny:
# Policy-banned by our security team due to CVE-2025-30066 & CVE-2025-30154.
# https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
# https://nvd.nist.gov/vuln/detail/cve-2025-30066
# https://nvd.nist.gov/vuln/detail/cve-2025-30154
- reviewdog/*
cache-poisoning:
ignore:
- backend-unit-tests.yml
- frontend-lint.yml
- pr-frontend-unit-tests.yml
- pr-test-integration.yml
- publish-kinds-release.yml
dangerous-triggers:
ignore:
- auto-milestone.yml
- backport.yml
- pr-checks.yml
- pr-commands.yml
- pr-patch-check-event.yml
- run-dashboard-search-e2e.yml

2
pkg/build/actions/bump-version/action.yml
Unescape View File

@ -11,7 +11,7 @@ runs:
with:
go-version-file: go.mod
- name: Bump versions
uses: dagger/dagger-for-github@v5
uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
with:
verb: run
args: go run ./pkg/build/actions/bump-version -version=${{ inputs.version }}

Write Preview
Loading…
Cancel
Save