Actions: Reject GH secrets (#105289)

1 month ago · 99273f15eb
parent 65ac0ed3e9
commit 99273f15eb
8 changed files with 76 additions and 134 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -753,7 +753,6 @@ embed.go @grafana/grafana-as-code
 /.github/commands.json @torkelo
 /.github/dependabot.yml @grafana/frontend-ops
 /.github/issue-opened.json @grafana/grafana-community-support
-/.github/metrics-collector.json @torkelo
 /.github/pr-checks.json @tolzhabayev
 /.github/pr-commands.json @tolzhabayev
 /.github/renovate.json5 @grafana/frontend-ops
@ -783,13 +782,13 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/github-release.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/issue-opened.yml @grafana/grafana-community-support
 /.github/workflows/lint-build-docs.yml @grafana/docs-tooling
-/.github/workflows/metrics-collector.yml @torkelo
 /.github/workflows/pr-checks.yml @tolzhabayev
 /.github/workflows/pr-codeql-analysis-javascript.yml @DanCech
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
 /.github/workflows/pr-commands.yml @tolzhabayev
 /.github/workflows/pr-patch-check-event.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/pr-test-integration.yml @grafana/grafana-backend-group
+/.github/workflows/reject-gh-secrets.yml @grafana/grafana-operator-experience-squad
 /.github/workflows/sync-mirror-event.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-tooling
 /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-tooling
--- a/.github/metrics-collector.json
+++ b/.github/metrics-collector.json
@ -1,32 +0,0 @@
-{
-  "queries": [
-    {
-      "name": "type_bug",
-      "query": "label:\"type/bug\" is:issue is:open"
-    },
-    {
-      "name": "type_docs",
-      "query": "label:\"type/docs\" is:issue is:open"
-    },
-    {
-      "name": "needs_investigation",
-      "query": "label:\"needs investigation\" is:issue is:open"
-    },
-    {
-      "name": "needs_more_info",
-      "query": "label:\"needs more info\" is:issue is:open"
-    },
-    {
-      "name": "triage_needs_confirmation",
-      "query": "label:\"triage/needs-confirmation\" is:issue is:open"
-    },
-    {
-      "name": "unlabeled",
-      "query": "is:open is:issue no:label"
-    },
-    {
-      "name": "open_prs",
-      "query": "is:open is:pull-request"
-    }
-  ]
-}
--- a/.github/workflows/i18n-crowdin-create-tasks.yml
+++ b/.github/workflows/i18n-crowdin-create-tasks.yml
@ -2,10 +2,9 @@ name: Crowdin automatic task management

 on:
  workflow_dispatch:
-  # TODO uncomment when we're confident this works
  # once a week on Sunday at midnight
-  # schedule:
-  #   - cron: "0 0 * * 0"
+  schedule:
+    - cron: "0 0 * * 0"

 jobs:
  create-tasks-in-crowdin:
@ -39,12 +38,12 @@ jobs:

      - name: Clean up completed tasks
        env:
-          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+          CROWDIN_PROJECT_ID: '5'
+          CROWDIN_PERSONAL_TOKEN: ${{ env.CROWDIN_TOKEN }}
        run: node --experimental-strip-types ./.github/workflows/scripts/crowdin/cleanup-tasks.ts

      - name: Create tasks
        env:
-          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+          CROWDIN_PROJECT_ID: '5'
+          CROWDIN_PERSONAL_TOKEN: ${{ env.CROWDIN_TOKEN }}
        run: node --experimental-strip-types ./.github/workflows/scripts/crowdin/create-tasks.ts
--- a/.github/workflows/issue-opened.yml
+++ b/.github/workflows/issue-opened.yml
@ -56,7 +56,6 @@ jobs:
      - name: Run Commands
        uses: ./actions/commands
        with:
-          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
          token: ${{ steps.generate_token.outputs.token }}
          configPath: "issue-opened"

--- a/.github/workflows/metrics-collector.yml
+++ b/.github/workflows/metrics-collector.yml
@ -1,54 +0,0 @@
-#
-# When triggered by the cron job it will also collect metrics for:
-#  * number of issues without label
-#  * number of issues with "needs more info"
-#  * number of issues with "needs investigation"
-#  * number of issues with label type/bug
-#  * number of open issues in current milestone
-#
-# https://github.com/grafana/grafana-github-actions/blob/main/metrics-collector/index.ts
-#
-name: Github issue metrics collection
-on:
-  schedule:
-    - cron: "*/10 * * * *"
-  issues:
-    types: [opened, closed]
-
-permissions:
-  contents: read
-
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  main:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Actions
-        uses: actions/checkout@v4 # v4.2.2
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-          persist-credentials: false
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: Run metrics collector
-        uses: ./actions/metrics-collector
-        with:
-          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
-          token: ${{secrets.GITHUB_TOKEN}}
-          configPath: "metrics-collector"
--- a/.github/workflows/publish-kinds-next.yml
+++ b/.github/workflows/publish-kinds-next.yml
@ -8,25 +8,17 @@ on:
      - '**/*.cue'
  workflow_dispatch:

-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    if: github.repository == 'grafana/grafana'
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
+permissions: {}

+jobs:
  main:
-    needs: config
-    if: github.repository == 'grafana/grafana' && needs.config.outputs.has-secrets
+    if: github.repository == 'grafana/grafana'
    runs-on: "ubuntu-latest"
+    permissions:
+      contents: read # cloning repo
+      actions: read # reading .github/workflows/ dir
+      id-token: write # reading vault secrets
+
    steps:
      - name: "Checkout Grafana repo"
        uses: "actions/checkout@v4"
@ -42,12 +34,20 @@ jobs:
      - name: "Verify kinds"
        run: go run .github/workflows/scripts/kinds/verify-kinds.go

+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - name: "Clone website-sync Action"
        run: "git clone --single-branch --no-tags --depth 1 -b master https://grafana-delivery-bot:${{ steps.generate_token.outputs.token }}@github.com/grafana/website-sync ./.github/actions/website-sync"
--- a/.github/workflows/publish-kinds-release.yml
+++ b/.github/workflows/publish-kinds-release.yml
@ -10,25 +10,17 @@ on:
      - '**/*.cue'
  workflow_dispatch:

-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    if: github.repository == 'grafana/grafana'
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
+permissions: {}

+jobs:
  main:
-    needs: config
-    if: github.repository == 'grafana/grafana' && needs.config.outputs.has-secrets
+    if: github.repository == 'grafana/grafana'
    runs-on: "ubuntu-latest"
+    permissions:
+      contents: read # cloning repo
+      actions: read # reading .github/workflows/ dir
+      id-token: write # reading vault secrets
+
    steps:
      - name: "Checkout Grafana repo"
        uses: "actions/checkout@v4"
@ -63,12 +55,20 @@ jobs:
          release_tag_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
          release_branch_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.x$"

+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - name: "Clone website-sync Action"
        if: "steps.has-matching-release-tag.outputs.bool == 'true'"
--- a/.github/workflows/reject-gh-secrets.yml
+++ b/.github/workflows/reject-gh-secrets.yml
@ -0,0 +1,31 @@
+name: Reject GitHub secrets
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches:
+      - main
+      - release-*
+
+permissions: {}
+
+jobs:
+  reject-gh-secrets:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: Grep for secrets accesses
+        run: |
+          if grep -E '\$\{\{\s*secrets\s*\.\s*[a-zA-Z0-9_\-]+\s*\}\}' .github/workflows/*.yml | grep -vF 'secrets.GITHUB_TOKEN' | grep -vF '# nolint:reject-gh-secrets'; then
+            echo "Found secrets access in the codebase. Please remove it in favour of Vault secrets."
+            echo "If you are sure this is correct, add '# nolint:reject-gh-secrets' to the end of the line. Be VERY careful with this."
+            exit 1
+          fi