diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 31839f88a7d..e8833ee1cc1 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -81,13 +81,13 @@ jobs: ref: main sparse-checkout: | .github/workflows + .github/actions CHANGELOG.md .nvmrc .prettierignore .prettierrc.js fetch-depth: 0 fetch-tags: true - persist-credentials: false - name: Setup nodejs environment uses: actions/setup-node@v4 with:
diff --git a/.github/workflows/community-release.yml b/.github/workflows/community-release.yml
index 5b278c24da4..bdf079f2217 100644
--- a/.github/workflows/community-release.yml
+++ b/.github/workflows/community-release.yml
@@ -37,7 +37,6 @@ jobs: with: # Secrets placed in the ci/repo/grafana/grafana/community_release path in Vault repo_secrets: | - GRAFANA_MISC_STATS_API_KEY=community_release:GRAFANA_MISC_STATS_API_KEY GRAFANABOT_FORUM_KEY=community_release:GRAFANABOT_FORUM_KEY - name: Run community-release (manually invoked)
@@ -45,7 +44,6 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} version: ${{ inputs.version }} - metrics_api_key: ${{ env.GRAFANA_MISC_STATS_API_KEY }} community_api_key: ${{ env.GRAFANABOT_FORUM_KEY }} community_api_username: grafanabot dry_run: ${{ inputs.dry_run }}
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index f9ba5e32b8b..bd8eab8c176 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml 
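Review bot: Dropping `persist-credentials: false` from this checkout leaves the job's GITHUB_TOKEN in `.git/config` for every later step, starting with `actions/setup-node@v4` and whatever follows it; the enclosing `actions/checkout` step begins above the hunk, so I cannot see which token it receives. If a later step in changelog.yml needs to push, it is safer to keep `persist-credentials: false` and hand that step a token explicitly (the release-pr caller in this same patch grants `id-token: write` and fetches the delivery-bot PEM, so an app token is available); if nothing pushes, the line should simply stay. With zizmor enabled in this repository, the removal is also likely to surface as an `artipacked` finding rather than pass quietly.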
@@ -40,19 +40,10 @@ jobs: main: runs-on: ubuntu-latest steps: - - name: "Get vault secrets" - id: vault-secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main - with: - # Secrets placed in the ci/repo/grafana/grafana/github_release path in Vault - repo_secrets: | - GRAFANA_MISC_STATS_API_KEY=github_release:GRAFANA_MISC_STATS_API_KEY - - name: Create GitHub release (manually invoked) uses: grafana/grafana-github-actions-go/github-release@main # zizmor: ignore[unpinned-uses] with: token: ${{ secrets.GITHUB_TOKEN }} version: ${{ inputs.version }} - metrics_api_key: ${{ env.GRAFANA_MISC_STATS_API_KEY }} latest: ${{ inputs.latest }} dry_run: ${{ inputs.dry_run }}
diff --git a/.github/workflows/release-comms.yml b/.github/workflows/release-comms.yml
index 72acfd03b7e..e0bd93d3b7d 100644
--- a/.github/workflows/release-comms.yml
+++ b/.github/workflows/release-comms.yml
@@ -21,13 +21,13 @@ on: - 'main' - 'release-*.*.*' -permissions: {} +permissions: + contents: write + pull-requests: write + id-token: write jobs: setup: - permissions: - contents: read - id-token: write if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')) }} name: Setup and establish latest outputs:
@@ -35,6 +35,8 @@ jobs: release_branch: ${{ steps.output.outputs.release_branch }} dry_run: ${{ steps.output.outputs.dry_run }} latest: ${{ steps.output.outputs.latest }} + private_key: ${{ steps.output.outputs.delivery_bot_pem }} + app_id: ${{ vars.DELIVERY_BOT_APP_ID }} env: HEAD_REF: ${{ github.head_ref }} DRY_RUN: ${{ inputs.dry_run }} 
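Review bot: Moving `contents: write`, `pull-requests: write` and `id-token: write` to the workflow level while deleting the job-scoped `contents: read` / `id-token: write` on `setup` gives every job in release-comms.yml a token that can push and open PRs, including `setup`, which by its visible `if:` and `outputs:` only computes values and fetches a PEM, on a workflow whose `if:` shows it also runs on `pull_request` events. Keep `permissions: {}` at the top and grant per job: `setup` keeps `contents: read` plus `id-token: write`, and only the job that actually pushes or comments gets `contents: write` / `pull-requests: write`. Doing so also removes the need for the `excessive-permissions` ignore this patch adds to `.github/zizmor.yml`.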
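Review bot: `private_key: ${{ steps.output.outputs.delivery_bot_pem }}` routes the delivery-bot private key through a job output, which is not a secret channel: outputs are handed to dependent jobs as plain values, and the runner refuses to set a step output whose value contains a masked secret (it logs `Skip output ... since it may contain secret`), so as far as I can tell this output will be empty if `delivery_bot_pem` is written from the masked Vault value. The `id: output` step that produces it is outside the hunk, so I cannot confirm how it is set. Dependent jobs should fetch the PEM from Vault themselves, as the new `Get vault secrets` step in `setup` does, and mint the short-lived app token where it is used; only `app_id` belongs in `outputs:`.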
@@ -42,6 +44,13 @@ jobs: VERSION: ${{ inputs.version }} runs-on: ubuntu-latest steps: + - name: "Get vault secrets" + id: vault-secrets + uses: grafana/shared-workflows/actions/get-vault-secrets@main + with: + # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault + repo_secrets: | + GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY - if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }} run: | {
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index 60cf41c771d..02f283e5d0b 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -15,15 +15,19 @@ on: version: required: true type: string - description: The version of Grafana that is being released + description: The version of Grafana that is being released (without the `v` prefix)` target: required: true type: string description: The release branch pattern (eg v9.5.x) that these changes are being merged into - backport: + changelog: required: false - type: string - description: Branch to backport these changes to + type: boolean + default: true + bump: + required: false + type: boolean + default: true dry_run: required: false default: false
@@ -41,6 +45,7 @@ jobs: push-changelog-to-main: permissions: contents: write + id-token: write pull-requests: write name: Create PR to main to update the changelog uses: ./.github/workflows/changelog.yml
@@ -54,6 +59,7 @@ jobs: create-prs: permissions: contents: write + id-token: write pull-requests: write name: Create Release PR runs-on: ubuntu-latest 
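Review bot: `uses: grafana/shared-workflows/actions/get-vault-secrets@main` pins the action that fetches the delivery-bot private key to a mutable branch, in a job that now holds `id-token: write`; any commit landing on `main` of that repository runs here with the ability to mint the OIDC token and read `GRAFANA_DELIVERY_BOT_APP_PEM`. Pin it to a commit SHA, `uses: grafana/shared-workflows/actions/get-vault-secrets@<sha> # vX.Y.Z`, as `tibdex/github-app-token` already is in release-pr.yml, or if `@main` is deliberate add the `# zizmor: ignore[unpinned-uses]` marker the other unpinned uses in this patch carry so the exception is explicit. The enclosing `setup` job continues past the end of the hunk.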
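Review bot: The new `description` for `version` ends with a stray backtick after `prefix)`, which will render literally in the dispatch form; the line should end at `(without the `v` prefix)`. Replacing the string input `backport` with the booleans `changelog` and `bump` also changes this workflow's input contract, so any caller still passing `backport:` will be rejected at dispatch or call time; the `on:` block that owns these inputs starts above the hunk, so I cannot see whether it is `workflow_dispatch`, `workflow_call` or both. Note too that `target` stays `required: true` while the only use of `inputs.target` visible in this patch is deleted in the later hunk of this file.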
@@ -70,29 +76,20 @@ jobs: # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault repo_secrets: | GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY - - name: Get release branch - id: branch - uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses] - with: - token: ${{ secrets.GITHUB_TOKEN }} - ownerRepo: 'grafana/grafana' - pattern: ${{ inputs.target }} + - run: echo "RELEASE_BRANCH=release-${VERSION}" >> "$GITHUB_ENV" - name: Checkout Grafana uses: actions/checkout@v4 with: - ref: ${{ steps.branch.outputs.branch }} + ref: ${{ env.RELEASE_BRANCH }} fetch-tags: true - token: ${{ secrets.GITHUB_TOKEN }} - persist-credentials: false + fetch-depth: 0 - name: Checkout Grafana (main) uses: actions/checkout@v4 with: ref: main fetch-depth: '0' - fetch-tags: 'false' path: .grafana-main - token: ${{ secrets.GITHUB_TOKEN }} - persist-credentials: false + - name: Setup nodejs environment uses: actions/setup-node@v4 with:
@@ -104,8 +101,9 @@ jobs: git config --local --add --bool push.autoSetupRemote true - name: Create branch - run: git checkout -b "release/${{ github.run_id }}/$VERSION" + run: git checkout -b "release/${{ github.run_number }}/$VERSION" - name: Generate changelog token + if: ${{ inputs.changelog == true || inputs.changelog == 'true' }} id: generate_changelog_token uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 with: 
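Review bot: Both checkouts lose `persist-credentials: false`, but only the primary one needs a pushable credential for the later `git push`; the `.grafana-main` checkout is only read by the local `uses: ./.grafana-main/...` actions and now also leaves the GITHUB_TOKEN in `.grafana-main/.git/config` for the rest of the job. Keep `persist-credentials: false` on the `Checkout Grafana (main)` step, and for the primary checkout consider passing the delivery-bot app token rather than relying on the implicitly persisted GITHUB_TOKEN, since the PEM is already fetched in this job. Separately, `ref: ${{ env.RELEASE_BRANCH }}` now assumes a branch named exactly `release-<version>` exists instead of resolving it from `inputs.target` as the deleted `latest-release-branch` step did; a missing branch now fails at checkout, which is acceptable, and `${VERSION}` is safe in that `echo` only because it is read from the environment rather than interpolated as an expression. The `create-prs` job continues outside the hunk.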
@@ -113,12 +111,15 @@ jobs: private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }} - name: Generate changelog id: changelog + if: ${{ inputs.changelog == true || inputs.changelog == 'true' }} uses: ./.grafana-main/.github/actions/changelog with: + previous: ${{inputs.previous_version}} github_token: ${{ steps.generate_changelog_token.outputs.token }} target: v${{ env.VERSION }} output_file: changelog_items.md - name: Patch CHANGELOG.md + if: ${{ inputs.changelog == true || inputs.changelog == 'true' }} run: | # Prepare CHANGELOG.md content with version delimiters (
@@ -150,16 +151,20 @@ jobs: git diff CHANGELOG.md - name: "Prettify CHANGELOG.md" + if: ${{ inputs.changelog == true || inputs.changelog == 'true' }} run: npx prettier --write CHANGELOG.md - name: Commit CHANGELOG.md changes + if: ${{ inputs.changelog == true || inputs.changelog == 'true' }} run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md - name: Update package.json versions + if: ${{ inputs.bump == true || inputs.bump == 'true' }} uses: ./.grafana-main/pkg/build/actions/bump-version with: version: 'patch' - name: Add package.json changes + if: ${{ inputs.bump == true || inputs.bump == 'true' }} run: | git add package.json lerna.json yarn.lock packages public test -e e2e/test-plugins && git add e2e/test-plugins 
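Review bot: `previous: ${{inputs.previous_version}}` references an input that the `inputs:` hunk of this file earlier in the patch does not declare (`version`, `target`, `changelog`, `bump` and `dry_run` are); unless `previous_version` is defined elsewhere in the `on:` block, the expression evaluates to an empty string and the changelog action receives `previous: ''`. Either declare it, e.g. `previous_version:` with `required: false`, `type: string` and a description, or drop the line, and for consistency with every other expression in the file write it as `${{ inputs.previous_version }}`. The `create-prs` job continues outside the hunk.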
@@ -167,28 +172,8 @@ jobs: - name: Git push if: inputs.dry_run != true - run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION" - - - name: Create PR without backports - if: "${{ inputs.backport == '' }}" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - BRANCH: ${{ steps.branch.outputs.branch }} - run: | - LATEST_FLAG="" - if [ "$LATEST" = "true" ]; then - LATEST_FLAG=(-l "release/latest") - fi - gh pr create \ - "${LATEST_FLAG[@]}" \ - -l "no-changelog" \ - --dry-run="$DRY_RUN" \ - -B "$BRANCH" \ - --title "Release: $VERSION" \ - --body "These code changes must be merged after a release is complete" - - - name: Create PR with backports - if: "${{ inputs.backport != '' }}" + run: git push + - name: Create PR env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} BRANCH: ${{ steps.branch.outputs.branch }}
@@ -199,7 +184,6 @@ jobs: fi gh pr create \ "${LATEST_FLAG[@]}" \ - -l "product-approved" \ -l "no-changelog" \ --dry-run="$DRY_RUN" \ -B "$BRANCH" \
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index fba4a80be24..eac536c3db5 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -29,3 +29,6 @@ rules: - pr-commands.yml - pr-patch-check-event.yml - run-dashboard-search-e2e.yml + excessive-permissions: + ignore: + - release-comms.yml
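Review bot: The retained context line `BRANCH: ${{ steps.branch.outputs.branch }}` still points at the `Get release branch` step (`id: branch`) that this patch deletes earlier in release-pr.yml, so `BRANCH` is now empty and the `gh pr create -B "$BRANCH"` in the next hunk targets an empty base; it should read `BRANCH: ${{ env.RELEASE_BRANCH }}`, matching the new checkout. Separately, when both `changelog` and `bump` are false, the job still pushes a branch with no new commits and then calls `gh pr create`, which as far as I can tell cannot succeed without commits; guarding the push and `Create PR` steps with `if: inputs.dry_run != true && (inputs.changelog || inputs.bump)` would make the no-op explicit instead of a late failure. The `gh pr create` invocation and its flags continue in the following hunk.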
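Review bot: Adding `release-comms.yml` to the `excessive-permissions` ignore list silences a finding that this same patch creates by moving `contents: write`, `pull-requests: write` and `id-token: write` to the workflow level in release-comms.yml; the fix is to scope those grants per job there and leave this audit enabled. If the ignore has to stay, a one-line comment above the entry stating why the workflow-level grant is required would keep the exception reviewable.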