CI: Fix release-comms workflow (#104968)

* pass around github_token

.github/workflows/changelog.yml

@@ -81,13 +81,13 @@ jobs:
           ref: main
           sparse-checkout: |
             .github/workflows
+            .github/actions
             CHANGELOG.md
             .nvmrc
             .prettierignore
             .prettierrc.js
           fetch-depth: 0
           fetch-tags: true
-          persist-credentials: false
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:

.github/workflows/community-release.yml

@@ -37,7 +37,6 @@ jobs:
         with:
           # Secrets placed in the ci/repo/grafana/grafana/community_release path in Vault
           repo_secrets: |
-            GRAFANA_MISC_STATS_API_KEY=community_release:GRAFANA_MISC_STATS_API_KEY
             GRAFANABOT_FORUM_KEY=community_release:GRAFANABOT_FORUM_KEY
 
       - name: Run community-release (manually invoked)
@@ -45,7 +44,6 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ inputs.version }}
-          metrics_api_key: ${{ env.GRAFANA_MISC_STATS_API_KEY }}
           community_api_key: ${{ env.GRAFANABOT_FORUM_KEY }}
           community_api_username: grafanabot
           dry_run: ${{ inputs.dry_run }}

.github/workflows/github-release.yml

@@ -40,19 +40,10 @@ jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana/github_release path in Vault
-          repo_secrets: |
-            GRAFANA_MISC_STATS_API_KEY=github_release:GRAFANA_MISC_STATS_API_KEY
-
       - name: Create GitHub release (manually invoked)
         uses: grafana/grafana-github-actions-go/github-release@main # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ inputs.version }}
-          metrics_api_key: ${{ env.GRAFANA_MISC_STATS_API_KEY }}
           latest: ${{ inputs.latest }}
           dry_run: ${{ inputs.dry_run }}

.github/workflows/release-comms.yml

@@ -21,13 +21,13 @@ on:
     - 'main'
     - 'release-*.*.*'
 
-permissions: {}
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
 
 jobs:
   setup:
-    permissions:
-      contents: read
-      id-token: write
     if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')) }}
     name: Setup and establish latest
     outputs:
@@ -35,6 +35,8 @@ jobs:
       release_branch: ${{ steps.output.outputs.release_branch }}
       dry_run: ${{ steps.output.outputs.dry_run }}
       latest: ${{ steps.output.outputs.latest }}
+      private_key: ${{ steps.output.outputs.delivery_bot_pem }}
+      app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
     env:
       HEAD_REF: ${{ github.head_ref }}
       DRY_RUN: ${{ inputs.dry_run }}
@@ -42,6 +44,13 @@ jobs:
       VERSION: ${{ inputs.version }}
     runs-on: ubuntu-latest
     steps:
+    - name: "Get vault secrets"
+      id: vault-secrets
+      uses: grafana/shared-workflows/actions/get-vault-secrets@main
+      with:
+        # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+        repo_secrets: |
+          GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
     - if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
       run: |
         {

.github/workflows/release-pr.yml

@@ -15,15 +15,19 @@ on:
       version:
         required: true
         type: string
-        description: The version of Grafana that is being released
+        description: The version of Grafana that is being released (without the `v` prefix)`
       target:
         required: true
         type: string
         description: The release branch pattern (eg v9.5.x) that these changes are being merged into
-      backport:
+      changelog:
         required: false
-        type: string
+        type: boolean
-        description: Branch to backport these changes to
+        default: true
+      bump:
+        required: false
+        type: boolean
+        default: true
       dry_run:
         required: false
         default: false
@@ -41,6 +45,7 @@ jobs:
   push-changelog-to-main:
     permissions:
       contents: write
+      id-token: write
       pull-requests: write
     name: Create PR to main to update the changelog
     uses: ./.github/workflows/changelog.yml
@@ -54,6 +59,7 @@ jobs:
   create-prs:
     permissions:
       contents: write
+      id-token: write
       pull-requests: write
     name: Create Release PR
     runs-on: ubuntu-latest
@@ -70,29 +76,20 @@ jobs:
           # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
           repo_secrets: |
             GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: Get release branch
+      - run: echo "RELEASE_BRANCH=release-${VERSION}" >> "$GITHUB_ENV"
-        id: branch
-        uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          ownerRepo: 'grafana/grafana'
-          pattern: ${{ inputs.target }}
       - name: Checkout Grafana
         uses: actions/checkout@v4
         with:
-          ref: ${{ steps.branch.outputs.branch }}
+          ref: ${{ env.RELEASE_BRANCH }}
           fetch-tags: true
-          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
-          persist-credentials: false
       - name: Checkout Grafana (main)
         uses: actions/checkout@v4
         with:
           ref: main
           fetch-depth: '0'
-          fetch-tags: 'false'
           path: .grafana-main
-          token: ${{ secrets.GITHUB_TOKEN }}
+
-          persist-credentials: false
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:
@@ -104,8 +101,9 @@ jobs:
           git config --local --add --bool push.autoSetupRemote true
 
       - name: Create branch
-        run: git checkout -b "release/${{ github.run_id }}/$VERSION"
+        run: git checkout -b "release/${{ github.run_number }}/$VERSION"
       - name: Generate changelog token
+        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
         id: generate_changelog_token
         uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
@@ -113,12 +111,15 @@ jobs:
           private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: Generate changelog
         id: changelog
+        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
         uses: ./.grafana-main/.github/actions/changelog
         with:
+          previous: ${{inputs.previous_version}}
           github_token: ${{ steps.generate_changelog_token.outputs.token }}
           target: v${{ env.VERSION }}
           output_file: changelog_items.md
       - name: Patch CHANGELOG.md
+        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
         run: |
           # Prepare CHANGELOG.md content with version delimiters
           (
@@ -150,16 +151,20 @@ jobs:
 
           git diff CHANGELOG.md
       - name: "Prettify CHANGELOG.md"
+        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
         run: npx prettier --write CHANGELOG.md
       - name: Commit CHANGELOG.md changes
+        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
         run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md
 
       - name: Update package.json versions
+        if: ${{ inputs.bump == true || inputs.bump == 'true' }}
         uses: ./.grafana-main/pkg/build/actions/bump-version
         with:
           version: 'patch'
 
       - name: Add package.json changes
+        if: ${{ inputs.bump == true || inputs.bump == 'true' }}
         run: |
           git add package.json lerna.json yarn.lock packages public
           test -e e2e/test-plugins && git add e2e/test-plugins
@@ -167,28 +172,8 @@ jobs:
 
       - name: Git push
         if: inputs.dry_run != true
-        run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
+        run: git push
-
+      - name: Create PR
-      - name: Create PR without backports
-        if: "${{ inputs.backport == '' }}"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BRANCH: ${{ steps.branch.outputs.branch }}
-        run: |
-          LATEST_FLAG=""
-          if [ "$LATEST" = "true" ]; then
-            LATEST_FLAG=(-l "release/latest")
-          fi
-          gh pr create \
-            "${LATEST_FLAG[@]}" \
-            -l "no-changelog" \
-            --dry-run="$DRY_RUN" \
-            -B "$BRANCH" \
-            --title "Release: $VERSION" \
-            --body "These code changes must be merged after a release is complete"
-
-      - name: Create PR with backports
-        if: "${{ inputs.backport != '' }}"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           BRANCH: ${{ steps.branch.outputs.branch }}
@@ -199,7 +184,6 @@ jobs:
           fi
           gh pr create \
             "${LATEST_FLAG[@]}" \
-            -l "product-approved" \
             -l "no-changelog" \
             --dry-run="$DRY_RUN" \
             -B "$BRANCH" \

.github/zizmor.yml

@@ -29,3 +29,6 @@ rules:
       - pr-commands.yml
       - pr-patch-check-event.yml
       - run-dashboard-search-e2e.yml
+  excessive-permissions:
+    ignore:
+      - release-comms.yml