apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[v10.4.x] CI: Add github app token generation in pipelines that use GITHUB_TOKEN (#96870)

Browse Source 
CI: Add github app token generation in pipelines that use GITHUB_TOKEN (#96646)

* Add github app token generation in pipelines that use GITHUB_TOKEN

* ci?

* clone gh repo using x-access-token user

* address linting issues

* use mounted volume for exporting token

* remove unused github_token env var swagger gen step

* replace pat on release_pr pipepline

* cleanup GH PAT references

* linting

* Update scripts/drone/steps/lib.star

* make drone

---------

Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>
(cherry picked from commit 2400483d6c)
pull/97128/head
Kevin Minehart 7 months ago committed by GitHub
parent 0746eae720
commit ae50f0195d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 546 additions and 111 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 385
      .drone.yml
  2. 13
      scripts/drone/events/release.star
  3. 12
      scripts/drone/pipelines/benchmarks.star
  4. 7
      scripts/drone/pipelines/build.star
  5. 8
      scripts/drone/pipelines/integration_tests.star
  6. 11
      scripts/drone/pipelines/lint_backend.star
  7. 15
      scripts/drone/pipelines/lint_frontend.star
  8. 18
      scripts/drone/pipelines/swagger_gen.star
  9. 11
      scripts/drone/pipelines/test_backend.star
  10. 11
      scripts/drone/pipelines/test_frontend.star
  11. 19
      scripts/drone/rgm.star
  12. 40
      scripts/drone/steps/github.star
  13. 96
      scripts/drone/steps/lib.star
  14. 1
      scripts/drone/utils/images.star
  15. 10
      scripts/drone/vault.star

385
.drone.yml
Unescape View File

@ -127,12 +127,27 @@ steps:
- yarn-install
image: node:20.9.0-alpine
name: betterer-frontend
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -142,12 +157,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- yarn run ci:test-frontend
depends_on:
@ -173,6 +190,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -191,12 +210,27 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -206,12 +240,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@ -264,6 +300,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -282,12 +320,27 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -297,12 +350,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@ -372,6 +427,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -401,12 +458,27 @@ steps:
CGO_ENABLED: 0
image: golang:1.22.7-alpine
name: compile-build-cmd
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -416,12 +488,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update make
- make gen-go
@ -468,6 +542,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -486,6 +562,20 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@ -621,10 +711,12 @@ steps:
image: cypress/included:13.1.0
name: end-to-end-tests-various-suite
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- cd /
- ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
depends_on:
- grafana-server
- github-app-generate-token
environment:
AZURE_SP_APP_ID:
from_secret: azure_sp_app_id
@ -633,11 +725,12 @@ steps:
AZURE_TENANT:
from_secret: azure_tenant
CYPRESS_CI: "true"
GITHUB_TOKEN:
from_secret: github_token
HOST: grafana-server
image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.1.0:1.0.0
name: end-to-end-tests-cloud-plugins-suite-azure
volumes:
- name: github-app
path: /github-app
when:
paths:
include:
@ -647,6 +740,7 @@ steps:
repo:
- grafana/grafana
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
false; fi
- apt-get update
@ -666,15 +760,17 @@ steps:
- end-to-end-tests-panels-suite
- end-to-end-tests-smoke-tests-suite
- end-to-end-tests-various-suite
- github-app-generate-token
environment:
E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
from_secret: gcp_upload_artifacts_key
GITHUB_TOKEN:
from_secret: github_token
failure: ignore
image: google/cloud-sdk:431.0.0
name: e2e-tests-artifacts-upload
volumes:
- name: github-app
path: /github-app
when:
status:
- success
@ -760,6 +856,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -823,12 +921,27 @@ services:
image: memcached:1.6.9-alpine
name: memcached
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -838,12 +951,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- mkdir -p bin
- curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v3.1.1/grabpl
@ -1027,6 +1142,8 @@ volumes:
- name: mysql80
temp:
medium: memory
- name: github-app
temp: {}
---
clone:
retries: 3
@ -1157,23 +1274,44 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
grafana-enterprise
- cd grafana-enterprise
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
elif git checkout main; then echo "git checkout main"; else git checkout main;
fi
environment:
GITHUB_TOKEN:
from_secret: github_token
elif git checkout ${DRONE_TARGET_BRANCH}; then echo "git checkout ${DRONE_TARGET_BRANCH}";
else git checkout main; fi
- cd ../
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update git make
- make swagger-clean && make openapi3-gen
@ -1184,9 +1322,6 @@ steps:
fi
depends_on:
- clone-enterprise
environment:
GITHUB_TOKEN:
from_secret: github_token
image: golang:1.22.7-alpine
name: swagger-gen
trigger:
@ -1203,6 +1338,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -1266,9 +1403,24 @@ services:
image: memcached:1.6.9-alpine
name: memcached
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- GITHUB_TOKEN=$(cat /github-app/token)
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -1278,12 +1430,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
depends_on: []
@ -1380,6 +1534,8 @@ volumes:
- name: mysql80
temp:
medium: memory
- name: github-app
temp: {}
---
clone:
retries: 3
@ -1759,6 +1915,20 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@ -1893,10 +2063,12 @@ steps:
image: cypress/included:13.1.0
name: end-to-end-tests-various-suite
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- cd /
- ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
depends_on:
- grafana-server
- github-app-generate-token
environment:
AZURE_SP_APP_ID:
from_secret: azure_sp_app_id
@ -1905,11 +2077,12 @@ steps:
AZURE_TENANT:
from_secret: azure_tenant
CYPRESS_CI: "true"
GITHUB_TOKEN:
from_secret: github_token
HOST: grafana-server
image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.1.0:1.0.0
name: end-to-end-tests-cloud-plugins-suite-azure
volumes:
- name: github-app
path: /github-app
when:
paths:
include:
@ -1919,6 +2092,7 @@ steps:
repo:
- grafana/grafana
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
false; fi
- apt-get update
@ -1938,15 +2112,17 @@ steps:
- end-to-end-tests-panels-suite
- end-to-end-tests-smoke-tests-suite
- end-to-end-tests-various-suite
- github-app-generate-token
environment:
E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
from_secret: gcp_upload_artifacts_key
GITHUB_TOKEN:
from_secret: github_token
failure: ignore
image: google/cloud-sdk:431.0.0
name: e2e-tests-artifacts-upload
volumes:
- name: github-app
path: /github-app
when:
status:
- success
@ -2151,6 +2327,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -2736,6 +2914,7 @@ platform:
services: []
steps:
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- apk add perl
- v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
- curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@ -2744,10 +2923,11 @@ steps:
depends_on: []
environment:
GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
GITHUB_TOKEN:
from_secret: github_token
image: byrnedo/alpine-curl:0.1.8
name: create-release-pr
volumes:
- name: github-app
path: /github-app
trigger:
event:
- promote
@ -2757,6 +2937,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -2806,6 +2988,21 @@ steps:
image: grafana/grafana-ci-deploy:1.3.3
name: publish-storybook
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- apk add perl
- v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
- curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@ -2813,12 +3010,14 @@ steps:
-f latest=$${LATEST} --repo=grafana/grafana release-pr.yml
depends_on:
- publish-artifacts
- github-app-generate-token
environment:
GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
GITHUB_TOKEN:
from_secret: github_token
image: byrnedo/alpine-curl:0.1.8
name: create-release-pr
volumes:
- name: github-app
path: /github-app
trigger:
event:
- promote
@ -3278,6 +3477,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_main.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@ -3297,8 +3497,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.22.7
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -3317,6 +3515,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
trigger:
branch: main
event:
@ -3352,6 +3552,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_tag_grafana.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@ -3371,8 +3572,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.22.7
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -3391,6 +3590,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
trigger:
event:
exclude:
@ -3513,6 +3714,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_tag_grafana.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@ -3532,8 +3734,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.22.7
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -3552,6 +3752,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
trigger:
ref:
- refs/heads/v[0-9]*
@ -3751,6 +3953,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_nightly_grafana.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@ -3770,8 +3973,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.22.7
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -3790,6 +3991,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
- commands:
- mkdir -p $${DESTINATION}/$${DRONE_BUILD_EVENT}
- printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
@ -3814,8 +4017,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
GPG_PRIVATE_KEY:
@ -3880,8 +4081,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
GPG_PRIVATE_KEY:
@ -3896,6 +4095,7 @@ steps:
name: rgm-copy
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_publish_nightly_grafana.sh
depends_on:
- rgm-copy
@ -3917,8 +4117,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.22.7
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -3937,6 +4135,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
- depends_on:
- rgm-publish
image: us.gcr.io/kubernetes-dev/package-publish:latest
@ -4006,8 +4206,25 @@ platform:
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- 'dagger run --silent /src/grafana-build artifacts -a $${ARTIFACTS} --grafana-ref=$${GRAFANA_REF}
--enterprise-ref=$${ENTERPRISE_REF} --grafana-repo=$${GRAFANA_REPO} --version=$${VERSION} '
depends_on:
- github-app-generate-token
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
from_secret: dagger_token
@ -4026,8 +4243,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.22.7
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -4046,6 +4261,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
- commands:
- printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
- gcloud auth activate-service-account --key-file=/tmp/key.json
@ -4067,8 +4284,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
GPG_PRIVATE_KEY:
@ -4629,6 +4844,7 @@ steps:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM koalaman/shellcheck:stable
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM rockylinux:9
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM scottyhardy/docker-wine:stable-9.0
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
depends_on:
- authenticate-gcr
image: aquasec/trivy:0.21.0
@ -4666,6 +4882,7 @@ steps:
- trivy --exit-code 1 --severity HIGH,CRITICAL koalaman/shellcheck:stable
- trivy --exit-code 1 --severity HIGH,CRITICAL rockylinux:9
- trivy --exit-code 1 --severity HIGH,CRITICAL scottyhardy/docker-wine:stable-9.0
- trivy --exit-code 1 --severity HIGH,CRITICAL us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
depends_on:
- authenticate-gcr
environment:
@ -4698,6 +4915,24 @@ volumes:
- name: config
temp: {}
---
get:
name: app-id
path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-app-id
---
get:
name: app-installation-id
path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-installation-id
---
get:
name: private-key
path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-private-key
---
get:
name: credentials.json
path: infra/data/ci/grafana-release-eng/grafanauploads
@ -4728,12 +4963,6 @@ get:
kind: secret
name: gar
---
get:
name: pat
path: ci/data/repo/grafana/grafana/grafanabot
kind: secret
name: github_token
---
get:
name: machine-user-token
path: infra/data/ci/drone
@ -4897,6 +5126,6 @@ kind: secret
name: gcr_credentials
---
kind: signature
hmac: 046471b0eef4e59d1a6c78850e497a67ae3cfabea2b82c148084a84e43496ce7
hmac: d5afbd3e3107644d41932a47ef3722072b03617f16c2d41550faacf50107fe1a
...

13
scripts/drone/events/release.star
Unescape View File

@ -7,6 +7,12 @@ load(
"integration_test_services",
"integration_test_services_volumes",
)
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
"github_app_step_volumes",
)
load(
"scripts/drone/steps/lib.star",
"compile_build_cmd",
@ -69,10 +75,10 @@ def release_pr_step(depends_on = []):
"image": images["curl"],
"depends_on": depends_on,
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
"GH_CLI_URL": "https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz",
},
"commands": [
"export GITHUB_TOKEN=$(cat /github-app/token)",
"apk add perl",
"v_target=`echo $${{TAG}} | perl -pe 's/{}/v\\1.\\2.x/'`".format(semver_regex),
# Install gh CLI
@ -86,6 +92,7 @@ def release_pr_step(depends_on = []):
"-f latest=$${LATEST} " +
"--repo=grafana/grafana release-pr.yml",
],
"volumes": github_app_step_volumes(),
}
def release_npm_packages_step():
@ -149,7 +156,8 @@ def publish_artifacts_pipelines(mode):
compile_build_cmd(),
publish_artifacts_step(),
publish_storybook_step(),
release_pr_step(depends_on = ["publish-artifacts"]),
github_app_generate_token_step(),
release_pr_step(depends_on = ["publish-artifacts", github_app_generate_token_step()["name"]]),
]
return [
@ -162,6 +170,7 @@ def publish_artifacts_pipelines(mode):
steps = [
release_pr_step(),
],
volumes = github_app_pipeline_volumes(),
),
pipeline(
name = "publish-artifacts-{}".format(mode),

12
scripts/drone/pipelines/benchmarks.star
Unescape View File

@ -7,6 +7,11 @@ load(
"integration_test_services",
"integration_test_services_volumes",
)
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"compile_build_cmd",
@ -32,10 +37,13 @@ def integration_benchmarks(prefix):
environment = {"EDITION": "oss"}
services = integration_test_services()
volumes = integration_test_services_volumes()
volumes = integration_test_services_volumes() + github_app_pipeline_volumes()
# In pull requests, attempt to clone grafana enterprise.
init_steps = [enterprise_setup_step(isPromote = True)]
init_steps = [
github_app_generate_token_step(),
enterprise_setup_step(isPromote = True),
]
verify_step = verify_gen_cue_step()
verify_jsonnet_step = verify_gen_jsonnet_step()

7
scripts/drone/pipelines/build.star
Unescape View File

@ -1,5 +1,10 @@
"""This module contains the comprehensive build pipeline."""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"build_frontend_package_step",
@ -54,6 +59,7 @@ def build_e2e(trigger, ver_mode):
environment = {"EDITION": "oss"}
init_steps = [
github_app_generate_token_step(),
identify_runner_step(),
download_grabpl_step(),
compile_build_cmd(),
@ -166,4 +172,5 @@ def build_e2e(trigger, ver_mode):
services = [],
steps = init_steps + build_steps,
trigger = trigger,
volumes = github_app_pipeline_volumes(),
)

8
scripts/drone/pipelines/integration_tests.star
Unescape View File

@ -7,6 +7,11 @@ load(
"integration_test_services",
"integration_test_services_volumes",
)
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"compile_build_cmd",
@ -50,8 +55,11 @@ def integration_tests(trigger, prefix, ver_mode = "pr"):
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
init_steps.append(github_app_generate_token_step())
init_steps.append(enterprise_setup_step())
volumes += github_app_pipeline_volumes()
init_steps += [
download_grabpl_step(),
compile_build_cmd(),

11
scripts/drone/pipelines/lint_backend.star
Unescape View File

@ -2,6 +2,11 @@
This module returns the pipeline used for linting backend code.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"compile_build_cmd",
@ -38,10 +43,15 @@ def lint_backend_pipeline(trigger, ver_mode):
compile_build_cmd(),
]
volumes = []
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
init_steps.append(github_app_generate_token_step())
init_steps.append(enterprise_setup_step())
volumes += github_app_pipeline_volumes()
init_steps.append(wire_step)
test_steps = [
@ -59,4 +69,5 @@ def lint_backend_pipeline(trigger, ver_mode):
services = [],
steps = init_steps + test_steps,
environment = environment,
volumes = volumes,
)

15
scripts/drone/pipelines/lint_frontend.star
Unescape View File

@ -2,6 +2,11 @@
This module returns the pipeline used for linting frontend code.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"enterprise_setup_step",
@ -31,9 +36,16 @@ def lint_frontend_pipeline(trigger, ver_mode):
lint_step = lint_frontend_step()
i18n_step = verify_i18n_step()
volumes = []
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
init_steps = [enterprise_setup_step()]
init_steps = [
github_app_generate_token_step(),
enterprise_setup_step(),
]
volumes += github_app_pipeline_volumes()
init_steps += [
identify_runner_step(),
@ -50,4 +62,5 @@ def lint_frontend_pipeline(trigger, ver_mode):
services = [],
steps = init_steps + test_steps,
environment = environment,
volumes = volumes,
)

18
scripts/drone/pipelines/swagger_gen.star
Unescape View File

@ -2,9 +2,14 @@
This module returns all pipelines used in OpenAPI specification generation of Grafana HTTP APIs
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"clone_enterprise_step_pr",
"enterprise_setup_step",
)
load(
"scripts/drone/utils/images.star",
@ -14,10 +19,6 @@ load(
"scripts/drone/utils/utils.star",
"pipeline",
)
load(
"scripts/drone/vault.star",
"from_secret",
)
def swagger_gen_step(ver_mode):
if ver_mode != "pr":
@ -26,9 +27,6 @@ def swagger_gen_step(ver_mode):
return {
"name": "swagger-gen",
"image": images["go"],
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
},
"commands": [
"apk add --update git make",
"make swagger-clean && make openapi3-gen",
@ -42,7 +40,8 @@ def swagger_gen_step(ver_mode):
def swagger_gen(trigger, ver_mode, source = "${DRONE_SOURCE_BRANCH}"):
test_steps = [
clone_enterprise_step_pr(source = source, canFail = True),
github_app_generate_token_step(),
enterprise_setup_step(source = source, canFail = True),
swagger_gen_step(ver_mode = ver_mode),
]
@ -51,6 +50,7 @@ def swagger_gen(trigger, ver_mode, source = "${DRONE_SOURCE_BRANCH}"):
trigger = trigger,
services = [],
steps = test_steps,
volumes = github_app_pipeline_volumes(),
)
return p

11
scripts/drone/pipelines/test_backend.star
Unescape View File

@ -2,6 +2,11 @@
This module returns the pipeline used for testing backend code.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"enterprise_setup_step",
@ -34,10 +39,15 @@ def test_backend(trigger, ver_mode):
verify_step = verify_gen_cue_step()
verify_jsonnet_step = verify_gen_jsonnet_step()
volumes = []
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
steps.append(github_app_generate_token_step())
steps.append(enterprise_setup_step())
volumes += github_app_pipeline_volumes()
steps += [
identify_runner_step(),
verify_step,
@ -52,4 +62,5 @@ def test_backend(trigger, ver_mode):
trigger = trigger,
steps = steps,
environment = environment,
volumes = volumes,
)

11
scripts/drone/pipelines/test_frontend.star
Unescape View File

@ -2,6 +2,11 @@
This module returns the pipeline used for testing backend code.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"betterer_frontend_step",
@ -35,10 +40,15 @@ def test_frontend(trigger, ver_mode):
test_step = test_frontend_step()
volumes = []
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
steps.append(github_app_generate_token_step())
steps.append(enterprise_setup_step())
volumes += github_app_pipeline_volumes()
steps.append(test_step)
return pipeline(
@ -46,4 +56,5 @@ def test_frontend(trigger, ver_mode):
trigger = trigger,
steps = steps,
environment = environment,
volumes = volumes,
)

19
scripts/drone/rgm.star
Unescape View File

@ -20,6 +20,11 @@ load(
"scripts/drone/pipelines/whats_new_checker.star",
"whats_new_checker_pipeline",
)
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_step_volumes",
)
load(
"scripts/drone/utils/images.star",
"images",
@ -42,7 +47,6 @@ load(
"rgm_destination",
"rgm_downloads_destination",
"rgm_gcp_key_base64",
"rgm_github_token",
"rgm_storybook_destination",
)
@ -111,7 +115,6 @@ def rgm_env_secrets(env):
env["DOWNLOADS_DESTINATION"] = from_secret(rgm_downloads_destination)
env["GCP_KEY_BASE64"] = from_secret(rgm_gcp_key_base64)
env["GITHUB_TOKEN"] = from_secret(rgm_github_token)
env["_EXPERIMENTAL_DAGGER_CLOUD_TOKEN"] = from_secret(rgm_dagger_token)
env["GPG_PRIVATE_KEY"] = from_secret("packages_gpg_private_key")
env["GPG_PUBLIC_KEY"] = from_secret("packages_gpg_public_key")
@ -142,12 +145,13 @@ def rgm_run(name, script):
"pull": "always",
"commands": [
"export GRAFANA_DIR=$$(pwd)",
"export GITHUB_TOKEN=$(cat /github-app/token)",
"cd /src && ./scripts/{}".format(script),
],
"environment": rgm_env_secrets(env),
# The docker socket is a requirement for running dagger programs
# In the future we should find a way to use dagger without mounting the docker socket.
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}] + github_app_step_volumes(),
}
return [
@ -345,6 +349,7 @@ def rgm_promotion_pipeline():
"image": "grafana/grafana-build:main",
"pull": "always",
"commands": [
"export GITHUB_TOKEN=$(cat /github-app/token)",
"dagger run --silent /src/grafana-build artifacts " +
"-a $${ARTIFACTS} " +
"--grafana-ref=$${GRAFANA_REF} " +
@ -355,12 +360,16 @@ def rgm_promotion_pipeline():
"environment": rgm_env_secrets(env),
# The docker socket is a requirement for running dagger programs
# In the future we should find a way to use dagger without mounting the docker socket.
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}] + github_app_step_volumes(),
}
generate_token_step = github_app_generate_token_step()
publish_step = rgm_copy("dist/*", "$${UPLOAD_TO}")
build_step["depends_on"] = [
generate_token_step["name"],
]
steps = [
generate_token_step,
build_step,
publish_step,
]

40
scripts/drone/steps/github.star
Unescape View File

@ -0,0 +1,40 @@
"""
This module is used to interface with the GitHub App to extract temporary installation tokens.
"""
load(
"scripts/drone/utils/images.star",
"images",
)
load(
"scripts/drone/vault.star",
"from_secret",
"github_app_app_id",
"github_app_app_installation_id",
"github_app_private_key",
)
def github_app_step_volumes():
return [
{"name": "github-app", "path": "/github-app"},
]
def github_app_pipeline_volumes():
return [
{"name": "github-app", "temp": {}},
]
def github_app_generate_token_step():
return {
"name": "github-app-generate-token",
"image": images["github_app_secret_writer"],
"environment": {
"GITHUB_APP_ID": from_secret(github_app_app_id),
"GITHUB_APP_INSTALLATION_ID": from_secret(github_app_app_installation_id),
"GITHUB_APP_PRIVATE_KEY": from_secret(github_app_private_key),
},
"commands": [
"echo $(/usr/bin/github-app-external-token) > /github-app/token",
],
"volumes": github_app_step_volumes(),
}

96
scripts/drone/steps/lib.star
Unescape View File

@ -2,6 +2,11 @@
This module is a library of Drone steps and other pipeline components.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_step_volumes",
)
load(
"scripts/drone/steps/rgm.star",
"rgm_build_backend_step",
@ -101,23 +106,25 @@ def clone_enterprise_step_pr(source = "${DRONE_COMMIT}", target = "main", canFai
check = []
else:
check = [
'is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST" | jq .head.repo.fork)',
'is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST" | jq .head.repo.fork)',
'if [ "$is_fork" != false ]; then return 1; fi', # Only clone if we're confident that 'fork' is 'false'. Fail if it's also empty.
]
step = {
"name": "clone-enterprise",
"image": images["git"],
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
},
"commands": [
"apk add --update curl jq bash",
"GITHUB_TOKEN=$(cat /github-app/token)",
] + check + [
'git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git" ' + location,
'git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git" ' + location,
"cd {}".format(location),
'if git checkout {0}; then echo "checked out {0}"; elif git checkout {1}; then echo "git checkout {1}"; else git checkout main; fi'.format(source, target),
],
"depends_on": [
github_app_generate_token_step()["name"],
],
"volumes": github_app_step_volumes(),
}
if canFail:
@ -328,6 +335,7 @@ def e2e_tests_artifacts():
"end-to-end-tests-panels-suite",
"end-to-end-tests-smoke-tests-suite",
"end-to-end-tests-various-suite",
github_app_generate_token_step()["name"],
],
"failure": "ignore",
"when": {
@ -339,9 +347,9 @@ def e2e_tests_artifacts():
"environment": {
"GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY": from_secret(gcp_upload_artifacts_key),
"E2E_TEST_ARTIFACTS_BUCKET": "releng-pipeline-artifacts-dev",
"GITHUB_TOKEN": from_secret("github_token"),
},
"commands": [
"export GITHUB_TOKEN=$(cat /github-app/token)",
# if no videos found do nothing
"if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos'; false; fi",
"apt-get update",
@ -356,15 +364,76 @@ def e2e_tests_artifacts():
'curl -X POST https://api.github.com/repos/${DRONE_REPO}/statuses/${DRONE_COMMIT_SHA} -H "Authorization: token $${GITHUB_TOKEN}" -d ' +
'"{\\"state\\":\\"success\\",\\"target_url\\":\\"$${E2E_ARTIFACTS_VIDEO_ZIP}\\", \\"description\\": \\"Click on the details to download e2e recording videos\\", \\"context\\": \\"e2e_artifacts\\"}"',
],
"volumes": github_app_step_volumes(),
}
def upload_cdn_step(ver_mode, trigger = None):
def playwright_e2e_report_upload():
return {
"name": "playwright-e2e-report-upload",
"image": images["cloudsdk"],
"depends_on": [
"playwright-plugin-e2e",
],
"failure": "ignore",
"when": {
"status": [
"success",
"failure",
],
},
"environment": {
"GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY": from_secret(gcp_upload_artifacts_key),
},
"commands": [
"apt-get update",
"apt-get install -yq zip",
"printenv GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY > /tmp/gcpkey_upload_artifacts.json",
"gcloud auth activate-service-account --key-file=/tmp/gcpkey_upload_artifacts.json",
"gsutil cp -r ./playwright-report/. gs://releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report",
"export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html",
'echo "E2E Playwright report uploaded to: \n $${E2E_PLAYWRIGHT_REPORT_URL}"',
],
}
def playwright_e2e_report_post_link():
return {
"name": "playwright-e2e-report-post-link",
"image": images["curl"],
"depends_on": [
"playwright-e2e-report-upload",
github_app_generate_token_step()["name"],
],
"failure": "ignore",
"when": {
"status": [
"success",
"failure",
],
},
"commands": [
"GITHUB_TOKEN=$(cat /github-app/token)",
# if the trace doesn't folder exists, it means that there are no failed tests.
"if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi",
# if it exists, we will post a comment on the PR with the link to the report
"export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html",
"curl -L " +
"-X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments " +
'-H "Accept: application/vnd.github+json" ' +
'-H "Authorization: Bearer $${GITHUB_TOKEN}" ' +
'-H "X-GitHub-Api-Version: 2022-11-28" -d ' +
'"{\\"body\\":\\"❌ Failed to run Playwright plugin e2e tests. <br /> <br /> Click [here]($${E2E_PLAYWRIGHT_REPORT_URL}) to browse the Playwright report and trace viewer. <br /> For information on how to run Playwright tests locally, refer to the [Developer guide](https://github.com/grafana/grafana/blob/main/contribute/developer-guide.md#to-run-the-playwright-tests). \\"}"',
],
"volumes": github_app_step_volumes(),
}
def upload_cdn_step(ver_mode, trigger = None, depends_on = ["grafana-server"]):
"""Uploads CDN assets using the Grafana build tool.
Args:
ver_mode: only uses the step trigger when ver_mode == 'release-branch' or 'main'
trigger: a Drone trigger for the step.
Defaults to None.
depends_on: names of steps that must run before this one will run.
Returns:
Drone step.
@ -373,9 +442,7 @@ def upload_cdn_step(ver_mode, trigger = None):
step = {
"name": "upload-cdn-assets",
"image": images["publish"],
"depends_on": [
"grafana-server",
],
"depends_on": depends_on,
"environment": {
"GCP_KEY": from_secret(gcp_grafanauploads),
"PRERELEASE_BUCKET": from_secret(prerelease_bucket),
@ -756,7 +823,6 @@ def cloud_plugins_e2e_tests_step(suite, cloud, trigger = None):
environment = {
"CYPRESS_CI": "true",
"HOST": "grafana-server",
"GITHUB_TOKEN": from_secret("github_token"),
"AZURE_SP_APP_ID": from_secret("azure_sp_app_id"),
"AZURE_SP_PASSWORD": from_secret("azure_sp_app_pw"),
"AZURE_TENANT": from_secret("azure_tenant"),
@ -777,9 +843,15 @@ def cloud_plugins_e2e_tests_step(suite, cloud, trigger = None):
"image": "us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.1.0:1.0.0",
"depends_on": [
"grafana-server",
github_app_generate_token_step()["name"],
],
"environment": environment,
"commands": ["cd /", "./cpp-e2e/scripts/ci-run.sh {} {}".format(cloud, branch)],
"commands": [
"GITHUB_TOKEN=$(cat /github-app/token)",
"cd /",
"./cpp-e2e/scripts/ci-run.sh {} {}".format(cloud, branch),
],
"volumes": github_app_step_volumes(),
}
step = dict(step, when = when)
return step

1
scripts/drone/utils/images.star
Unescape View File

@ -36,4 +36,5 @@ images = {
"shellcheck": "koalaman/shellcheck:stable",
"rocky": "rockylinux:9",
"wine": "scottyhardy/docker-wine:stable-9.0",
"github_app_secret_writer": "us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59",
}

10
scripts/drone/vault.star
Unescape View File

@ -9,16 +9,20 @@ gcp_upload_artifacts_key = "gcp_upload_artifacts_key"
gcp_grafanauploads = "gcp_grafanauploads"
gcp_grafanauploads_base64 = "gcp_grafanauploads_base64"
gcp_download_build_container_assets_key = "gcp_download_build_container_assets_key"
azure_sp_app_id = "azure_sp_app_id"
azure_sp_app_pw = "azure_sp_app_pw"
azure_tenant = "azure_tenant"
github_app_app_id = "github-app-app-id"
github_app_app_installation_id = "github-app-installation-id"
github_app_private_key = "github-app-private-key"
rgm_gcp_key_base64 = "gcp_key_base64"
rgm_destination = "destination"
rgm_storybook_destination = "rgm_storybook_destination"
rgm_cdn_destination = "rgm_cdn_destination"
rgm_downloads_destination = "rgm_downloads_destination"
rgm_github_token = "github_token"
rgm_dagger_token = "dagger_token"
docker_username = "docker_username"
@ -41,12 +45,14 @@ def vault_secret(name, path, key):
def secrets():
return [
vault_secret(github_app_app_id, "ci/data/repo/grafana/grafana/github-app", "app-id"),
vault_secret(github_app_app_installation_id, "ci/data/repo/grafana/grafana/github-app", "app-installation-id"),
vault_secret(github_app_private_key, "ci/data/repo/grafana/grafana/github-app", "private-key"),
vault_secret(gcp_grafanauploads, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials.json"),
vault_secret(gcp_grafanauploads_base64, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials_base64"),
vault_secret("grafana_api_key", "infra/data/ci/grafana-release-eng/grafanacom", "api_key"),
vault_secret(gcr_pull_secret, "secret/data/common/gcr", ".dockerconfigjson"),
vault_secret(gar_pull_secret, "secret/data/common/gar", ".dockerconfigjson"),
vault_secret("github_token", "ci/data/repo/grafana/grafana/grafanabot", "pat"),
vault_secret(drone_token, "infra/data/ci/drone", "machine-user-token"),
vault_secret(prerelease_bucket, "infra/data/ci/grafana/prerelease", "bucket"),
vault_secret(docker_username, "infra/data/ci/grafanaci-docker-hub", "username"),

Write Preview
Loading…
Cancel
Save