[v10.4.x] CI: Add github app token generation in pipelines that use GITHUB_TOKEN (#96870)

CI: Add github app token generation in pipelines that use GITHUB_TOKEN (#96646)

* Add github app token generation in pipelines that use GITHUB_TOKEN

* ci?

* clone gh repo using x-access-token user

* address linting issues

* use mounted volume for exporting token

* remove unused github_token env var swagger gen step

* replace pat on release_pr pipepline

* cleanup GH PAT references

* linting

* Update scripts/drone/steps/lib.star

* make drone

---------

Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>
(cherry picked from commit 2400483d6c)

.drone.yml

@@ -127,12 +127,27 @@ steps:
   - yarn-install
   image: node:20.9.0-alpine
   name: betterer-frontend
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -142,12 +157,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - yarn run ci:test-frontend
   depends_on:
@@ -173,6 +190,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -191,12 +210,27 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -206,12 +240,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - echo $DRONE_RUNNER_NAME
   image: alpine:3.20.3
@@ -264,6 +300,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -282,12 +320,27 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -297,12 +350,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - echo $DRONE_RUNNER_NAME
   image: alpine:3.20.3
@@ -372,6 +427,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -401,12 +458,27 @@ steps:
     CGO_ENABLED: 0
   image: golang:1.22.7-alpine
   name: compile-build-cmd
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -416,12 +488,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update make
   - make gen-go
@@ -468,6 +542,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -486,6 +562,20 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - echo $DRONE_RUNNER_NAME
   image: alpine:3.20.3
@@ -621,10 +711,12 @@ steps:
   image: cypress/included:13.1.0
   name: end-to-end-tests-various-suite
 - commands:
+  - GITHUB_TOKEN=$(cat /github-app/token)
   - cd /
   - ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
   depends_on:
   - grafana-server
+  - github-app-generate-token
   environment:
     AZURE_SP_APP_ID:
       from_secret: azure_sp_app_id
@@ -633,11 +725,12 @@ steps:
     AZURE_TENANT:
       from_secret: azure_tenant
     CYPRESS_CI: "true"
-    GITHUB_TOKEN:
-      from_secret: github_token
     HOST: grafana-server
   image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.1.0:1.0.0
   name: end-to-end-tests-cloud-plugins-suite-azure
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     paths:
       include:
@@ -647,6 +740,7 @@ steps:
     repo:
     - grafana/grafana
 - commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
     false; fi
   - apt-get update
@@ -666,15 +760,17 @@ steps:
   - end-to-end-tests-panels-suite
   - end-to-end-tests-smoke-tests-suite
   - end-to-end-tests-various-suite
+  - github-app-generate-token
   environment:
     E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
     GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
       from_secret: gcp_upload_artifacts_key
-    GITHUB_TOKEN:
-      from_secret: github_token
   failure: ignore
   image: google/cloud-sdk:431.0.0
   name: e2e-tests-artifacts-upload
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     status:
     - success
@@ -760,6 +856,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -823,12 +921,27 @@ services:
   image: memcached:1.6.9-alpine
   name: memcached
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -838,12 +951,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - mkdir -p bin
   - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v3.1.1/grabpl
@@ -1027,6 +1142,8 @@ volumes:
 - name: mysql80
   temp:
     medium: memory
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -1157,23 +1274,44 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
-    grafana-enterprise
+    ../grafana-enterprise
-  - cd grafana-enterprise
+  - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
-    elif git checkout main; then echo "git checkout main"; else git checkout main;
+    elif git checkout ${DRONE_TARGET_BRANCH}; then echo "git checkout ${DRONE_TARGET_BRANCH}";
-    fi
+    else git checkout main; fi
-  environment:
+  - cd ../
-    GITHUB_TOKEN:
+  - ln -s src grafana
-      from_secret: github_token
+  - cd ./grafana-enterprise
+  - ./build.sh
+  depends_on:
+  - github-app-generate-token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update git make
   - make swagger-clean && make openapi3-gen
@@ -1184,9 +1322,6 @@ steps:
     fi
   depends_on:
   - clone-enterprise
-  environment:
-    GITHUB_TOKEN:
-      from_secret: github_token
   image: golang:1.22.7-alpine
   name: swagger-gen
 trigger:
@@ -1203,6 +1338,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -1266,9 +1403,24 @@ services:
   image: memcached:1.6.9-alpine
   name: memcached
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -1278,12 +1430,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
   depends_on: []
@@ -1380,6 +1534,8 @@ volumes:
 - name: mysql80
   temp:
     medium: memory
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -1759,6 +1915,20 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - echo $DRONE_RUNNER_NAME
   image: alpine:3.20.3
@@ -1893,10 +2063,12 @@ steps:
   image: cypress/included:13.1.0
   name: end-to-end-tests-various-suite
 - commands:
+  - GITHUB_TOKEN=$(cat /github-app/token)
   - cd /
   - ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
   depends_on:
   - grafana-server
+  - github-app-generate-token
   environment:
     AZURE_SP_APP_ID:
       from_secret: azure_sp_app_id
@@ -1905,11 +2077,12 @@ steps:
     AZURE_TENANT:
       from_secret: azure_tenant
     CYPRESS_CI: "true"
-    GITHUB_TOKEN:
-      from_secret: github_token
     HOST: grafana-server
   image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.1.0:1.0.0
   name: end-to-end-tests-cloud-plugins-suite-azure
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     paths:
       include:
@@ -1919,6 +2092,7 @@ steps:
     repo:
     - grafana/grafana
 - commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
     false; fi
   - apt-get update
@@ -1938,15 +2112,17 @@ steps:
   - end-to-end-tests-panels-suite
   - end-to-end-tests-smoke-tests-suite
   - end-to-end-tests-various-suite
+  - github-app-generate-token
   environment:
     E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
     GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
       from_secret: gcp_upload_artifacts_key
-    GITHUB_TOKEN:
-      from_secret: github_token
   failure: ignore
   image: google/cloud-sdk:431.0.0
   name: e2e-tests-artifacts-upload
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     status:
     - success
@@ -2151,6 +2327,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -2736,6 +2914,7 @@ platform:
 services: []
 steps:
 - commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - apk add perl
   - v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
   - curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@@ -2744,10 +2923,11 @@ steps:
   depends_on: []
   environment:
     GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
-    GITHUB_TOKEN:
-      from_secret: github_token
   image: byrnedo/alpine-curl:0.1.8
   name: create-release-pr
+  volumes:
+  - name: github-app
+    path: /github-app
 trigger:
   event:
   - promote
@@ -2757,6 +2937,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -2806,6 +2988,21 @@ steps:
   image: grafana/grafana-ci-deploy:1.3.3
   name: publish-storybook
 - commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
+- commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - apk add perl
   - v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
   - curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@@ -2813,12 +3010,14 @@ steps:
     -f latest=$${LATEST} --repo=grafana/grafana release-pr.yml
   depends_on:
   - publish-artifacts
+  - github-app-generate-token
   environment:
     GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
-    GITHUB_TOKEN:
-      from_secret: github_token
   image: byrnedo/alpine-curl:0.1.8
   name: create-release-pr
+  volumes:
+  - name: github-app
+    path: /github-app
 trigger:
   event:
   - promote
@@ -3278,6 +3477,7 @@ services: []
 steps:
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_build_main.sh
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -3297,8 +3497,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.22.7
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -3317,6 +3515,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 trigger:
   branch: main
   event:
@@ -3352,6 +3552,7 @@ services: []
 steps:
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_build_tag_grafana.sh
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -3371,8 +3572,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.22.7
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -3391,6 +3590,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 trigger:
   event:
     exclude:
@@ -3513,6 +3714,7 @@ services: []
 steps:
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_build_tag_grafana.sh
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -3532,8 +3734,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.22.7
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -3552,6 +3752,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 trigger:
   ref:
   - refs/heads/v[0-9]*
@@ -3751,6 +3953,7 @@ services: []
 steps:
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_build_nightly_grafana.sh
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -3770,8 +3973,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.22.7
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -3790,6 +3991,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 - commands:
   - mkdir -p $${DESTINATION}/$${DRONE_BUILD_EVENT}
   - printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
@@ -3814,8 +4017,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
     GPG_PRIVATE_KEY:
@@ -3880,8 +4081,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
     GPG_PRIVATE_KEY:
@@ -3896,6 +4095,7 @@ steps:
   name: rgm-copy
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_publish_nightly_grafana.sh
   depends_on:
   - rgm-copy
@@ -3917,8 +4117,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.22.7
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -3937,6 +4135,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 - depends_on:
   - rgm-publish
   image: us.gcr.io/kubernetes-dev/package-publish:latest
@@ -4006,8 +4206,25 @@ platform:
 services: []
 steps:
 - commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
+- commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - 'dagger run --silent /src/grafana-build artifacts -a $${ARTIFACTS} --grafana-ref=$${GRAFANA_REF}
     --enterprise-ref=$${ENTERPRISE_REF} --grafana-repo=$${GRAFANA_REPO} --version=$${VERSION} '
+  depends_on:
+  - github-app-generate-token
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
       from_secret: dagger_token
@@ -4026,8 +4243,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.22.7
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -4046,6 +4261,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 - commands:
   - printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
   - gcloud auth activate-service-account --key-file=/tmp/key.json
@@ -4067,8 +4284,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
     GPG_PRIVATE_KEY:
@@ -4629,6 +4844,7 @@ steps:
   - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM koalaman/shellcheck:stable
   - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM rockylinux:9
   - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM scottyhardy/docker-wine:stable-9.0
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
   depends_on:
   - authenticate-gcr
   image: aquasec/trivy:0.21.0
@@ -4666,6 +4882,7 @@ steps:
   - trivy --exit-code 1 --severity HIGH,CRITICAL koalaman/shellcheck:stable
   - trivy --exit-code 1 --severity HIGH,CRITICAL rockylinux:9
   - trivy --exit-code 1 --severity HIGH,CRITICAL scottyhardy/docker-wine:stable-9.0
+  - trivy --exit-code 1 --severity HIGH,CRITICAL us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
   depends_on:
   - authenticate-gcr
   environment:
@@ -4698,6 +4915,24 @@ volumes:
 - name: config
   temp: {}
 ---
+get:
+  name: app-id
+  path: ci/data/repo/grafana/grafana/github-app
+kind: secret
+name: github-app-app-id
+---
+get:
+  name: app-installation-id
+  path: ci/data/repo/grafana/grafana/github-app
+kind: secret
+name: github-app-installation-id
+---
+get:
+  name: private-key
+  path: ci/data/repo/grafana/grafana/github-app
+kind: secret
+name: github-app-private-key
+---
 get:
   name: credentials.json
   path: infra/data/ci/grafana-release-eng/grafanauploads
@@ -4728,12 +4963,6 @@ get:
 kind: secret
 name: gar
 ---
-get:
-  name: pat
-  path: ci/data/repo/grafana/grafana/grafanabot
-kind: secret
-name: github_token
----
 get:
   name: machine-user-token
   path: infra/data/ci/drone
@@ -4897,6 +5126,6 @@ kind: secret
 name: gcr_credentials
 ---
 kind: signature
-hmac: 046471b0eef4e59d1a6c78850e497a67ae3cfabea2b82c148084a84e43496ce7
+hmac: d5afbd3e3107644d41932a47ef3722072b03617f16c2d41550faacf50107fe1a
 
 ...

scripts/drone/events/release.star

@@ -7,6 +7,12 @@ load(
     "integration_test_services",
     "integration_test_services_volumes",
 )
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+    "github_app_step_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "compile_build_cmd",
@@ -69,10 +75,10 @@ def release_pr_step(depends_on = []):
         "image": images["curl"],
         "depends_on": depends_on,
         "environment": {
-            "GITHUB_TOKEN": from_secret("github_token"),
             "GH_CLI_URL": "https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz",
         },
         "commands": [
+            "export GITHUB_TOKEN=$(cat /github-app/token)",
             "apk add perl",
             "v_target=`echo $${{TAG}} | perl -pe 's/{}/v\\1.\\2.x/'`".format(semver_regex),
             # Install gh CLI
@@ -86,6 +92,7 @@ def release_pr_step(depends_on = []):
             "-f latest=$${LATEST} " +
             "--repo=grafana/grafana release-pr.yml",
         ],
+        "volumes": github_app_step_volumes(),
     }
 
 def release_npm_packages_step():
@@ -149,7 +156,8 @@ def publish_artifacts_pipelines(mode):
         compile_build_cmd(),
         publish_artifacts_step(),
         publish_storybook_step(),
-        release_pr_step(depends_on = ["publish-artifacts"]),
+        github_app_generate_token_step(),
+        release_pr_step(depends_on = ["publish-artifacts", github_app_generate_token_step()["name"]]),
     ]
 
     return [
@@ -162,6 +170,7 @@ def publish_artifacts_pipelines(mode):
             steps = [
                 release_pr_step(),
             ],
+            volumes = github_app_pipeline_volumes(),
         ),
         pipeline(
             name = "publish-artifacts-{}".format(mode),

scripts/drone/pipelines/benchmarks.star

@@ -7,6 +7,11 @@ load(
     "integration_test_services",
     "integration_test_services_volumes",
 )
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "compile_build_cmd",
@@ -32,10 +37,13 @@ def integration_benchmarks(prefix):
     environment = {"EDITION": "oss"}
 
     services = integration_test_services()
-    volumes = integration_test_services_volumes()
+    volumes = integration_test_services_volumes() + github_app_pipeline_volumes()
 
     # In pull requests, attempt to clone grafana enterprise.
-    init_steps = [enterprise_setup_step(isPromote = True)]
+    init_steps = [
+        github_app_generate_token_step(),
+        enterprise_setup_step(isPromote = True),
+    ]
 
     verify_step = verify_gen_cue_step()
     verify_jsonnet_step = verify_gen_jsonnet_step()

scripts/drone/pipelines/build.star

@@ -1,5 +1,10 @@
 """This module contains the comprehensive build pipeline."""
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "build_frontend_package_step",
@@ -54,6 +59,7 @@ def build_e2e(trigger, ver_mode):
 
     environment = {"EDITION": "oss"}
     init_steps = [
+        github_app_generate_token_step(),
         identify_runner_step(),
         download_grabpl_step(),
         compile_build_cmd(),
@@ -166,4 +172,5 @@ def build_e2e(trigger, ver_mode):
         services = [],
         steps = init_steps + build_steps,
         trigger = trigger,
+        volumes = github_app_pipeline_volumes(),
     )

scripts/drone/pipelines/integration_tests.star

@@ -7,6 +7,11 @@ load(
     "integration_test_services",
     "integration_test_services_volumes",
 )
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "compile_build_cmd",
@@ -50,8 +55,11 @@ def integration_tests(trigger, prefix, ver_mode = "pr"):
 
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
+        init_steps.append(github_app_generate_token_step())
         init_steps.append(enterprise_setup_step())
 
+        volumes += github_app_pipeline_volumes()
+
     init_steps += [
         download_grabpl_step(),
         compile_build_cmd(),

scripts/drone/pipelines/lint_backend.star

@@ -2,6 +2,11 @@
 This module returns the pipeline used for linting backend code.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "compile_build_cmd",
@@ -38,10 +43,15 @@ def lint_backend_pipeline(trigger, ver_mode):
         compile_build_cmd(),
     ]
 
+    volumes = []
+
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
+        init_steps.append(github_app_generate_token_step())
         init_steps.append(enterprise_setup_step())
 
+        volumes += github_app_pipeline_volumes()
+
     init_steps.append(wire_step)
 
     test_steps = [
@@ -59,4 +69,5 @@ def lint_backend_pipeline(trigger, ver_mode):
         services = [],
         steps = init_steps + test_steps,
         environment = environment,
+        volumes = volumes,
     )

scripts/drone/pipelines/lint_frontend.star

@@ -2,6 +2,11 @@
 This module returns the pipeline used for linting frontend code.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "enterprise_setup_step",
@@ -31,9 +36,16 @@ def lint_frontend_pipeline(trigger, ver_mode):
     lint_step = lint_frontend_step()
     i18n_step = verify_i18n_step()
 
+    volumes = []
+
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
-        init_steps = [enterprise_setup_step()]
+        init_steps = [
+            github_app_generate_token_step(),
+            enterprise_setup_step(),
+        ]
+
+        volumes += github_app_pipeline_volumes()
 
     init_steps += [
         identify_runner_step(),
@@ -50,4 +62,5 @@ def lint_frontend_pipeline(trigger, ver_mode):
         services = [],
         steps = init_steps + test_steps,
         environment = environment,
+        volumes = volumes,
     )

scripts/drone/pipelines/swagger_gen.star

@@ -2,9 +2,14 @@
 This module returns all pipelines used in OpenAPI specification generation of Grafana HTTP APIs
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
-    "clone_enterprise_step_pr",
+    "enterprise_setup_step",
 )
 load(
     "scripts/drone/utils/images.star",
@@ -14,10 +19,6 @@ load(
     "scripts/drone/utils/utils.star",
     "pipeline",
 )
-load(
-    "scripts/drone/vault.star",
-    "from_secret",
-)
 
 def swagger_gen_step(ver_mode):
     if ver_mode != "pr":
@@ -26,9 +27,6 @@ def swagger_gen_step(ver_mode):
     return {
         "name": "swagger-gen",
         "image": images["go"],
-        "environment": {
-            "GITHUB_TOKEN": from_secret("github_token"),
-        },
         "commands": [
             "apk add --update git make",
             "make swagger-clean && make openapi3-gen",
@@ -42,7 +40,8 @@ def swagger_gen_step(ver_mode):
 
 def swagger_gen(trigger, ver_mode, source = "${DRONE_SOURCE_BRANCH}"):
     test_steps = [
-        clone_enterprise_step_pr(source = source, canFail = True),
+        github_app_generate_token_step(),
+        enterprise_setup_step(source = source, canFail = True),
         swagger_gen_step(ver_mode = ver_mode),
     ]
 
@@ -51,6 +50,7 @@ def swagger_gen(trigger, ver_mode, source = "${DRONE_SOURCE_BRANCH}"):
         trigger = trigger,
         services = [],
         steps = test_steps,
+        volumes = github_app_pipeline_volumes(),
     )
 
     return p

scripts/drone/pipelines/test_backend.star

@@ -2,6 +2,11 @@
 This module returns the pipeline used for testing backend code.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "enterprise_setup_step",
@@ -34,10 +39,15 @@ def test_backend(trigger, ver_mode):
     verify_step = verify_gen_cue_step()
     verify_jsonnet_step = verify_gen_jsonnet_step()
 
+    volumes = []
+
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
+        steps.append(github_app_generate_token_step())
         steps.append(enterprise_setup_step())
 
+        volumes += github_app_pipeline_volumes()
+
     steps += [
         identify_runner_step(),
         verify_step,
@@ -52,4 +62,5 @@ def test_backend(trigger, ver_mode):
         trigger = trigger,
         steps = steps,
         environment = environment,
+        volumes = volumes,
     )

scripts/drone/pipelines/test_frontend.star

@@ -2,6 +2,11 @@
 This module returns the pipeline used for testing backend code.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "betterer_frontend_step",
@@ -35,10 +40,15 @@ def test_frontend(trigger, ver_mode):
 
     test_step = test_frontend_step()
 
+    volumes = []
+
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
+        steps.append(github_app_generate_token_step())
         steps.append(enterprise_setup_step())
 
+        volumes += github_app_pipeline_volumes()
+
     steps.append(test_step)
 
     return pipeline(
@@ -46,4 +56,5 @@ def test_frontend(trigger, ver_mode):
         trigger = trigger,
         steps = steps,
         environment = environment,
+        volumes = volumes,
     )

scripts/drone/rgm.star

@@ -20,6 +20,11 @@ load(
     "scripts/drone/pipelines/whats_new_checker.star",
     "whats_new_checker_pipeline",
 )
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_step_volumes",
+)
 load(
     "scripts/drone/utils/images.star",
     "images",
@@ -42,7 +47,6 @@ load(
     "rgm_destination",
     "rgm_downloads_destination",
     "rgm_gcp_key_base64",
-    "rgm_github_token",
     "rgm_storybook_destination",
 )
 
@@ -111,7 +115,6 @@ def rgm_env_secrets(env):
     env["DOWNLOADS_DESTINATION"] = from_secret(rgm_downloads_destination)
 
     env["GCP_KEY_BASE64"] = from_secret(rgm_gcp_key_base64)
-    env["GITHUB_TOKEN"] = from_secret(rgm_github_token)
     env["_EXPERIMENTAL_DAGGER_CLOUD_TOKEN"] = from_secret(rgm_dagger_token)
     env["GPG_PRIVATE_KEY"] = from_secret("packages_gpg_private_key")
     env["GPG_PUBLIC_KEY"] = from_secret("packages_gpg_public_key")
@@ -142,12 +145,13 @@ def rgm_run(name, script):
         "pull": "always",
         "commands": [
             "export GRAFANA_DIR=$$(pwd)",
+            "export GITHUB_TOKEN=$(cat /github-app/token)",
             "cd /src && ./scripts/{}".format(script),
         ],
         "environment": rgm_env_secrets(env),
         # The docker socket is a requirement for running dagger programs
         # In the future we should find a way to use dagger without mounting the docker socket.
-        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
+        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}] + github_app_step_volumes(),
     }
 
     return [
@@ -345,6 +349,7 @@ def rgm_promotion_pipeline():
         "image": "grafana/grafana-build:main",
         "pull": "always",
         "commands": [
+            "export GITHUB_TOKEN=$(cat /github-app/token)",
             "dagger run --silent /src/grafana-build artifacts " +
             "-a $${ARTIFACTS} " +
             "--grafana-ref=$${GRAFANA_REF} " +
@@ -355,12 +360,16 @@ def rgm_promotion_pipeline():
         "environment": rgm_env_secrets(env),
         # The docker socket is a requirement for running dagger programs
         # In the future we should find a way to use dagger without mounting the docker socket.
-        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
+        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}] + github_app_step_volumes(),
     }
 
+    generate_token_step = github_app_generate_token_step()
     publish_step = rgm_copy("dist/*", "$${UPLOAD_TO}")
-
+    build_step["depends_on"] = [
+        generate_token_step["name"],
+    ]
     steps = [
+        generate_token_step,
         build_step,
         publish_step,
     ]

scripts/drone/steps/github.star

@@ -0,0 +1,40 @@
+"""
+This module is used to interface with the GitHub App to extract temporary installation tokens.
+"""
+
+load(
+    "scripts/drone/utils/images.star",
+    "images",
+)
+load(
+    "scripts/drone/vault.star",
+    "from_secret",
+    "github_app_app_id",
+    "github_app_app_installation_id",
+    "github_app_private_key",
+)
+
+def github_app_step_volumes():
+    return [
+        {"name": "github-app", "path": "/github-app"},
+    ]
+
+def github_app_pipeline_volumes():
+    return [
+        {"name": "github-app", "temp": {}},
+    ]
+
+def github_app_generate_token_step():
+    return {
+        "name": "github-app-generate-token",
+        "image": images["github_app_secret_writer"],
+        "environment": {
+            "GITHUB_APP_ID": from_secret(github_app_app_id),
+            "GITHUB_APP_INSTALLATION_ID": from_secret(github_app_app_installation_id),
+            "GITHUB_APP_PRIVATE_KEY": from_secret(github_app_private_key),
+        },
+        "commands": [
+            "echo $(/usr/bin/github-app-external-token) > /github-app/token",
+        ],
+        "volumes": github_app_step_volumes(),
+    }

scripts/drone/steps/lib.star

@@ -2,6 +2,11 @@
 This module is a library of Drone steps and other pipeline components.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_step_volumes",
+)
 load(
     "scripts/drone/steps/rgm.star",
     "rgm_build_backend_step",
@@ -101,23 +106,25 @@ def clone_enterprise_step_pr(source = "${DRONE_COMMIT}", target = "main", canFai
         check = []
     else:
         check = [
-            'is_fork=$(curl "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST" | jq .head.repo.fork)',
+            'is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST" | jq .head.repo.fork)',
             'if [ "$is_fork" != false ]; then return 1; fi',  # Only clone if we're confident that 'fork' is 'false'. Fail if it's also empty.
         ]
 
     step = {
         "name": "clone-enterprise",
         "image": images["git"],
-        "environment": {
-            "GITHUB_TOKEN": from_secret("github_token"),
-        },
         "commands": [
             "apk add --update curl jq bash",
+            "GITHUB_TOKEN=$(cat /github-app/token)",
         ] + check + [
-            'git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git" ' + location,
+            'git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git" ' + location,
             "cd {}".format(location),
             'if git checkout {0}; then echo "checked out {0}"; elif git checkout {1}; then echo "git checkout {1}"; else git checkout main; fi'.format(source, target),
         ],
+        "depends_on": [
+            github_app_generate_token_step()["name"],
+        ],
+        "volumes": github_app_step_volumes(),
     }
 
     if canFail:
@@ -328,6 +335,7 @@ def e2e_tests_artifacts():
             "end-to-end-tests-panels-suite",
             "end-to-end-tests-smoke-tests-suite",
             "end-to-end-tests-various-suite",
+            github_app_generate_token_step()["name"],
         ],
         "failure": "ignore",
         "when": {
@@ -339,9 +347,9 @@ def e2e_tests_artifacts():
         "environment": {
             "GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY": from_secret(gcp_upload_artifacts_key),
             "E2E_TEST_ARTIFACTS_BUCKET": "releng-pipeline-artifacts-dev",
-            "GITHUB_TOKEN": from_secret("github_token"),
         },
         "commands": [
+            "export GITHUB_TOKEN=$(cat /github-app/token)",
             # if no videos found do nothing
             "if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos'; false; fi",
             "apt-get update",
@@ -356,15 +364,76 @@ def e2e_tests_artifacts():
             'curl -X POST https://api.github.com/repos/${DRONE_REPO}/statuses/${DRONE_COMMIT_SHA} -H "Authorization: token $${GITHUB_TOKEN}" -d ' +
             '"{\\"state\\":\\"success\\",\\"target_url\\":\\"$${E2E_ARTIFACTS_VIDEO_ZIP}\\", \\"description\\": \\"Click on the details to download e2e recording videos\\", \\"context\\": \\"e2e_artifacts\\"}"',
         ],
+        "volumes": github_app_step_volumes(),
     }
 
-def upload_cdn_step(ver_mode, trigger = None):
+def playwright_e2e_report_upload():
+    return {
+        "name": "playwright-e2e-report-upload",
+        "image": images["cloudsdk"],
+        "depends_on": [
+            "playwright-plugin-e2e",
+        ],
+        "failure": "ignore",
+        "when": {
+            "status": [
+                "success",
+                "failure",
+            ],
+        },
+        "environment": {
+            "GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY": from_secret(gcp_upload_artifacts_key),
+        },
+        "commands": [
+            "apt-get update",
+            "apt-get install -yq zip",
+            "printenv GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY > /tmp/gcpkey_upload_artifacts.json",
+            "gcloud auth activate-service-account --key-file=/tmp/gcpkey_upload_artifacts.json",
+            "gsutil cp -r ./playwright-report/. gs://releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report",
+            "export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html",
+            'echo "E2E Playwright report uploaded to: \n $${E2E_PLAYWRIGHT_REPORT_URL}"',
+        ],
+    }
+
+def playwright_e2e_report_post_link():
+    return {
+        "name": "playwright-e2e-report-post-link",
+        "image": images["curl"],
+        "depends_on": [
+            "playwright-e2e-report-upload",
+            github_app_generate_token_step()["name"],
+        ],
+        "failure": "ignore",
+        "when": {
+            "status": [
+                "success",
+                "failure",
+            ],
+        },
+        "commands": [
+            "GITHUB_TOKEN=$(cat /github-app/token)",
+            # if the trace doesn't folder exists, it means that there are no failed tests.
+            "if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi",
+            # if it exists, we will post a comment on the PR with the link to the report
+            "export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html",
+            "curl -L " +
+            "-X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments " +
+            '-H "Accept: application/vnd.github+json" ' +
+            '-H "Authorization: Bearer $${GITHUB_TOKEN}" ' +
+            '-H "X-GitHub-Api-Version: 2022-11-28" -d ' +
+            '"{\\"body\\":\\"❌ Failed to run Playwright plugin e2e tests. <br /> <br /> Click [here]($${E2E_PLAYWRIGHT_REPORT_URL}) to browse the Playwright report and trace viewer. <br /> For information on how to run Playwright tests locally, refer to the [Developer guide](https://github.com/grafana/grafana/blob/main/contribute/developer-guide.md#to-run-the-playwright-tests). \\"}"',
+        ],
+        "volumes": github_app_step_volumes(),
+    }
+
+def upload_cdn_step(ver_mode, trigger = None, depends_on = ["grafana-server"]):
     """Uploads CDN assets using the Grafana build tool.
 
     Args:
       ver_mode: only uses the step trigger when ver_mode == 'release-branch' or 'main'
       trigger: a Drone trigger for the step.
         Defaults to None.
+      depends_on: names of steps that must run before this one will run.
 
     Returns:
       Drone step.
@@ -373,9 +442,7 @@ def upload_cdn_step(ver_mode, trigger = None):
     step = {
         "name": "upload-cdn-assets",
         "image": images["publish"],
-        "depends_on": [
+        "depends_on": depends_on,
-            "grafana-server",
-        ],
         "environment": {
             "GCP_KEY": from_secret(gcp_grafanauploads),
             "PRERELEASE_BUCKET": from_secret(prerelease_bucket),
@@ -756,7 +823,6 @@ def cloud_plugins_e2e_tests_step(suite, cloud, trigger = None):
         environment = {
             "CYPRESS_CI": "true",
             "HOST": "grafana-server",
-            "GITHUB_TOKEN": from_secret("github_token"),
             "AZURE_SP_APP_ID": from_secret("azure_sp_app_id"),
             "AZURE_SP_PASSWORD": from_secret("azure_sp_app_pw"),
             "AZURE_TENANT": from_secret("azure_tenant"),
@@ -777,9 +843,15 @@ def cloud_plugins_e2e_tests_step(suite, cloud, trigger = None):
         "image": "us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.1.0:1.0.0",
         "depends_on": [
             "grafana-server",
+            github_app_generate_token_step()["name"],
         ],
         "environment": environment,
-        "commands": ["cd /", "./cpp-e2e/scripts/ci-run.sh {} {}".format(cloud, branch)],
+        "commands": [
+            "GITHUB_TOKEN=$(cat /github-app/token)",
+            "cd /",
+            "./cpp-e2e/scripts/ci-run.sh {} {}".format(cloud, branch),
+        ],
+        "volumes": github_app_step_volumes(),
     }
     step = dict(step, when = when)
     return step

scripts/drone/utils/images.star

@@ -36,4 +36,5 @@ images = {
     "shellcheck": "koalaman/shellcheck:stable",
     "rocky": "rockylinux:9",
     "wine": "scottyhardy/docker-wine:stable-9.0",
+    "github_app_secret_writer": "us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59",
 }

scripts/drone/vault.star

@@ -9,16 +9,20 @@ gcp_upload_artifacts_key = "gcp_upload_artifacts_key"
 gcp_grafanauploads = "gcp_grafanauploads"
 gcp_grafanauploads_base64 = "gcp_grafanauploads_base64"
 gcp_download_build_container_assets_key = "gcp_download_build_container_assets_key"
+
 azure_sp_app_id = "azure_sp_app_id"
 azure_sp_app_pw = "azure_sp_app_pw"
 azure_tenant = "azure_tenant"
 
+github_app_app_id = "github-app-app-id"
+github_app_app_installation_id = "github-app-installation-id"
+github_app_private_key = "github-app-private-key"
+
 rgm_gcp_key_base64 = "gcp_key_base64"
 rgm_destination = "destination"
 rgm_storybook_destination = "rgm_storybook_destination"
 rgm_cdn_destination = "rgm_cdn_destination"
 rgm_downloads_destination = "rgm_downloads_destination"
-rgm_github_token = "github_token"
 rgm_dagger_token = "dagger_token"
 
 docker_username = "docker_username"
@@ -41,12 +45,14 @@ def vault_secret(name, path, key):
 
 def secrets():
     return [
+        vault_secret(github_app_app_id, "ci/data/repo/grafana/grafana/github-app", "app-id"),
+        vault_secret(github_app_app_installation_id, "ci/data/repo/grafana/grafana/github-app", "app-installation-id"),
+        vault_secret(github_app_private_key, "ci/data/repo/grafana/grafana/github-app", "private-key"),
         vault_secret(gcp_grafanauploads, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials.json"),
         vault_secret(gcp_grafanauploads_base64, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials_base64"),
         vault_secret("grafana_api_key", "infra/data/ci/grafana-release-eng/grafanacom", "api_key"),
         vault_secret(gcr_pull_secret, "secret/data/common/gcr", ".dockerconfigjson"),
         vault_secret(gar_pull_secret, "secret/data/common/gar", ".dockerconfigjson"),
-        vault_secret("github_token", "ci/data/repo/grafana/grafana/grafanabot", "pat"),
         vault_secret(drone_token, "infra/data/ci/drone", "machine-user-token"),
         vault_secret(prerelease_bucket, "infra/data/ci/grafana/prerelease", "bucket"),
         vault_secret(docker_username, "infra/data/ci/grafanaci-docker-hub", "username"),