Revert "Only run workflows if they might be able to work" (#72506)

Revert "Only run workflows if they might be able to work (#63164)"

This reverts commit 234b5c8c21.

.github/workflows/backport.yml

@@ -7,7 +7,6 @@ on:
 
 jobs:
   main:
-    if: github.repository == 'grafana/grafana'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions

.github/workflows/bump-version.yml

@@ -9,7 +9,6 @@ env:
   YARN_ENABLE_IMMUTABLE_INSTALLS: false
 jobs:
   main:
-    if: github.repository == 'grafana/grafana'
     runs-on: ubuntu-latest
     steps:
       # This is a basic workflow to help you get started with Actions

.github/workflows/close-milestone.yml

@@ -14,7 +14,6 @@ on:
 
 jobs:
   main:
-    if: github.repository == 'grafana/grafana'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions

.github/workflows/codeql-analysis.yml

@@ -18,9 +18,6 @@ on:
   schedule:
     - cron: '0 4 * * 6'
 
-permissions:
-  security-events: write
-
 jobs:
   analyze:
     name: Analyze

.github/workflows/commands.yml

@@ -7,22 +7,7 @@ on:
 concurrency:
   group: issue-commands-${{ github.event.issue.number }}
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '' && secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   main:
-    needs: config
-    if: needs.config.outputs.has-secrets
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions

.github/workflows/detect-breaking-changes-report.yml

@@ -15,11 +15,6 @@ jobs:
     env:
       ARTIFACT_NAME: 'levitate' # The name of the artifact that we would like to download
       ARTIFACT_FOLDER: '${{ github.workspace }}/tmp' # The name of the folder where we will download the artifact to
-    permissions:
-      contents: write
-      issues: write
-      pull-requests: write
-      artifacts: read
 
     steps:
     - uses: actions/checkout@v3
@@ -124,7 +119,7 @@ jobs:
     # Posts a notification to Slack if a PR has a breaking change and it did not have a breaking change before
     - name: Post to Slack
       id: slack
-      if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && steps.levitate-run.outputs.shouldSkip != 'true' && env.HAS_SECRETS
+      if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && steps.levitate-run.outputs.shouldSkip != 'true'
       uses: slackapi/slack-github-action@v1.24.0
       with:
         payload: |
@@ -137,15 +132,13 @@ jobs:
           }
       env:
         SLACK_WEBHOOK_URL: ${{ secrets.SLACK_LEVITATE_WEBHOOK_URL }}
-        HAS_SECRETS: ${{ (github.repository == "grafana/grafana" || secrets.SLACK_LEVITATE_WEBHOOK_URL != '') || '' }}
 
     # Add the label
     - name: Add "levitate breaking change" label
-      if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && steps.levitate-run.outputs.shouldSkip != 'true' && env.HAS_SECRETS
+      if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && steps.levitate-run.outputs.shouldSkip != 'true'
       uses: actions/github-script@v6
       env:
         PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
-        HAS_SECRETS: ${{ (secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         script: |
@@ -158,11 +151,10 @@ jobs:
 
     # Remove label (no more breaking changes)
     - name: Remove "levitate breaking change" label
-      if: steps.levitate-run.outputs.exit_code == 0 && steps.does-label-exist.outputs.result == 1 && steps.levitate-run.outputs.shouldSkip != 'true' && env.HAS_SECRETS
+      if: steps.levitate-run.outputs.exit_code == 0 && steps.does-label-exist.outputs.result == 1 && steps.levitate-run.outputs.shouldSkip != 'true'
       uses: actions/github-script@v6
       env:
         PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
-        HAS_SECRETS: ${{ (secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         script: |
@@ -177,11 +169,10 @@ jobs:
     # This is very weird, the actual request goes through (comes back with a 201), but does not assign the team.
     # Related issue: https://github.com/renovatebot/renovate/issues/1908
     - name: Add "grafana/plugins-platform-frontend" as a reviewer
-      if: steps.levitate-run.outputs.exit_code && steps.levitate-run.outputs.shouldSkip != 'true' && env.HAS_SECRETS
+      if: steps.levitate-run.outputs.exit_code && steps.levitate-run.outputs.shouldSkip != 'true'
       uses: actions/github-script@v6
       env:
         PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
-        HAS_SECRETS: ${{ (secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         script: |
@@ -195,11 +186,10 @@ jobs:
 
     # Remove reviewers (no more breaking changes)
     - name: Remove "grafana/plugins-platform-frontend" from the list of reviewers
-      if: steps.levitate-run.outputs.exit_code == 0 && steps.levitate-run.outputs.shouldSkip != 'true' && env.HAS_SECRETS
+      if: steps.levitate-run.outputs.exit_code == 0 && steps.levitate-run.outputs.shouldSkip != 'true'
       uses: actions/github-script@v6
       env:
         PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
-        HAS_SECRETS: ${{ (secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         script: |

.github/workflows/epic-add-to-platform-ux-parent-project.yml

@@ -5,35 +5,21 @@ on:
     types: [opened, closed, edited, reopened, assigned, unassigned, labeled, unlabeled]
     labels:
       - 'type/epic'
-
+      
 env:
-  GH_TOKEN: ${{ secrets.GH_BOT_PROJECTS_ACCESS_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.GH_BOT_PROJECTS_ACCESS_TOKEN }}
   ORGANIZATION: ${{ github.repository_owner }}
   REPO: ${{ github.event.repository.name }}
   PARENT_PROJECT: 304
   CHILD_PROJECT_1: 78
   CHILD_PROJECT_2: 111
   CHILD_PROJECT_3: 202
-
+    
 concurrency:
   group: issue-add-to-parent-project-${{ github.event.number }}
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GH_BOT_PROJECTS_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   main:
-    needs: config
-    if: needs.config.outputs.has-secrets && contains(github.event.issue.labels.*.name, 'type/epic')
+    if: contains(github.event.issue.labels.*.name, 'type/epic')
     runs-on: ubuntu-latest
     steps:
       - name: Check if issue is in child or parent projects
@@ -60,7 +46,7 @@ jobs:
                 }
               }
             }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
-
+            
             echo 'IN_PARENT_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .project != null' projects_data.json) >> $GITHUB_ENV
             echo 'PARENT_PROJ_STATUS_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | select(.fieldValueByName != null) | .fieldValueByName.optionId' projects_data.json) >> $GITHUB_ENV
             echo 'ITEM_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .id' projects_data.json) >> $GITHUB_ENV
@@ -110,7 +96,7 @@ jobs:
                 }
               }
             }' -f project=$PROJECT_ID -f issue=${{ github.event.issue.node_id }} --jq '.data.addProjectV2ItemById.item.id')"
-
+ 
             echo 'ITEM_ID='$item_id >> $GITHUB_ENV
       - name: Set parent project status Done
         if: contains(env.CHILD_PROJ_STATUS, 'Done')
@@ -138,7 +124,7 @@ jobs:
                 projectId: $project
                 itemId: $item
                 fieldId: $status_field
-                value: {
+                value: { 
                   singleSelectOptionId: $status_value
                   }
               }) {

.github/workflows/github-release.yml

@@ -9,22 +9,7 @@ on:
         required: false
         description: Mark this release as latest (`1`) or not (`0`, default)
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '' && secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   main:
-    needs: config
-    if: needs.config.outputs.has-secrets
     runs-on: ubuntu-latest
     steps:
       - name: "Generate token"

.github/workflows/issue-labeled.yml

@@ -5,22 +5,7 @@ on:
     types: [labeled]
 
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.SLACK_WEBHOOK_URL != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   notify:
-    needs: config
-    if: needs.config.outputs.has-secrets
     runs-on: ubuntu-latest
     steps:
       - name: "Download teams.yml to know which label is for which team"

.github/workflows/metrics-collector.yml

@@ -16,22 +16,7 @@ on:
     types: [opened, closed]
 
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '' && secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   main:
-    needs: config
-    if: needs.config.outputs.has-secrets
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions

.github/workflows/milestone.yml

@@ -6,28 +6,12 @@ on:
         description: 'The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
         required: true
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   call-remove-milestone:
-    needs: config
-    if: needs.config.outputs.has-secrets
     uses: grafana/grafana/.github/workflows/remove-milestone.yml@main
     with:
       version_call: ${{ github.event.inputs.version_input }}
     secrets: inherit
   call-close-milestone:
-    if: needs.config.outputs.has-secrets
     uses: grafana/grafana/.github/workflows/close-milestone.yml@main
     with:
       version_call: ${{ github.event.inputs.version_input }}

.github/workflows/pr-checks.yml

@@ -15,13 +15,8 @@ on:
       - demilestoned
 concurrency:
   group: pr-checks-${{ github.event.number }}
-permissions:
-  contents: write
 jobs:
   main:
-    permissions:
-      actions: write
-      contents: read
     runs-on: ubuntu-latest
     if: github.event.pull_request.draft == false
     steps:

.github/workflows/pr-codeql-analysis-go.yml

@@ -7,9 +7,6 @@ on:
     paths:
       - '**/*.go'
 
-permissions:
-  security-events: write
-
 jobs:
   analyze:
     name: Analyze

.github/workflows/pr-codeql-analysis-javascript.yml

@@ -9,9 +9,6 @@ on:
       - '**/*.ts'
       - '**/*.tsx'
 
-permissions:
-  security-events: write
-
 jobs:
   analyze:
     name: Analyze

.github/workflows/pr-codeql-analysis-python.yml

@@ -7,9 +7,6 @@ on:
     paths:
       - '**/*.py'
 
-permissions:
-  security-events: write
-
 jobs:
   analyze:
     name: Analyze

.github/workflows/pr-commands-closed.yml

@@ -2,13 +2,11 @@ name: Run when PRs are closed
 on:
   pull_request:
     types:
-      - closed
+      - closed      
 concurrency:
   group: pr-commands-closed-${{ github.event.number }}
 jobs:
   close_job:
-    permissions:
-      pull-requests: write
     # this job will only run if the PR has been closed without being merged
     if: github.event.pull_request.merged == false
     runs-on: ubuntu-latest
@@ -17,4 +15,4 @@ jobs:
         echo PR #${{ github.event.number }} has been closed without being merged, removing milestone.
         gh pr edit ${{ github.event.number }} --milestone "" --repo $GITHUB_REPOSITORY
       env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-commands.yml

@@ -8,22 +8,7 @@ on:
 concurrency:
   group: pr-commands-${{ github.event.number }}
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '' && secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   main:
-    needs: config
-    if: needs.config.outputs.has-secrets
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions

.github/workflows/publish-technical-documentation-next.yml

@@ -9,7 +9,7 @@ on:
   workflow_dispatch:
 jobs:
   sync:
-    if: github.repository == 'grafana/grafana'
+    if: "github.repository == 'grafana/grafana'"
     runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout Grafana repo"

.github/workflows/publish-technical-documentation-release.yml

@@ -11,7 +11,7 @@ on:
   workflow_dispatch:
 jobs:
   sync:
-    if: github.repository == 'grafana/grafana'
+    if: "github.repository == 'grafana/grafana'"
     runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout Grafana repo"

.github/workflows/remove-milestone.yml

@@ -13,24 +13,7 @@ on:
         type: string
 
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   main:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    permissions:
-      issues: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions

.github/workflows/stale.yml

@@ -7,22 +7,7 @@ permissions:
   pull-requests: write
 
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GH_BOT_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   stale:
-    needs: config
-    if: needs.config.outputs.has-secrets
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v8