grafana/.drone.yml

---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: pr-verify-drone
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $DRONE_RUNNER_NAME
  image: alpine:3.21.3
  name: identify-runner
- commands:
  - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
  depends_on: []
  environment:
    CGO_ENABLED: 0
  image: golang:1.24.6-alpine
  name: compile-build-cmd
- commands:
  - ./bin/build verify-drone
  depends_on:
  - compile-build-cmd
  image: byrnedo/alpine-curl:0.1.8
  name: lint-drone
trigger:
  event:
  - pull_request
  paths:
    exclude:
    - docs/**
    - '*.md'
    include:
    - scripts/drone/**
    - .drone.yml
    - .drone.star
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: pr-verify-starlark
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $DRONE_RUNNER_NAME
  image: alpine:3.21.3
  name: identify-runner
- commands:
  - go install github.com/bazelbuild/buildtools/buildifier@latest
  - buildifier --lint=warn -mode=check -r .
  depends_on: []
  image: golang:1.24.6-alpine
  name: lint-starlark
trigger:
  event:
  - pull_request
  paths:
    exclude:
    - docs/**
    - '*.md'
    include:
    - scripts/drone/**
    - .drone.star
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: pr-build-e2e
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $(/usr/bin/github-app-external-token) > /github-app/token
  environment:
    GITHUB_APP_ID:
      from_secret: github-app-app-id
    GITHUB_APP_INSTALLATION_ID:
      from_secret: github-app-installation-id
    GITHUB_APP_PRIVATE_KEY:
      from_secret: github-app-private-key
  failure: ignore
  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
  name: github-app-generate-token
  volumes:
  - name: github-app
    path: /github-app
- commands:
  - echo $DRONE_RUNNER_NAME
  image: alpine:3.21.3
  name: identify-runner
- commands:
  - mkdir -p bin
  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v3.1.2/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
- commands:
  - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
  depends_on: []
  environment:
    CGO_ENABLED: 0
  image: golang:1.24.6-alpine
  name: compile-build-cmd
- commands:
  - '# It is required that code generated from Thema/CUE be committed and in sync
    with its inputs.'
  - '# The following command will fail if running code generators produces any diff
    in output.'
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
  image: golang:1.24.6-alpine
  name: verify-gen-cue
- commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
  - '# The following command will fail if running code generators produces any diff
    in output.'
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
  image: golang:1.24.6-alpine
  name: verify-gen-jsonnet
- commands:
  - yarn install --immutable || yarn install --immutable
  depends_on: []
  image: node:22.16.0-alpine
  name: yarn-install
- commands:
  - apk add --update jq bash
  - yarn packages:build
  - yarn packages:pack
  - ./scripts/validate-npm-packages.sh
  depends_on:
  - yarn-install
  environment:
    NODE_OPTIONS: --max_old_space_size=8192
  image: node:22.16.0-alpine
  name: build-frontend-packages
- failure: ignore
  image: grafana/drone-downstream
  name: trigger-enterprise-downstream
  settings:
    params:
    - SOURCE_BUILD_NUMBER=${DRONE_COMMIT}
    - SOURCE_COMMIT=${DRONE_COMMIT}
    - OSS_PULL_REQUEST=${DRONE_PULL_REQUEST}
    repositories:
    - grafana/grafana-enterprise@${DRONE_SOURCE_BRANCH}
    server: https://drone.grafana.net
    token:
      from_secret: drone_token
- commands:
  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
    | tar zx -C /bin
  - apk add docker bash
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --version
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --uninstall 'qemu-*'
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --install all
  - go run ./pkg/build/cmd artifacts -a targz:grafana:linux/amd64 -a targz:grafana:linux/arm64
    -a targz:grafana:linux/arm/v7 -a docker:grafana:linux/amd64 -a docker:grafana:linux/amd64:ubuntu
    -a docker:grafana:linux/arm64 -a docker:grafana:linux/arm64:ubuntu -a docker:grafana:linux/arm/v7
    -a docker:grafana:linux/arm/v7:ubuntu --yarn-cache=$$YARN_CACHE_FOLDER --build-id=$$DRONE_BUILD_NUMBER
    --ubuntu-base=ubuntu-base --alpine-base=alpine-base --tag-format='{{ .version_base
    }}-{{ .buildID }}-{{ .arch }}' --ubuntu-tag-format='{{ .version_base }}-{{ .buildID
    }}-ubuntu-{{ .arch }}' --verify='false' --grafana-dir=$$PWD > packages.txt
  - find ./dist -name '*docker*.tar.gz' -type f | xargs -n1 docker load -i
  depends_on:
  - yarn-install
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
  image: golang:1.24.6-alpine
  name: rgm-package
  pull: always
  volumes:
  - name: docker
    path: /var/run/docker.sock
- commands:
  - ./bin/grabpl artifacts docker publish --dockerhub-repo grafana/grafana
  depends_on:
  - rgm-package
  environment:
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USER:
      from_secret: docker_username
    GITHUB_APP_ID: "329617"
    GITHUB_APP_INSTALLATION_ID: "37346161"
    GITHUB_APP_PRIVATE_KEY:
      from_secret: delivery-bot-app-private-key
  failure: ignore
  image: google/cloud-sdk:431.0.0
  name: publish-images-grafana
  volumes:
  - name: docker
    path: /var/run/docker.sock
- commands:
  - yarn e2e:plugin:build
  depends_on:
  - yarn-install
  environment:
    NODE_OPTIONS: --max_old_space_size=8192
  image: node:22.16.0-alpine
  name: build-test-plugins
- commands:
  - apk add --update tar bash
  - mkdir grafana
  - tar --strip-components=1 -xvf ./dist/*amd64.tar.gz -C grafana
  - cp -r devenv scripts tools grafana && cd grafana && ./scripts/grafana-server/start-server
  depends_on:
  - rgm-package
  detach: true
  environment:
    GF_APP_MODE: development
    GF_SERVER_HTTP_PORT: "3001"
    GF_SERVER_ROUTER_LOGGING: "1"
  image: alpine:3.21.3
  name: grafana-server
- commands:
  - GITHUB_TOKEN=$(cat /github-app/token)
  - cd /
  - ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
  depends_on:
  - grafana-server
  - github-app-generate-token
  environment:
    AZURE_SP_APP_ID:
      from_secret: azure_sp_app_id
    AZURE_SP_PASSWORD:
      from_secret: azure_sp_app_pw
    AZURE_TENANT:
      from_secret: azure_tenant
    CYPRESS_CI: "true"
    HOST: grafana-server
  image: us-docker.pkg.dev/grafanalabs-dev/docker-oss-plugin-partnerships-dev/e2e-14.3.2:1.0.0
  name: end-to-end-tests-cloud-plugins-suite-azure
  volumes:
  - name: github-app
    path: /github-app
  when:
    paths:
      include:
      - pkg/tsdb/azuremonitor/**
      - public/app/plugins/datasource/azuremonitor/**
      - e2e/cloud-plugins-suite/azure-monitor.spec.ts
    repo:
    - grafana/grafana
- commands:
  - npx wait-on@7.0.1 http://$HOST:$PORT
  - yarn playwright install --with-deps chromium
  - yarn e2e:playwright
  depends_on:
  - grafana-server
  - build-test-plugins
  environment:
    HOST: grafana-server
    PORT: "3001"
    PROV_DIR: /grafana/scripts/grafana-server/tmp/conf/provisioning
  image: node:22-bookworm
  name: playwright-plugin-e2e
- commands:
  - apt-get update
  - apt-get install -yq zip
  - printenv GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY > /tmp/gcpkey_upload_artifacts.json
  - gcloud auth activate-service-account --key-file=/tmp/gcpkey_upload_artifacts.json
  - gsutil cp -r ./playwright-report/. gs://releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report
  - export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
  - "echo \"E2E Playwright report uploaded to: \n $${E2E_PLAYWRIGHT_REPORT_URL}\""
  depends_on:
  - playwright-plugin-e2e
  environment:
    GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
      from_secret: gcp_upload_artifacts_key
  failure: ignore
  image: google/cloud-sdk:431.0.0
  name: playwright-e2e-report-upload
  when:
    status:
    - success
    - failure
- commands:
  - GITHUB_TOKEN=$(cat /github-app/token)
  - if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi
  - export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
  - 'curl -L -X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments
    -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $${GITHUB_TOKEN}"
    -H "X-GitHub-Api-Version: 2022-11-28" -d "{\"body\":\"❌ Failed to run Playwright
    plugin e2e tests. <br /> <br /> Click [here]($${E2E_PLAYWRIGHT_REPORT_URL}) to
    browse the Playwright report and trace viewer. <br /> For information on how to
    run Playwright tests locally, refer to the [Developer guide](https://github.com/grafana/grafana/blob/main/contribute/developer-guide.md#to-run-the-playwright-tests).
    \"}"'
  depends_on:
  - playwright-e2e-report-upload
  - github-app-generate-token
  failure: ignore
  image: byrnedo/alpine-curl:0.1.8
  name: playwright-e2e-report-post-link
  volumes:
  - name: github-app
    path: /github-app
  when:
    status:
    - success
    - failure
- commands:
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'no e2e videos found
    from remaining tests'; exit 0; fi
  - apt-get update
  - apt-get install -yq zip
  - printenv GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY > /tmp/gcpkey_upload_artifacts.json
  - gcloud auth activate-service-account --key-file=/tmp/gcpkey_upload_artifacts.json
  - find ./e2e -type f -name "*spec.ts.mp4" | zip e2e/videos.zip -@
  - gsutil cp e2e/videos.zip gs://$${E2E_TEST_ARTIFACTS_BUCKET}/${DRONE_BUILD_NUMBER}/artifacts/videos/videos.zip
  - export E2E_ARTIFACTS_VIDEO_ZIP=https://storage.googleapis.com/$${E2E_TEST_ARTIFACTS_BUCKET}/${DRONE_BUILD_NUMBER}/artifacts/videos/videos.zip
  - 'echo "E2E Test artifacts uploaded to: $${E2E_ARTIFACTS_VIDEO_ZIP}"'
  - 'curl -X POST https://api.github.com/repos/${DRONE_REPO}/statuses/${DRONE_COMMIT_SHA}
    -H "Authorization: token $${GITHUB_TOKEN}" -d "{\"state\":\"success\",\"target_url\":\"$${E2E_ARTIFACTS_VIDEO_ZIP}\",
    \"description\": \"Click on the details to download e2e recording videos\", \"context\":
    \"e2e_artifacts\"}"'
  depends_on:
  - end-to-end-tests-cloud-plugins-suite-azure
  - playwright-plugin-e2e
  - github-app-generate-token
  environment:
    E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
    GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
      from_secret: gcp_upload_artifacts_key
  failure: ignore
  image: google/cloud-sdk:431.0.0
  name: e2e-tests-artifacts-upload
  volumes:
  - name: github-app
    path: /github-app
  when:
    status:
    - success
    - failure
- commands:
  - yarn storybook:build
  - ./bin/build verify-storybook
  depends_on:
  - rgm-package
  - build-frontend-packages
  environment:
    NODE_OPTIONS: --max_old_space_size=4096
  image: node:22.16.0-alpine
  name: build-storybook
  when:
    paths:
      include:
      - packages/grafana-ui/**
- commands:
  - npx wait-on@7.0.1 http://$HOST:$PORT
  - pa11y-ci --config e2e/pa11yci.conf.js
  depends_on:
  - grafana-server
  environment:
    GRAFANA_MISC_STATS_API_KEY:
      from_secret: grafana_misc_stats_api_key
    HOST: grafana-server
    NO_THRESHOLDS: "false"
    PORT: 3001
  failure: always
  image: grafana/docker-puppeteer:1.1.0
  name: test-a11y-frontend
trigger:
  event:
  - pull_request
  paths:
    exclude:
    - '*.md'
    - docs/**
    - latest.json
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: github-app
  temp: {}
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: pr-docs
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $DRONE_RUNNER_NAME
  image: alpine:3.21.3
  name: identify-runner
- commands:
  - yarn install --immutable || yarn install --immutable
  depends_on: []
  image: node:22.16.0-alpine
  name: yarn-install
- commands:
  - yarn run prettier:checkDocs
  depends_on:
  - yarn-install
  environment:
    NODE_OPTIONS: --max_old_space_size=8192
  image: node:22.16.0-alpine
  name: lint-docs
- commands:
  - mkdir -p /hugo/content/docs/grafana/latest
  - 'echo -e ''---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned:
    true\n---\n'' > /hugo/content/docs/grafana/_index.md'
  - cp -r docs/sources/* /hugo/content/docs/grafana/latest/
  - cd /hugo && make prod
  image: grafana/docs-base:latest
  name: build-docs-website
  pull: always
- commands:
  - '# It is required that code generated from Thema/CUE be committed and in sync
    with its inputs.'
  - '# The following command will fail if running code generators produces any diff
    in output.'
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
  image: golang:1.24.6-alpine
  name: verify-gen-cue
trigger:
  event:
  - pull_request
  paths:
    include:
    - '*.md'
    - docs/**
    - packages/**/*.md
    - latest.json
  repo:
  - grafana/grafana
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: main-docs
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $DRONE_RUNNER_NAME
  image: alpine:3.21.3
  name: identify-runner
- commands:
  - yarn install --immutable || yarn install --immutable
  depends_on: []
  image: node:22.16.0-alpine
  name: yarn-install
- commands:
  - yarn run prettier:checkDocs
  depends_on:
  - yarn-install
  environment:
    NODE_OPTIONS: --max_old_space_size=8192
  image: node:22.16.0-alpine
  name: lint-docs
- commands:
  - mkdir -p /hugo/content/docs/grafana/latest
  - 'echo -e ''---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned:
    true\n---\n'' > /hugo/content/docs/grafana/_index.md'
  - cp -r docs/sources/* /hugo/content/docs/grafana/latest/
  - cd /hugo && make prod
  image: grafana/docs-base:latest
  name: build-docs-website
  pull: always
- commands:
  - '# It is required that code generated from Thema/CUE be committed and in sync
    with its inputs.'
  - '# The following command will fail if running code generators produces any diff
    in output.'
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
  image: golang:1.24.6-alpine
  name: verify-gen-cue
trigger:
  branch: main
  event:
  - push
  paths:
    include:
    - '*.md'
    - docs/**
    - packages/**/*.md
    - latest.json
  repo:
  - grafana/grafana
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: main-build-e2e-publish
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $(/usr/bin/github-app-external-token) > /github-app/token
  environment:
    GITHUB_APP_ID:
      from_secret: github-app-app-id
    GITHUB_APP_INSTALLATION_ID:
      from_secret: github-app-installation-id
    GITHUB_APP_PRIVATE_KEY:
      from_secret: github-app-private-key
  failure: ignore
  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
  name: github-app-generate-token
  volumes:
  - name: github-app
    path: /github-app
- commands:
  - echo $DRONE_RUNNER_NAME
  image: alpine:3.21.3
  name: identify-runner
- commands:
  - mkdir -p bin
  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v3.1.2/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
- commands:
  - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
  depends_on: []
  environment:
    CGO_ENABLED: 0
  image: golang:1.24.6-alpine
  name: compile-build-cmd
- commands:
  - '# It is required that code generated from Thema/CUE be committed and in sync
    with its inputs.'
  - '# The following command will fail if running code generators produces any diff
    in output.'
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
  image: golang:1.24.6-alpine
  name: verify-gen-cue
- commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
  - '# The following command will fail if running code generators produces any diff
    in output.'
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
  image: golang:1.24.6-alpine
  name: verify-gen-jsonnet
- commands:
  - yarn install --immutable || yarn install --immutable
  depends_on: []
  image: node:22.16.0-alpine
  name: yarn-install
- commands:
  - apk add --update jq
  - new_version=$(cat package.json | jq -r .version | sed s/pre/${DRONE_BUILD_NUMBER}/g)
  - 'echo "New version: $new_version"'
  - yarn run lerna version $new_version --exact --no-git-tag-version --no-push --force-publish
    -y
  - yarn install --mode=update-lockfile
  depends_on:
  - yarn-install
  image: node:22.16.0-alpine
  name: update-package-json-version
- commands:
  - apk add --update jq bash
  - yarn packages:build
  - yarn packages:pack
  - ./scripts/validate-npm-packages.sh
  depends_on:
  - yarn-install
  - update-package-json-version
  environment:
    NODE_OPTIONS: --max_old_space_size=8192
  image: node:22.16.0-alpine
  name: build-frontend-packages
- commands:
  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
    | tar zx -C /bin
  - apk add docker bash
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --version
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --uninstall 'qemu-*'
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --install all
  - go run ./pkg/build/cmd artifacts -a targz:grafana:linux/amd64 -a targz:grafana:linux/arm64
    -a targz:grafana:linux/arm/v7 -a docker:grafana:linux/amd64 -a docker:grafana:linux/amd64:ubuntu
    -a docker:grafana:linux/arm64 -a docker:grafana:linux/arm64:ubuntu -a docker:grafana:linux/arm/v7
    -a docker:grafana:linux/arm/v7:ubuntu --yarn-cache=$$YARN_CACHE_FOLDER --build-id=$$DRONE_BUILD_NUMBER
    --ubuntu-base=ubuntu-base --alpine-base=alpine-base --tag-format='{{ .version_base
    }}-{{ .buildID }}-{{ .arch }}' --ubuntu-tag-format='{{ .version_base }}-{{ .buildID
    }}-ubuntu-{{ .arch }}' --verify='false' --grafana-dir=$$PWD > packages.txt
  - find ./dist -name '*docker*.tar.gz' -type f | xargs -n1 docker load -i
  depends_on:
  - update-package-json-version
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
  image: golang:1.24.6-alpine
  name: rgm-package
  pull: always
  volumes:
  - name: docker
    path: /var/run/docker.sock
- commands:
  - ./bin/grabpl artifacts docker publish --dockerhub-repo grafana/grafana
  depends_on:
  - rgm-package
  environment:
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USER:
      from_secret: docker_username
    GCP_KEY:
      from_secret: gcp_grafanauploads
    GITHUB_APP_ID: "329617"
    GITHUB_APP_INSTALLATION_ID: "37346161"
    GITHUB_APP_PRIVATE_KEY:
      from_secret: delivery-bot-app-private-key
  image: google/cloud-sdk:431.0.0
  name: publish-images-grafana
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    repo:
    - grafana/grafana
- commands:
  - yarn e2e:plugin:build
  depends_on:
  - yarn-install
  environment:
    NODE_OPTIONS: --max_old_space_size=8192
  image: node:22.16.0-alpine
  name: build-test-plugins
- commands:
  - apk add --update tar bash
  - mkdir grafana
  - tar --strip-components=1 -xvf ./dist/*amd64.tar.gz -C grafana
  - cp -r devenv scripts tools grafana && cd grafana && ./scripts/grafana-server/start-server
  depends_on:
  - rgm-package
  detach: true
  environment:
    GF_APP_MODE: development
    GF_SERVER_HTTP_PORT: "3001"
    GF_SERVER_ROUTER_LOGGING: "1"
  image: alpine:3.21.3
  name: grafana-server
- commands:
  - GITHUB_TOKEN=$(cat /github-app/token)
  - cd /
  - ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
  depends_on:
  - grafana-server
  - github-app-generate-token
  environment:
    AZURE_SP_APP_ID:
      from_secret: azure_sp_app_id
    AZURE_SP_PASSWORD:
      from_secret: azure_sp_app_pw
    AZURE_TENANT:
      from_secret: azure_tenant
    CYPRESS_CI: "true"
    HOST: grafana-server
  image: us-docker.pkg.dev/grafanalabs-dev/docker-oss-plugin-partnerships-dev/e2e-14.3.2:1.0.0
  name: end-to-end-tests-cloud-plugins-suite-azure
  volumes:
  - name: github-app
    path: /github-app
  when:
    paths:
      include:
      - pkg/tsdb/azuremonitor/**
      - public/app/plugins/datasource/azuremonitor/**
      - e2e/cloud-plugins-suite/azure-monitor.spec.ts
    repo:
    - grafana/grafana
- commands:
  - npx wait-on@7.0.1 http://$HOST:$PORT
  - yarn playwright install --with-deps chromium
  - yarn e2e:playwright
  depends_on:
  - grafana-server
  - build-test-plugins
  environment:
    HOST: grafana-server
    PORT: "3001"
    PROV_DIR: /grafana/scripts/grafana-server/tmp/conf/provisioning
  image: node:22-bookworm
  name: playwright-plugin-e2e
- commands:
  - apt-get update
  - apt-get install -yq zip
  - printenv GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY > /tmp/gcpkey_upload_artifacts.json
  - gcloud auth activate-service-account --key-file=/tmp/gcpkey_upload_artifacts.json
  - gsutil cp -r ./playwright-report/. gs://releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report
  - export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
  - "echo \"E2E Playwright report uploaded to: \n $${E2E_PLAYWRIGHT_REPORT_URL}\""
  depends_on:
  - playwright-plugin-e2e
  environment:
    GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
      from_secret: gcp_upload_artifacts_key
  failure: ignore
  image: google/cloud-sdk:431.0.0
  name: playwright-e2e-report-upload
  when:
    status:
    - success
    - failure
- commands:
  - GITHUB_TOKEN=$(cat /github-app/token)
  - if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi
  - export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
  - 'curl -L -X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments
    -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $${GITHUB_TOKEN}"
    -H "X-GitHub-Api-Version: 2022-11-28" -d "{\"body\":\"❌ Failed to run Playwright
    plugin e2e tests. <br /> <br /> Click [here]($${E2E_PLAYWRIGHT_REPORT_URL}) to
    browse the Playwright report and trace viewer. <br /> For information on how to
    run Playwright tests locally, refer to the [Developer guide](https://github.com/grafana/grafana/blob/main/contribute/developer-guide.md#to-run-the-playwright-tests).
    \"}"'
  depends_on:
  - playwright-e2e-report-upload
  - github-app-generate-token
  failure: ignore
  image: byrnedo/alpine-curl:0.1.8
  name: playwright-e2e-report-post-link
  volumes:
  - name: github-app
    path: /github-app
  when:
    status:
    - success
    - failure
- commands:
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'no e2e videos found
    from remaining tests'; exit 0; fi
  - apt-get update
  - apt-get install -yq zip
  - printenv GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY > /tmp/gcpkey_upload_artifacts.json
  - gcloud auth activate-service-account --key-file=/tmp/gcpkey_upload_artifacts.json
  - find ./e2e -type f -name "*spec.ts.mp4" | zip e2e/videos.zip -@
  - gsutil cp e2e/videos.zip gs://$${E2E_TEST_ARTIFACTS_BUCKET}/${DRONE_BUILD_NUMBER}/artifacts/videos/videos.zip
  - export E2E_ARTIFACTS_VIDEO_ZIP=https://storage.googleapis.com/$${E2E_TEST_ARTIFACTS_BUCKET}/${DRONE_BUILD_NUMBER}/artifacts/videos/videos.zip
  - 'echo "E2E Test artifacts uploaded to: $${E2E_ARTIFACTS_VIDEO_ZIP}"'
  - 'curl -X POST https://api.github.com/repos/${DRONE_REPO}/statuses/${DRONE_COMMIT_SHA}
    -H "Authorization: token $${GITHUB_TOKEN}" -d "{\"state\":\"success\",\"target_url\":\"$${E2E_ARTIFACTS_VIDEO_ZIP}\",
    \"description\": \"Click on the details to download e2e recording videos\", \"context\":
    \"e2e_artifacts\"}"'
  depends_on:
  - end-to-end-tests-cloud-plugins-suite-azure
  - playwright-plugin-e2e
  - github-app-generate-token
  environment:
    E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
    GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
      from_secret: gcp_upload_artifacts_key
  failure: ignore
  image: google/cloud-sdk:431.0.0
  name: e2e-tests-artifacts-upload
  volumes:
  - name: github-app
    path: /github-app
  when:
    status:
    - success
    - failure
- commands:
  - yarn storybook:build
  - ./bin/build verify-storybook
  depends_on:
  - rgm-package
  - build-frontend-packages
  environment:
    NODE_OPTIONS: --max_old_space_size=4096
  image: node:22.16.0-alpine
  name: build-storybook
  when:
    paths:
      include:
      - packages/grafana-ui/**
- commands:
  - npx wait-on@7.0.1 http://$HOST:$PORT
  - pa11y-ci --config e2e/pa11yci.conf.js
  depends_on:
  - grafana-server
  environment:
    GRAFANA_MISC_STATS_API_KEY:
      from_secret: grafana_misc_stats_api_key
    HOST: grafana-server
    NO_THRESHOLDS: "true"
    PORT: 3001
  failure: ignore
  image: grafana/docker-puppeteer:1.1.0
  name: test-a11y-frontend
- commands:
  - ./bin/build store-storybook --deployment canary
  depends_on:
  - build-storybook
  - end-to-end-tests-cloud-plugins-suite-azure
  - playwright-plugin-e2e
  environment:
    GCP_KEY:
      from_secret: gcp_grafanauploads
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/grafana-ci-deploy:1.3.3
  name: store-storybook
  when:
    paths:
      include:
      - packages/grafana-ui/**
    repo:
    - grafana/grafana
- commands:
  - apk add --update bash grep git
  - ./scripts/ci-frontend-metrics.sh ./grafana/public/build | ./bin/build publish-metrics
    $$GRAFANA_MISC_STATS_API_KEY
  depends_on:
  - test-a11y-frontend
  environment:
    GRAFANA_MISC_STATS_API_KEY:
      from_secret: grafana_misc_stats_api_key
  failure: ignore
  image: node:22.16.0-alpine
  name: publish-frontend-metrics
  when:
    repo:
    - grafana/grafana
- commands:
  - ./bin/grabpl artifacts docker publish --dockerhub-repo grafana/grafana-oss
  depends_on:
  - rgm-package
  environment:
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USER:
      from_secret: docker_username
    GCP_KEY:
      from_secret: gcp_grafanauploads
    GITHUB_APP_ID: "329617"
    GITHUB_APP_INSTALLATION_ID: "37346161"
    GITHUB_APP_PRIVATE_KEY:
      from_secret: delivery-bot-app-private-key
  image: google/cloud-sdk:431.0.0
  name: publish-images-grafana-oss
  volumes:
  - name: docker
    path: /var/run/docker.sock
  when:
    repo:
    - grafana/grafana
- commands:
  - apk add --update bash git
  - ./scripts/publish-npm-packages.sh --dist-tag 'canary' --registry 'https://registry.npmjs.org'
  depends_on:
  - end-to-end-tests-cloud-plugins-suite-azure
  - playwright-plugin-e2e
  - build-frontend-packages
  environment:
    NPM_TOKEN:
      from_secret: npm_token
  image: node:22.16.0-alpine
  name: release-canary-npm-packages
  when:
    paths:
      include:
      - packages/**
    repo:
    - grafana/grafana
- commands:
  - ./bin/build upload-packages --edition oss
  depends_on:
  - rgm-package
  environment:
    GCP_KEY:
      from_secret: gcp_grafanauploads_base64
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/grafana-ci-deploy:1.3.3
  name: upload-packages
  when:
    repo:
    - grafana/grafana
- commands:
  - ./bin/build upload-cdn --edition oss
  depends_on:
  - rgm-package
  environment:
    GCP_KEY:
      from_secret: gcp_grafanauploads
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/grafana-ci-deploy:1.3.3
  name: upload-cdn-assets
  when:
    repo:
    - grafana/grafana
trigger:
  branch: main
  event:
  - push
  paths:
    exclude:
    - '*.md'
    - docs/**
    - latest.json
  repo:
  - grafana/grafana
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: github-app
  temp: {}
---
clone:
  retries: 3
depends_on:
- main-build-e2e-publish
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: main-trigger-downstream
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- image: grafana/drone-downstream
  name: trigger-enterprise-downstream
  settings:
    params:
    - SOURCE_BUILD_NUMBER=${DRONE_COMMIT}
    - SOURCE_COMMIT=${DRONE_COMMIT}
    repositories:
    - grafana/grafana-enterprise@main
    server: https://drone.grafana.net
    token:
      from_secret: drone_token
trigger:
  branch: main
  event:
  - push
  paths:
    exclude:
    - '*.md'
    - docs/**
    - latest.json
  repo:
  - grafana/grafana
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on:
- main-build-e2e-publish
kind: pipeline
name: main-notify
platform:
  arch: amd64
  os: linux
steps:
- image: plugins/slack
  name: slack
  settings:
    channel: grafana-ci-notifications
    template: |-
      Build {{build.number}} failed for commit: <https://github.com/{{repo.owner}}/{{repo.name}}/commit/{{build.commit}}|{{ truncate build.commit 8 }}>: {{build.link}}
      Branch: <https://github.com/{{ repo.owner }}/{{ repo.name }}/commits/{{ build.branch }}|{{ build.branch }}>
      Author: {{build.author}}
    webhook:
      from_secret: slack_webhook
trigger:
  branch: main
  event:
  - push
  paths:
    exclude:
    - '*.md'
    - docs/**
    - latest.json
  repo:
  - grafana/grafana
  status:
  - failure
type: docker
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: rrc-trigger-downstream
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- image: grafana/drone-downstream
  name: trigger-enterprise-downstream
  settings:
    params:
    - SOURCE_BUILD_NUMBER=${DRONE_COMMIT}
    - SOURCE_COMMIT=${DRONE_COMMIT}
    - SOURCE_TAG=${DRONE_TAG}
    repositories:
    - grafana/grafana-enterprise@${DRONE_SOURCE_BRANCH}
    server: https://drone.grafana.net
    token:
      from_secret: drone_token
trigger:
  branch:
  - instant
  - fast
  - steady
  - slow
  ref:
    include:
    - refs/tags/rrc*
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: publish-docker-public
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $DRONE_RUNNER_NAME
  image: alpine:3.21.3
  name: identify-runner
- commands:
  - mkdir -p bin
  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v3.1.2/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
- commands:
  - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
  depends_on: []
  environment:
    CGO_ENABLED: 0
  image: golang:1.24.6-alpine
  name: compile-build-cmd
- commands:
  - ./bin/build artifacts docker fetch --edition oss
  depends_on:
  - compile-build-cmd
  environment:
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USER:
      from_secret: docker_username
    GCP_KEY:
      from_secret: gcp_grafanauploads
  image: google/cloud-sdk:431.0.0
  name: fetch-images
  volumes:
  - name: docker
    path: /var/run/docker.sock
- commands:
  - apk add bash
  - |2-

        bash -c '
        IMAGE_TAG=$(echo "$${TAG}" | sed -e "s/+/-/g")
        debug=
        if [[ -n $${DRY_RUN} ]];  then debug=echo; fi
        docker login -u $${DOCKER_USER} -p $${DOCKER_PASSWORD}

        # Push the grafana-image-tags images
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-amd64
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-arm64
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-armv7
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-amd64
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-arm64
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-armv7

        # Create the grafana manifests
        $$debug docker manifest create grafana/grafana:$${IMAGE_TAG}       grafana/grafana-image-tags:$${IMAGE_TAG}-amd64       grafana/grafana-image-tags:$${IMAGE_TAG}-arm64       grafana/grafana-image-tags:$${IMAGE_TAG}-armv7

        $$debug docker manifest create grafana/grafana:$${IMAGE_TAG}-ubuntu       grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-amd64       grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-arm64       grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-armv7

        # Push the grafana manifests
        $$debug docker manifest push grafana/grafana:$${IMAGE_TAG}
        $$debug docker manifest push grafana/grafana:$${IMAGE_TAG}-ubuntu

        # if LATEST is set, then also create & push latest
        if [[ -n $${LATEST} ]]; then
            $$debug docker manifest create grafana/grafana:latest           grafana/grafana-image-tags:$${IMAGE_TAG}-amd64           grafana/grafana-image-tags:$${IMAGE_TAG}-arm64           grafana/grafana-image-tags:$${IMAGE_TAG}-armv7
            $$debug docker manifest create grafana/grafana:latest-ubuntu           grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-amd64           grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-arm64           grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-armv7

            $$debug docker manifest push grafana/grafana:latest
            $$debug docker manifest push grafana/grafana:latest-ubuntu

        fi'
  depends_on:
  - fetch-images
  environment:
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USER:
      from_secret: docker_username
  image: docker:27-cli
  name: publish-images-grafana
  volumes:
  - name: docker
    path: /var/run/docker.sock
- commands:
  - ./bin/grabpl artifacts docker publish --dockerhub-repo grafana/grafana-oss --version-tag
    ${DRONE_TAG}
  depends_on:
  - fetch-images
  environment:
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USER:
      from_secret: docker_username
    GCP_KEY:
      from_secret: gcp_grafanauploads
    GITHUB_APP_ID: "329617"
    GITHUB_APP_INSTALLATION_ID: "37346161"
    GITHUB_APP_PRIVATE_KEY:
      from_secret: delivery-bot-app-private-key
  image: google/cloud-sdk:431.0.0
  name: publish-images-grafana-oss
  volumes:
  - name: docker
    path: /var/run/docker.sock
trigger:
  event:
  - promote
  target:
  - public
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: manually-publish-docker-public
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $DRONE_RUNNER_NAME
  image: alpine:3.21.3
  name: identify-runner
- commands:
  - mkdir -p bin
  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v3.1.2/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
- commands:
  - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
  depends_on: []
  environment:
    CGO_ENABLED: 0
  image: golang:1.24.6-alpine
  name: compile-build-cmd
- commands:
  - ./bin/build artifacts docker fetch --edition oss
  depends_on:
  - compile-build-cmd
  environment:
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USER:
      from_secret: docker_username
    GCP_KEY:
      from_secret: gcp_grafanauploads
  image: google/cloud-sdk:431.0.0
  name: fetch-images
  volumes:
  - name: docker
    path: /var/run/docker.sock
- commands:
  - apk add bash
  - |2-

        bash -c '
        IMAGE_TAG=$(echo "$${TAG}" | sed -e "s/+/-/g")
        debug=
        if [[ -n $${DRY_RUN} ]];  then debug=echo; fi
        docker login -u $${DOCKER_USER} -p $${DOCKER_PASSWORD}

        # Push the grafana-image-tags images
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-amd64
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-arm64
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-armv7
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-amd64
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-arm64
        $$debug docker push grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-armv7

        # Create the grafana manifests
        $$debug docker manifest create grafana/grafana:$${IMAGE_TAG}       grafana/grafana-image-tags:$${IMAGE_TAG}-amd64       grafana/grafana-image-tags:$${IMAGE_TAG}-arm64       grafana/grafana-image-tags:$${IMAGE_TAG}-armv7

        $$debug docker manifest create grafana/grafana:$${IMAGE_TAG}-ubuntu       grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-amd64       grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-arm64       grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-armv7

        # Push the grafana manifests
        $$debug docker manifest push grafana/grafana:$${IMAGE_TAG}
        $$debug docker manifest push grafana/grafana:$${IMAGE_TAG}-ubuntu

        # if LATEST is set, then also create & push latest
        if [[ -n $${LATEST} ]]; then
            $$debug docker manifest create grafana/grafana:latest           grafana/grafana-image-tags:$${IMAGE_TAG}-amd64           grafana/grafana-image-tags:$${IMAGE_TAG}-arm64           grafana/grafana-image-tags:$${IMAGE_TAG}-armv7
            $$debug docker manifest create grafana/grafana:latest-ubuntu           grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-amd64           grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-arm64           grafana/grafana-image-tags:$${IMAGE_TAG}-ubuntu-armv7

            $$debug docker manifest push grafana/grafana:latest
            $$debug docker manifest push grafana/grafana:latest-ubuntu

        fi'
  depends_on:
  - fetch-images
  environment:
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USER:
      from_secret: docker_username
  image: docker:27-cli
  name: publish-images-grafana
  volumes:
  - name: docker
    path: /var/run/docker.sock
trigger:
  event:
  - promote
  target:
  - publish-docker-public
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: create-release-pr
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - apk add perl
  - v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
  - curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
  - gh workflow run -f dry_run=$${DRY_RUN} -f version=$${TAG} -f target=$${v_target}
    -f latest=$${LATEST} --repo=grafana/grafana release-pr.yml
  depends_on: []
  environment:
    GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
  image: byrnedo/alpine-curl:0.1.8
  name: create-release-pr
  volumes:
  - name: github-app
    path: /github-app
trigger:
  event:
  - promote
  target: release-pr
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: github-app
  temp: {}
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: publish-artifacts-public
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
  depends_on: []
  environment:
    CGO_ENABLED: 0
  image: golang:1.24.6-alpine
  name: compile-build-cmd
- commands:
  - ./bin/build artifacts packages --artifacts-editions=oss --tag $${DRONE_TAG} --src-bucket
    $${PRERELEASE_BUCKET}
  depends_on:
  - compile-build-cmd
  environment:
    GCP_KEY:
      from_secret: gcp_grafanauploads_base64
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/grafana-ci-deploy:1.3.3
  name: publish-artifacts
- commands:
  - ./bin/build artifacts storybook --tag ${DRONE_TAG}
  depends_on:
  - compile-build-cmd
  environment:
    GCP_KEY:
      from_secret: gcp_grafanauploads_base64
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/grafana-ci-deploy:1.3.3
  name: publish-storybook
- commands:
  - echo $(/usr/bin/github-app-external-token) > /github-app/token
  environment:
    GITHUB_APP_ID:
      from_secret: github-app-app-id
    GITHUB_APP_INSTALLATION_ID:
      from_secret: github-app-installation-id
    GITHUB_APP_PRIVATE_KEY:
      from_secret: github-app-private-key
  failure: ignore
  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
  name: github-app-generate-token
  volumes:
  - name: github-app
    path: /github-app
- commands:
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - apk add perl
  - v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
  - curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
  - gh workflow run -f dry_run=$${DRY_RUN} -f version=$${TAG} -f target=$${v_target}
    -f latest=$${LATEST} --repo=grafana/grafana release-pr.yml
  depends_on:
  - publish-artifacts
  - github-app-generate-token
  environment:
    GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
  image: byrnedo/alpine-curl:0.1.8
  name: create-release-pr
  volumes:
  - name: github-app
    path: /github-app
trigger:
  event:
  - promote
  target:
  - public
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: github-app
  temp: {}
---
clone:
  retries: 3
depends_on: []
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: publish-npm-packages-public
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
  depends_on: []
  environment:
    CGO_ENABLED: 0
  image: golang:1.24.6-alpine
  name: compile-build-cmd
- commands:
  - yarn install --immutable || yarn install --immutable
  depends_on: []
  image: node:22.16.0-alpine
  name: yarn-install
- commands:
  - ./bin/build artifacts npm retrieve --tag ${DRONE_TAG}
  depends_on:
  - compile-build-cmd
  - yarn-install
  environment:
    GCP_KEY:
      from_secret: gcp_grafanauploads_base64
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  failure: ignore
  image: grafana/grafana-ci-deploy:1.3.3
  name: retrieve-npm-packages
- commands:
  - ./bin/build artifacts npm release --tag ${DRONE_TAG}
  depends_on:
  - compile-build-cmd
  - retrieve-npm-packages
  environment:
    NPM_TOKEN:
      from_secret: npm_token
  failure: ignore
  image: node:22.16.0-alpine
  name: release-npm-packages
trigger:
  event:
  - promote
  target:
  - public
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: verify-grafanacom-artifacts
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - apk add curl bash
  - "\n            for i in {1..5}; do\n                if ./scripts/drone/verify-grafanacom.sh;
    then\n                    exit 0\n                elif [ $i -eq 5 ]; then\n                    exit
    1\n                else\n                    sleep 60\n                fi\n            done\n
    \           "
  depends_on: []
  image: node:22.16.0-alpine
  name: verify-grafanacom
trigger:
  event:
  - promote
  target: verify-grafanacom-artifacts
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on:
- publish-artifacts-public
- publish-docker-public
environment:
  EDITION: oss
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: publish-packages
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
  depends_on: []
  environment:
    CGO_ENABLED: 0
  image: golang:1.24.6-alpine
  name: compile-build-cmd
- depends_on:
  - compile-build-cmd
  image: us.gcr.io/kubernetes-dev/package-publish:latest
  name: publish-linux-packages-deb
  privileged: true
  settings:
    access_key_id:
      from_secret: packages_access_key_id
    deb_distribution: auto
    gpg_passphrase:
      from_secret: packages_gpg_passphrase
    gpg_private_key:
      from_secret: packages_gpg_private_key
    gpg_public_key:
      from_secret: packages_gpg_public_key
    package_path: gs://grafana-prerelease/artifacts/downloads/*${DRONE_TAG}/oss/**.deb
    secret_access_key:
      from_secret: packages_secret_access_key
    service_account_json:
      from_secret: packages_service_account
    target_bucket: grafana-packages
- depends_on:
  - compile-build-cmd
  image: us.gcr.io/kubernetes-dev/package-publish:latest
  name: publish-linux-packages-rpm
  privileged: true
  settings:
    access_key_id:
      from_secret: packages_access_key_id
    deb_distribution: auto
    gpg_passphrase:
      from_secret: packages_gpg_passphrase
    gpg_private_key:
      from_secret: packages_gpg_private_key
    gpg_public_key:
      from_secret: packages_gpg_public_key
    package_path: gs://grafana-prerelease/artifacts/downloads/*${DRONE_TAG}/oss/**.rpm
    secret_access_key:
      from_secret: packages_secret_access_key
    service_account_json:
      from_secret: packages_service_account
    target_bucket: grafana-packages
- commands:
  - ./bin/build publish grafana-com --edition oss ${DRONE_TAG}
  depends_on:
  - publish-linux-packages-deb
  - publish-linux-packages-rpm
  environment:
    GCP_KEY:
      from_secret: gcp_grafanauploads_base64
    GRAFANA_COM_API_KEY:
      from_secret: grafana_api_key
  image: grafana/grafana-ci-deploy:1.3.3
  name: publish-grafanacom
- commands:
  - apk add curl bash
  - "\n            for i in {1..5}; do\n                if ./scripts/drone/verify-grafanacom.sh;
    then\n                    exit 0\n                elif [ $i -eq 5 ]; then\n                    exit
    1\n                else\n                    sleep 60\n                fi\n            done\n
    \           "
  depends_on:
  - publish-grafanacom
  image: node:22.16.0-alpine
  name: verify-grafanacom
trigger:
  event:
  - promote
  target:
  - public
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: publish-grafanacom
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
  depends_on: []
  environment:
    CGO_ENABLED: 0
  image: golang:1.24.6-alpine
  name: compile-build-cmd
- commands:
  - ./bin/build publish grafana-com --edition oss ${DRONE_TAG}
  depends_on:
  - compile-build-cmd
  environment:
    GCP_KEY:
      from_secret: gcp_grafanauploads_base64
    GRAFANA_COM_API_KEY:
      from_secret: grafana_api_key
  image: grafana/grafana-ci-deploy:1.3.3
  name: publish-grafanacom
trigger:
  event:
  - promote
  target: publish-grafanacom
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: rgm-main-prerelease
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
    | tar zx -C /bin
  - apk add docker bash
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - ./pkg/build/daggerbuild/scripts/drone_build_main.sh
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
    ALPINE_BASE: alpine:3.21.3
    CDN_DESTINATION:
      from_secret: rgm_cdn_destination
    DESTINATION:
      from_secret: destination
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USERNAME:
      from_secret: docker_username
    DOWNLOADS_DESTINATION:
      from_secret: rgm_downloads_destination
    GCOM_API_KEY:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
      from_secret: packages_gpg_private_key
    GPG_PUBLIC_KEY:
      from_secret: packages_gpg_public_key
    NPM_TOKEN:
      from_secret: npm_token
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
  image: golang:1.24.6-alpine
  name: rgm-build
  pull: always
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: github-app
    path: /github-app
trigger:
  branch: main
  event:
  - push
  paths:
    exclude:
    - '*.md'
    - docs/**
    - packages/**/*.md
    - latest.json
  repo:
  - grafana/grafana
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: rgm-tag-prerelease
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $(/usr/bin/github-app-external-token) > /github-app/token
  environment:
    GITHUB_APP_ID:
      from_secret: github-app-app-id
    GITHUB_APP_INSTALLATION_ID:
      from_secret: github-app-installation-id
    GITHUB_APP_PRIVATE_KEY:
      from_secret: github-app-private-key
  failure: ignore
  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
  name: github-app-generate-token
  volumes:
  - name: github-app
    path: /github-app
- commands:
  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
    | tar zx -C /bin
  - apk add docker bash
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - ./pkg/build/daggerbuild/scripts/drone_build_tag_grafana.sh
  depends_on:
  - github-app-generate-token
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
    ALPINE_BASE: alpine:3.21.3
    CDN_DESTINATION:
      from_secret: rgm_cdn_destination
    DESTINATION:
      from_secret: destination
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USERNAME:
      from_secret: docker_username
    DOWNLOADS_DESTINATION:
      from_secret: rgm_downloads_destination
    GCOM_API_KEY:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
      from_secret: packages_gpg_private_key
    GPG_PUBLIC_KEY:
      from_secret: packages_gpg_public_key
    NPM_TOKEN:
      from_secret: npm_token
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
  image: golang:1.24.6-alpine
  name: rgm-build
  pull: always
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: github-app
    path: /github-app
trigger:
  event:
    exclude:
    - promote
  ref:
    exclude:
    - refs/tags/*-cloud*
    include:
    - refs/tags/v*
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: github-app
  path: /github-app
- name: github-app
  temp: {}
---
clone:
  retries: 3
depends_on:
- rgm-tag-prerelease
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: rgm-tag-verify-prerelease-assets
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - apt-get update && apt-get install -yq gettext
  - printenv GCP_KEY | base64 -d > /tmp/key.json
  - gcloud auth activate-service-account --key-file=/tmp/key.json
  - ./scripts/list-release-artifacts.sh ${DRONE_TAG} | xargs -n1 gsutil stat >> /tmp/stat.log
  - '! cat /tmp/stat.log | grep "No URLs matched"'
  depends_on:
  - clone
  environment:
    BUCKET: grafana-prerelease
    GCP_KEY:
      from_secret: gcp_key_base64
  image: google/cloud-sdk:431.0.0
  name: gsutil-stat
trigger:
  event:
    exclude:
    - promote
  ref:
    exclude:
    - refs/tags/*-cloud*
    include:
    - refs/tags/v*
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: rgm-version-branch-prerelease
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
    | tar zx -C /bin
  - apk add docker bash
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - ./pkg/build/daggerbuild/scripts/drone_build_tag_grafana.sh
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
    ALPINE_BASE: alpine:3.21.3
    CDN_DESTINATION:
      from_secret: rgm_cdn_destination
    DESTINATION:
      from_secret: destination
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USERNAME:
      from_secret: docker_username
    DOWNLOADS_DESTINATION:
      from_secret: rgm_downloads_destination
    GCOM_API_KEY:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
      from_secret: packages_gpg_private_key
    GPG_PUBLIC_KEY:
      from_secret: packages_gpg_public_key
    NPM_TOKEN:
      from_secret: npm_token
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
  image: golang:1.24.6-alpine
  name: rgm-build
  pull: always
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: github-app
    path: /github-app
trigger:
  ref:
  - refs/heads/v[0-9]*
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on:
- rgm-version-branch-prerelease
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: rgm-prerelease-verify-prerelease-assets
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - apt-get update && apt-get install -yq gettext
  - printenv GCP_KEY | base64 -d > /tmp/key.json
  - gcloud auth activate-service-account --key-file=/tmp/key.json
  - ./scripts/list-release-artifacts.sh ${DRONE_TAG} | xargs -n1 gsutil stat >> /tmp/stat.log
  - '! cat /tmp/stat.log | grep "No URLs matched"'
  depends_on:
  - clone
  environment:
    BUCKET: grafana-prerelease
    GCP_KEY:
      from_secret: gcp_key_base64
  image: google/cloud-sdk:431.0.0
  name: gsutil-stat
trigger:
  ref:
  - refs/heads/v[0-9]*
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: rgm-nightly-build
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
    | tar zx -C /bin
  - apk add docker bash
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - ./pkg/build/daggerbuild/scripts/drone_build_nightly_grafana.sh
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
    ALPINE_BASE: alpine:3.21.3
    CDN_DESTINATION:
      from_secret: rgm_cdn_destination
    DESTINATION:
      from_secret: destination
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USERNAME:
      from_secret: docker_username
    DOWNLOADS_DESTINATION:
      from_secret: rgm_downloads_destination
    GCOM_API_KEY:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
      from_secret: packages_gpg_private_key
    GPG_PUBLIC_KEY:
      from_secret: packages_gpg_public_key
    NPM_TOKEN:
      from_secret: npm_token
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
  image: golang:1.24.6-alpine
  name: rgm-build
  pull: always
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: github-app
    path: /github-app
- commands:
  - mkdir -p $${DESTINATION}/$${DRONE_BUILD_EVENT}
  - printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
  - gcloud auth activate-service-account --key-file=/tmp/key.json
  - gcloud storage cp -r $${DRONE_WORKSPACE}/dist/* $${DESTINATION}/$${DRONE_BUILD_EVENT}
  depends_on:
  - rgm-build
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
    CDN_DESTINATION:
      from_secret: rgm_cdn_destination
    DESTINATION:
      from_secret: destination
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USERNAME:
      from_secret: docker_username
    DOWNLOADS_DESTINATION:
      from_secret: rgm_downloads_destination
    GCOM_API_KEY:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
      from_secret: packages_gpg_private_key
    GPG_PUBLIC_KEY:
      from_secret: packages_gpg_public_key
    NPM_TOKEN:
      from_secret: npm_token
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
  image: google/cloud-sdk:alpine
  name: rgm-copy
trigger:
  cron:
    include:
    - nightly-release
  event:
    include:
    - cron
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on:
- rgm-nightly-build
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: rgm-nightly-publish
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - mkdir -p $${DRONE_WORKSPACE}/dist
  - printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
  - gcloud auth activate-service-account --key-file=/tmp/key.json
  - gcloud storage cp -r $${DESTINATION}/$${DRONE_BUILD_EVENT}/*_$${DRONE_BUILD_NUMBER}_*
    $${DRONE_WORKSPACE}/dist
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
    CDN_DESTINATION:
      from_secret: rgm_cdn_destination
    DESTINATION:
      from_secret: destination
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USERNAME:
      from_secret: docker_username
    DOWNLOADS_DESTINATION:
      from_secret: rgm_downloads_destination
    GCOM_API_KEY:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
      from_secret: packages_gpg_private_key
    GPG_PUBLIC_KEY:
      from_secret: packages_gpg_public_key
    NPM_TOKEN:
      from_secret: npm_token
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
  image: google/cloud-sdk:alpine
  name: rgm-copy
- commands:
  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
    | tar zx -C /bin
  - apk add docker bash
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - ./pkg/build/daggerbuild/scripts/drone_publish_nightly_grafana.sh
  depends_on:
  - rgm-copy
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
    ALPINE_BASE: alpine:3.21.3
    CDN_DESTINATION:
      from_secret: rgm_cdn_destination
    DESTINATION:
      from_secret: destination
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USERNAME:
      from_secret: docker_username
    DOWNLOADS_DESTINATION:
      from_secret: rgm_downloads_destination
    GCOM_API_KEY:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
      from_secret: packages_gpg_private_key
    GPG_PUBLIC_KEY:
      from_secret: packages_gpg_public_key
    NPM_TOKEN:
      from_secret: npm_token
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
  image: golang:1.24.6-alpine
  name: rgm-publish
  pull: always
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: github-app
    path: /github-app
- depends_on:
  - rgm-publish
  image: us.gcr.io/kubernetes-dev/package-publish:latest
  name: publish-deb
  privileged: true
  settings:
    access_key_id:
      from_secret: packages_access_key_id
    gpg_passphrase:
      from_secret: packages_gpg_passphrase
    gpg_private_key:
      from_secret: packages_gpg_private_key
    gpg_public_key:
      from_secret: packages_gpg_public_key
    package_path: file:///drone/src/dist/*.deb
    secret_access_key:
      from_secret: packages_secret_access_key
    service_account_json:
      from_secret: packages_service_account
    target_bucket: grafana-packages
- depends_on:
  - rgm-publish
  image: us.gcr.io/kubernetes-dev/package-publish:latest
  name: publish-rpm
  privileged: true
  settings:
    access_key_id:
      from_secret: packages_access_key_id
    gpg_passphrase:
      from_secret: packages_gpg_passphrase
    gpg_private_key:
      from_secret: packages_gpg_private_key
    gpg_public_key:
      from_secret: packages_gpg_public_key
    package_path: file:///drone/src/dist/*.rpm
    secret_access_key:
      from_secret: packages_secret_access_key
    service_account_json:
      from_secret: packages_service_account
    target_bucket: grafana-packages
trigger:
  cron:
    include:
    - nightly-release
  event:
    include:
    - cron
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
---
clone:
  retries: 3
depends_on: []
image_pull_secrets:
- gcr
- gar
kind: pipeline
name: rgm-promotion
node:
  type: no-parallel
platform:
  arch: amd64
  os: linux
services: []
steps:
- commands:
  - echo $(/usr/bin/github-app-external-token) > /github-app/token
  environment:
    GITHUB_APP_ID:
      from_secret: github-app-app-id
    GITHUB_APP_INSTALLATION_ID:
      from_secret: github-app-installation-id
    GITHUB_APP_PRIVATE_KEY:
      from_secret: github-app-private-key
  failure: ignore
  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
  name: github-app-generate-token
  volumes:
  - name: github-app
    path: /github-app
- commands:
  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
    | tar zx -C /bin
  - apk add docker bash
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - dagger run --silent go run ./pkg/build/cmd artifacts -a $${ARTIFACTS} --grafana-ref=$${GRAFANA_REF}
    --enterprise-ref=$${ENTERPRISE_REF} --grafana-repo=$${GRAFANA_REPO} --build-id=$${DRONE_BUILD_NUMBER}
    --version=$${VERSION}
  depends_on:
  - github-app-generate-token
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
    ALPINE_BASE: alpine:3.21.3
    CDN_DESTINATION:
      from_secret: rgm_cdn_destination
    DESTINATION:
      from_secret: destination
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USERNAME:
      from_secret: docker_username
    DOWNLOADS_DESTINATION:
      from_secret: rgm_downloads_destination
    GCOM_API_KEY:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
      from_secret: packages_gpg_private_key
    GPG_PUBLIC_KEY:
      from_secret: packages_gpg_public_key
    NPM_TOKEN:
      from_secret: npm_token
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
  image: golang:1.24.6-alpine
  name: rgm-build
  pull: always
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: github-app
    path: /github-app
- commands:
  - printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
  - gcloud auth activate-service-account --key-file=/tmp/key.json
  - gcloud storage cp -r dist/* $${UPLOAD_TO}
  depends_on:
  - rgm-build
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
    CDN_DESTINATION:
      from_secret: rgm_cdn_destination
    DESTINATION:
      from_secret: destination
    DOCKER_PASSWORD:
      from_secret: docker_password
    DOCKER_USERNAME:
      from_secret: docker_username
    DOWNLOADS_DESTINATION:
      from_secret: rgm_downloads_destination
    GCOM_API_KEY:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
      from_secret: packages_gpg_private_key
    GPG_PUBLIC_KEY:
      from_secret: packages_gpg_public_key
    NPM_TOKEN:
      from_secret: npm_token
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
  image: google/cloud-sdk:alpine
  name: rgm-copy
trigger:
  event:
  - promote
  target: upload-packages
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: github-app
  path: /github-app
- name: github-app
  temp: {}
---
clone:
  retries: 3
kind: pipeline
name: scan-grafana/grafana:latest-image
platform:
  arch: amd64
  os: linux
steps:
- commands:
  - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io
  environment:
    GCR_CREDENTIALS:
      from_secret: gcr_credentials
  image: docker:dind
  name: authenticate-gcr
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy image --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest
  depends_on:
  - authenticate-gcr
  image: aquasec/trivy:0.21.0
  name: scan-unknown-low-medium-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy image --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest
  depends_on:
  - authenticate-gcr
  environment:
    GOOGLE_APPLICATION_CREDENTIALS:
      from_secret: gcr_credentials_json
  image: aquasec/trivy:0.21.0
  name: scan-high-critical-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- image: plugins/slack
  name: slack-notify-failure
  settings:
    channel: grafana-backend-ops
    template: 'Nightly docker image scan job for grafana/grafana:latest failed: {{build.link}}'
    webhook:
      from_secret: slack_webhook_backend
  when:
    status: failure
trigger:
  cron: nightly
  event: cron
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: config
  temp: {}
---
clone:
  retries: 3
kind: pipeline
name: scan-grafana/grafana:main-image
platform:
  arch: amd64
  os: linux
steps:
- commands:
  - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io
  environment:
    GCR_CREDENTIALS:
      from_secret: gcr_credentials
  image: docker:dind
  name: authenticate-gcr
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy image --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main
  depends_on:
  - authenticate-gcr
  image: aquasec/trivy:0.21.0
  name: scan-unknown-low-medium-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy image --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main
  depends_on:
  - authenticate-gcr
  environment:
    GOOGLE_APPLICATION_CREDENTIALS:
      from_secret: gcr_credentials_json
  image: aquasec/trivy:0.21.0
  name: scan-high-critical-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- image: plugins/slack
  name: slack-notify-failure
  settings:
    channel: grafana-backend-ops
    template: 'Nightly docker image scan job for grafana/grafana:main failed: {{build.link}}'
    webhook:
      from_secret: slack_webhook_backend
  when:
    status: failure
trigger:
  cron: nightly
  event: cron
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: config
  temp: {}
---
clone:
  retries: 3
kind: pipeline
name: scan-grafana/grafana:latest-ubuntu-image
platform:
  arch: amd64
  os: linux
steps:
- commands:
  - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io
  environment:
    GCR_CREDENTIALS:
      from_secret: gcr_credentials
  image: docker:dind
  name: authenticate-gcr
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy image --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:latest-ubuntu
  depends_on:
  - authenticate-gcr
  image: aquasec/trivy:0.21.0
  name: scan-unknown-low-medium-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy image --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:latest-ubuntu
  depends_on:
  - authenticate-gcr
  environment:
    GOOGLE_APPLICATION_CREDENTIALS:
      from_secret: gcr_credentials_json
  image: aquasec/trivy:0.21.0
  name: scan-high-critical-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- image: plugins/slack
  name: slack-notify-failure
  settings:
    channel: grafana-backend-ops
    template: 'Nightly docker image scan job for grafana/grafana:latest-ubuntu failed:
      {{build.link}}'
    webhook:
      from_secret: slack_webhook_backend
  when:
    status: failure
trigger:
  cron: nightly
  event: cron
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: config
  temp: {}
---
clone:
  retries: 3
kind: pipeline
name: scan-grafana/grafana:main-ubuntu-image
platform:
  arch: amd64
  os: linux
steps:
- commands:
  - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io
  environment:
    GCR_CREDENTIALS:
      from_secret: gcr_credentials
  image: docker:dind
  name: authenticate-gcr
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy image --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana:main-ubuntu
  depends_on:
  - authenticate-gcr
  image: aquasec/trivy:0.21.0
  name: scan-unknown-low-medium-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy image --exit-code 1 --severity HIGH,CRITICAL grafana/grafana:main-ubuntu
  depends_on:
  - authenticate-gcr
  environment:
    GOOGLE_APPLICATION_CREDENTIALS:
      from_secret: gcr_credentials_json
  image: aquasec/trivy:0.21.0
  name: scan-high-critical-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- image: plugins/slack
  name: slack-notify-failure
  settings:
    channel: grafana-backend-ops
    template: 'Nightly docker image scan job for grafana/grafana:main-ubuntu failed:
      {{build.link}}'
    webhook:
      from_secret: slack_webhook_backend
  when:
    status: failure
trigger:
  cron: nightly
  event: cron
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: config
  temp: {}
---
clone:
  retries: 3
kind: pipeline
name: scan-build-test-and-publish-docker-images
platform:
  arch: amd64
  os: linux
steps:
- commands:
  - echo $${GCR_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io
  environment:
    GCR_CREDENTIALS:
      from_secret: gcr_credentials
  image: docker:dind
  name: authenticate-gcr
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM docker:27-cli
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM alpine/git:2.40.1
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM golang:1.24.6-alpine
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM node:22.16.0-alpine
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM node:22-bookworm
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM google/cloud-sdk:431.0.0
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana-ci-deploy:1.3.3
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM alpine:3.21.3
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM ubuntu:22.04
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM byrnedo/alpine-curl:0.1.8
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM plugins/slack
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us.gcr.io/kubernetes-dev/package-publish:latest
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/drone-downstream
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/docker-puppeteer:1.1.0
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/docs-base:latest
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM cypress/included:14.3.2
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM jwilder/dockerize:0.6.1
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
  depends_on:
  - authenticate-gcr
  image: aquasec/trivy:0.21.0
  name: scan-unknown-low-medium-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- commands:
  - trivy --exit-code 1 --severity HIGH,CRITICAL docker:27-cli
  - trivy --exit-code 1 --severity HIGH,CRITICAL alpine/git:2.40.1
  - trivy --exit-code 1 --severity HIGH,CRITICAL golang:1.24.6-alpine
  - trivy --exit-code 1 --severity HIGH,CRITICAL node:22.16.0-alpine
  - trivy --exit-code 1 --severity HIGH,CRITICAL node:22-bookworm
  - trivy --exit-code 1 --severity HIGH,CRITICAL google/cloud-sdk:431.0.0
  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana-ci-deploy:1.3.3
  - trivy --exit-code 1 --severity HIGH,CRITICAL alpine:3.21.3
  - trivy --exit-code 1 --severity HIGH,CRITICAL ubuntu:22.04
  - trivy --exit-code 1 --severity HIGH,CRITICAL byrnedo/alpine-curl:0.1.8
  - trivy --exit-code 1 --severity HIGH,CRITICAL plugins/slack
  - trivy --exit-code 1 --severity HIGH,CRITICAL us.gcr.io/kubernetes-dev/package-publish:latest
  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/drone-downstream
  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/docker-puppeteer:1.1.0
  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/docs-base:latest
  - trivy --exit-code 1 --severity HIGH,CRITICAL cypress/included:14.3.2
  - trivy --exit-code 1 --severity HIGH,CRITICAL jwilder/dockerize:0.6.1
  - trivy --exit-code 1 --severity HIGH,CRITICAL us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
  depends_on:
  - authenticate-gcr
  environment:
    GOOGLE_APPLICATION_CREDENTIALS:
      from_secret: gcr_credentials_json
  image: aquasec/trivy:0.21.0
  name: scan-high-critical-vulnerabilities
  volumes:
  - name: docker
    path: /var/run/docker.sock
  - name: config
    path: /root/.docker/
- image: plugins/slack
  name: slack-notify-failure
  settings:
    channel: grafana-backend-ops
    template: 'Nightly docker image scan job for build-images failed: {{build.link}}'
    webhook:
      from_secret: slack_webhook_backend
  when:
    status: failure
trigger:
  cron: nightly
  event: cron
type: docker
volumes:
- host:
    path: /var/run/docker.sock
  name: docker
- name: config
  temp: {}
---
get:
  name: app-id
  path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-app-id
---
get:
  name: app-installation-id
  path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-installation-id
---
get:
  name: private-key
  path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-private-key
---
get:
  name: credentials.json
  path: infra/data/ci/grafana-release-eng/grafanauploads
kind: secret
name: gcp_grafanauploads
---
get:
  name: credentials_base64
  path: infra/data/ci/grafana-release-eng/grafanauploads
kind: secret
name: gcp_grafanauploads_base64
---
get:
  name: api_key
  path: infra/data/ci/grafana-release-eng/grafanacom
kind: secret
name: grafana_api_key
---
get:
  name: .dockerconfigjson
  path: secret/data/common/gcr
kind: secret
name: gcr
---
get:
  name: .dockerconfigjson
  path: secret/data/common/gar
kind: secret
name: gar
---
get:
  name: machine-user-token
  path: infra/data/ci/drone
kind: secret
name: drone_token
---
get:
  name: bucket
  path: infra/data/ci/grafana/prerelease
kind: secret
name: prerelease_bucket
---
get:
  name: username
  path: ci/data/common/dockerhub
kind: secret
name: docker_username
---
get:
  name: password
  path: ci/data/common/dockerhub
kind: secret
name: docker_password
---
get:
  name: credentials.json
  path: infra/data/ci/grafana/releng/artifacts-uploader-service-account
kind: secret
name: gcp_upload_artifacts_key
---
get:
  name: credentials.json
  path: infra/data/ci/grafana/assets-downloader-build-container-service-account
kind: secret
name: gcp_download_build_container_assets_key
---
get:
  name: application_id
  path: infra/data/ci/datasources/cpp-azure-resourcemanager-credentials
kind: secret
name: azure_sp_app_id
---
get:
  name: application_secret
  path: infra/data/ci/datasources/cpp-azure-resourcemanager-credentials
kind: secret
name: azure_sp_app_pw
---
get:
  name: tenant_id
  path: infra/data/ci/datasources/cpp-azure-resourcemanager-credentials
kind: secret
name: azure_tenant
---
get:
  name: token
  path: infra/data/ci/grafana-release-eng/npm
kind: secret
name: npm_token
---
get:
  name: public-key-b64
  path: infra/data/ci/packages-publish/gpg
kind: secret
name: packages_gpg_public_key
---
get:
  name: private-key-b64
  path: infra/data/ci/packages-publish/gpg
kind: secret
name: packages_gpg_private_key
---
get:
  name: passphrase
  path: infra/data/ci/packages-publish/gpg
kind: secret
name: packages_gpg_passphrase
---
get:
  name: credentials.json
  path: infra/data/ci/packages-publish/service-account
kind: secret
name: packages_service_account
---
get:
  name: AccessID
  path: infra/data/ci/packages-publish/bucket-credentials
kind: secret
name: packages_access_key_id
---
get:
  name: Secret
  path: infra/data/ci/packages-publish/bucket-credentials
kind: secret
name: packages_secret_access_key
---
get:
  name: static_asset_editions
  path: infra/data/ci/grafana-release-eng/artifact-publishing
kind: secret
name: static_asset_editions
---
get:
  name: gcp_service_account_prod_base64
  path: infra/data/ci/grafana-release-eng/rgm
kind: secret
name: gcp_key_base64
---
get:
  name: destination_prod
  path: infra/data/ci/grafana-release-eng/rgm
kind: secret
name: destination
---
get:
  name: storybook_destination
  path: infra/data/ci/grafana-release-eng/rgm
kind: secret
name: rgm_storybook_destination
---
get:
  name: cdn_destination
  path: infra/data/ci/grafana-release-eng/rgm
kind: secret
name: rgm_cdn_destination
---
get:
  name: downloads_destination
  path: infra/data/ci/grafana-release-eng/rgm
kind: secret
name: rgm_downloads_destination
---
get:
  name: dagger_token
  path: infra/data/ci/grafana-release-eng/rgm
kind: secret
name: dagger_token
---
get:
  name: PRIVATE_KEY
  path: ci/data/repo/grafana/grafana/delivery-bot-app
kind: secret
name: delivery-bot-app-private-key
---
get:
  name: service-account
  path: secret/data/common/gcr
kind: secret
name: gcr_credentials
---
kind: signature
hmac: e7227aeb1bbea13606266ce540b5f0e0a63f05f56a3eb072954d54527dcc5a11

...