root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 196 Packages Projects Releases Wiki Activity

CI: remove unused worklow; use GITHUB_TOKEN where possible (#104657)
Backend Code Checks / Validate Backend Configs (push) Waiting to run Details
Backend Unit Tests / Grafana (push) Waiting to run Details
Backend Unit Tests / Grafana Enterprise (push) Waiting to run Details
CodeQL checks / Analyze (go) (push) Waiting to run Details
CodeQL checks / Analyze (javascript) (push) Waiting to run Details
CodeQL checks / Analyze (python) (push) Waiting to run Details
Lint Frontend / Verify i18n (push) Waiting to run Details
Lint Frontend / Lint (push) Waiting to run Details
Lint Frontend / Typecheck (push) Waiting to run Details
Lint Frontend / Betterer (push) Waiting to run Details
golangci-lint / lint-go (push) Waiting to run Details
Crowdin Upload Action / upload-sources-to-crowdin (push) Waiting to run Details
Coverage / Backend Unit Tests (push) Waiting to run Details
End-to-end tests / Build & Package Grafana (push) Waiting to run Details
End-to-end tests / ${{ matrix.suite }} (dashboards-suite) (push) Blocked by required conditions Details
End-to-end tests / ${{ matrix.suite }} (panels-suite) (push) Blocked by required conditions Details
End-to-end tests / ${{ matrix.suite }} (smoke-tests-suite) (push) Blocked by required conditions Details
End-to-end tests / ${{ matrix.suite }} (various-suite) (push) Blocked by required conditions Details
End-to-end tests / ${{ matrix.suite }} (old arch) (old-arch/dashboards-suite) (push) Blocked by required conditions Details
End-to-end tests / ${{ matrix.suite }} (old arch) (old-arch/panels-suite) (push) Blocked by required conditions Details
End-to-end tests / ${{ matrix.suite }} (old arch) (old-arch/smoke-tests-suite) (push) Blocked by required conditions Details
End-to-end tests / ${{ matrix.suite }} (old arch) (old-arch/various-suite) (push) Blocked by required conditions Details
Frontend tests / Unit tests (${{ matrix.chunk }} / 8) (1) (push) Waiting to run Details
Frontend tests / Unit tests (${{ matrix.chunk }} / 8) (2) (push) Waiting to run Details
Frontend tests / Unit tests (${{ matrix.chunk }} / 8) (3) (push) Waiting to run Details
Frontend tests / Unit tests (${{ matrix.chunk }} / 8) (4) (push) Waiting to run Details
Frontend tests / Unit tests (${{ matrix.chunk }} / 8) (5) (push) Waiting to run Details
Frontend tests / Unit tests (${{ matrix.chunk }} / 8) (6) (push) Waiting to run Details
Frontend tests / Unit tests (${{ matrix.chunk }} / 8) (7) (push) Waiting to run Details
Frontend tests / Unit tests (${{ matrix.chunk }} / 8) (8) (push) Waiting to run Details
Integration Tests / Sqlite (push) Waiting to run Details
Integration Tests / MySQL (push) Waiting to run Details
Integration Tests / Postgres (push) Waiting to run Details
Run dashboard schema v2 e2e / dashboard-schema-v2-e2e (push) Waiting to run Details
Dispatch sync to mirror / dispatch-job (push) Waiting to run Details
Trivy Scan / trivy-scan (push) Waiting to run Details
Zizmor GitHub Actions static analysis / Analyse with Zizmor (push) Waiting to run Details 

* remove unused worklow; use GITHUB_TOKEN where possible

* pin usages of checkout and setup-go

* Fix zizmor errors

* add zizmor.yml

* fix `changelog.yml`

* fix `core-plugins-build-and-release.yml`

* fix `release-comms.yml`

* update release-pr.yml and run-e2e-suite.yml

* Fix errors in files outside of .github/workflows

* Remove path filter on zizmor.yml

---------

Co-authored-by: Sven Grossmann <svennergr@gmail.com>
Co-authored-by: joshhunt <josh.hunt@grafana.com>
This commit is contained in:
Kevin Minehart 2025-04-29 10:09:23 -05:00 committed by GitHub
parent 97a1614cde
commit 97d10b5095
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
68 changed files with 478 additions and 470 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/actions/setup-enterprise/action.yml vendored
View File

@ -12,7 +12,7 @@ runs:
steps:
- name: Retrieve GitHub App secrets
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
APP_ID=${{ inputs.github-app-name }}:app-id

2
.github/actions/setup-grafana-bench/action.yml vendored
View File

@ -16,7 +16,7 @@ runs:
steps:
- name: Retrieve GitHub App secrets
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
APP_ID=${{ inputs.github-app-name }}:app-id

2
.github/actions/test-coverage-processor/action.yml vendored
View File

@ -38,7 +38,7 @@ runs:
fi
- name: Report coverage to CodeCov
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5
if: inputs.codecov-token != ''
with:
files: ${{ inputs.coverage-file }}

8
.github/workflows/alerting-swagger-gen.yml vendored
View File

@ -10,18 +10,19 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 2
persist-credentials: false
- name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
go-version-file: go.mod
- name: Build swagger
run: |
make -C pkg/services/ngalert/api/tooling post.json api.json
- name: Open Pull Request
uses: peter-evans/create-pull-request@v5
uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: "chore: update alerting swagger spec"
@ -34,4 +35,3 @@ jobs:
labels: 'area/alerting,type/docs,no-changelog'
team-reviewers: 'grafana/alerting-backend'
draft: false

5
.github/workflows/alerting-update-module.yml vendored
View File

@ -18,7 +18,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
with:
persist-credentials: false
- name: Check if update branch exists
run: |
if git ls-remote --heads origin update-alerting-module | grep -q 'update-alerting-module'; then
@ -96,7 +97,7 @@ jobs:
make update-workspace
- id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # 1.1.0
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
GITHUB_APP_ID=alerting-team:app-id

6
.github/workflows/analytics-events-report.yml vendored
View File

@ -8,10 +8,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'

7
.github/workflows/backend-code-checks.yml vendored
View File

@ -24,10 +24,11 @@ jobs:
name: Validate Backend Configs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
# Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
# The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs

22
.github/workflows/backend-unit-tests.yml vendored
View File

@ -17,9 +17,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
permissions:
contents: read
id-token: write
permissions: {}
jobs:
grafana:
@ -29,11 +27,16 @@ jobs:
name: Grafana
runs-on: ubuntu-latest-8-cores
continue-on-error: true
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
- name: Generate Go code
@ -46,11 +49,16 @@ jobs:
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
name: Grafana Enterprise
runs-on: ubuntu-latest-8-cores
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
- name: Setup Enterprise

21
.github/workflows/backport.yml vendored
View File

@ -5,6 +5,10 @@ on:
- closed
- labeled
permissions:
contents: write
pull-requests: write
jobs:
main:
if: github.repository == 'grafana/grafana'
@ -14,20 +18,15 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
with:
persist-credentials: false
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- run: git config --global user.email '132647405+grafana-delivery-bot[bot]@users.noreply.github.com'
- run: git config --global user.name 'grafana-delivery-bot[bot]'
- run: git config --local user.name "github-actions[bot]"
- run: git config --local user.email "github-actions[bot]@users.noreply.github.com"
- run: git config --local --add --bool push.autoSetupRemote true
- name: Set remote URL
env:
GIT_TOKEN: ${{ steps.generate_token.outputs.token }}
GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git remote set-url origin "https://grafana-delivery-bot:$GIT_TOKEN@github.com/grafana/grafana.git"
- name: Run backport
uses: grafana/grafana-github-actions-go/backport@d4c452f92ed826d515dccf1f62923e537953acd8 # main
uses: grafana/grafana-github-actions-go/backport@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ steps.generate_token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}

32
.github/workflows/bump-version.yml vendored
View File

@ -11,33 +11,37 @@ on:
dry_run:
default: false
required: false
permissions:
contents: write
pull-requests: write
jobs:
main:
bump-version:
runs-on: ubuntu-latest
steps:
- name: Checkout Grafana
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Update package.json versions
uses: ./pkg/build/actions/bump-version
with:
version: ${{ inputs.version }}
- if: ${{ inputs.push }}
name: Generate token
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- if: ${{ inputs.push }}
name: Push & Create PR
env:
VERSION: ${{ inputs.version }}
DRY_RUN: ${{ inputs.dry_run }}
REF_NAME: ${{ github.ref_name }}
RUN_ID: ${{ github.run_id }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --local user.name "github-actions[bot]"
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local --add --bool push.autoSetupRemote true
git checkout -b "bump-version/${{ github.run_id }}/${{ inputs.version }}"
git checkout -b "bump-version/${RUN_ID}/${VERSION}"
git add .
git commit -m "bump version ${{ inputs.version }}"
git commit -m "bump version ${VERSION}"
git push
gh pr create --dry-run=${{ inputs.dry_run }} -l "type/ci" -l "no-changelog" -B "${{ github.ref_name }}" --title "Release: Bump version to ${{ inputs.version }}" --body "Updated version to ${{ inputs.version }}"
env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }}
gh pr create --dry-run=$DRY_RUN -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"

44
.github/workflows/changelog.yml vendored
View File

@ -51,15 +51,20 @@ on:
default: false
type: boolean
permissions:
contents: write
pull-requests: write
permissions: {}
jobs:
main:
env:
RUN_ID: ${{ github.run_id }}
VERSION: ${{ inputs.version }}
PREVIOUS_VERISON: ${{ inputs.previous_version }}
TARGET: ${{ inputs.target }}
DRY_RUN: ${{ inputs.dry_run }}
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- name: "Generate token"
id: generate_token
@ -68,7 +73,7 @@ jobs:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: "Checkout Grafana repo"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
ref: main
sparse-checkout: |
@ -79,8 +84,9 @@ jobs:
.prettierrc.js
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Setup nodejs environment
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: .nvmrc
- name: "Configure git user"
@ -89,7 +95,7 @@ jobs:
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local --add --bool push.autoSetupRemote true
- name: "Create branch"
run: git checkout -b "changelog/${{ github.run_id }}/${{ inputs.version }}"
run: git checkout -b "changelog/${RUN_ID}/${VERSION}"
- name: "Generate changelog"
id: changelog
uses: ./.github/workflows/actions/changelog
@ -103,24 +109,24 @@ jobs:
# Prepare CHANGELOG.md content with version delimiters
(
echo
echo "# ${{ inputs.version}} ($(date '+%F'))"
echo "# ${VERSION} ($(date '+%F'))"
echo
cat changelog_items.md
) > CHANGELOG.part
# Check if a version exists in the changelog
if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
if grep -q "<!-- ${VERSION} START" CHANGELOG.md ; then
# Replace the content between START and END delimiters
echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
-e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
echo "Version ${VERSION} is found in the CHANGELOG.md, patching contents..."
sed -i -e "/${VERSION} START/,/${VERSION} END/{//!d;}" \
-e "/${VERSION} START/r CHANGELOG.part" CHANGELOG.md
else
# Prepend changelog part to the main changelog file
echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
echo "Version $VERSION not found in the CHANGELOG.md"
(
echo "<!-- ${{ inputs.version }} START -->"
echo "<!-- ${VERSION} START -->"
cat CHANGELOG.part
echo "<!-- ${{ inputs.version }} END -->"
echo "<!-- ${VERSION} END -->"
cat CHANGELOG.md
) > CHANGELOG.tmp
mv CHANGELOG.tmp CHANGELOG.md
@ -138,11 +144,11 @@ jobs:
- name: "Create changelog PR"
run: >
gh pr create \
--dry-run=${{ inputs.dry_run }} \
--dry-run=${DRY_RUN} \
--label "no-backport" \
--label "no-changelog" \
-B "${{ inputs.target }}" \
--title "Release: update changelog for ${{ inputs.version }}" \
--body "Changelog changes for release ${{ inputs.version }}"
-B "${TARGET}" \
--title "Release: update changelog for ${VERSION}" \
--body "Changelog changes for release ${VERSION}"
env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

44
.github/workflows/close-milestone.yml vendored
View File

@ -1,44 +0,0 @@
name: Close milestone
on:
workflow_dispatch:
inputs:
version:
required: true
description: Needs to match, exactly, the name of a milestone
workflow_call:
inputs:
version_call:
description: Needs to match, exactly, the name of a milestone
required: true
type: string
jobs:
main:
if: github.repository == 'grafana/grafana'
runs-on: ubuntu-latest
steps:
- name: Checkout Actions
uses: actions/checkout@v4
with:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
- name: Install Actions
run: npm install --production --prefix ./actions
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Close milestone (manually invoked)
if: ${{ github.event.inputs.version != '' }}
uses: ./actions/close-milestone
with:
token: ${{ steps.generate_token.outputs.token }}
- name: Close milestone (workflow invoked)
if: ${{ inputs.version_call != '' }}
uses: ./actions/close-milestone
with:
version_call: ${{ inputs.version_call }}
token: ${{ steps.generate_token.outputs.token }}

6
.github/workflows/codeowners-validator.yml vendored
View File

@ -9,9 +9,11 @@ jobs:
runs-on: ubuntu-latest
steps:
# Checks-out your repository, which is validated in the next step
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: GitHub CODEOWNERS Validator
uses: mszostok/codeowners-validator@v0.7.4
uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
# input parameters
with:
# ==== GitHub Auth ====

5
.github/workflows/codeql-analysis.yml vendored
View File

@ -40,15 +40,16 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
persist-credentials: false
- if: matrix.language == 'go'
name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
go-version-file: go.mod

10
.github/workflows/commands.yml vendored
View File

@ -12,9 +12,7 @@ on:
concurrency:
group: issue-commands-${{ github.event.issue.number }}
permissions:
contents: read
id-token: write
permissions: {}
jobs:
config:
@ -34,10 +32,13 @@ jobs:
needs: config
if: needs.config.outputs.has-secrets
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
repo_secrets: |
@ -57,6 +58,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions

2
.github/workflows/community-release.yml vendored
View File

@ -36,7 +36,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Run community-release (manually invoked)
uses: grafana/grafana-github-actions-go/community-release@main
uses: grafana/grafana-github-actions-go/community-release@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: ${{ inputs.version }}

52
.github/workflows/core-plugins-build-and-release.yml vendored
View File

@ -33,6 +33,8 @@ permissions:
jobs:
build-and-publish:
env:
PLUGIN_ID: ${{ inputs.plugin_id }}
name: Build and publish ${{ inputs.plugin_id }}
runs-on: ubuntu-latest
outputs:
@ -41,12 +43,14 @@ jobs:
version: ${{ steps.build_frontend.outputs.version }}
steps:
- name: checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Verify inputs
run: |
if [ -z ${{ inputs.plugin_id }} ]; then echo "Missing plugin ID"; exit 1; fi
if [ -z $PLUGIN_ID ]; then echo "Missing plugin ID"; exit 1; fi
- id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
repo_secrets: |
@ -54,13 +58,13 @@ jobs:
PLUGINS_GRAFANA_API_KEY=core-plugins-build-and-release:PLUGINS_GRAFANA_API_KEY
PLUGINS_GCOM_TOKEN=core-plugins-build-and-release:PLUGINS_GCOM_TOKEN
- name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
with:
credentials_json: '${{ env.PLUGINS_GOOGLE_CREDENTIALS }}'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
- name: Setup nodejs environment
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: .nvmrc
cache: yarn
@ -70,7 +74,7 @@ jobs:
run: |
dir=$(dirname \
$(egrep -lir --include=plugin.json --exclude-dir=dist \
'"id": "${{ inputs.plugin_id }}"' \
'"id": "${PLUGIN_ID}"' \
public/app/plugins \
) \
)
@ -85,19 +89,19 @@ jobs:
working-directory: ${{ steps.get_dir.outputs.dir }}
run: |
[ ! -d ./bin ] && mkdir -pv ./bin || true
curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v${{ env.GRABPL_VERSION }}/grabpl
curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v$GRABPL_VERSION/grabpl
chmod 0755 ./bin/grabpl
- name: Check backend
id: check_backend
shell: bash
run: |
if egrep -qr --include=main.go 'datasource.Manage\("${{ inputs.plugin_id }}"' pkg/tsdb; then
if egrep -qr --include=main.go 'datasource.Manage\("$PLUGIN_ID"' pkg/tsdb; then
echo "has_backend=true" >> $GITHUB_OUTPUT
else
echo "has_backend=false" >> $GITHUB_OUTPUT
fi
- name: Setup golang environment
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
if: steps.check_backend.outputs.has_backend == 'true'
with:
go-version-file: go.mod
@ -151,7 +155,7 @@ jobs:
# Release branch, do not add commit hash to version
command="plugin:build"
fi
yarn $command --scope="@grafana-plugins/${{ inputs.plugin_id }}"
yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version)
echo "version=${version}" >> $GITHUB_OUTPUT
- name: build:backend
@ -160,7 +164,7 @@ jobs:
env:
VERSION: ${{ steps.build_frontend.outputs.version }}
run: |
make build-plugin-go PLUGIN_ID=${{ inputs.plugin_id }}
make build-plugin-go PLUGIN_ID=$PLUGIN_ID
- name: package
working-directory: ${{ steps.get_dir.outputs.dir }}
run: |
@ -175,7 +179,7 @@ jobs:
VERSION: ${{ steps.build_frontend.outputs.version }}
run: |
api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
'${{ env.GCOM_API}}/api/plugins/${{ inputs.plugin_id }}?version=$VERSION' \
'${{ env.GCOM_API}}/api/plugins/$PLUGIN_ID?version=$VERSION' \
-H 'accept: application/json')
api_res_code=$(echo $api_res | jq -r .code)
if [ "$api_res_code" = "NotFound" ]; then
@ -197,10 +201,10 @@ jobs:
run: |
echo "Publish release to Google Cloud Storage:"
touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows
gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux
gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin
gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any
gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows
gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux
gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin
gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any
- name: Publish new plugin version on grafana.com
if: steps.check_backend.outputs.has_backend == 'true'
working-directory: ${{ steps.get_dir.outputs.dir }}
@ -214,27 +218,27 @@ jobs:
\"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
\"download\": {
\"linux-amd64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_amd64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_amd64.zip\",
\"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\"
},
\"linux-arm64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm64.zip\",
\"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\"
},
\"linux-arm\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm.zip\",
\"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\"
},
\"windows-amd64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows/${{ inputs.plugin_id }}-${VERSION}.windows_amd64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows/$PLUGIN_ID-${VERSION}.windows_amd64.zip\",
\"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\"
},
\"darwin-amd64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_amd64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_amd64.zip\",
\"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\"
},
\"darwin-arm64\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_arm64.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_arm64.zip\",
\"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\"
}
}
@ -257,7 +261,7 @@ jobs:
\"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
\"download\": {
\"any\": {
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any/${{ inputs.plugin_id }}-${VERSION}.any.zip\",
\"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip\",
\"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\"
}
}

2
.github/workflows/create-next-release-branch.yml vendored
View File

@ -46,7 +46,7 @@ jobs:
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Create release branch
id: branch
uses: grafana/grafana-github-actions-go/bump-release@main
uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]
with:
ownerRepo: ${{ inputs.ownerRepo }}
source: ${{ inputs.source }}

5
.github/workflows/create-security-patch-from-security-mirror.yml vendored
View File

@ -17,7 +17,7 @@ on:
jobs:
trigger_downstream_create_security_patch:
concurrency: create-patch-${{ github.ref_name }}
uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main
uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main # zizmor: ignore[unpinned-uses]
if: github.repository == 'grafana/grafana-security-mirror'
with:
repo: "${{ github.repository }}"
@ -25,5 +25,4 @@ jobs:
patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
patch_repo: "grafana/grafana-security-patches"
patch_prefix: "${{ github.event.pull_request.number }}"
secrets: inherit
secrets: inherit # zizmor: ignore[secrets-inherit]

2
.github/workflows/dashboards-issue-add-label.yml vendored
View File

@ -22,7 +22,7 @@ jobs:
steps:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
repo_secrets: |

2
.github/workflows/deploy-pr-preview.yml vendored
View File

@ -12,7 +12,7 @@ on:
jobs:
deploy-pr-preview:
if: "!github.event.pull_request.head.repo.fork"
uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main
uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main # zizmor: ignore[unpinned-uses]
with:
branch: ${{ github.head_ref }}
event_number: ${{ github.event.number }}

36
.github/workflows/detect-breaking-changes-levitate.yml vendored
View File

@ -6,9 +6,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
id-token: write
permissions: {}
on:
pull_request:
@ -24,12 +22,16 @@ jobs:
defaults:
run:
working-directory: './pr'
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
path: './pr'
- uses: actions/setup-node@v4
persist-credentials: false
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 22.11.0
@ -67,17 +69,20 @@ jobs:
buildBase:
name: Build Base packages artifacts
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
defaults:
run:
working-directory: './base'
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
path: './base'
ref: ${{ github.event.pull_request.base.ref }}
- uses: actions/setup-node@v4
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 22.11.0
@ -123,8 +128,8 @@ jobs:
id-token: 'write'
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 22.11.0
@ -145,14 +150,14 @@ jobs:
run: unzip -j base_built_packages.zip -d ./base && rm base_built_packages.zip
- id: 'auth'
uses: 'google-github-actions/auth@v2'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
with:
workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
service_account: ${{ secrets.LEVITATE_SA }}
project_id: 'grafanalabs-global'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
with:
version: '>= 363.0.0'
project_id: 'grafanalabs-global'
@ -180,6 +185,9 @@ jobs:
name: Report breaking changes in PR comment
runs-on: ubuntu-latest
needs: ['Detect']
permissions:
contents: read
id-token: write
steps:
- name: "Generate token"
@ -189,7 +197,7 @@ jobs:
app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: 'Download artifact'
uses: actions/download-artifact@v4
@ -238,7 +246,7 @@ jobs:
# Comment on the PR
- name: Comment on PR
if: steps.levitate-run.outputs.exit_code == 1
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
with:
header: levitate-breaking-change-comment
number: ${{ github.event.pull_request.number }}
@ -255,7 +263,7 @@ jobs:
# Remove comment from the PR (no more breaking changes)
- name: Remove comment from PR
if: steps.levitate-run.outputs.exit_code == 0
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
with:
header: levitate-breaking-change-comment
number: ${{ github.event.pull_request.number }}

4
.github/workflows/documentation-ci.yml vendored
View File

@ -10,10 +10,10 @@ jobs:
container:
image: grafana/vale:latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: grafana/writers-toolkit/vale-action@vale-action/v1
- uses: grafana/writers-toolkit/vale-action@vale-action/v1 # zizmor: ignore[unpinned-uses]
with:
filter: '.Name in ["Grafana.GrafanaCom", "Grafana.WordList", "Grafana.Spelling", "Grafana.ProductPossessives"]'
token: ${{ secrets.GITHUB_TOKEN }}

3
.github/workflows/ephemeral-instances-pr-comment.yml vendored
View File

@ -41,12 +41,13 @@ jobs:
private_key: ${{ secrets.EI_APP_PRIVATE_KEY }}
- name: Checkout ephemeral instances repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
repository: grafana/ephemeral-grafana-instances-github-action
token: ${{ steps.generate_token.outputs.token }}
ref: main
path: ephemeral
persist-credentials: false
- name: build and deploy ephemeral instance
uses: ./ephemeral

4
.github/workflows/feature-toggles-ci.yml vendored
View File

@ -11,12 +11,12 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: 'go.mod'
cache: true

48
.github/workflows/frontend-lint.yml vendored
View File

@ -6,17 +6,20 @@ on:
- main
- release-*.*.*
permissions:
contents: read
id-token: write
permissions: {}
jobs:
lint-frontend-verify-i18n:
name: Verify i18n
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -34,14 +37,17 @@ jobs:
exit 1
fi
lint-frontend-prettier:
permissions:
contents: read
id-token: write
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `lint-frontend-prettier-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -50,13 +56,16 @@ jobs:
- run: yarn run prettier:check
- run: yarn run lint
lint-frontend-prettier-enterprise:
permissions:
contents: read
id-token: write
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -69,14 +78,17 @@ jobs:
- run: yarn run prettier:check
- run: yarn run lint
lint-frontend-typecheck:
permissions:
contents: read
id-token: write
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `lint-frontend-typecheck-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
name: Typecheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -84,13 +96,16 @@ jobs:
- run: yarn install --immutable --check-cache
- run: yarn run typecheck
lint-frontend-typecheck-enterprise:
permissions:
contents: read
id-token: write
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
name: Typecheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -102,11 +117,14 @@ jobs:
- run: yarn install --immutable --check-cache
- run: yarn run typecheck
lint-frontend-betterer:
permissions:
contents: read
id-token: write
name: Betterer
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'

2
.github/workflows/github-release.yml vendored
View File

@ -40,7 +40,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Create GitHub release (manually invoked)
uses: grafana/grafana-github-actions-go/github-release@main
uses: grafana/grafana-github-actions-go/github-release@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: ${{ inputs.version }}

8
.github/workflows/go-lint.yml vendored
View File

@ -16,13 +16,15 @@ jobs:
lint-go:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: ./go.mod
- run: make gen-go
- name: golangci-lint
uses: golangci/golangci-lint-action@v7
uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
with:
version: v2.0.2
args: |

6
.github/workflows/i18n-crowdin-create-tasks.yml vendored
View File

@ -11,10 +11,12 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'

13
.github/workflows/i18n-crowdin-download.yml vendored
View File

@ -22,14 +22,15 @@ jobs:
app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: ${{ github.head_ref }}
token: ${{ steps.generate_token.outputs.token }}
persist-credentials: false
- name: Download sources
id: crowdin-download
uses: crowdin/github-action@v2
uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
with:
upload_sources: false
upload_translations: false
@ -72,7 +73,7 @@ jobs:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: Get project board ID
uses: octokit/graphql-action@v2.x
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
id: get-project-id
if: steps.crowdin-download.outputs.pull_request_url
with:
@ -92,7 +93,7 @@ jobs:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: Add to project board
uses: octokit/graphql-action@v2.x
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
if: steps.crowdin-download.outputs.pull_request_url
with:
projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }}
@ -109,7 +110,7 @@ jobs:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
- name: Run auto-milestone
uses: grafana/grafana-github-actions-go/auto-milestone@main
uses: grafana/grafana-github-actions-go/auto-milestone@main # zizmor: ignore[unpinned-uses]
if: steps.crowdin-download.outputs.pull_request_url
with:
pr: ${{ steps.crowdin-download.outputs.pull_request_number }}
@ -117,7 +118,7 @@ jobs:
- name: Get vault secrets
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in ci/repo/grafana/grafana/grafana-pr-approver
repo_secrets: |

6
.github/workflows/i18n-crowdin-upload.yml vendored
View File

@ -14,10 +14,12 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Upload sources
uses: crowdin/github-action@v2
uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
with:
upload_sources: true
upload_sources_args: '--dest=public/locales/en-US/grafana.json'

17
.github/workflows/issue-opened.yml vendored
View File

@ -10,14 +10,15 @@ on:
concurrency:
group: issue-opened-${{ github.event.issue.number }}
permissions:
contents: read
id-token: write
permissions: {}
jobs:
main:
runs-on: ubuntu-latest
if: github.repository == 'grafana/grafana'
permissions:
contents: read
id-token: write
steps:
- name: Checkout Actions
@ -26,6 +27,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions
@ -37,7 +39,7 @@ jobs:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
repo_secrets: |
@ -60,13 +62,16 @@ jobs:
auto-triage:
needs: [main]
permissions:
contents: read
id-token: write
if: github.repository == 'grafana/grafana' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
runs-on: ubuntu-latest
steps:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
repo_secrets: |
@ -87,7 +92,7 @@ jobs:
- name: Send issue to the auto triager action
id: auto_triage
uses: grafana/auto-triager@main
uses: grafana/auto-triager@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ steps.generate_token.outputs.token }}
issue_number: ${{ github.event.issue.number }}

6
.github/workflows/lint-build-docs.yml vendored
View File

@ -22,10 +22,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: '22.11.0'
cache: 'yarn'

1
.github/workflows/metrics-collector.yml vendored
View File

@ -43,6 +43,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions
- name: Run metrics collector

2
.github/workflows/migrate-prs.yml vendored
View File

@ -51,7 +51,7 @@ jobs:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Migrate PRs
uses: grafana/grafana-github-actions-go/migrate-open-prs@main
uses: grafana/grafana-github-actions-go/migrate-open-prs@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ steps.generate_token.outputs.token }}
ownerRepo: ${{ inputs.ownerRepo }}

19
.github/workflows/milestone.yml vendored
View File

@ -1,19 +0,0 @@
name: Close Milestone
on:
workflow_dispatch:
inputs:
version_input:
description: 'The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
required: true
jobs:
call-remove-milestone:
uses: grafana/grafana/.github/workflows/remove-milestone.yml@main
with:
version_call: ${{ github.event.inputs.version_input }}
secrets: inherit
call-close-milestone:
uses: grafana/grafana/.github/workflows/close-milestone.yml@main
with:
version_call: ${{ github.event.inputs.version_input }}
secrets: inherit
needs: call-remove-milestone

6
.github/workflows/pr-backend-coverage.yml vendored
View File

@ -23,9 +23,11 @@ jobs:
runs-on: ubuntu-latest-8-cores
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true

1
.github/workflows/pr-checks.yml vendored
View File

@ -36,6 +36,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions
- name: Run PR Checks

3
.github/workflows/pr-codeql-analysis-javascript.yml vendored
View File

@ -20,11 +20,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
persist-credentials: false
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL

3
.github/workflows/pr-codeql-analysis-python.yml vendored
View File

@ -18,11 +18,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
persist-credentials: false
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL

1
.github/workflows/pr-commands.yml vendored
View File

@ -35,6 +35,7 @@ jobs:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
persist-credentials: false
- name: Install Actions
run: npm install --production --prefix ./actions
- name: "Generate token"

7
.github/workflows/pr-dependabot-update-go-workspace.yml vendored
View File

@ -22,7 +22,7 @@ jobs:
steps:
- name: Retrieve GitHub App secrets
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1
uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
with:
repo_secrets: |
APP_ID=grafana-go-workspace-bot:app-id
@ -37,14 +37,15 @@ jobs:
private-key: ${{ env.PRIVATE_KEY }}
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
token: ${{ steps.generate_token.outputs.token }}
persist-credentials: false
- name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
go-version-file: go.mod

7
.github/workflows/pr-e2e-tests.yml vendored
View File

@ -18,15 +18,16 @@ jobs:
outputs:
artifact: ${{ steps.artifact.outputs.artifact }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
repository: 'grafana/grafana-build'
ref: 'main'
- uses: actions/checkout@v4
persist-credentials: false
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
path: ./grafana
- run: echo "GRAFANA_GO_VERSION=$(grep "go 1." grafana/go.work | cut -d\ -f2)" >> "$GITHUB_ENV"
- uses: dagger/dagger-for-github@8.0.0
- uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
with:
verb: run
args: go run ./cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir=grafana --go-version=${GRAFANA_GO_VERSION} > out.txt

20
.github/workflows/pr-frontend-unit-tests.yml vendored
View File

@ -6,12 +6,13 @@ on:
- main
- release-*.*.*
permissions:
contents: read
id-token: write
permissions: {}
jobs:
frontend-unit-tests:
permissions:
contents: read
id-token: write
# Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
# the `frontend-unit-tests-enterprise` workflow will run instead
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
@ -22,8 +23,10 @@ jobs:
matrix:
chunk: [1, 2, 3, 4, 5, 6, 7, 8]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'
@ -36,6 +39,9 @@ jobs:
TEST_SHARD_TOTAL: 8
frontend-unit-tests-enterprise:
permissions:
contents: read
id-token: write
# Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
runs-on: ubuntu-latest-8-cores
@ -45,8 +51,8 @@ jobs:
matrix:
chunk: [1, 2, 3, 4, 5, 6, 7, 8]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: '.nvmrc'
cache: 'yarn'

6
.github/workflows/pr-go-workspace-check.yml vendored
View File

@ -21,10 +21,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
cache: false
go-version-file: go.mod

6
.github/workflows/pr-k8s-codegen-check.yml vendored
View File

@ -19,10 +19,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Set go version
uses: actions/setup-go@v4
uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
with:
go-version-file: go.mod

2
.github/workflows/pr-patch-check-event.yml vendored
View File

@ -13,6 +13,8 @@ on:
- "v*.*.*"
- "release-*"
permissions: {}
# Since this is run on a pull request, we want to apply the patches intended for the
# target branch onto the source branch, to verify compatibility before merging.
jobs:

14
.github/workflows/pr-test-integration.yml vendored
View File

@ -17,9 +17,11 @@ jobs:
runs-on: ubuntu-latest-8-cores
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true
@ -45,9 +47,9 @@ jobs:
- 3306:3306
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true
@ -70,9 +72,9 @@ jobs:
- 5432:5432
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: go.mod
cache: true

5
.github/workflows/publish-kinds-next.yml vendored
View File

@ -29,12 +29,13 @@ jobs:
runs-on: "ubuntu-latest"
steps:
- name: "Checkout Grafana repo"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
fetch-depth: 0
persist-credentials: false
- name: "Setup Go"
uses: "actions/setup-go@v4"
uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
with:
go-version-file: go.mod

7
.github/workflows/publish-kinds-release.yml vendored
View File

@ -31,13 +31,14 @@ jobs:
runs-on: "ubuntu-latest"
steps:
- name: "Checkout Grafana repo"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
# required for the `grafana/grafana-github-actions/has-matching-release-tag` action to work
fetch-depth: 0
persist-credentials: false
- name: "Setup Go"
uses: "actions/setup-go@v4"
uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
with:
go-version-file: go.mod
@ -45,7 +46,7 @@ jobs:
run: go run .github/workflows/scripts/kinds/verify-kinds.go
- name: "Checkout Actions library"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
repository: "grafana/grafana-github-actions"
path: "./actions"

4
.github/workflows/publish-technical-documentation-next.yml vendored
View File

@ -15,7 +15,7 @@ jobs:
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 # zizmor: ignore[unpinned-uses]
with:
website_directory: content/docs/grafana/next

5
.github/workflows/publish-technical-documentation-release.yml vendored
View File

@ -17,10 +17,11 @@ jobs:
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2
persist-credentials: false
- uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 # zizmor: ignore[unpinned-uses]
with:
release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"

21
.github/workflows/release-comms.yml vendored
View File

@ -30,18 +30,16 @@ jobs:
release_branch: ${{ steps.output.outputs.release_branch }}
dry_run: ${{ steps.output.outputs.dry_run }}
latest: ${{ steps.output.outputs.latest }}
env:
HEAD_REF: ${{ github.head_ref }}
DRY_RUN: ${{ inputs.dry_run }}
LATEST: ${{ inputs.latest && '1' || '0' }}
VERSION: ${{ inputs.version }}
runs-on: ubuntu-latest
steps:
# The github-release action expects a `LATEST` value of a string of either '1' or '0'
- if: ${{ github.event_name == 'workflow_dispatch' }}
run: |
echo setting up GITHUB_ENV for ${{ github.event_name }}
echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
echo "DRY_RUN=${{ inputs.dry_run }}" >> $GITHUB_ENV
echo "LATEST=${{ inputs.latest && '1' || '0' }}" >> $GITHUB_ENV
- if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
run: |
echo "VERSION=$(echo ${{ github.head_ref }} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
echo "VERSION=$(echo ${HEAD_REF} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV
echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV
- id: output
@ -120,7 +118,10 @@ jobs:
post_on_slack:
needs: setup
runs-on: ubuntu-latest
env:
DRY_RUN: ${{ needs.setup.outputs.dry_run }}
VERSION: ${{ needs.setup.outputs.version }}
steps:
- run: |
echo announce on slack that ${{ needs.setup.outputs.version }} has been released
echo dry run: ${{ needs.setup.outputs.dry_run }}
echo announce on slack that $VERSION has been released
echo dry run: $DRY_RUN

114
.github/workflows/release-pr.yml vendored
View File

@ -33,12 +33,13 @@ on:
default: false
type: boolean
permissions:
contents: write
pull-requests: write
permissions: {}
jobs:
push-changelog-to-main:
permissions:
contents: write
pull-requests: write
name: Create PR to main to update the changelog
uses: ./.github/workflows/changelog.yml
with:
@ -50,41 +51,44 @@ jobs:
secrets:
GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
create-prs:
permissions:
contents: write
pull-requests: write
name: Create Release PR
runs-on: ubuntu-latest
if: github.repository == 'grafana/grafana'
env:
VERSION: ${{ inputs.version }}
LATEST: ${{ inputs.latest }}
DRY_RUN: ${{ inputs.dry_run }}
steps:
- name: Generate bot token
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Get release branch
id: branch
uses: grafana/grafana-github-actions-go/latest-release-branch@main
uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
with:
token: ${{ steps.generate_token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
ownerRepo: 'grafana/grafana'
pattern: ${{ inputs.target }}
- name: Checkout Grafana
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: ${{ steps.branch.outputs.branch }}
fetch-depth: 0
fetch-tags: true
token: ${{ steps.generate_token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
- name: Checkout Grafana (main)
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: main
fetch-depth: '0'
fetch-tags: 'false'
path: .grafana-main
token: ${{ steps.generate_token.outputs.token }}
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
- name: Setup nodejs environment
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: .nvmrc
- name: Configure git user
@ -94,37 +98,43 @@ jobs:
git config --local --add --bool push.autoSetupRemote true
- name: Create branch
run: git checkout -b "release/${{ github.run_id }}/${{ inputs.version }}"
run: git checkout -b "release/${{ github.run_id }}/$VERSION"
- name: Generate changelog token
id: generate_changelog_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Generate changelog
id: changelog
uses: ./.grafana-main/.github/workflows/actions/changelog
with:
github_token: ${{ steps.generate_token.outputs.token }}
target: v${{ inputs.version }}
github_token: ${{ steps.generate_changelog_token.outputs.token }}
target: v${{ env.VERSION }}
output_file: changelog_items.md
- name: Patch CHANGELOG.md
run: |
# Prepare CHANGELOG.md content with version delimiters
(
echo
echo "# ${{ inputs.version}} ($(date '+%F'))"
echo "# $VERSION ($(date '+%F'))"
echo
cat changelog_items.md
) > CHANGELOG.part
# Check if a version exists in the changelog
if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
if grep -q "<!-- $VERSION START" CHANGELOG.md ; then
# Replace the content between START and END delimiters
echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
-e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
echo "Version $VERSION is found in the CHANGELOG.md, patching contents..."
sed -i -e "/$VERSION START/,/$VERSION END/{//!d;}" \
-e "/$VERSION START/r CHANGELOG.part" CHANGELOG.md
else
# Prepend changelog part to the main changelog file
echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
echo "Version $VERSION not found in the CHANGELOG.md"
(
echo "<!-- ${{ inputs.version }} START -->"
echo "<!-- $VERSION START -->"
cat CHANGELOG.part
echo "<!-- ${{ inputs.version }} END -->"
echo "<!-- $VERSION END -->"
cat CHANGELOG.md
) > CHANGELOG.tmp
mv CHANGELOG.tmp CHANGELOG.md
@ -147,35 +157,45 @@ jobs:
run: |
git add package.json lerna.json yarn.lock packages public
test -e e2e/test-plugins && git add e2e/test-plugins
git commit -m "Update version to ${{ inputs.version }}"
git commit -m "Update version to $VERSION"
- name: Git push
if: ${{ inputs.dry_run }} != true
run: git push --set-upstream origin release/${{ github.run_id }}/${{ inputs.version }}
run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
- name: Create PR without backports
if: "${{ inputs.backport == '' }}"
run: >
gh pr create \
$( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
-l "no-changelog" \
--dry-run=${{ inputs.dry_run }} \
-B "${{ steps.branch.outputs.branch }}" \
--title "Release: ${{ inputs.version }}" \
--body "These code changes must be merged after a release is complete"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BRANCH: ${{ steps.branch.outputs.branch }}
run: |
LATEST_FLAG=""
if [ "$LATEST" = "true" ]; then
LATEST_FLAG='-l "release/latest"'
fi
gh pr create \
$LATEST_FLAG \
-l "no-changelog" \
--dry-run="$DRY_RUN" \
-B "$BRANCH" \
--title "Release: $VERSION" \
--body "These code changes must be merged after a release is complete"
- name: Create PR with backports
if: "${{ inputs.backport != '' }}"
run: >
gh pr create \
$( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
-l "product-approved" \
-l "no-changelog" \
--dry-run=${{ inputs.dry_run }} \
-B "${{ steps.branch.outputs.branch }}" \
--title "Release: ${{ inputs.version }}" \
--body "These code changes must be merged after a release is complete"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BRANCH: ${{ steps.branch.outputs.branch }}
run: |
LATEST_FLAG=""
if [ "$LATEST" = "true" ]; then
LATEST_FLAG='-l "release/latest"'
fi
gh pr create \
$LATEST_FLAG \
-l "product-approved" \
-l "no-changelog" \
--dry-run="$DRY_RUN" \
-B "$BRANCH" \
--title "Release: $VERSION" \
--body "These code changes must be merged after a release is complete"

60
.github/workflows/remove-milestone.yml vendored
View File

@ -1,60 +0,0 @@
name: Remove milestone
on:
workflow_dispatch:
inputs:
version:
required: true
description: Needs to match, exactly, the name of a milestone
workflow_call:
inputs:
version_call:
description: Needs to match, exactly, the name of a milestone
required: true
type: string
jobs:
config:
runs-on: "ubuntu-latest"
outputs:
has-secrets: ${{ steps.check.outputs.has-secrets }}
steps:
- name: "Check for secrets"
id: check
shell: bash
run: |
if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
echo "has-secrets=1" >> "$GITHUB_OUTPUT"
fi
main:
needs: config
if: needs.config.outputs.has-secrets
permissions:
issues: write
runs-on: ubuntu-latest
steps:
- name: Checkout Actions
uses: actions/checkout@v4
with:
repository: "grafana/grafana-github-actions"
path: ./actions
ref: main
- name: Install Actions
run: npm install --production --prefix ./actions
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Remove milestone from open issues (manually invoked)
if: ${{ github.event.inputs.version != '' }}
uses: ./actions/remove-milestone
with:
token: ${{ steps.generate_token.outputs.token }}
- name: Remove milestone from open issues (workflow invoked)
if: ${{ inputs.version_call != '' }}
uses: ./actions/remove-milestone
with:
version_call: ${{ inputs.version_call }}
token: ${{ steps.generate_token.outputs.token }}

22
.github/workflows/run-dashboard-search-e2e.yml vendored
View File

@ -11,6 +11,8 @@ on:
env:
ARCH: linux-amd64
permissions: {}
jobs:
setup:
runs-on: ubuntu-latest
@ -18,16 +20,21 @@ jobs:
outputs:
ini_files: ${{ steps.get_files.outputs.ini_files }}
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Pin Go version to mod file
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: 'go.mod'
cache: true
- run: go version
- uses: actions/setup-node@v4
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 20
cache: 'yarn'
@ -44,7 +51,7 @@ jobs:
run: yarn install --immutable
- name: Install Cypress dependencies
if: steps.cache-node-modules.outputs.cache-hit != 'true'
uses: cypress-io/github-action@v6
uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
with:
runTests: false
- name: Cache Grafana Build and Dependencies
@ -81,10 +88,13 @@ jobs:
matrix:
ini_file: ${{ fromJson(needs.setup.outputs.ini_files) }}
permissions:
contents: read
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Restore Cached Node Modules
uses: actions/cache@v3
with:

15
.github/workflows/run-e2e-suite.yml vendored
View File

@ -14,19 +14,26 @@ jobs:
main:
runs-on: ubuntu-latest-8-cores
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: actions/download-artifact@v4
with:
name: ${{ inputs.package }}
- uses: dagger/dagger-for-github@8.0.0
- uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
if: inputs.old-arch == false
with:
verb: run
args: go run ./pkg/build/e2e --package=grafana.tar.gz --suite=${{ inputs.suite }}
- run: echo "suite=$(echo ${{ inputs.suite }} | sed 's/\//-/g')" >> $GITHUB_ENV
- name: Set suite name
id: set-suite-name
env:
SUITE: ${{ inputs.suite }}
run: |
echo "suite=$(echo $SUITE | sed 's/\//-/g')" >> $GITHUB_OUTPUT
- uses: actions/upload-artifact@v4
if: ${{ always() && inputs.old-arch != true }}
with:
name: e2e-${{ env.suite }}-${{github.run_number}}
name: e2e-${{ steps.set-suite-name.outputs.suite }}-${{github.run_number}}
path: videos
retention-days: 1

10
.github/workflows/run-schema-v2-e2e.yml vendored
View File

@ -18,13 +18,15 @@ jobs:
if: github.event.pull_request.draft == false
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Pin Go version to mod file
uses: actions/setup-go@v5
uses: actions/setup-go@111f3307d8850f501ac008e886eec1fd1932a34
with:
go-version-file: 'go.mod'
- run: go version
- uses: actions/setup-node@v4
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version: 20
cache: 'yarn'
@ -33,7 +35,7 @@ jobs:
- name: Build grafana
run: make build
- name: Install Cypress dependencies
uses: cypress-io/github-action@v6
uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
with:
runTests: false
- name: Run dashboard scenes e2e

6
.github/workflows/skye-add-to-project.yml vendored
View File

@ -30,7 +30,7 @@ jobs:
steps:
- name: "Get vault secrets"
id: vault-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@main
uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
with:
# Vault secret paths:
# - ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot
@ -70,7 +70,7 @@ jobs:
- name: Get node ID for item
if: steps.check_user.outputs.user_allowed == 'true'
id: get_node_id
uses: octokit/graphql-action@v2.x
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
with:
query: |
query getNodeId($owner: String!, $repo: String!, $number: Int!) {
@ -91,7 +91,7 @@ jobs:
# Finally, add the issue/PR to the project board
- name: Add to project board
if: steps.check_user.outputs.user_allowed == 'true'
uses: octokit/graphql-action@v2.x
uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
with:
query: |
mutation addItem($projectid: ID!, $itemid: ID!) {

8
.github/workflows/storybook-verification.yml vendored
View File

@ -21,10 +21,12 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
with:
node-version-file: 'package.json'
cache: 'yarn'
@ -33,7 +35,7 @@ jobs:
run: yarn install --immutable
- name: Run Storybook and E2E tests
uses: cypress-io/github-action@v6
uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
with:
browser: chrome
start: yarn storybook --quiet

23
.github/workflows/sync-mirror-event.yml vendored
View File

@ -10,10 +10,21 @@ on:
- "v*.*.*"
- "release-*"
permissions: {}
# This is run after the pull request has been merged, so we'll run against the target branch
jobs:
dispatch-job:
runs-on: ubuntu-latest
permissions:
contents: read
actions: write
env:
REF_NAME: ${{ github.ref_name }}
REPO: ${{ github.repository }}
SENDER: ${{ github.event.sender.login }}
SHA: ${{ github.sha }}
PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
steps:
- name: "Generate token"
id: generate_token
@ -28,16 +39,18 @@ jobs:
with:
github-token: ${{ steps.generate_token.outputs.token }}
script: |
const {HEAD_REF, BASE_REF, REPO, SENDER, SHA} = process.env;
await github.rest.actions.createWorkflowDispatch({
owner: 'grafana',
repo: 'security-patch-actions',
workflow_id: 'mirror-branch-and-apply-patches-event.yml',
ref: 'main',
inputs: {
src_ref: "${{ github.ref_name }}",
src_repo: "${{ github.repository }}",
src_sha: "${{ github.sha }}",
dest_repo: "${{ github.repository }}-security-mirror",
patch_repo: "${{ github.repository }}-security-patches"
src_ref: REF_NAME,
src_repo: REPO,
src_sha: SHA,
dest_repo: REPO + "-security-mirror",
patch_repo: REPO + "-security-patches"
}
})

6
.github/workflows/trivy-scan.yml vendored
View File

@ -16,9 +16,11 @@ jobs:
trivy-scan:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: Install Trivy
uses: aquasecurity/setup-trivy@v0.2.2
uses: aquasecurity/setup-trivy@9ea583eb67910444b1f64abf338bd2e105a0a93d
with:
version: v0.56.2
cache: true

52
.github/workflows/update-changelog.yml vendored
View File

@ -1,52 +0,0 @@
name: Update changelog
on:
workflow_dispatch:
inputs:
version:
required: true
description: 'Needs to match, exactly, the name of a milestone. The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
skip_pr:
required: false
default: "0"
skip_community_post:
required: false
default: "0"
jobs:
config:
runs-on: "ubuntu-latest"
outputs:
has-secrets: ${{ steps.check.outputs.has-secrets }}
steps:
- name: "Check for secrets"
id: check
shell: bash
run: |
if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&
secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '' &&
secrets.GRAFANA_MISC_STATS_API_KEY != '' &&
secrets.GRAFANABOT_FORUM_KEY != ''
) || '' }}" ]; then
echo "has-secrets=1" >> "$GITHUB_OUTPUT"
fi
main:
needs: config
if: needs.config.outputs.has-secrets
runs-on: ubuntu-latest
steps:
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
with:
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: Run update changelog (manually invoked)
uses: grafana/grafana-github-actions-go/update-changelog@main
with:
token: ${{ steps.generate_token.outputs.token }}
version: ${{ inputs.version }}
metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
community_api_key: ${{ secrets.GRAFANABOT_FORUM_KEY }}
community_api_username: grafanabot
skip_pr: ${{ inputs.skip_pr }}
skip_community_post: ${{ inputs.skip_community_post }}

6
.github/workflows/update-make-docs.yml vendored
View File

@ -8,8 +8,10 @@ jobs:
if: github.repository == 'grafana/grafana'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 # zizmor: ignore[unpinned-uses]
with:
pr_options: >
--label 'backport v10.1.x'

5
.github/workflows/verify-kinds.yml vendored
View File

@ -11,12 +11,13 @@ jobs:
runs-on: "ubuntu-latest"
steps:
- name: "Checkout Grafana repo"
uses: "actions/checkout@v4"
uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
fetch-depth: 0
persist-credentials: false
- name: "Setup Go"
uses: "actions/setup-go@v4"
uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
with:
go-version-file: go.mod

4
.github/workflows/zizmor.yml vendored
View File

@ -1,13 +1,9 @@
name: Zizmor GitHub Actions static analysis
on:
pull_request:
paths:
- ".github/**"
push:
branches:
- main
paths:
- ".github/**"
jobs:
zizmor:

31
.github/zizmor.yml vendored Normal file
View File

@ -0,0 +1,31 @@
rules:
unpinned-uses:
config:
policies:
"*": hash-pin
actions/*: any
github/*: any
grafana/*: any
forbidden-uses:
config:
deny:
# Policy-banned by our security team due to CVE-2025-30066 & CVE-2025-30154.
# https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
# https://nvd.nist.gov/vuln/detail/cve-2025-30066
# https://nvd.nist.gov/vuln/detail/cve-2025-30154
- reviewdog/*
cache-poisoning:
ignore:
- backend-unit-tests.yml
- frontend-lint.yml
- pr-frontend-unit-tests.yml
- pr-test-integration.yml
- publish-kinds-release.yml
dangerous-triggers:
ignore:
- auto-milestone.yml
- backport.yml
- pr-checks.yml
- pr-commands.yml
- pr-patch-check-event.yml
- run-dashboard-search-e2e.yml

2
pkg/build/actions/bump-version/action.yml
View File

@ -11,7 +11,7 @@ runs:
with:
go-version-file: go.mod
- name: Bump versions
uses: dagger/dagger-for-github@v5
uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
with:
verb: run
args: go run ./pkg/build/actions/bump-version -version=${{ inputs.version }}