[release-12.2.1] backport bump-version.yml and release-build.yml (#111341)

* [release-12.2.1] backport bump-version.yml and release-build.yml * add release-npm.yml
2025-09-18 16:57:08 -05:00 · 2025-09-18 16:57:08 -05:00 · e5a98c3c43
parent 50403b38d6
commit e5a98c3c43
3 changed files with 219 additions and 5 deletions
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@ -31,9 +31,9 @@ jobs:
          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
          repositories: '["grafana"]'
-          permissions: '{"contents": "write", "pull_requests": "write"}'
+          permissions: '{"contents": "write", "pull_requests": "write", "workflows": "write"}'
      - name: Checkout Grafana
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Update package.json versions
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@ -56,7 +56,7 @@ jobs:
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          persist-credentials: false
      - name: Set up version (Release Branches)
@ -140,7 +140,7 @@ jobs:
        # The downside to this is that the frontend will be built for each one when it could be reused for all of them.
        # This could be a future improvement.
        include:
-          - name: linux-amd64
+          - name: linux-amd64 # publish-npm relies on this step building npm packages
            artifacts: targz:grafana:linux/amd64,deb:grafana:linux/amd64,rpm:grafana:linux/amd64,docker:grafana:linux/amd64,docker:grafana:linux/amd64:ubuntu,npm:grafana,storybook
            verify: true
          - name: linux-arm64
@ -169,7 +169,7 @@ jobs:
            verify: true
    steps:
      - uses: grafana/shared-workflows/actions/dockerhub-login@dockerhub-login/v1.0.2
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          persist-credentials: false
      - name: Set up QEMU
@ -197,6 +197,7 @@ jobs:
          name: artifacts-${{ matrix.name }}
          path: ${{ steps.build.outputs.dist-dir }}
          retention-days: 1
+
  publish-artifacts:
    name: Upload artifacts
    uses: grafana/grafana/.github/workflows/publish-artifact.yml@main
@ -211,6 +212,7 @@ jobs:
      run-id: ${{ github.run_id }}
      bucket-path: ${{ needs.setup.outputs.version }}_${{ github.run_id }}
      environment: prod
+
  publish-dockerhub:
    if: github.ref_name == 'main'
    permissions:
@ -268,3 +270,68 @@ jobs:
          docker manifest push grafana/grafana:main-ubuntu
          docker manifest push "grafana/grafana-dev:${VERSION}"
          docker manifest push "grafana/grafana-dev:${VERSION}-ubuntu"
+
+  publish-npm-canaries:
+    if: github.ref_name == 'main'
+    name: Publish NPM canaries
+    uses: ./.github/workflows/release-npm.yml
+    permissions:
+      contents: read
+      id-token: write
+    needs:
+      - setup
+      - build
+    with:
+      grafana_commit: ${{ needs.setup.outputs.grafana-commit }}
+      version: ${{ needs.setup.outputs.version }}
+      build_id: ${{ github.run_id }}
+      version_type: "canary"
+
+  # notify-pr creates (or updates) a comment in a pull request to link to this workflow where the release artifacts are
+  # being built.
+  notify-pr:
+    runs-on: ubuntu-x64-small
+    permissions:
+      contents: read
+      id-token: write
+    needs:
+      - setup
+    steps:
+      - id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          repositories: '["grafana"]'
+          permissions: '{"issues": "write", "pull_requests": "write", "contents": "read"}'
+      - name: Find PR
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          GRAFANA_COMMIT: ${{ needs.setup.outputs.grafana-commit }}
+        run: echo "ISSUE_NUMBER=$(gh api "/repos/grafana/grafana/commits/${GRAFANA_COMMIT}/pulls" | jq -r '.[0].number')" >> "$GITHUB_ENV"
+      - name: Find Comment
+        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
+        id: fc
+        with:
+          issue-number: ${{ env.ISSUE_NUMBER }}
+          comment-author: 'grafana-delivery-bot[bot]'
+          body-includes: GitHub Actions Build
+          token: ${{ steps.generate_token.outputs.token }}
+      - name: Create or update comment
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ env.ISSUE_NUMBER }}
+          body: |
+            :rocket: Your submission is now being built and packaged.
+
+            - [GitHub Actions Build](https://github.com/grafana/grafana/actions/runs/${{ github.run_id }})
+            - Version: ${{ needs.setup.outputs.version }}
+          edit-mode: replace
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@ -0,0 +1,147 @@
+name: Publish NPM packages
+on:
+  workflow_call:
+    inputs:
+      grafana_commit:
+        description: 'Grafana commit SHA to build against'
+        required: true
+        type: string
+      version:
+        description: 'Version to publish as'
+        required: true
+        type: string
+      build_id:
+        description: 'Run ID from the original release-build workflow'
+        required: true
+        type: string
+      version_type:
+        description: 'Version type (canary, nightly, stable)'
+        required: true
+        type: string
+
+  workflow_dispatch:
+    inputs:
+      grafana_commit:
+        description: 'Grafana commit SHA to build against'
+        required: true
+      version:
+        description: 'Version to publish as'
+        required: true
+      build_id:
+        description: 'Run ID from the original release-build workflow'
+        required: true
+      version_type:
+        description: 'Version type (canary, nightly, stable)'
+        required: true
+
+permissions: {}
+
+jobs:
+  # If called with version_type 'canary' or 'stable', build + publish to NPM
+  # If called with version_type 'nightly', just tag the given version with nightly tag. It was already published by the canary build.
+
+  publish:
+    name: Publish NPM packages
+    runs-on: github-hosted-ubuntu-x64-small
+    if: inputs.version_type == 'canary' || inputs.version_type == 'stable'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Info
+        env:
+          GITHUB_REF: ${{ github.ref }}
+        run: |
+          echo "GRAFANA_COMMIT: $GRAFANA_COMMIT"
+          echo "github.ref: $GITHUB_REF"
+
+      - name: Checkout workflow ref
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 100
+          fetch-tags: false
+
+      # this will fail with "{commit} is not a valid commit" if the commit is valid but
+      # not in the last 100 commits.
+      - name: Verify commit is in workflow HEAD
+        env:
+          GIT_COMMIT: ${{ github.event.inputs.grafana_commit }}
+        run: ./.github/workflows/scripts/validate-commit-in-head.sh
+        shell: bash
+
+      - name: Map version type to NPM tag
+        id: npm-tag
+        env:
+          VERSION: ${{ github.event.inputs.version }}
+          VERSION_TYPE: ${{ github.event.inputs.version_type }}
+          REFERENCE_PKG: "@grafana/runtime"
+        run: |
+          TAG=$(./.github/workflows/scripts/determine-npm-tag.sh)
+          echo "NPM_TAG=$TAG" >> "$GITHUB_OUTPUT"
+        shell: bash
+
+      - name: Checkout build commit
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          ref: ${{ github.event.inputs.grafana_commit }}
+
+      - name: Setup Node
+        uses: ./.github/actions/setup-node
+
+      # Trusted Publishing is only available in npm v11.5.1 and later
+      - name: Update npm
+        run: npm install -g npm@^11.5.1
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Typecheck packages
+        run: yarn run packages:typecheck
+
+      - name: Version, build, and pack packages
+        env:
+          VERSION: ${{ github.event.inputs.version }}
+        run: |
+          yarn run packages:build
+          yarn lerna version "$VERSION" \
+            --exact \
+            --no-git-tag-version \
+            --no-push \
+            --force-publish \
+            --yes
+          yarn run packages:pack
+
+      - name: Debug packed files
+        run: tree -a ./npm-artifacts
+
+      - name: Validate packages
+        run: ./scripts/validate-npm-packages.sh
+
+      - name: Debug OIDC Claims
+        uses: github/actions-oidc-debugger@2e9ba5d3f4bebaad1f91a2cede055115738b7ae8
+        with:
+          audience: '${{ github.server_url }}/${{ github.repository_owner }}'
+
+      - name: Publish packages
+        env:
+          NPM_TAG: ${{ steps.npm-tag.outputs.NPM_TAG }}
+        run: ./scripts/publish-npm-packages.sh --dist-tag "$NPM_TAG" --registry 'https://registry.npmjs.org/'
+
+  # TODO: finish this step
+  tag-nightly:
+    name: Tag nightly release
+    runs-on: github-hosted-ubuntu-x64-small
+    needs: publish
+    if: inputs.version_type == 'nightly'
+
+    steps:
+      - name: Checkout workflow ref
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      # TODO: tag the given release with nightly
+
+