Drone: Retrieve the machine-user from a Vault secret (#35489)

This will remove the need to use a Drone repository secret

.drone.yml

@@ -3493,4 +3493,12 @@ get:
   path: infra/data/ci/github/grafanabot
   name: pat
 
+---
+kind: secret
+name: drone_token
+
+get:
+  path: infra/data/ci/drone
+  name: machine-user-token
+
 ...

scripts/lib.star

@@ -1,4 +1,4 @@
-load('scripts/vault.star', 'from_secret', 'github_token', 'pull_secret')
+load('scripts/vault.star', 'from_secret', 'github_token', 'pull_secret', 'drone_token')
 
 grabpl_version = '2.0.0'
 build_image = 'grafana/build-container:1.4.1'
@@ -193,7 +193,7 @@ def enterprise_downstream_step(edition):
         'image': 'grafana/drone-downstream',
         'settings': {
             'server': 'https://drone.grafana.net',
-            'token': from_secret('drone_token'),
+            'token': from_secret(drone_token),
             'repositories': [
                 'grafana/grafana-enterprise@main',
             ],

scripts/vault.star

@@ -1,5 +1,6 @@
 pull_secret = 'dockerconfigjson'
 github_token = 'github_token'
+drone_token = 'drone_token'
 
 def from_secret(secret):
     return {
@@ -19,5 +20,6 @@ def vault_secret(name, path, key):
 def secrets():
     return [
         vault_secret(pull_secret, 'secret/data/common/gcr', '.dockerconfigjson'),
-        vault_secret(github_token, 'infra/data/ci/github/grafanabot', 'pat')
+        vault_secret(github_token, 'infra/data/ci/github/grafanabot', 'pat'),
+        vault_secret(drone_token, 'infra/data/ci/drone', 'machine-user-token'),
     ]