IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

CI: Add github app token generation in pipelines that use GITHUB_TOKEN (#96646)

Browse Source 
* Add github app token generation in pipelines that use GITHUB_TOKEN

* ci?

* clone gh repo using x-access-token user

* address linting issues

* use mounted volume for exporting token

* remove unused github_token env var swagger gen step

* replace pat on release_pr pipepline

* cleanup GH PAT references

* linting

* Update scripts/drone/steps/lib.star

* make drone

---------

Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>
This commit is contained in:
Kevin Minehart 2024-11-21 09:08:02 -06:00 committed by GitHub
parent 3984756ccc
commit 2400483d6c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 487 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

389
.drone.yml
View File

@ -184,12 +184,27 @@ steps:
- yarn-install
image: node:20.9.0-alpine
name: betterer-frontend
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -199,12 +214,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- yarn run ci:test-frontend
depends_on:
@ -230,6 +247,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -248,12 +267,27 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -263,12 +297,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@ -318,6 +354,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -336,12 +374,27 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -351,12 +404,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@ -426,6 +481,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -455,12 +512,27 @@ steps:
CGO_ENABLED: 0
image: golang:1.23.1-alpine
name: compile-build-cmd
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -470,12 +542,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update make
- make gen-go
@ -515,6 +589,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -533,6 +609,20 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@ -736,10 +826,12 @@ steps:
image: cypress/included:13.10.0
name: end-to-end-tests-old-arch/various-suite
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- cd /
- ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
depends_on:
- grafana-server
- github-app-generate-token
environment:
AZURE_SP_APP_ID:
from_secret: azure_sp_app_id
@ -748,11 +840,12 @@ steps:
AZURE_TENANT:
from_secret: azure_tenant
CYPRESS_CI: "true"
GITHUB_TOKEN:
from_secret: github_token
HOST: grafana-server
image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0
name: end-to-end-tests-cloud-plugins-suite-azure
volumes:
- name: github-app
path: /github-app
when:
paths:
include:
@ -795,6 +888,7 @@ steps:
- success
- failure
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi
- export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
- 'curl -L -X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments
@ -806,17 +900,19 @@ steps:
\"}"'
depends_on:
- playwright-e2e-report-upload
environment:
GITHUB_TOKEN:
from_secret: github_token
- github-app-generate-token
failure: ignore
image: byrnedo/alpine-curl:0.1.8
name: playwright-e2e-report-post-link
volumes:
- name: github-app
path: /github-app
when:
status:
- success
- failure
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
false; fi
- apt-get update
@ -836,15 +932,17 @@ steps:
- end-to-end-tests-panels-suite
- end-to-end-tests-smoke-tests-suite
- end-to-end-tests-various-suite
- github-app-generate-token
environment:
E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
from_secret: gcp_upload_artifacts_key
GITHUB_TOKEN:
from_secret: github_token
failure: ignore
image: google/cloud-sdk:431.0.0
name: e2e-tests-artifacts-upload
volumes:
- name: github-app
path: /github-app
when:
status:
- success
@ -889,6 +987,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -953,12 +1053,27 @@ services:
image: memcached:1.6.9-alpine
name: memcached
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -968,12 +1083,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- mkdir -p bin
- curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v3.1.1/grabpl
@ -1158,6 +1275,8 @@ volumes:
- name: mysql80
temp:
medium: memory
- name: github-app
temp: {}
---
clone:
retries: 3
@ -1287,12 +1406,27 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -1302,12 +1436,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update git make
- make swagger-clean && make openapi3-gen
@ -1318,9 +1454,6 @@ steps:
&& return 1; fi
depends_on:
- clone-enterprise
environment:
GITHUB_TOKEN:
from_secret: github_token
image: golang:1.23.1-alpine
name: swagger-gen
trigger:
@ -1331,6 +1464,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -1395,9 +1530,24 @@ services:
image: memcached:1.6.9-alpine
name: memcached
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- GITHUB_TOKEN=$(cat /github-app/token)
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@ -1407,12 +1557,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
depends_on: []
@ -1509,6 +1661,8 @@ volumes:
- name: mysql80
temp:
medium: memory
- name: github-app
temp: {}
---
clone:
retries: 3
@ -1933,6 +2087,20 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@ -2139,10 +2307,12 @@ steps:
image: cypress/included:13.10.0
name: end-to-end-tests-old-arch/various-suite
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- cd /
- ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
depends_on:
- grafana-server
- github-app-generate-token
environment:
AZURE_SP_APP_ID:
from_secret: azure_sp_app_id
@ -2151,11 +2321,12 @@ steps:
AZURE_TENANT:
from_secret: azure_tenant
CYPRESS_CI: "true"
GITHUB_TOKEN:
from_secret: github_token
HOST: grafana-server
image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0
name: end-to-end-tests-cloud-plugins-suite-azure
volumes:
- name: github-app
path: /github-app
when:
paths:
include:
@ -2198,6 +2369,7 @@ steps:
- success
- failure
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi
- export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
- 'curl -L -X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments
@ -2209,17 +2381,19 @@ steps:
\"}"'
depends_on:
- playwright-e2e-report-upload
environment:
GITHUB_TOKEN:
from_secret: github_token
- github-app-generate-token
failure: ignore
image: byrnedo/alpine-curl:0.1.8
name: playwright-e2e-report-post-link
volumes:
- name: github-app
path: /github-app
when:
status:
- success
- failure
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
false; fi
- apt-get update
@ -2239,15 +2413,17 @@ steps:
- end-to-end-tests-panels-suite
- end-to-end-tests-smoke-tests-suite
- end-to-end-tests-various-suite
- github-app-generate-token
environment:
E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
from_secret: gcp_upload_artifacts_key
GITHUB_TOKEN:
from_secret: github_token
failure: ignore
image: google/cloud-sdk:431.0.0
name: e2e-tests-artifacts-upload
volumes:
- name: github-app
path: /github-app
when:
status:
- success
@ -2404,6 +2580,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -3534,6 +3712,7 @@ platform:
services: []
steps:
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- apk add perl
- v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
- curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@ -3542,10 +3721,11 @@ steps:
depends_on: []
environment:
GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
GITHUB_TOKEN:
from_secret: github_token
image: byrnedo/alpine-curl:0.1.8
name: create-release-pr
volumes:
- name: github-app
path: /github-app
trigger:
event:
- promote
@ -3555,6 +3735,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@ -3604,6 +3786,21 @@ steps:
image: grafana/grafana-ci-deploy:1.3.3
name: publish-storybook
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- apk add perl
- v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
- curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@ -3611,12 +3808,14 @@ steps:
-f latest=$${LATEST} --repo=grafana/grafana release-pr.yml
depends_on:
- publish-artifacts
- github-app-generate-token
environment:
GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
GITHUB_TOKEN:
from_secret: github_token
image: byrnedo/alpine-curl:0.1.8
name: create-release-pr
volumes:
- name: github-app
path: /github-app
trigger:
event:
- promote
@ -4118,6 +4317,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_main.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@ -4137,8 +4337,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -4157,6 +4355,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
trigger:
branch: main
event:
@ -4192,6 +4392,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_tag_grafana.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@ -4211,8 +4412,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -4231,6 +4430,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
trigger:
event:
exclude:
@ -4353,6 +4554,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_tag_grafana.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@ -4372,8 +4574,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -4392,6 +4592,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
trigger:
ref:
- refs/heads/v[0-9]*
@ -4589,6 +4791,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_nightly_grafana.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@ -4608,8 +4811,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -4628,6 +4829,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
- commands:
- mkdir -p $${DESTINATION}/$${DRONE_BUILD_EVENT}
- printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
@ -4652,8 +4855,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
GPG_PRIVATE_KEY:
@ -4718,8 +4919,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
GPG_PRIVATE_KEY:
@ -4734,6 +4933,7 @@ steps:
name: rgm-copy
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_publish_nightly_grafana.sh
depends_on:
- rgm-copy
@ -4755,8 +4955,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -4775,6 +4973,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
- depends_on:
- rgm-publish
image: us.gcr.io/kubernetes-dev/package-publish:latest
@ -4844,9 +5044,26 @@ platform:
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- 'dagger run --silent /src/grafana-build artifacts -a $${ARTIFACTS} --grafana-ref=$${GRAFANA_REF}
--enterprise-ref=$${ENTERPRISE_REF} --grafana-repo=$${GRAFANA_REPO} --version=$${VERSION} '
- --go-version=1.23.1
depends_on:
- github-app-generate-token
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
from_secret: dagger_token
@ -4865,8 +5082,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@ -4885,6 +5100,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
- commands:
- printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
- gcloud auth activate-service-account --key-file=/tmp/key.json
@ -4906,8 +5123,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
GPG_PRIVATE_KEY:
@ -5471,6 +5686,7 @@ steps:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM koalaman/shellcheck:stable
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM rockylinux:9
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM scottyhardy/docker-wine:stable-9.0
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
depends_on:
- authenticate-gcr
image: aquasec/trivy:0.21.0
@ -5509,6 +5725,7 @@ steps:
- trivy --exit-code 1 --severity HIGH,CRITICAL koalaman/shellcheck:stable
- trivy --exit-code 1 --severity HIGH,CRITICAL rockylinux:9
- trivy --exit-code 1 --severity HIGH,CRITICAL scottyhardy/docker-wine:stable-9.0
- trivy --exit-code 1 --severity HIGH,CRITICAL us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
depends_on:
- authenticate-gcr
environment:
@ -5541,6 +5758,24 @@ volumes:
- name: config
temp: {}
---
get:
name: app-id
path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-app-id
---
get:
name: app-installation-id
path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-installation-id
---
get:
name: private-key
path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-private-key
---
get:
name: credentials.json
path: infra/data/ci/grafana-release-eng/grafanauploads
@ -5571,12 +5806,6 @@ get:
kind: secret
name: gar
---
get:
name: pat
path: ci/data/repo/grafana/grafana/grafanabot
kind: secret
name: github_token
---
get:
name: machine-user-token
path: infra/data/ci/drone
@ -5740,6 +5969,6 @@ kind: secret
name: gcr_credentials
---
kind: signature
hmac: bb28bcd274c9d2ce724db12659ed6e3dcc461f8a07ae0eb9385a64ca5daad4de
hmac: b164dd562488c482f2e670688fca02ae20dcd2e7841ec80c95838472842b4b5e
...

13
scripts/drone/events/release.star
View File

@ -7,6 +7,12 @@ load(
"integration_test_services",
"integration_test_services_volumes",
)
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
"github_app_step_volumes",
)
load(
"scripts/drone/steps/lib.star",
"compile_build_cmd",
@ -69,10 +75,10 @@ def release_pr_step(depends_on = []):
"image": images["curl"],
"depends_on": depends_on,
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
"GH_CLI_URL": "https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz",
},
"commands": [
"export GITHUB_TOKEN=$(cat /github-app/token)",
"apk add perl",
"v_target=`echo $${{TAG}} | perl -pe 's/{}/v\\1.\\2.x/'`".format(semver_regex),
# Install gh CLI
@ -86,6 +92,7 @@ def release_pr_step(depends_on = []):
"-f latest=$${LATEST} " +
"--repo=grafana/grafana release-pr.yml",
],
"volumes": github_app_step_volumes(),
}
def release_npm_packages_step():
@ -149,7 +156,8 @@ def publish_artifacts_pipelines(mode):
compile_build_cmd(),
publish_artifacts_step(),
publish_storybook_step(),
release_pr_step(depends_on = ["publish-artifacts"]),
github_app_generate_token_step(),
release_pr_step(depends_on = ["publish-artifacts", github_app_generate_token_step()["name"]]),
]
return [
@ -162,6 +170,7 @@ def publish_artifacts_pipelines(mode):
steps = [
release_pr_step(),
],
volumes = github_app_pipeline_volumes(),
),
pipeline(
name = "publish-artifacts-{}".format(mode),

12
scripts/drone/pipelines/benchmarks.star
View File

@ -7,6 +7,11 @@ load(
"integration_test_services",
"integration_test_services_volumes",
)
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"compile_build_cmd",
@ -32,10 +37,13 @@ def integration_benchmarks(prefix):
environment = {"EDITION": "oss"}
services = integration_test_services()
volumes = integration_test_services_volumes()
volumes = integration_test_services_volumes() + github_app_pipeline_volumes()
# In pull requests, attempt to clone grafana enterprise.
init_steps = [enterprise_setup_step(isPromote = True)]
init_steps = [
github_app_generate_token_step(),
enterprise_setup_step(isPromote = True),
]
verify_step = verify_gen_cue_step()
verify_jsonnet_step = verify_gen_jsonnet_step()

7
scripts/drone/pipelines/build.star
View File

@ -1,5 +1,10 @@
"""This module contains the comprehensive build pipeline."""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"build_frontend_package_step",
@ -57,6 +62,7 @@ def build_e2e(trigger, ver_mode):
environment = {"EDITION": "oss"}
init_steps = [
github_app_generate_token_step(),
identify_runner_step(),
download_grabpl_step(),
compile_build_cmd(),
@ -173,4 +179,5 @@ def build_e2e(trigger, ver_mode):
services = [],
steps = init_steps + build_steps,
trigger = trigger,
volumes = github_app_pipeline_volumes(),
)

8
scripts/drone/pipelines/integration_tests.star
View File

@ -7,6 +7,11 @@ load(
"integration_test_services",
"integration_test_services_volumes",
)
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"compile_build_cmd",
@ -50,8 +55,11 @@ def integration_tests(trigger, prefix, ver_mode = "pr"):
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
init_steps.append(github_app_generate_token_step())
init_steps.append(enterprise_setup_step())
volumes += github_app_pipeline_volumes()
init_steps += [
download_grabpl_step(),
compile_build_cmd(),

11
scripts/drone/pipelines/lint_backend.star
View File

@ -2,6 +2,11 @@
This module returns the pipeline used for linting backend code.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"compile_build_cmd",
@ -37,10 +42,15 @@ def lint_backend_pipeline(trigger, ver_mode):
compile_build_cmd(),
]
volumes = []
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
init_steps.append(github_app_generate_token_step())
init_steps.append(enterprise_setup_step())
volumes += github_app_pipeline_volumes()
init_steps.append(wire_step)
test_steps = [
@ -57,4 +67,5 @@ def lint_backend_pipeline(trigger, ver_mode):
services = [],
steps = init_steps + test_steps,
environment = environment,
volumes = volumes,
)

15
scripts/drone/pipelines/lint_frontend.star
View File

@ -2,6 +2,11 @@
This module returns the pipeline used for linting frontend code.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"enterprise_setup_step",
@ -31,9 +36,16 @@ def lint_frontend_pipeline(trigger, ver_mode):
lint_step = lint_frontend_step()
i18n_step = verify_i18n_step()
volumes = []
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
init_steps = [enterprise_setup_step()]
init_steps = [
github_app_generate_token_step(),
enterprise_setup_step(),
]
volumes += github_app_pipeline_volumes()
init_steps += [
identify_runner_step(),
@ -50,4 +62,5 @@ def lint_frontend_pipeline(trigger, ver_mode):
services = [],
steps = init_steps + test_steps,
environment = environment,
volumes = volumes,
)

14
scripts/drone/pipelines/swagger_gen.star
View File

@ -2,6 +2,11 @@
This module returns all pipelines used in OpenAPI specification generation of Grafana HTTP APIs
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"enterprise_setup_step",
@ -14,10 +19,6 @@ load(
"scripts/drone/utils/utils.star",
"pipeline",
)
load(
"scripts/drone/vault.star",
"from_secret",
)
def swagger_gen_step(ver_mode):
if ver_mode != "pr":
@ -26,9 +27,6 @@ def swagger_gen_step(ver_mode):
return {
"name": "swagger-gen",
"image": images["go"],
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
},
"commands": [
"apk add --update git make",
"make swagger-clean && make openapi3-gen",
@ -42,6 +40,7 @@ def swagger_gen_step(ver_mode):
def swagger_gen(ver_mode, source = "${DRONE_SOURCE_BRANCH}"):
test_steps = [
github_app_generate_token_step(),
enterprise_setup_step(source = source, canFail = True),
swagger_gen_step(ver_mode = ver_mode),
]
@ -53,6 +52,7 @@ def swagger_gen(ver_mode, source = "${DRONE_SOURCE_BRANCH}"):
},
services = [],
steps = test_steps,
volumes = github_app_pipeline_volumes(),
)
return p

11
scripts/drone/pipelines/test_backend.star
View File

@ -2,6 +2,11 @@
This module returns the pipeline used for testing backend code.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"enterprise_setup_step",
@ -34,10 +39,15 @@ def test_backend(trigger, ver_mode):
verify_step = verify_gen_cue_step()
verify_jsonnet_step = verify_gen_jsonnet_step()
volumes = []
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
steps.append(github_app_generate_token_step())
steps.append(enterprise_setup_step())
volumes += github_app_pipeline_volumes()
steps += [
identify_runner_step(),
verify_step,
@ -52,4 +62,5 @@ def test_backend(trigger, ver_mode):
trigger = trigger,
steps = steps,
environment = environment,
volumes = volumes,
)

11
scripts/drone/pipelines/test_frontend.star
View File

@ -2,6 +2,11 @@
This module returns the pipeline used for testing backend code.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_pipeline_volumes",
)
load(
"scripts/drone/steps/lib.star",
"betterer_frontend_step",
@ -35,10 +40,15 @@ def test_frontend(trigger, ver_mode):
test_step = test_frontend_step()
volumes = []
if ver_mode == "pr":
# In pull requests, attempt to clone grafana enterprise.
steps.append(github_app_generate_token_step())
steps.append(enterprise_setup_step())
volumes += github_app_pipeline_volumes()
steps.append(test_step)
return pipeline(
@ -46,4 +56,5 @@ def test_frontend(trigger, ver_mode):
trigger = trigger,
steps = steps,
environment = environment,
volumes = volumes,
)

19
scripts/drone/rgm.star
View File

@ -20,6 +20,11 @@ load(
"scripts/drone/pipelines/whats_new_checker.star",
"whats_new_checker_pipeline",
)
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_step_volumes",
)
load(
"scripts/drone/utils/images.star",
"images",
@ -42,7 +47,6 @@ load(
"rgm_destination",
"rgm_downloads_destination",
"rgm_gcp_key_base64",
"rgm_github_token",
"rgm_storybook_destination",
)
@ -111,7 +115,6 @@ def rgm_env_secrets(env):
env["DOWNLOADS_DESTINATION"] = from_secret(rgm_downloads_destination)
env["GCP_KEY_BASE64"] = from_secret(rgm_gcp_key_base64)
env["GITHUB_TOKEN"] = from_secret(rgm_github_token)
env["_EXPERIMENTAL_DAGGER_CLOUD_TOKEN"] = from_secret(rgm_dagger_token)
env["GPG_PRIVATE_KEY"] = from_secret("packages_gpg_private_key")
env["GPG_PUBLIC_KEY"] = from_secret("packages_gpg_public_key")
@ -142,12 +145,13 @@ def rgm_run(name, script):
"pull": "always",
"commands": [
"export GRAFANA_DIR=$$(pwd)",
"export GITHUB_TOKEN=$(cat /github-app/token)",
"cd /src && ./scripts/{}".format(script),
],
"environment": rgm_env_secrets(env),
# The docker socket is a requirement for running dagger programs
# In the future we should find a way to use dagger without mounting the docker socket.
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}] + github_app_step_volumes(),
}
return [
@ -345,6 +349,7 @@ def rgm_promotion_pipeline():
"image": "grafana/grafana-build:main",
"pull": "always",
"commands": [
"export GITHUB_TOKEN=$(cat /github-app/token)",
"dagger run --silent /src/grafana-build artifacts " +
"-a $${ARTIFACTS} " +
"--grafana-ref=$${GRAFANA_REF} " +
@ -356,12 +361,16 @@ def rgm_promotion_pipeline():
"environment": rgm_env_secrets(env),
# The docker socket is a requirement for running dagger programs
# In the future we should find a way to use dagger without mounting the docker socket.
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
"volumes": [{"name": "docker", "path": "/var/run/docker.sock"}] + github_app_step_volumes(),
}
generate_token_step = github_app_generate_token_step()
publish_step = rgm_copy("dist/*", "$${UPLOAD_TO}")
build_step["depends_on"] = [
generate_token_step["name"],
]
steps = [
generate_token_step,
build_step,
publish_step,
]

40
scripts/drone/steps/github.star Normal file
View File

@ -0,0 +1,40 @@
"""
This module is used to interface with the GitHub App to extract temporary installation tokens.
"""
load(
"scripts/drone/utils/images.star",
"images",
)
load(
"scripts/drone/vault.star",
"from_secret",
"github_app_app_id",
"github_app_app_installation_id",
"github_app_private_key",
)
def github_app_step_volumes():
return [
{"name": "github-app", "path": "/github-app"},
]
def github_app_pipeline_volumes():
return [
{"name": "github-app", "temp": {}},
]
def github_app_generate_token_step():
return {
"name": "github-app-generate-token",
"image": images["github_app_secret_writer"],
"environment": {
"GITHUB_APP_ID": from_secret(github_app_app_id),
"GITHUB_APP_INSTALLATION_ID": from_secret(github_app_app_installation_id),
"GITHUB_APP_PRIVATE_KEY": from_secret(github_app_private_key),
},
"commands": [
"echo $(/usr/bin/github-app-external-token) > /github-app/token",
],
"volumes": github_app_step_volumes(),
}

36
scripts/drone/steps/lib.star
View File

@ -2,6 +2,11 @@
This module is a library of Drone steps and other pipeline components.
"""
load(
"scripts/drone/steps/github.star",
"github_app_generate_token_step",
"github_app_step_volumes",
)
load(
"scripts/drone/steps/rgm.star",
"rgm_build_backend_step",
@ -99,23 +104,25 @@ def clone_enterprise_step_pr(source = "${DRONE_COMMIT}", target = "main", canFai
check = []
else:
check = [
'is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST" | jq .head.repo.fork)',
'is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST" | jq .head.repo.fork)',
'if [ "$is_fork" != false ]; then return 1; fi', # Only clone if we're confident that 'fork' is 'false'. Fail if it's also empty.
]
step = {
"name": "clone-enterprise",
"image": images["git"],
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
},
"commands": [
"apk add --update curl jq bash",
"GITHUB_TOKEN=$(cat /github-app/token)",
] + check + [
'git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git" ' + location,
'git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git" ' + location,
"cd {}".format(location),
'if git checkout {0}; then echo "checked out {0}"; elif git checkout {1}; then echo "git checkout {1}"; else git checkout main; fi'.format(source, target),
],
"depends_on": [
github_app_generate_token_step()["name"],
],
"volumes": github_app_step_volumes(),
}
if canFail:
@ -316,6 +323,7 @@ def e2e_tests_artifacts():
"end-to-end-tests-panels-suite",
"end-to-end-tests-smoke-tests-suite",
"end-to-end-tests-various-suite",
github_app_generate_token_step()["name"],
],
"failure": "ignore",
"when": {
@ -327,9 +335,9 @@ def e2e_tests_artifacts():
"environment": {
"GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY": from_secret(gcp_upload_artifacts_key),
"E2E_TEST_ARTIFACTS_BUCKET": "releng-pipeline-artifacts-dev",
"GITHUB_TOKEN": from_secret("github_token"),
},
"commands": [
"export GITHUB_TOKEN=$(cat /github-app/token)",
# if no videos found do nothing
"if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos'; false; fi",
"apt-get update",
@ -344,6 +352,7 @@ def e2e_tests_artifacts():
'curl -X POST https://api.github.com/repos/${DRONE_REPO}/statuses/${DRONE_COMMIT_SHA} -H "Authorization: token $${GITHUB_TOKEN}" -d ' +
'"{\\"state\\":\\"success\\",\\"target_url\\":\\"$${E2E_ARTIFACTS_VIDEO_ZIP}\\", \\"description\\": \\"Click on the details to download e2e recording videos\\", \\"context\\": \\"e2e_artifacts\\"}"',
],
"volumes": github_app_step_volumes(),
}
def playwright_e2e_report_upload():
@ -380,6 +389,7 @@ def playwright_e2e_report_post_link():
"image": images["curl"],
"depends_on": [
"playwright-e2e-report-upload",
github_app_generate_token_step()["name"],
],
"failure": "ignore",
"when": {
@ -388,10 +398,8 @@ def playwright_e2e_report_post_link():
"failure",
],
},
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
},
"commands": [
"GITHUB_TOKEN=$(cat /github-app/token)",
# if the trace doesn't folder exists, it means that there are no failed tests.
"if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi",
# if it exists, we will post a comment on the PR with the link to the report
@ -403,6 +411,7 @@ def playwright_e2e_report_post_link():
'-H "X-GitHub-Api-Version: 2022-11-28" -d ' +
'"{\\"body\\":\\"❌ Failed to run Playwright plugin e2e tests. <br /> <br /> Click [here]($${E2E_PLAYWRIGHT_REPORT_URL}) to browse the Playwright report and trace viewer. <br /> For information on how to run Playwright tests locally, refer to the [Developer guide](https://github.com/grafana/grafana/blob/main/contribute/developer-guide.md#to-run-the-playwright-tests). \\"}"',
],
"volumes": github_app_step_volumes(),
}
def upload_cdn_step(ver_mode, trigger = None, depends_on = ["grafana-server"]):
@ -852,7 +861,6 @@ def cloud_plugins_e2e_tests_step(suite, cloud, trigger = None):
environment = {
"CYPRESS_CI": "true",
"HOST": "grafana-server",
"GITHUB_TOKEN": from_secret("github_token"),
"AZURE_SP_APP_ID": from_secret("azure_sp_app_id"),
"AZURE_SP_PASSWORD": from_secret("azure_sp_app_pw"),
"AZURE_TENANT": from_secret("azure_tenant"),
@ -873,9 +881,15 @@ def cloud_plugins_e2e_tests_step(suite, cloud, trigger = None):
"image": "us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0",
"depends_on": [
"grafana-server",
github_app_generate_token_step()["name"],
],
"environment": environment,
"commands": ["cd /", "./cpp-e2e/scripts/ci-run.sh {} {}".format(cloud, branch)],
"commands": [
"GITHUB_TOKEN=$(cat /github-app/token)",
"cd /",
"./cpp-e2e/scripts/ci-run.sh {} {}".format(cloud, branch),
],
"volumes": github_app_step_volumes(),
}
step = dict(step, when = when)
return step

1
scripts/drone/utils/images.star
View File

@ -37,4 +37,5 @@ images = {
"shellcheck": "koalaman/shellcheck:stable",
"rocky": "rockylinux:9",
"wine": "scottyhardy/docker-wine:stable-9.0",
"github_app_secret_writer": "us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59",
}

10
scripts/drone/vault.star
View File

@ -9,16 +9,20 @@ gcp_upload_artifacts_key = "gcp_upload_artifacts_key"
gcp_grafanauploads = "gcp_grafanauploads"
gcp_grafanauploads_base64 = "gcp_grafanauploads_base64"
gcp_download_build_container_assets_key = "gcp_download_build_container_assets_key"
azure_sp_app_id = "azure_sp_app_id"
azure_sp_app_pw = "azure_sp_app_pw"
azure_tenant = "azure_tenant"
github_app_app_id = "github-app-app-id"
github_app_app_installation_id = "github-app-installation-id"
github_app_private_key = "github-app-private-key"
rgm_gcp_key_base64 = "gcp_key_base64"
rgm_destination = "destination"
rgm_storybook_destination = "rgm_storybook_destination"
rgm_cdn_destination = "rgm_cdn_destination"
rgm_downloads_destination = "rgm_downloads_destination"
rgm_github_token = "github_token"
rgm_dagger_token = "dagger_token"
docker_username = "docker_username"
@ -41,12 +45,14 @@ def vault_secret(name, path, key):
def secrets():
return [
vault_secret(github_app_app_id, "ci/data/repo/grafana/grafana/github-app", "app-id"),
vault_secret(github_app_app_installation_id, "ci/data/repo/grafana/grafana/github-app", "app-installation-id"),
vault_secret(github_app_private_key, "ci/data/repo/grafana/grafana/github-app", "private-key"),
vault_secret(gcp_grafanauploads, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials.json"),
vault_secret(gcp_grafanauploads_base64, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials_base64"),
vault_secret("grafana_api_key", "infra/data/ci/grafana-release-eng/grafanacom", "api_key"),
vault_secret(gcr_pull_secret, "secret/data/common/gcr", ".dockerconfigjson"),
vault_secret(gar_pull_secret, "secret/data/common/gar", ".dockerconfigjson"),
vault_secret("github_token", "ci/data/repo/grafana/grafana/grafanabot", "pat"),
vault_secret(drone_token, "infra/data/ci/drone", "machine-user-token"),
vault_secret(prerelease_bucket, "infra/data/ci/grafana/prerelease", "bucket"),
vault_secret(docker_username, "infra/data/ci/grafanaci-docker-hub", "username"),