CI: Add github app token generation in pipelines that use GITHUB_TOKEN (#96646)

* Add github app token generation in pipelines that use GITHUB_TOKEN

* ci?

* clone gh repo using x-access-token user

* address linting issues

* use mounted volume for exporting token

* remove unused github_token env var swagger gen step

* replace pat on release_pr pipeline

* cleanup GH PAT references

* linting

* Update scripts/drone/steps/lib.star

* make drone

---------

Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>
Kevin Minehart
2024-11-21 09:08:02 -06:00
committed by GitHub
parent 3984756ccc
commit 2400483d6c
15 changed files with 487 additions and 110 deletions


@@ -184,12 +184,27 @@ steps:
- yarn-install
image: node:20.9.0-alpine
name: betterer-frontend
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -199,12 +214,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- yarn run ci:test-frontend
depends_on:
@@ -230,6 +247,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -248,12 +267,27 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -263,12 +297,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@@ -318,6 +354,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -336,12 +374,27 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -351,12 +404,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@@ -426,6 +481,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -455,12 +512,27 @@ steps:
CGO_ENABLED: 0
image: golang:1.23.1-alpine
name: compile-build-cmd
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -470,12 +542,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update make
- make gen-go
@@ -515,6 +589,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -533,6 +609,20 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@@ -736,10 +826,12 @@ steps:
image: cypress/included:13.10.0
name: end-to-end-tests-old-arch/various-suite
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- cd /
- ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
depends_on:
- grafana-server
- github-app-generate-token
environment:
AZURE_SP_APP_ID:
from_secret: azure_sp_app_id
@@ -748,11 +840,12 @@ steps:
AZURE_TENANT:
from_secret: azure_tenant
CYPRESS_CI: "true"
GITHUB_TOKEN:
from_secret: github_token
HOST: grafana-server
image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0
name: end-to-end-tests-cloud-plugins-suite-azure
volumes:
- name: github-app
path: /github-app
when:
paths:
include:
@@ -795,6 +888,7 @@ steps:
- success
- failure
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi
- export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
- 'curl -L -X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments
@@ -806,17 +900,19 @@ steps:
\"}"'
depends_on:
- playwright-e2e-report-upload
environment:
GITHUB_TOKEN:
from_secret: github_token
- github-app-generate-token
failure: ignore
image: byrnedo/alpine-curl:0.1.8
name: playwright-e2e-report-post-link
volumes:
- name: github-app
path: /github-app
when:
status:
- success
- failure
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
false; fi
- apt-get update
@@ -836,15 +932,17 @@ steps:
- end-to-end-tests-panels-suite
- end-to-end-tests-smoke-tests-suite
- end-to-end-tests-various-suite
- github-app-generate-token
environment:
E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
from_secret: gcp_upload_artifacts_key
GITHUB_TOKEN:
from_secret: github_token
failure: ignore
image: google/cloud-sdk:431.0.0
name: e2e-tests-artifacts-upload
volumes:
- name: github-app
path: /github-app
when:
status:
- success
@@ -889,6 +987,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -953,12 +1053,27 @@ services:
image: memcached:1.6.9-alpine
name: memcached
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -968,12 +1083,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- mkdir -p bin
- curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v3.1.1/grabpl
@@ -1158,6 +1275,8 @@ volumes:
- name: mysql80
temp:
medium: memory
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -1287,12 +1406,27 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
- GITHUB_TOKEN=$(cat /github-app/token)
- is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
| jq .head.repo.fork)
- if [ "$is_fork" != false ]; then return 1; fi
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -1302,12 +1436,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update git make
- make swagger-clean && make openapi3-gen
@@ -1318,9 +1454,6 @@ steps:
&& return 1; fi
depends_on:
- clone-enterprise
environment:
GITHUB_TOKEN:
from_secret: github_token
image: golang:1.23.1-alpine
name: swagger-gen
trigger:
@@ -1331,6 +1464,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -1395,9 +1530,24 @@ services:
image: memcached:1.6.9-alpine
name: memcached
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- apk add --update curl jq bash
- git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
- GITHUB_TOKEN=$(cat /github-app/token)
- git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
../grafana-enterprise
- cd ../grafana-enterprise
- if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -1407,12 +1557,14 @@ steps:
- ln -s src grafana
- cd ./grafana-enterprise
- ./build.sh
environment:
GITHUB_TOKEN:
from_secret: github_token
depends_on:
- github-app-generate-token
failure: ignore
image: alpine/git:2.40.1
name: clone-enterprise
volumes:
- name: github-app
path: /github-app
- commands:
- go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
depends_on: []
@@ -1509,6 +1661,8 @@ volumes:
- name: mysql80
temp:
medium: memory
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -1933,6 +2087,20 @@ platform:
os: linux
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- echo $DRONE_RUNNER_NAME
image: alpine:3.20.3
@@ -2139,10 +2307,12 @@ steps:
image: cypress/included:13.10.0
name: end-to-end-tests-old-arch/various-suite
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- cd /
- ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
depends_on:
- grafana-server
- github-app-generate-token
environment:
AZURE_SP_APP_ID:
from_secret: azure_sp_app_id
@@ -2151,11 +2321,12 @@ steps:
AZURE_TENANT:
from_secret: azure_tenant
CYPRESS_CI: "true"
GITHUB_TOKEN:
from_secret: github_token
HOST: grafana-server
image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0
name: end-to-end-tests-cloud-plugins-suite-azure
volumes:
- name: github-app
path: /github-app
when:
paths:
include:
@@ -2198,6 +2369,7 @@ steps:
- success
- failure
- commands:
- GITHUB_TOKEN=$(cat /github-app/token)
- if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi
- export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
- 'curl -L -X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments
@@ -2209,17 +2381,19 @@ steps:
\"}"'
depends_on:
- playwright-e2e-report-upload
environment:
GITHUB_TOKEN:
from_secret: github_token
- github-app-generate-token
failure: ignore
image: byrnedo/alpine-curl:0.1.8
name: playwright-e2e-report-post-link
volumes:
- name: github-app
path: /github-app
when:
status:
- success
- failure
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
false; fi
- apt-get update
@@ -2239,15 +2413,17 @@ steps:
- end-to-end-tests-panels-suite
- end-to-end-tests-smoke-tests-suite
- end-to-end-tests-various-suite
- github-app-generate-token
environment:
E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
from_secret: gcp_upload_artifacts_key
GITHUB_TOKEN:
from_secret: github_token
failure: ignore
image: google/cloud-sdk:431.0.0
name: e2e-tests-artifacts-upload
volumes:
- name: github-app
path: /github-app
when:
status:
- success
@@ -2404,6 +2580,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -3534,6 +3712,7 @@ platform:
services: []
steps:
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- apk add perl
- v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
- curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@@ -3542,10 +3721,11 @@ steps:
depends_on: []
environment:
GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
GITHUB_TOKEN:
from_secret: github_token
image: byrnedo/alpine-curl:0.1.8
name: create-release-pr
volumes:
- name: github-app
path: /github-app
trigger:
event:
- promote
@@ -3555,6 +3735,8 @@ volumes:
- host:
path: /var/run/docker.sock
name: docker
- name: github-app
temp: {}
---
clone:
retries: 3
@@ -3604,6 +3786,21 @@ steps:
image: grafana/grafana-ci-deploy:1.3.3
name: publish-storybook
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- apk add perl
- v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
- curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@@ -3611,12 +3808,14 @@ steps:
-f latest=$${LATEST} --repo=grafana/grafana release-pr.yml
depends_on:
- publish-artifacts
- github-app-generate-token
environment:
GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
GITHUB_TOKEN:
from_secret: github_token
image: byrnedo/alpine-curl:0.1.8
name: create-release-pr
volumes:
- name: github-app
path: /github-app
trigger:
event:
- promote
@@ -4118,6 +4317,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_main.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -4137,8 +4337,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@@ -4157,6 +4355,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
trigger:
branch: main
event:
@@ -4192,6 +4392,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_tag_grafana.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -4211,8 +4412,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@@ -4231,6 +4430,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
trigger:
event:
exclude:
@@ -4353,6 +4554,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_tag_grafana.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -4372,8 +4574,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@@ -4392,6 +4592,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
trigger:
ref:
- refs/heads/v[0-9]*
@@ -4589,6 +4791,7 @@ services: []
steps:
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_build_nightly_grafana.sh
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -4608,8 +4811,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@@ -4628,6 +4829,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
- commands:
- mkdir -p $${DESTINATION}/$${DRONE_BUILD_EVENT}
- printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
@@ -4652,8 +4855,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
GPG_PRIVATE_KEY:
@@ -4718,8 +4919,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
GPG_PRIVATE_KEY:
@@ -4734,6 +4933,7 @@ steps:
name: rgm-copy
- commands:
- export GRAFANA_DIR=$$(pwd)
- export GITHUB_TOKEN=$(cat /github-app/token)
- cd /src && ./scripts/drone_publish_nightly_grafana.sh
depends_on:
- rgm-copy
@@ -4755,8 +4955,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@@ -4775,6 +4973,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
- depends_on:
- rgm-publish
image: us.gcr.io/kubernetes-dev/package-publish:latest
@@ -4844,9 +5044,26 @@ platform:
services: []
steps:
- commands:
- echo $(/usr/bin/github-app-external-token) > /github-app/token
environment:
GITHUB_APP_ID:
from_secret: github-app-app-id
GITHUB_APP_INSTALLATION_ID:
from_secret: github-app-installation-id
GITHUB_APP_PRIVATE_KEY:
from_secret: github-app-private-key
image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
name: github-app-generate-token
volumes:
- name: github-app
path: /github-app
- commands:
- export GITHUB_TOKEN=$(cat /github-app/token)
- 'dagger run --silent /src/grafana-build artifacts -a $${ARTIFACTS} --grafana-ref=$${GRAFANA_REF}
--enterprise-ref=$${ENTERPRISE_REF} --grafana-repo=$${GRAFANA_REPO} --version=$${VERSION} '
- --go-version=1.23.1
depends_on:
- github-app-generate-token
environment:
_EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
from_secret: dagger_token
@@ -4865,8 +5082,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GO_VERSION: 1.23.1
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
@@ -4885,6 +5100,8 @@ steps:
volumes:
- name: docker
path: /var/run/docker.sock
- name: github-app
path: /github-app
- commands:
- printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
- gcloud auth activate-service-account --key-file=/tmp/key.json
@@ -4906,8 +5123,6 @@ steps:
from_secret: grafana_api_key
GCP_KEY_BASE64:
from_secret: gcp_key_base64
GITHUB_TOKEN:
from_secret: github_token
GPG_PASSPHRASE:
from_secret: packages_gpg_passphrase
GPG_PRIVATE_KEY:
@@ -5471,6 +5686,7 @@ steps:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM koalaman/shellcheck:stable
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM rockylinux:9
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM scottyhardy/docker-wine:stable-9.0
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
depends_on:
- authenticate-gcr
image: aquasec/trivy:0.21.0
@@ -5509,6 +5725,7 @@ steps:
- trivy --exit-code 1 --severity HIGH,CRITICAL koalaman/shellcheck:stable
- trivy --exit-code 1 --severity HIGH,CRITICAL rockylinux:9
- trivy --exit-code 1 --severity HIGH,CRITICAL scottyhardy/docker-wine:stable-9.0
- trivy --exit-code 1 --severity HIGH,CRITICAL us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
depends_on:
- authenticate-gcr
environment:
@@ -5541,6 +5758,24 @@ volumes:
- name: config
temp: {}
---
get:
name: app-id
path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-app-id
---
get:
name: app-installation-id
path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-installation-id
---
get:
name: private-key
path: ci/data/repo/grafana/grafana/github-app
kind: secret
name: github-app-private-key
---
get:
name: credentials.json
path: infra/data/ci/grafana-release-eng/grafanauploads
@@ -5571,12 +5806,6 @@ get:
kind: secret
name: gar
---
get:
name: pat
path: ci/data/repo/grafana/grafana/grafanabot
kind: secret
name: github_token
---
get:
name: machine-user-token
path: infra/data/ci/drone
@@ -5740,6 +5969,6 @@ kind: secret
name: gcr_credentials
---
kind: signature
hmac: bb28bcd274c9d2ce724db12659ed6e3dcc461f8a07ae0eb9385a64ca5daad4de
hmac: b164dd562488c482f2e670688fca02ae20dcd2e7841ec80c95838472842b4b5e
...
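Review bot: In the two `end-to-end-tests-cloud-plugins-suite-azure` steps (hunks `@@ -736,10 +826,12 @@` and `@@ -2139,10 +2307,12 @@`) the token is assigned with `GITHUB_TOKEN=$(cat /github-app/token)` but never exported, so `./cpp-e2e/scripts/ci-run.sh` runs as a child process without it; the removed `from_secret: github_token` entry had placed the token in the step environment, which suggests the script reads it from there. Use `export GITHUB_TOKEN=$(cat /github-app/token)` as the other converted steps already do. The generator step's `echo $(/usr/bin/github-app-external-token) > /github-app/token` also discards the helper's exit status, so a failed token request leaves an empty file while the step still succeeds and dependants (several with `failure: ignore`) fail or skip silently; `/usr/bin/github-app-external-token > /github-app/token` keeps the failure visible. As far as I know Drone only masks values injected via `from_secret` in build logs, so a token read from a file will appear in clear text if any command in these steps prints it (verbose curl, `set -x`, or a git error that includes the remote URL) — worth a comment on the generator step and a check that none of the consumers do.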