CI: Add github app token generation in pipelines that use GITHUB_TOKEN (#96646)

* Add github app token generation in pipelines that use GITHUB_TOKEN

* ci?

* clone gh repo using x-access-token user

* address linting issues

* use mounted volume for exporting token

* remove unused github_token env var swagger gen step

* replace pat on release_pr pipepline

* cleanup GH PAT references

* linting

* Update scripts/drone/steps/lib.star

* make drone

---------

Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>

.drone.yml

@@ -184,12 +184,27 @@ steps:
   - yarn-install
   image: node:20.9.0-alpine
   name: betterer-frontend
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -199,12 +214,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - yarn run ci:test-frontend
   depends_on:
@@ -230,6 +247,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -248,12 +267,27 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -263,12 +297,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - echo $DRONE_RUNNER_NAME
   image: alpine:3.20.3
@@ -318,6 +354,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -336,12 +374,27 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -351,12 +404,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - echo $DRONE_RUNNER_NAME
   image: alpine:3.20.3
@@ -426,6 +481,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -455,12 +512,27 @@ steps:
     CGO_ENABLED: 0
   image: golang:1.23.1-alpine
   name: compile-build-cmd
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -470,12 +542,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update make
   - make gen-go
@@ -515,6 +589,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -533,6 +609,20 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - echo $DRONE_RUNNER_NAME
   image: alpine:3.20.3
@@ -736,10 +826,12 @@ steps:
   image: cypress/included:13.10.0
   name: end-to-end-tests-old-arch/various-suite
 - commands:
+  - GITHUB_TOKEN=$(cat /github-app/token)
   - cd /
   - ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
   depends_on:
   - grafana-server
+  - github-app-generate-token
   environment:
     AZURE_SP_APP_ID:
       from_secret: azure_sp_app_id
@@ -748,11 +840,12 @@ steps:
     AZURE_TENANT:
       from_secret: azure_tenant
     CYPRESS_CI: "true"
-    GITHUB_TOKEN:
-      from_secret: github_token
     HOST: grafana-server
   image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0
   name: end-to-end-tests-cloud-plugins-suite-azure
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     paths:
       include:
@@ -795,6 +888,7 @@ steps:
     - success
     - failure
 - commands:
+  - GITHUB_TOKEN=$(cat /github-app/token)
   - if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi
   - export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
   - 'curl -L -X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments
@@ -806,17 +900,19 @@ steps:
     \"}"'
   depends_on:
   - playwright-e2e-report-upload
-  environment:
+  - github-app-generate-token
-    GITHUB_TOKEN:
-      from_secret: github_token
   failure: ignore
   image: byrnedo/alpine-curl:0.1.8
   name: playwright-e2e-report-post-link
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     status:
     - success
     - failure
 - commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
     false; fi
   - apt-get update
@@ -836,15 +932,17 @@ steps:
   - end-to-end-tests-panels-suite
   - end-to-end-tests-smoke-tests-suite
   - end-to-end-tests-various-suite
+  - github-app-generate-token
   environment:
     E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
     GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
       from_secret: gcp_upload_artifacts_key
-    GITHUB_TOKEN:
-      from_secret: github_token
   failure: ignore
   image: google/cloud-sdk:431.0.0
   name: e2e-tests-artifacts-upload
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     status:
     - success
@@ -889,6 +987,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -953,12 +1053,27 @@ services:
   image: memcached:1.6.9-alpine
   name: memcached
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -968,12 +1083,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - mkdir -p bin
   - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v3.1.1/grabpl
@@ -1158,6 +1275,8 @@ volumes:
 - name: mysql80
   temp:
     medium: memory
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -1287,12 +1406,27 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST"
     | jq .head.repo.fork)
   - if [ "$is_fork" != false ]; then return 1; fi
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -1302,12 +1436,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update git make
   - make swagger-clean && make openapi3-gen
@@ -1318,9 +1454,6 @@ steps:
     && return 1; fi
   depends_on:
   - clone-enterprise
-  environment:
-    GITHUB_TOKEN:
-      from_secret: github_token
   image: golang:1.23.1-alpine
   name: swagger-gen
 trigger:
@@ -1331,6 +1464,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -1395,9 +1530,24 @@ services:
   image: memcached:1.6.9-alpine
   name: memcached
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - apk add --update curl jq bash
-  - git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
+  - GITHUB_TOKEN=$(cat /github-app/token)
+  - git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git"
     ../grafana-enterprise
   - cd ../grafana-enterprise
   - if git checkout ${DRONE_SOURCE_BRANCH}; then echo "checked out ${DRONE_SOURCE_BRANCH}";
@@ -1407,12 +1557,14 @@ steps:
   - ln -s src grafana
   - cd ./grafana-enterprise
   - ./build.sh
-  environment:
+  depends_on:
-    GITHUB_TOKEN:
+  - github-app-generate-token
-      from_secret: github_token
   failure: ignore
   image: alpine/git:2.40.1
   name: clone-enterprise
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - go build -o ./bin/build -ldflags '-extldflags -static' ./pkg/build/cmd
   depends_on: []
@@ -1509,6 +1661,8 @@ volumes:
 - name: mysql80
   temp:
     medium: memory
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -1933,6 +2087,20 @@ platform:
   os: linux
 services: []
 steps:
+- commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
 - commands:
   - echo $DRONE_RUNNER_NAME
   image: alpine:3.20.3
@@ -2139,10 +2307,12 @@ steps:
   image: cypress/included:13.10.0
   name: end-to-end-tests-old-arch/various-suite
 - commands:
+  - GITHUB_TOKEN=$(cat /github-app/token)
   - cd /
   - ./cpp-e2e/scripts/ci-run.sh azure ${DRONE_SOURCE_BRANCH}
   depends_on:
   - grafana-server
+  - github-app-generate-token
   environment:
     AZURE_SP_APP_ID:
       from_secret: azure_sp_app_id
@@ -2151,11 +2321,12 @@ steps:
     AZURE_TENANT:
       from_secret: azure_tenant
     CYPRESS_CI: "true"
-    GITHUB_TOKEN:
-      from_secret: github_token
     HOST: grafana-server
   image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0
   name: end-to-end-tests-cloud-plugins-suite-azure
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     paths:
       include:
@@ -2198,6 +2369,7 @@ steps:
     - success
     - failure
 - commands:
+  - GITHUB_TOKEN=$(cat /github-app/token)
   - if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi
   - export E2E_PLAYWRIGHT_REPORT_URL=https://storage.googleapis.com/releng-pipeline-artifacts-dev/${DRONE_BUILD_NUMBER}/playwright-report/index.html
   - 'curl -L -X POST https://api.github.com/repos/grafana/grafana/issues/${DRONE_PULL_REQUEST}/comments
@@ -2209,17 +2381,19 @@ steps:
     \"}"'
   depends_on:
   - playwright-e2e-report-upload
-  environment:
+  - github-app-generate-token
-    GITHUB_TOKEN:
-      from_secret: github_token
   failure: ignore
   image: byrnedo/alpine-curl:0.1.8
   name: playwright-e2e-report-post-link
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     status:
     - success
     - failure
 - commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos';
     false; fi
   - apt-get update
@@ -2239,15 +2413,17 @@ steps:
   - end-to-end-tests-panels-suite
   - end-to-end-tests-smoke-tests-suite
   - end-to-end-tests-various-suite
+  - github-app-generate-token
   environment:
     E2E_TEST_ARTIFACTS_BUCKET: releng-pipeline-artifacts-dev
     GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY:
       from_secret: gcp_upload_artifacts_key
-    GITHUB_TOKEN:
-      from_secret: github_token
   failure: ignore
   image: google/cloud-sdk:431.0.0
   name: e2e-tests-artifacts-upload
+  volumes:
+  - name: github-app
+    path: /github-app
   when:
     status:
     - success
@@ -2404,6 +2580,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -3534,6 +3712,7 @@ platform:
 services: []
 steps:
 - commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - apk add perl
   - v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
   - curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@@ -3542,10 +3721,11 @@ steps:
   depends_on: []
   environment:
     GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
-    GITHUB_TOKEN:
-      from_secret: github_token
   image: byrnedo/alpine-curl:0.1.8
   name: create-release-pr
+  volumes:
+  - name: github-app
+    path: /github-app
 trigger:
   event:
   - promote
@@ -3555,6 +3735,8 @@ volumes:
 - host:
     path: /var/run/docker.sock
   name: docker
+- name: github-app
+  temp: {}
 ---
 clone:
   retries: 3
@@ -3604,6 +3786,21 @@ steps:
   image: grafana/grafana-ci-deploy:1.3.3
   name: publish-storybook
 - commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
+- commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - apk add perl
   - v_target=`echo $${TAG} | perl -pe 's/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/v\1.\2.x/'`
   - curl -L $${GH_CLI_URL} | tar -xz --strip-components=1 -C /usr
@@ -3611,12 +3808,14 @@ steps:
     -f latest=$${LATEST} --repo=grafana/grafana release-pr.yml
   depends_on:
   - publish-artifacts
+  - github-app-generate-token
   environment:
     GH_CLI_URL: https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz
-    GITHUB_TOKEN:
-      from_secret: github_token
   image: byrnedo/alpine-curl:0.1.8
   name: create-release-pr
+  volumes:
+  - name: github-app
+    path: /github-app
 trigger:
   event:
   - promote
@@ -4118,6 +4317,7 @@ services: []
 steps:
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_build_main.sh
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -4137,8 +4337,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.23.1
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -4157,6 +4355,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 trigger:
   branch: main
   event:
@@ -4192,6 +4392,7 @@ services: []
 steps:
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_build_tag_grafana.sh
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -4211,8 +4412,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.23.1
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -4231,6 +4430,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 trigger:
   event:
     exclude:
@@ -4353,6 +4554,7 @@ services: []
 steps:
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_build_tag_grafana.sh
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -4372,8 +4574,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.23.1
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -4392,6 +4592,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 trigger:
   ref:
   - refs/heads/v[0-9]*
@@ -4589,6 +4791,7 @@ services: []
 steps:
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_build_nightly_grafana.sh
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
@@ -4608,8 +4811,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.23.1
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -4628,6 +4829,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 - commands:
   - mkdir -p $${DESTINATION}/$${DRONE_BUILD_EVENT}
   - printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
@@ -4652,8 +4855,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
     GPG_PRIVATE_KEY:
@@ -4718,8 +4919,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
     GPG_PRIVATE_KEY:
@@ -4734,6 +4933,7 @@ steps:
   name: rgm-copy
 - commands:
   - export GRAFANA_DIR=$$(pwd)
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - cd /src && ./scripts/drone_publish_nightly_grafana.sh
   depends_on:
   - rgm-copy
@@ -4755,8 +4955,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.23.1
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -4775,6 +4973,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 - depends_on:
   - rgm-publish
   image: us.gcr.io/kubernetes-dev/package-publish:latest
@@ -4844,9 +5044,26 @@ platform:
 services: []
 steps:
 - commands:
+  - echo $(/usr/bin/github-app-external-token) > /github-app/token
+  environment:
+    GITHUB_APP_ID:
+      from_secret: github-app-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: github-app-installation-id
+    GITHUB_APP_PRIVATE_KEY:
+      from_secret: github-app-private-key
+  image: us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
+  name: github-app-generate-token
+  volumes:
+  - name: github-app
+    path: /github-app
+- commands:
+  - export GITHUB_TOKEN=$(cat /github-app/token)
   - 'dagger run --silent /src/grafana-build artifacts -a $${ARTIFACTS} --grafana-ref=$${GRAFANA_REF}
     --enterprise-ref=$${ENTERPRISE_REF} --grafana-repo=$${GRAFANA_REPO} --version=$${VERSION} '
   - --go-version=1.23.1
+  depends_on:
+  - github-app-generate-token
   environment:
     _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
       from_secret: dagger_token
@@ -4865,8 +5082,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GO_VERSION: 1.23.1
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
@@ -4885,6 +5100,8 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  - name: github-app
+    path: /github-app
 - commands:
   - printenv GCP_KEY_BASE64 | base64 -d > /tmp/key.json
   - gcloud auth activate-service-account --key-file=/tmp/key.json
@@ -4906,8 +5123,6 @@ steps:
       from_secret: grafana_api_key
     GCP_KEY_BASE64:
       from_secret: gcp_key_base64
-    GITHUB_TOKEN:
-      from_secret: github_token
     GPG_PASSPHRASE:
       from_secret: packages_gpg_passphrase
     GPG_PRIVATE_KEY:
@@ -5471,6 +5686,7 @@ steps:
   - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM koalaman/shellcheck:stable
   - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM rockylinux:9
   - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM scottyhardy/docker-wine:stable-9.0
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
   depends_on:
   - authenticate-gcr
   image: aquasec/trivy:0.21.0
@@ -5509,6 +5725,7 @@ steps:
   - trivy --exit-code 1 --severity HIGH,CRITICAL koalaman/shellcheck:stable
   - trivy --exit-code 1 --severity HIGH,CRITICAL rockylinux:9
   - trivy --exit-code 1 --severity HIGH,CRITICAL scottyhardy/docker-wine:stable-9.0
+  - trivy --exit-code 1 --severity HIGH,CRITICAL us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59
   depends_on:
   - authenticate-gcr
   environment:
@@ -5541,6 +5758,24 @@ volumes:
 - name: config
   temp: {}
 ---
+get:
+  name: app-id
+  path: ci/data/repo/grafana/grafana/github-app
+kind: secret
+name: github-app-app-id
+---
+get:
+  name: app-installation-id
+  path: ci/data/repo/grafana/grafana/github-app
+kind: secret
+name: github-app-installation-id
+---
+get:
+  name: private-key
+  path: ci/data/repo/grafana/grafana/github-app
+kind: secret
+name: github-app-private-key
+---
 get:
   name: credentials.json
   path: infra/data/ci/grafana-release-eng/grafanauploads
@@ -5571,12 +5806,6 @@ get:
 kind: secret
 name: gar
 ---
-get:
-  name: pat
-  path: ci/data/repo/grafana/grafana/grafanabot
-kind: secret
-name: github_token
----
 get:
   name: machine-user-token
   path: infra/data/ci/drone
@@ -5740,6 +5969,6 @@ kind: secret
 name: gcr_credentials
 ---
 kind: signature
-hmac: bb28bcd274c9d2ce724db12659ed6e3dcc461f8a07ae0eb9385a64ca5daad4de
+hmac: b164dd562488c482f2e670688fca02ae20dcd2e7841ec80c95838472842b4b5e
 
 ...

scripts/drone/events/release.star

@@ -7,6 +7,12 @@ load(
     "integration_test_services",
     "integration_test_services_volumes",
 )
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+    "github_app_step_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "compile_build_cmd",
@@ -69,10 +75,10 @@ def release_pr_step(depends_on = []):
         "image": images["curl"],
         "depends_on": depends_on,
         "environment": {
-            "GITHUB_TOKEN": from_secret("github_token"),
             "GH_CLI_URL": "https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz",
         },
         "commands": [
+            "export GITHUB_TOKEN=$(cat /github-app/token)",
             "apk add perl",
             "v_target=`echo $${{TAG}} | perl -pe 's/{}/v\\1.\\2.x/'`".format(semver_regex),
             # Install gh CLI
@@ -86,6 +92,7 @@ def release_pr_step(depends_on = []):
             "-f latest=$${LATEST} " +
             "--repo=grafana/grafana release-pr.yml",
         ],
+        "volumes": github_app_step_volumes(),
     }
 
 def release_npm_packages_step():
@@ -149,7 +156,8 @@ def publish_artifacts_pipelines(mode):
         compile_build_cmd(),
         publish_artifacts_step(),
         publish_storybook_step(),
-        release_pr_step(depends_on = ["publish-artifacts"]),
+        github_app_generate_token_step(),
+        release_pr_step(depends_on = ["publish-artifacts", github_app_generate_token_step()["name"]]),
     ]
 
     return [
@@ -162,6 +170,7 @@ def publish_artifacts_pipelines(mode):
             steps = [
                 release_pr_step(),
             ],
+            volumes = github_app_pipeline_volumes(),
         ),
         pipeline(
             name = "publish-artifacts-{}".format(mode),

scripts/drone/pipelines/benchmarks.star

@@ -7,6 +7,11 @@ load(
     "integration_test_services",
     "integration_test_services_volumes",
 )
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "compile_build_cmd",
@@ -32,10 +37,13 @@ def integration_benchmarks(prefix):
     environment = {"EDITION": "oss"}
 
     services = integration_test_services()
-    volumes = integration_test_services_volumes()
+    volumes = integration_test_services_volumes() + github_app_pipeline_volumes()
 
     # In pull requests, attempt to clone grafana enterprise.
-    init_steps = [enterprise_setup_step(isPromote = True)]
+    init_steps = [
+        github_app_generate_token_step(),
+        enterprise_setup_step(isPromote = True),
+    ]
 
     verify_step = verify_gen_cue_step()
     verify_jsonnet_step = verify_gen_jsonnet_step()

scripts/drone/pipelines/build.star

@@ -1,5 +1,10 @@
 """This module contains the comprehensive build pipeline."""
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "build_frontend_package_step",
@@ -57,6 +62,7 @@ def build_e2e(trigger, ver_mode):
 
     environment = {"EDITION": "oss"}
     init_steps = [
+        github_app_generate_token_step(),
         identify_runner_step(),
         download_grabpl_step(),
         compile_build_cmd(),
@@ -173,4 +179,5 @@ def build_e2e(trigger, ver_mode):
         services = [],
         steps = init_steps + build_steps,
         trigger = trigger,
+        volumes = github_app_pipeline_volumes(),
     )

scripts/drone/pipelines/integration_tests.star

@@ -7,6 +7,11 @@ load(
     "integration_test_services",
     "integration_test_services_volumes",
 )
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "compile_build_cmd",
@@ -50,8 +55,11 @@ def integration_tests(trigger, prefix, ver_mode = "pr"):
 
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
+        init_steps.append(github_app_generate_token_step())
         init_steps.append(enterprise_setup_step())
 
+        volumes += github_app_pipeline_volumes()
+
     init_steps += [
         download_grabpl_step(),
         compile_build_cmd(),

scripts/drone/pipelines/lint_backend.star

@@ -2,6 +2,11 @@
 This module returns the pipeline used for linting backend code.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "compile_build_cmd",
@@ -37,10 +42,15 @@ def lint_backend_pipeline(trigger, ver_mode):
         compile_build_cmd(),
     ]
 
+    volumes = []
+
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
+        init_steps.append(github_app_generate_token_step())
         init_steps.append(enterprise_setup_step())
 
+        volumes += github_app_pipeline_volumes()
+
     init_steps.append(wire_step)
 
     test_steps = [
@@ -57,4 +67,5 @@ def lint_backend_pipeline(trigger, ver_mode):
         services = [],
         steps = init_steps + test_steps,
         environment = environment,
+        volumes = volumes,
     )

scripts/drone/pipelines/lint_frontend.star

@@ -2,6 +2,11 @@
 This module returns the pipeline used for linting frontend code.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "enterprise_setup_step",
@@ -31,9 +36,16 @@ def lint_frontend_pipeline(trigger, ver_mode):
     lint_step = lint_frontend_step()
     i18n_step = verify_i18n_step()
 
+    volumes = []
+
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
-        init_steps = [enterprise_setup_step()]
+        init_steps = [
+            github_app_generate_token_step(),
+            enterprise_setup_step(),
+        ]
+
+        volumes += github_app_pipeline_volumes()
 
     init_steps += [
         identify_runner_step(),
@@ -50,4 +62,5 @@ def lint_frontend_pipeline(trigger, ver_mode):
         services = [],
         steps = init_steps + test_steps,
         environment = environment,
+        volumes = volumes,
     )

scripts/drone/pipelines/swagger_gen.star

@@ -2,6 +2,11 @@
 This module returns all pipelines used in OpenAPI specification generation of Grafana HTTP APIs
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "enterprise_setup_step",
@@ -14,10 +19,6 @@ load(
     "scripts/drone/utils/utils.star",
     "pipeline",
 )
-load(
-    "scripts/drone/vault.star",
-    "from_secret",
-)
 
 def swagger_gen_step(ver_mode):
     if ver_mode != "pr":
@@ -26,9 +27,6 @@ def swagger_gen_step(ver_mode):
     return {
         "name": "swagger-gen",
         "image": images["go"],
-        "environment": {
-            "GITHUB_TOKEN": from_secret("github_token"),
-        },
         "commands": [
             "apk add --update git make",
             "make swagger-clean && make openapi3-gen",
@@ -42,6 +40,7 @@ def swagger_gen_step(ver_mode):
 
 def swagger_gen(ver_mode, source = "${DRONE_SOURCE_BRANCH}"):
     test_steps = [
+        github_app_generate_token_step(),
         enterprise_setup_step(source = source, canFail = True),
         swagger_gen_step(ver_mode = ver_mode),
     ]
@@ -53,6 +52,7 @@ def swagger_gen(ver_mode, source = "${DRONE_SOURCE_BRANCH}"):
         },
         services = [],
         steps = test_steps,
+        volumes = github_app_pipeline_volumes(),
     )
 
     return p

scripts/drone/pipelines/test_backend.star

@@ -2,6 +2,11 @@
 This module returns the pipeline used for testing backend code.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "enterprise_setup_step",
@@ -34,10 +39,15 @@ def test_backend(trigger, ver_mode):
     verify_step = verify_gen_cue_step()
     verify_jsonnet_step = verify_gen_jsonnet_step()
 
+    volumes = []
+
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
+        steps.append(github_app_generate_token_step())
         steps.append(enterprise_setup_step())
 
+        volumes += github_app_pipeline_volumes()
+
     steps += [
         identify_runner_step(),
         verify_step,
@@ -52,4 +62,5 @@ def test_backend(trigger, ver_mode):
         trigger = trigger,
         steps = steps,
         environment = environment,
+        volumes = volumes,
     )

scripts/drone/pipelines/test_frontend.star

@@ -2,6 +2,11 @@
 This module returns the pipeline used for testing backend code.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_pipeline_volumes",
+)
 load(
     "scripts/drone/steps/lib.star",
     "betterer_frontend_step",
@@ -35,10 +40,15 @@ def test_frontend(trigger, ver_mode):
 
     test_step = test_frontend_step()
 
+    volumes = []
+
     if ver_mode == "pr":
         # In pull requests, attempt to clone grafana enterprise.
+        steps.append(github_app_generate_token_step())
         steps.append(enterprise_setup_step())
 
+        volumes += github_app_pipeline_volumes()
+
     steps.append(test_step)
 
     return pipeline(
@@ -46,4 +56,5 @@ def test_frontend(trigger, ver_mode):
         trigger = trigger,
         steps = steps,
         environment = environment,
+        volumes = volumes,
     )

scripts/drone/rgm.star

@@ -20,6 +20,11 @@ load(
     "scripts/drone/pipelines/whats_new_checker.star",
     "whats_new_checker_pipeline",
 )
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_step_volumes",
+)
 load(
     "scripts/drone/utils/images.star",
     "images",
@@ -42,7 +47,6 @@ load(
     "rgm_destination",
     "rgm_downloads_destination",
     "rgm_gcp_key_base64",
-    "rgm_github_token",
     "rgm_storybook_destination",
 )
 
@@ -111,7 +115,6 @@ def rgm_env_secrets(env):
     env["DOWNLOADS_DESTINATION"] = from_secret(rgm_downloads_destination)
 
     env["GCP_KEY_BASE64"] = from_secret(rgm_gcp_key_base64)
-    env["GITHUB_TOKEN"] = from_secret(rgm_github_token)
     env["_EXPERIMENTAL_DAGGER_CLOUD_TOKEN"] = from_secret(rgm_dagger_token)
     env["GPG_PRIVATE_KEY"] = from_secret("packages_gpg_private_key")
     env["GPG_PUBLIC_KEY"] = from_secret("packages_gpg_public_key")
@@ -142,12 +145,13 @@ def rgm_run(name, script):
         "pull": "always",
         "commands": [
             "export GRAFANA_DIR=$$(pwd)",
+            "export GITHUB_TOKEN=$(cat /github-app/token)",
             "cd /src && ./scripts/{}".format(script),
         ],
         "environment": rgm_env_secrets(env),
         # The docker socket is a requirement for running dagger programs
         # In the future we should find a way to use dagger without mounting the docker socket.
-        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
+        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}] + github_app_step_volumes(),
     }
 
     return [
@@ -345,6 +349,7 @@ def rgm_promotion_pipeline():
         "image": "grafana/grafana-build:main",
         "pull": "always",
         "commands": [
+            "export GITHUB_TOKEN=$(cat /github-app/token)",
             "dagger run --silent /src/grafana-build artifacts " +
             "-a $${ARTIFACTS} " +
             "--grafana-ref=$${GRAFANA_REF} " +
@@ -356,12 +361,16 @@ def rgm_promotion_pipeline():
         "environment": rgm_env_secrets(env),
         # The docker socket is a requirement for running dagger programs
         # In the future we should find a way to use dagger without mounting the docker socket.
-        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}],
+        "volumes": [{"name": "docker", "path": "/var/run/docker.sock"}] + github_app_step_volumes(),
     }
 
+    generate_token_step = github_app_generate_token_step()
     publish_step = rgm_copy("dist/*", "$${UPLOAD_TO}")
-
+    build_step["depends_on"] = [
+        generate_token_step["name"],
+    ]
     steps = [
+        generate_token_step,
         build_step,
         publish_step,
     ]

scripts/drone/steps/github.star

@@ -0,0 +1,40 @@
+"""
+This module is used to interface with the GitHub App to extract temporary installation tokens.
+"""
+
+load(
+    "scripts/drone/utils/images.star",
+    "images",
+)
+load(
+    "scripts/drone/vault.star",
+    "from_secret",
+    "github_app_app_id",
+    "github_app_app_installation_id",
+    "github_app_private_key",
+)
+
+def github_app_step_volumes():
+    return [
+        {"name": "github-app", "path": "/github-app"},
+    ]
+
+def github_app_pipeline_volumes():
+    return [
+        {"name": "github-app", "temp": {}},
+    ]
+
+def github_app_generate_token_step():
+    return {
+        "name": "github-app-generate-token",
+        "image": images["github_app_secret_writer"],
+        "environment": {
+            "GITHUB_APP_ID": from_secret(github_app_app_id),
+            "GITHUB_APP_INSTALLATION_ID": from_secret(github_app_app_installation_id),
+            "GITHUB_APP_PRIVATE_KEY": from_secret(github_app_private_key),
+        },
+        "commands": [
+            "echo $(/usr/bin/github-app-external-token) > /github-app/token",
+        ],
+        "volumes": github_app_step_volumes(),
+    }

scripts/drone/steps/lib.star

@@ -2,6 +2,11 @@
 This module is a library of Drone steps and other pipeline components.
 """
 
+load(
+    "scripts/drone/steps/github.star",
+    "github_app_generate_token_step",
+    "github_app_step_volumes",
+)
 load(
     "scripts/drone/steps/rgm.star",
     "rgm_build_backend_step",
@@ -99,23 +104,25 @@ def clone_enterprise_step_pr(source = "${DRONE_COMMIT}", target = "main", canFai
         check = []
     else:
         check = [
-            'is_fork=$(curl --retry 5 "https://$GITHUB_TOKEN@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST" | jq .head.repo.fork)',
+            'is_fork=$(curl --retry 5 "https://$${GITHUB_TOKEN}@api.github.com/repos/grafana/grafana/pulls/$DRONE_PULL_REQUEST" | jq .head.repo.fork)',
             'if [ "$is_fork" != false ]; then return 1; fi',  # Only clone if we're confident that 'fork' is 'false'. Fail if it's also empty.
         ]
 
     step = {
         "name": "clone-enterprise",
         "image": images["git"],
-        "environment": {
-            "GITHUB_TOKEN": from_secret("github_token"),
-        },
         "commands": [
             "apk add --update curl jq bash",
+            "GITHUB_TOKEN=$(cat /github-app/token)",
         ] + check + [
-            'git clone "https://$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git" ' + location,
+            'git clone "https://x-access-token:$${GITHUB_TOKEN}@github.com/grafana/grafana-enterprise.git" ' + location,
             "cd {}".format(location),
             'if git checkout {0}; then echo "checked out {0}"; elif git checkout {1}; then echo "git checkout {1}"; else git checkout main; fi'.format(source, target),
         ],
+        "depends_on": [
+            github_app_generate_token_step()["name"],
+        ],
+        "volumes": github_app_step_volumes(),
     }
 
     if canFail:
@@ -316,6 +323,7 @@ def e2e_tests_artifacts():
             "end-to-end-tests-panels-suite",
             "end-to-end-tests-smoke-tests-suite",
             "end-to-end-tests-various-suite",
+            github_app_generate_token_step()["name"],
         ],
         "failure": "ignore",
         "when": {
@@ -327,9 +335,9 @@ def e2e_tests_artifacts():
         "environment": {
             "GCP_GRAFANA_UPLOAD_ARTIFACTS_KEY": from_secret(gcp_upload_artifacts_key),
             "E2E_TEST_ARTIFACTS_BUCKET": "releng-pipeline-artifacts-dev",
-            "GITHUB_TOKEN": from_secret("github_token"),
         },
         "commands": [
+            "export GITHUB_TOKEN=$(cat /github-app/token)",
             # if no videos found do nothing
             "if [ -z `find ./e2e -type f -name *spec.ts.mp4` ]; then echo 'missing videos'; false; fi",
             "apt-get update",
@@ -344,6 +352,7 @@ def e2e_tests_artifacts():
             'curl -X POST https://api.github.com/repos/${DRONE_REPO}/statuses/${DRONE_COMMIT_SHA} -H "Authorization: token $${GITHUB_TOKEN}" -d ' +
             '"{\\"state\\":\\"success\\",\\"target_url\\":\\"$${E2E_ARTIFACTS_VIDEO_ZIP}\\", \\"description\\": \\"Click on the details to download e2e recording videos\\", \\"context\\": \\"e2e_artifacts\\"}"',
         ],
+        "volumes": github_app_step_volumes(),
     }
 
 def playwright_e2e_report_upload():
@@ -380,6 +389,7 @@ def playwright_e2e_report_post_link():
         "image": images["curl"],
         "depends_on": [
             "playwright-e2e-report-upload",
+            github_app_generate_token_step()["name"],
         ],
         "failure": "ignore",
         "when": {
@@ -388,10 +398,8 @@ def playwright_e2e_report_post_link():
                 "failure",
             ],
         },
-        "environment": {
-            "GITHUB_TOKEN": from_secret("github_token"),
-        },
         "commands": [
+            "GITHUB_TOKEN=$(cat /github-app/token)",
             # if the trace doesn't folder exists, it means that there are no failed tests.
             "if [ ! -d ./playwright-report/trace ]; then echo 'all tests passed'; exit 0; fi",
             # if it exists, we will post a comment on the PR with the link to the report
@@ -403,6 +411,7 @@ def playwright_e2e_report_post_link():
             '-H "X-GitHub-Api-Version: 2022-11-28" -d ' +
             '"{\\"body\\":\\"❌ Failed to run Playwright plugin e2e tests. <br /> <br /> Click [here]($${E2E_PLAYWRIGHT_REPORT_URL}) to browse the Playwright report and trace viewer. <br /> For information on how to run Playwright tests locally, refer to the [Developer guide](https://github.com/grafana/grafana/blob/main/contribute/developer-guide.md#to-run-the-playwright-tests). \\"}"',
         ],
+        "volumes": github_app_step_volumes(),
     }
 
 def upload_cdn_step(ver_mode, trigger = None, depends_on = ["grafana-server"]):
@@ -852,7 +861,6 @@ def cloud_plugins_e2e_tests_step(suite, cloud, trigger = None):
         environment = {
             "CYPRESS_CI": "true",
             "HOST": "grafana-server",
-            "GITHUB_TOKEN": from_secret("github_token"),
             "AZURE_SP_APP_ID": from_secret("azure_sp_app_id"),
             "AZURE_SP_PASSWORD": from_secret("azure_sp_app_pw"),
             "AZURE_TENANT": from_secret("azure_tenant"),
@@ -873,9 +881,15 @@ def cloud_plugins_e2e_tests_step(suite, cloud, trigger = None):
         "image": "us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0",
         "depends_on": [
             "grafana-server",
+            github_app_generate_token_step()["name"],
         ],
         "environment": environment,
-        "commands": ["cd /", "./cpp-e2e/scripts/ci-run.sh {} {}".format(cloud, branch)],
+        "commands": [
+            "GITHUB_TOKEN=$(cat /github-app/token)",
+            "cd /",
+            "./cpp-e2e/scripts/ci-run.sh {} {}".format(cloud, branch),
+        ],
+        "volumes": github_app_step_volumes(),
     }
     step = dict(step, when = when)
     return step

scripts/drone/utils/images.star

@@ -37,4 +37,5 @@ images = {
     "shellcheck": "koalaman/shellcheck:stable",
     "rocky": "rockylinux:9",
     "wine": "scottyhardy/docker-wine:stable-9.0",
+    "github_app_secret_writer": "us-docker.pkg.dev/grafanalabs-global/docker-deployment-tools-prod/github-app-secret-writer:2024-11-05-v11688112090.1-83920c59",
 }

scripts/drone/vault.star

@@ -9,16 +9,20 @@ gcp_upload_artifacts_key = "gcp_upload_artifacts_key"
 gcp_grafanauploads = "gcp_grafanauploads"
 gcp_grafanauploads_base64 = "gcp_grafanauploads_base64"
 gcp_download_build_container_assets_key = "gcp_download_build_container_assets_key"
+
 azure_sp_app_id = "azure_sp_app_id"
 azure_sp_app_pw = "azure_sp_app_pw"
 azure_tenant = "azure_tenant"
 
+github_app_app_id = "github-app-app-id"
+github_app_app_installation_id = "github-app-installation-id"
+github_app_private_key = "github-app-private-key"
+
 rgm_gcp_key_base64 = "gcp_key_base64"
 rgm_destination = "destination"
 rgm_storybook_destination = "rgm_storybook_destination"
 rgm_cdn_destination = "rgm_cdn_destination"
 rgm_downloads_destination = "rgm_downloads_destination"
-rgm_github_token = "github_token"
 rgm_dagger_token = "dagger_token"
 
 docker_username = "docker_username"
@@ -41,12 +45,14 @@ def vault_secret(name, path, key):
 
 def secrets():
     return [
+        vault_secret(github_app_app_id, "ci/data/repo/grafana/grafana/github-app", "app-id"),
+        vault_secret(github_app_app_installation_id, "ci/data/repo/grafana/grafana/github-app", "app-installation-id"),
+        vault_secret(github_app_private_key, "ci/data/repo/grafana/grafana/github-app", "private-key"),
         vault_secret(gcp_grafanauploads, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials.json"),
         vault_secret(gcp_grafanauploads_base64, "infra/data/ci/grafana-release-eng/grafanauploads", "credentials_base64"),
         vault_secret("grafana_api_key", "infra/data/ci/grafana-release-eng/grafanacom", "api_key"),
         vault_secret(gcr_pull_secret, "secret/data/common/gcr", ".dockerconfigjson"),
         vault_secret(gar_pull_secret, "secret/data/common/gar", ".dockerconfigjson"),
-        vault_secret("github_token", "ci/data/repo/grafana/grafana/grafanabot", "pat"),
         vault_secret(drone_token, "infra/data/ci/drone", "machine-user-token"),
         vault_secret(prerelease_bucket, "infra/data/ci/grafana/prerelease", "bucket"),
         vault_secret(docker_username, "infra/data/ci/grafanaci-docker-hub", "username"),