From c86a73c79405e9b539c26a58d5890f61fb302618 Mon Sep 17 00:00:00 2001 From: Horst Gutmann Date: Thu, 17 Aug 2023 16:43:26 +0200 Subject: [PATCH] CI: Move npm token to Vault (#73407) --- .drone.yml | 8 +++++++- scripts/drone/events/release.star | 3 ++- scripts/drone/steps/lib.star | 3 ++- scripts/drone/vault.star | 7 +++++++ 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/.drone.yml b/.drone.yml index 524b970ef0d..b4178b4d25a 100644 --- a/.drone.yml +++ b/.drone.yml @@ -4449,6 +4449,12 @@ get: kind: secret name: azure_tenant --- +get: + name: token + path: infra/data/ci/grafana-release-eng/npm +kind: secret +name: npm_token +--- get: name: public-key-b64 path: infra/data/ci/packages-publish/gpg @@ -4540,6 +4546,6 @@ kind: secret name: delivery-bot-app-private-key --- kind: signature -hmac: fe5607d33fe4779ac63a4a77e9bf174afb0d477b0cb89009ed8a55abd733bfe0 +hmac: da71a34a4dca17f08a083941cc4f8582abc5c855dca13382a54db96c23ea7e65 ... diff --git a/scripts/drone/events/release.star b/scripts/drone/events/release.star index b2655c0f955..13f5f72efda 100644 --- a/scripts/drone/events/release.star +++ b/scripts/drone/events/release.star @@ -55,6 +55,7 @@ load( "scripts/drone/vault.star", "from_secret", "gcp_upload_artifacts_key", + "npm_token", "prerelease_bucket", ) load( @@ -124,7 +125,7 @@ def release_npm_packages_step(): ], "failure": "ignore", "environment": { - "NPM_TOKEN": from_secret("npm_token"), + "NPM_TOKEN": from_secret(npm_token), }, "commands": ["./bin/build artifacts npm release --tag ${DRONE_TAG}"], } diff --git a/scripts/drone/steps/lib.star b/scripts/drone/steps/lib.star index 725863ad082..c4034f7317d 100644 --- a/scripts/drone/steps/lib.star +++ b/scripts/drone/steps/lib.star @@ -8,6 +8,7 @@ load( "gcp_grafanauploads", "gcp_grafanauploads_base64", "gcp_upload_artifacts_key", + "npm_token", "prerelease_bucket", ) load( 
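Review bot: In release_npm_packages_step the context line `"failure": "ignore"` means a wrong Vault path or key for the new `npm_token` secret would go unnoticed. Presumably NPM_TOKEN then resolves to an empty value, the publish command fails, and the tag pipeline still reports success. Since this commit changes where the token comes from, I would either drop the ignore for this step or add a comment next to it such as `# publish failures are ignored; check this step's log after changing the NPM_TOKEN source`. The step's dict starts above the hunk, so the reason for the ignore is not visible here.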
@@ -1139,7 +1140,7 @@ def release_canary_npm_packages_step(trigger = None): "image": images["build_image"], "depends_on": end_to_end_tests_deps(), "environment": { - "NPM_TOKEN": from_secret("npm_token"), + "NPM_TOKEN": from_secret(npm_token), }, "commands": [ "./scripts/publish-npm-packages.sh --dist-tag 'canary' --registry 'https://registry.npmjs.org'", diff --git a/scripts/drone/vault.star b/scripts/drone/vault.star index ad98a74996f..eb7c9944dca 100644 --- a/scripts/drone/vault.star +++ b/scripts/drone/vault.star @@ -17,6 +17,8 @@ rgm_destination = "destination" rgm_github_token = "github_token" rgm_dagger_token = "dagger_token" +npm_token = "npm_token" + def from_secret(secret): return {"from_secret": secret} @@ -64,6 +66,11 @@ def secrets(): "infra/data/ci/datasources/cpp-azure-resourcemanager-credentials", "tenant_id", ), + vault_secret( + npm_token, + "infra/data/ci/grafana-release-eng/npm", + "token", + ), # Package publishing vault_secret( "packages_gpg_public_key",
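Review bot: The new `vault_secret(npm_token, ...)` entry in secrets() sits between the Azure credentials and the `# Package publishing` group with no comment of its own; a heading such as `# npm registry publish token, used by release_npm_packages_step and release_canary_npm_packages_step` would keep the list readable. Both steps (release.star and lib.star in this patch) read this one secret, so a single credential covers tagged releases and `canary` publishes. It is worth confirming that the Vault entry is restricted to this repository and to non-pull-request events, which the pipeline files here cannot show. Once the Vault copy is in use, any repository-level secret of the same name that still exists should be removed and the token rotated. secrets() begins and ends outside the hunk.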