This pull request updates multiple GitHub Actions workflows to improve
security, stability, and functionality. The most notable changes include
pinning action versions to specific commit SHAs, adding validation for
branch names, and updating dependencies and configurations.
### Security Improvements:
* Added `persist-credentials: false` to `actions/checkout` steps in
`.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml`
and `.github/workflows/e2e-tests.yml` to reduce the risk of unauthorized
access to credentials.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9R29)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
* Validated branch names against a safe pattern in
`.github/workflows/linting-and-tests.yml` to prevent potential misuse of
branch names in subsequent steps.
### Stability Enhancements:
* Pinned all third-party GitHub Actions to specific commit SHAs across
various workflows to ensure consistent and predictable behavior.
Examples include
`grafana/shared-workflows/actions/build-push-to-dockerhub`,
`catchpoint/workflow-telemetry-action`, and
`actions-ecosystem/action-remove-labels`.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9L37-R38)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
[[3]](diffhunk://#diff-f93a3de9563193d65121683e6383741ac4b6aa18bdb51ba82b80497e700561cdL15-R15)
* Updated Helm-related actions in
`.github/workflows/linting-and-tests.yml` and
`.github/workflows/on-release-published.yml` to specific SHAs for better
reliability.
[[1]](diffhunk://#diff-a70d3d29c45894eeef2036c533385dbc424f9479590aaea01e62c06dc67079a1L147-R170)
[[2]](diffhunk://#diff-e95a5d3f03a1351728732657b6b150cfbbd9a9724b387226b1f99f079b1954b0L91-R91)
### Functional Updates:
* Enhanced `.github/workflows/linting-and-tests.yml` by using validated
branch references in Git commands to avoid errors caused by unsafe
branch names.
* Updated `snyk/actions/setup` in
`.github/workflows/snyk-security-scan.yml` to a specific SHA for
improved compatibility and security.
These changes collectively enhance the security, reliability, and
maintainability of the workflows.
# What this PR does
Add [`yamllint`](https://github.com/adrienverge/yamllint) to
`pre-commit` configuration + fix pre-existing errors
## Checklist
- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
# What this PR does
The `docs/reference` shortcode supports contextual destinations and
version inference.
`<ONCALL VERSION>` is inferred to match the version of the documentation
set. For example, the inferred version for the page
/docs/grafana/oncall/latest/get-started/ is "latest". It can also be
overriden using front matter.
Given the same page, but with the additional front matter
`oncall_version: next`, the variable is substituted with "next" rather
than "latest".
Contextual destinations are achieved using repeated labels in the
shortcode inner text. The format is [<LABEL>]: "<PAGE PATH PREFIX> ->
<HUGO REFERENCE>".
- _`<LABEL>`_ matches the reference style link label used in the rest of
the text.
- _`<PAGE PATH PREFIX>`_ is matched against the page during the
production build. If the match is successful, the destination that is
used is _`<HUGO REFERENCE>`_. The first matching prefix is used, not the
longest matching prefix.
## Which issue(s) this PR fixes
- Broken links due to ambiguous relref resolution. Any relref parameter
that does not start with either `/`, `./`, or `../` can resolve
ambiguously and is resulting in broken link behavior on the current
site.
- Broken links in Grafana Cloud. We mount OnCall documentation in
Grafana Cloud. In https://github.com/grafana/website/pull/13872 the
location will become /docs/grafana-cloud/alerting-and-irm/oncall. This
PR is intended to be merged alongside that PR.
---------
Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
Co-authored-by: Joey Orlando <joey.orlando@grafana.com>
