This pull request updates multiple GitHub Actions workflows to improve security, stability, and functionality. The most notable changes include pinning action versions to specific commit SHAs, adding validation for branch names, and updating dependencies and configurations. ### Security Improvements: * Added `persist-credentials: false` to `actions/checkout` steps in `.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml` and `.github/workflows/e2e-tests.yml` to reduce the risk of unauthorized access to credentials. [[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9R29) [[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59) * Validated branch names against a safe pattern in `.github/workflows/linting-and-tests.yml` to prevent potential misuse of branch names in subsequent steps. ### Stability Enhancements: * Pinned all third-party GitHub Actions to specific commit SHAs across various workflows to ensure consistent and predictable behavior. Examples include `grafana/shared-workflows/actions/build-push-to-dockerhub`, `catchpoint/workflow-telemetry-action`, and `actions-ecosystem/action-remove-labels`. [[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9L37-R38) [[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59) [[3]](diffhunk://#diff-f93a3de9563193d65121683e6383741ac4b6aa18bdb51ba82b80497e700561cdL15-R15) * Updated Helm-related actions in `.github/workflows/linting-and-tests.yml` and `.github/workflows/on-release-published.yml` to specific SHAs for better reliability. 
[[1]](diffhunk://#diff-a70d3d29c45894eeef2036c533385dbc424f9479590aaea01e62c06dc67079a1L147-R170) [[2]](diffhunk://#diff-e95a5d3f03a1351728732657b6b150cfbbd9a9724b387226b1f99f079b1954b0L91-R91) ### Functional Updates: * Enhanced `.github/workflows/linting-and-tests.yml` by using validated branch references in Git commands to avoid errors caused by unsafe branch names. * Updated `snyk/actions/setup` in `.github/workflows/snyk-security-scan.yml` to a specific SHA for improved compatibility and security. These changes collectively enhance the security, reliability, and maintainability of the workflows.
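# Release pipeline: runs when a GitHub release is published. It lints/tests,
# publishes the frontend plugin to grafana.com (via a public GCS object),
# publishes the engine image to Docker Hub, and finally bumps the Helm chart
# through an auto-merged PR.
name: On release published

on:
  release:
    types:
      - published

jobs:
  # Every publish job below is gated on the shared lint/test workflow.
  linting-and-tests:
    name: Linting and tests
    uses: ./.github/workflows/linting-and-tests.yml

  build-sign-and-publish-plugin-to-gcom:
    name: Build, sign, and publish frontend plugin to grafana.com
    needs:
      - linting-and-tests
    runs-on: ubuntu-latest
    # These permissions are needed to assume roles from Github's OIDC.
    # https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout project
        # NOTE(review): still tag-pinned while the rest of this file is SHA-pinned;
        # pin to a commit SHA if the repo policy is to SHA-pin every action.
        uses: actions/checkout@v4
        with:
          # No later step in this job pushes to git (the local composite actions are
          # build/sign steps), so do not leave the job's GITHUB_TOKEN in .git/config
          # for the steps that also hold the Vault-sourced secrets.
          persist-credentials: false
      - name: Install frontend dependencies
        uses: ./.github/actions/install-frontend-dependencies
      # This will fetch the secret keys from vault and set them as environment variables for subsequent steps
      - name: Get Vault secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
        with:
          repo_secrets: |
            GRAFANA_ACCESS_POLICY_TOKEN=grafana_cloud_access_policy_token:value
            GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON=github_actions:gcs-plugin-publisher
      - name: Build, sign, and package plugin
        id: build-sign-and-package-plugin
        uses: ./.github/actions/build-sign-and-package-plugin
        with:
          plugin_version_number: ${{ github.ref_name }}
      - name: Authenticate with GCS
        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f #v2.1.7
        with:
          credentials_json: ${{ env.GCS_PLUGIN_PUBLISHER_SERVICE_ACCOUNT_JSON }}
      - name: Publish plugin artifact to GCS
        uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 #v2.2.1
        with:
          path: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }}
          destination: grafana-oncall-app/releases
          # The object is intentionally world-readable: grafana.com is handed this URL below.
          predefinedAcl: publicRead
      - name: Determine GCS artifact URL
        shell: bash
        id: gcs-artifact-url
        # The version is handed to the script through the environment instead of being
        # expanded into the script text with ${{ }}, so it can never be interpreted as
        # shell syntax (same pattern as the GITHUB_REF_NAME usage further down).
        env:
          AUTHORITATIVE_VERSION: ${{ steps.build-sign-and-package-plugin.outputs.authoritative_version_number }}
        # yamllint disable rule:line-length
        run: |
          echo "url=https://storage.googleapis.com/grafana-oncall-app/releases/grafana-oncall-app-${AUTHORITATIVE_VERSION}.zip" >> "$GITHUB_OUTPUT"
        # yamllint enable rule:line-length
      - name: Publish plugin to grafana.com
        shell: bash
        env:
          ARTIFACT_PATH: grafana-plugin/${{ steps.build-sign-and-package-plugin.outputs.artifact_filename }}
          ARTIFACT_URL: ${{ steps.gcs-artifact-url.outputs.url }}
        # yamllint disable rule:line-length
        run: |
          # Hash the artifact this job built and uploaded instead of re-downloading it:
          # the previous `curl -sL ... | md5sum` had no `-f`, so a failed download would
          # have hashed the error body and submitted that digest to grafana.com.
          # (The listing showed `cut -d'' ''`, i.e. an empty delimiter; `-d' '` is what is meant.)
          artifact_md5="$(md5sum "${ARTIFACT_PATH}" | cut -d' ' -f1)"
          # GRAFANA_ACCESS_POLICY_TOKEN is exported by the "Get Vault secrets" step; read it
          # as a shell variable so the secret is not expanded into the script text.
          curl -f -w "status=%{http_code}" -s \
            -H "Authorization: Bearer ${GRAFANA_ACCESS_POLICY_TOKEN}" \
            -d "download[any][url]=${ARTIFACT_URL}" \
            -d "download[any][md5]=${artifact_md5}" \
            -d url=https://github.com/grafana/oncall/grafana-plugin \
            https://grafana.com/api/plugins
        # yamllint enable rule:line-length

  build-engine-docker-image-and-publish-to-dockerhub:
    name: Build engine Docker image and publish to Dockerhub
    needs:
      - linting-and-tests
    uses: ./.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml
    with:
      engine_version: ${{ github.ref_name }}
      # https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input
      docker_image_tags: |
        type=raw,value=${{ github.ref_name }}
        type=raw,value=latest

  create-helm-release-pr:
    name: Create Helm release PR
    needs:
      - build-sign-and-publish-plugin-to-gcom
      - build-engine-docker-image-and-publish-to-dockerhub
    runs-on: ubuntu-latest
    # Least privilege: this job only has to push the release branch and open the PR.
    # It previously ran with the repository's default GITHUB_TOKEN permissions.
    permissions:
      contents: write
      pull-requests: write
    outputs:
      helm_release_pr_number: ${{ fromJSON(steps.update-helm-chart-pr.outputs.pull_request).number }}
    steps:
      - name: Checkout project
        # NOTE(review): persist-credentials is left at its default here because
        # yaml-update-action below commits the branch. Confirm whether it commits via
        # the GitHub API with its `token` input (then `persist-credentials: false` is
        # safe to add, as in the job above) or via the checkout's git credentials.
        uses: actions/checkout@v4
      - name: Prepare version tags
        id: prepare-version-tags
        # GITHUB_REF_NAME is the release tag; the chart version drops its first
        # character (presumably a leading "v"). Both values are read as shell
        # variables, never expanded into the script with ${{ }}.
        run: |
          echo app-version="${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
          echo version="${GITHUB_REF_NAME:1}" >> $GITHUB_OUTPUT
      - name: Update oncall Helm chart Chart.yaml
        id: update-helm-chart-pr
        uses: fjogeleit/yaml-update-action@d98ee6a10a971effea75480e3f315e4dacc89a23 #v0.12.3
        with:
          valueFile: helm/oncall/Chart.yaml
          branch: helm-release/${{ steps.prepare-version-tags.outputs.version }}
          targetBranch: main
          masterBranchName: main
          createPR: true
          # yamllint disable rule:line-length
          description: |
            This PR was created automatically by [this github action](https://github.com/grafana/oncall/blob/dev/.github/workflows/on-release-published.yml).

            It will be auto-merged very soon, which will then release the updated version of the chart into the `grafana/helm-charts` helm repository.
          # yamllint enable rule:line-length
          message: "Release oncall Helm chart ${{ steps.prepare-version-tags.outputs.version }}"
          changes: |
            {
              "version": "${{ steps.prepare-version-tags.outputs.version }}",
              "appVersion": "${{ steps.prepare-version-tags.outputs.app-version }}"
            }

  merge-helm-release-pr:
    name: Merge Helm release PR
    needs:
      - create-helm-release-pr
    runs-on: ubuntu-latest
    # These permissions are needed to assume roles from Github's OIDC.
    # https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Get Vault secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
        with:
          repo_secrets: |
            GH_APP_ID=github-app:app-id
            GH_APP_PRIVATE_KEY=github-app:private-key

      # The merge is done with a GitHub App token rather than GITHUB_TOKEN, presumably so
      # that the resulting push to main still triggers downstream workflows.
      - name: Generate Github App token
        id: generate-token
        # NOTE(review): still tag-pinned, unlike the other third-party actions in this file.
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ env.GH_APP_ID }}
          private-key: ${{ env.GH_APP_PRIVATE_KEY }}

      - name: Merge pull Request
        uses: juliangruber/merge-pull-request-action@d4773803fdc1d1fd46801ab0c56c135df9075de8 #v1.1.1
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          number: ${{ needs.create-helm-release-pr.outputs.helm_release_pr_number }}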