[release-11.3.7] Backport workflow fixes (#104697)

* Copy workflows and actions from main

* add zizmor.yml

.github/workflows/alerting-update-module.yml

@@ -0,0 +1,137 @@
+name: Update Alerting Module
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  update-grafana:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        with:
+          persist-credentials: false
+      - name: Check if update branch exists
+        run: |
+          if git ls-remote --heads origin update-alerting-module | grep -q 'update-alerting-module'; then
+            echo "Branch 'update-alerting-module' already exists. There might be an open PR with Grafana updates."
+            echo "Please review and merge/close the existing PR before running this workflow again."
+            exit 1
+          fi
+
+      - name: Setup Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # 5.3.0
+        with:
+          "go-version-file": "go.mod"
+
+      - name: Extract current commit hash of alerting module
+        id: current-commit
+        run: |
+          FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
+          echo "from_commit=$FROM_COMMIT" >> $GITHUB_OUTPUT
+
+      - name: Get current branch name
+        id: current-branch-name
+        run: echo "name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
+
+      - name: Get latest commit
+        id: latest-commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          BRANCH="${{ steps.current-branch-name.outputs.name }}"
+          TO_COMMIT=$(gh api repos/grafana/alerting/commits/$BRANCH  --jq '.sha')
+           if [ -z "$TO_COMMIT" ]; then
+            echo "Branch $BRANCH not found in alerting repo, falling back to main branch"
+            exit 1
+          fi
+          echo "to_commit=$TO_COMMIT" >> $GITHUB_OUTPUT
+
+      - name: Compare commit hashes
+        run: |
+          FROM_COMMIT="${{ steps.current-commit.outputs.from_commit }}"
+          TO_COMMIT="${{ steps.latest-commit.outputs.to_commit }}"
+          
+          # Compare just the length of the shorter hash
+          SHORT_TO_COMMIT="${TO_COMMIT:0:${#FROM_COMMIT}}"
+          
+          if [ "$FROM_COMMIT" = "$SHORT_TO_COMMIT" ]; then
+            echo "Current version ($FROM_COMMIT) is already at latest ($SHORT_TO_COMMIT). No update needed."
+            exit 0
+          fi
+          echo "Updates available: $FROM_COMMIT -> $TO_COMMIT"
+
+      - name: Check for commit history
+        id: check-commits
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # get all commits that contains 'Alerting:' in the message          
+          ALERTING_COMMITS=$(gh api repos/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }} \
+            --jq '.commits[].commit.message | split("\n")[0]') || true
+          
+          # Use printf instead of echo -e for better multiline handling
+          printf "%s\n" "$ALERTING_COMMITS"
+          
+          # make the list for markdown and replace PR numbers with links
+          ALERTING_COMMITS_FORMATTED=$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)
+          
+          echo "alerting_commits<<EOF" >> $GITHUB_OUTPUT
+          echo "$ALERTING_COMMITS_FORMATTED" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Update alerting module
+        env:
+          GOSUMDB: off
+        run: |
+          go get github.com/grafana/alerting@${{ steps.latest-commit.outputs.to_commit }}
+          make update-workspace
+
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          repo_secrets: |
+            GITHUB_APP_ID=alerting-team:app-id
+            GITHUB_APP_PRIVATE_KEY=alerting-team:private-key
+
+      - name: "Generate token"
+        id: generate_token
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # 1.11.5
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # 7.0.6
+        id: create-pr
+        with:
+          token: '${{ steps.generate_token.outputs.token }}'
+          title:  'Alerting: Update alerting module to ${{ steps.latest-commit.outputs.to_commit }}'
+          branch: alerting/update-alerting-module
+          delete-branch: true
+          body: |
+            Updates Grafana Alerting module to latest version.
+
+            Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
+            <details>
+            <summary>Commits</summary>
+            
+            ${{ steps.check-commits.outputs.alerting_commits }}
+
+            </details>
+
+            Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
+      - name: Add PR URL to Summary
+        if: steps.create-pr.outputs.pull-request-url != ''
+        run: |
+          echo "## Pull Request Created" >> $GITHUB_STEP_SUMMARY
+          echo "🔗 [View Pull Request](${{ steps.create-pr.outputs.pull-request-url }})" >> $GITHUB_STEP_SUMMARY