From b2f2cda3db48d24b7c3b7c8bcbad3dd9846b5405 Mon Sep 17 00:00:00 2001 From: Kevin Minehart <5140827+kminehart@users.noreply.github.com> Date: Thu, 18 Sep 2025 17:35:55 -0500 Subject: [PATCH] [release-12.1.2] backport bump-version.yml and release-build.yml (#111351) --- .github/workflows/bump-version.yml | 28 ++++-- .github/workflows/release-build.yml | 145 +++++++++++++++++++++++++-- .github/workflows/release-npm.yml | 148 ++++++++++++++++++++++++++++ 3 files changed, 304 insertions(+), 17 deletions(-) create mode 100644 .github/workflows/release-npm.yml diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index e9c902fe484..45aeb486738 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -13,17 +13,29 @@ on: required: false permissions: - contents: write - pull-requests: write + id-token: write + contents: read jobs: bump-version: runs-on: ubuntu-latest steps: - - name: Checkout Grafana - uses: actions/checkout@v4 + - uses: grafana/shared-workflows/actions/get-vault-secrets@main with: - persist-credentials: false + repo_secrets: | + GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + with: + app_id: ${{ vars.DELIVERY_BOT_APP_ID }} + private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }} + repositories: '["grafana"]' + permissions: '{"contents": "write", "pull_requests": "write", "workflows": "write"}' + - name: Checkout Grafana + uses: actions/checkout@v5 + with: + token: ${{ steps.generate_token.outputs.token }} - name: Update package.json versions uses: ./pkg/build/actions/bump-version with: 
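Review bot: The new `uses: grafana/shared-workflows/actions/get-vault-secrets@main` step, which fetches the delivery-bot private key, is referenced by a mutable branch while the `tibdex/github-app-token` step beside it is pinned to a commit SHA; pin it to a release tag or SHA the way release-build.yml pins `dockerhub-login@dockerhub-login/v1.0.2` (the same `@main` reference recurs in the new `notify-pr` job of the release-build.yml hunk, and that tag pin could itself be a SHA with a `# v1.0.2` comment). The replacement `actions/checkout@v5` step drops the previous `persist-credentials: false`, so the app token, which this hunk grants `contents`, `pull_requests` and `workflows` write, stays in `.git/config` for every later step, including the local `./pkg/build/actions/bump-version` action. That is presumably what the push in the next hunk relies on, since `GH_TOKEN` is read by gh rather than git, but a comment such as `# credentials are persisted so the bump step below can push its branch` would make the intent explicit. The `Update package.json versions` step continues outside the hunk.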
@@ -35,10 +47,10 @@ jobs: DRY_RUN: ${{ inputs.dry_run }} REF_NAME: ${{ github.ref_name }} RUN_ID: ${{ github.run_id }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.generate_token.outputs.token }} run: | - git config --local user.name "github-actions[bot]" - git config --local user.email "github-actions[bot]@users.noreply.github.com" + git config --local user.name "grafana-delivery-bot[bot]" + git config --local user.email "grafana-delivery-bot[bot]@users.noreply.github.com" git config --local --add --bool push.autoSetupRemote true git checkout -b "bump-version/${RUN_ID}/${VERSION}" git add . diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 33288a4f971..ff65d90cf5b 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -10,7 +10,7 @@ on: schedule: # Every weeknight at midnight # "Scheduled workflows will only run on the default branch." (docs.github.com) - - cron: "0 0 * * 1-5" + - cron: '0 0 * * 1-5' push: branches: - release-*.*.* @@ -49,14 +49,14 @@ jobs: setup: name: setup runs-on: github-hosted-ubuntu-x64-small - if: github.repository == 'grafana/grafana' + if: (github.repository == 'grafana/grafana') || (github.repository == 'grafana/grafana-security-mirror' && contains(github.ref_name, '+security')) outputs: version: ${{ steps.output.outputs.version }} grafana-commit: ${{ steps.output.outputs.grafana_commit }} permissions: contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: persist-credentials: false - name: Set up version (Release Branches) 
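Review bot: The new committer address `grafana-delivery-bot[bot]@users.noreply.github.com` omits the numeric user id that GitHub's noreply addresses for app bot accounts normally carry (`<id>+grafana-delivery-bot[bot]@users.noreply.github.com`), so the commits may not be attributed to the app's account; confirm the address against the app user before relying on it. Note that `GH_TOKEN` is consumed by gh, not git, so the push this step presumably ends with depends on the credential persisted by the checkout step in the previous hunk; the remainder of the step is outside the hunk.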
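Review bot: The new gate `contains(github.ref_name, '+security')` matches the substring anywhere in the ref name, so any branch on the security mirror whose name merely contains `+security` is admitted to the release build; if the mirror is only expected to build release branches, tighten it to something like `startsWith(github.ref_name, 'release-') && contains(github.ref_name, '+security')`. When this gate admits the mirror, the downstream jobs still point at the public repository (the `publish-artifact.yml@main` reusable workflow and the hard-coded `grafana/grafana-enterprise` dispatch in later hunks), so confirm that is intended for security-fix builds and consider a comment on the `if:` stating which branches of the mirror are meant to pass. The `setup` job continues past the hunk.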
@@ -103,11 +103,13 @@ jobs: BUILD_ID: ${{ github.run_id }} BUCKET: grafana-prerelease GRAFANA_COMMIT: ${{ needs.setup.outputs.grafana-commit }} + SOURCE_EVENT: ${{ inputs.source-event || github.event_name }} + REPO: ${{ github.repository }} with: github-token: ${{ steps.generate_token.outputs.token }} script: | - const {REF, VERSION, BUILD_ID, BUCKET, GRAFANA_COMMIT, GITHUB_EVENT_NAME} = process.env; - + const {REF, VERSION, BUILD_ID, BUCKET, GRAFANA_COMMIT, SOURCE_EVENT, REPO} = process.env; + await github.rest.actions.createWorkflowDispatch({ owner: 'grafana', repo: 'grafana-enterprise', @@ -118,7 +120,8 @@ jobs: "build-id": String(BUILD_ID), "bucket": BUCKET, "grafana-commit": GRAFANA_COMMIT, - "source-event": GITHUB_EVENT_NAME, + "source-event": SOURCE_EVENT, + "upstream": REPO, } }) @@ -137,7 +140,7 @@ jobs: # The downside to this is that the frontend will be built for each one when it could be reused for all of them. # This could be a future improvement. include: - - name: linux-amd64 + - name: linux-amd64 # publish-npm relies on this step building npm packages artifacts: targz:grafana:linux/amd64,deb:grafana:linux/amd64,rpm:grafana:linux/amd64,docker:grafana:linux/amd64,docker:grafana:linux/amd64:ubuntu,npm:grafana,storybook verify: true - name: linux-arm64 @@ -165,8 +168,8 @@ jobs: artifacts: targz:grafana:darwin/arm64 verify: true steps: - - uses: grafana/shared-workflows/actions/dockerhub-login@main - - uses: actions/checkout@v4 + - uses: grafana/shared-workflows/actions/dockerhub-login@dockerhub-login/v1.0.2 + - uses: actions/checkout@v5 with: persist-credentials: false - name: Set up QEMU @@ -194,6 +197,7 @@ jobs: name: artifacts-${{ matrix.name }} path: ${{ steps.build.outputs.dist-dir }} retention-days: 1 + publish-artifacts: name: Upload artifacts uses: grafana/grafana/.github/workflows/publish-artifact.yml@main 
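Review bot: The dispatch now sends `"upstream": REPO` (in the `@@ -118,7 +120,8` hunk), and the API rejects a workflow_dispatch whose inputs are not declared by the target workflow, so this fails until the receiving workflow in grafana-enterprise declares an `upstream` input; confirm that side has landed before this backport runs. Because `upstream` tells the receiver which repository the build came from, the receiver should compare it against the two expected values rather than use it directly as a checkout source. `SOURCE_EVENT: ${{ inputs.source-event || github.event_name }}` assumes the workflow declares a `source-event` input; if it does not, the expression silently falls back to the event name, which may be fine but deserves a comment such as `# source-event is supplied by workflow_dispatch callers; otherwise the triggering event`. The step's enclosing job starts outside the hunk.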
@@ -208,3 +212,126 @@ jobs: run-id: ${{ github.run_id }} bucket-path: ${{ needs.setup.outputs.version }}_${{ github.run_id }} environment: prod + + publish-dockerhub: + if: github.ref_name == 'main' + permissions: + contents: read + id-token: write + runs-on: ubuntu-x64-small + needs: + - setup + - build + steps: + - uses: grafana/shared-workflows/actions/dockerhub-login@dockerhub-login/v1.0.2 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 + with: + name: artifacts-list-linux-amd64 + path: . + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 + with: + name: artifacts-list-linux-arm64 + path: . + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 + with: + name: artifacts-list-linux-armv7 + path: . + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 + with: + name: artifacts-linux-amd64 + path: dist + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 + with: + name: artifacts-linux-arm64 + path: dist + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 + with: + name: artifacts-linux-armv7 + path: dist + - name: Push to Docker Hub + env: + VERSION: ${{ needs.setup.outputs.version }} + run: | + # grep can use a wildcard but then it includes the filename as part of the result and that gets complicated. 
+ # It's easier to use cat to combine the artifact lists + cat artifacts-*.txt > artifacts.txt + grep 'grafana_.*docker.tar.gz$' artifacts.txt | xargs -I % docker load -i % | sed 's/Loaded image: //g' | tee docker_images + while read -r line; do + # This tag will be `grafana/grafana-image-tags:...` + docker push "$line" + done < docker_images + + docker manifest create grafana/grafana:main "grafana/grafana-image-tags:${VERSION}-amd64" "grafana/grafana-image-tags:${VERSION}-arm64" "grafana/grafana-image-tags:${VERSION}-armv7" + docker manifest create grafana/grafana:main-ubuntu "grafana/grafana-image-tags:${VERSION}-ubuntu-amd64" "grafana/grafana-image-tags:${VERSION}-ubuntu-arm64" "grafana/grafana-image-tags:${VERSION}-ubuntu-armv7" + docker manifest create "grafana/grafana-dev:${VERSION}" "grafana/grafana-image-tags:${VERSION}-amd64" "grafana/grafana-image-tags:${VERSION}-arm64" "grafana/grafana-image-tags:${VERSION}-armv7" + docker manifest create "grafana/grafana-dev:${VERSION}-ubuntu" "grafana/grafana-image-tags:${VERSION}-ubuntu-amd64" "grafana/grafana-image-tags:${VERSION}-ubuntu-arm64" "grafana/grafana-image-tags:${VERSION}-ubuntu-armv7" + + docker manifest push grafana/grafana:main + docker manifest push grafana/grafana:main-ubuntu + docker manifest push "grafana/grafana-dev:${VERSION}" + docker manifest push "grafana/grafana-dev:${VERSION}-ubuntu" + + publish-npm-canaries: + if: github.ref_name == 'main' + name: Publish NPM canaries + uses: ./.github/workflows/release-npm.yml + permissions: + contents: read + id-token: write + needs: + - setup + - build + with: + grafana_commit: ${{ needs.setup.outputs.grafana-commit }} + version: ${{ needs.setup.outputs.version }} + build_id: ${{ github.run_id }} + version_type: "canary" + + # notify-pr creates (or updates) a comment in a pull request to link to this workflow where the release artifacts are + # being built. 
+ notify-pr: + runs-on: ubuntu-x64-small + permissions: + contents: read + id-token: write + needs: + - setup + steps: + - id: vault-secrets + uses: grafana/shared-workflows/actions/get-vault-secrets@main + with: + repo_secrets: | + GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a + with: + app_id: ${{ vars.DELIVERY_BOT_APP_ID }} + private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }} + repositories: '["grafana"]' + permissions: '{"issues": "write", "pull_requests": "write", "contents": "read"}' + - name: Find PR + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + GRAFANA_COMMIT: ${{ needs.setup.outputs.grafana-commit }} + run: echo "ISSUE_NUMBER=$(gh api "/repos/grafana/grafana/commits/${GRAFANA_COMMIT}/pulls" | jq -r '.[0].number')" >> "$GITHUB_ENV" + - name: Find Comment + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 + id: fc + with: + issue-number: ${{ env.ISSUE_NUMBER }} + comment-author: 'grafana-delivery-bot[bot]' + body-includes: GitHub Actions Build + token: ${{ steps.generate_token.outputs.token }} + - name: Create or update comment + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 + with: + token: ${{ steps.generate_token.outputs.token }} + comment-id: ${{ steps.fc.outputs.comment-id }} + issue-number: ${{ env.ISSUE_NUMBER }} + body: | + :rocket: Your submission is now being built and packaged. + + - [GitHub Actions Build](https://github.com/grafana/grafana/actions/runs/${{ github.run_id }}) + - Version: ${{ needs.setup.outputs.version }} + edit-mode: replace diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml new file mode 100644 index 00000000000..ff0af784232 --- /dev/null +++ b/.github/workflows/release-npm.yml 
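Review bot: In the `Push to Docker Hub` step the pipeline `grep ... | xargs -I % docker load -i % | sed ... | tee docker_images` runs under the implicit `bash -e {0}` shell, which has no `pipefail`, so a failed `docker load` is hidden behind `tee`'s exit status and the job carries on to `docker manifest create` with whatever images did load; add `shell: bash` to the step (GitHub then runs `bash -eo pipefail`) or begin the script with `set -euo pipefail`. In `notify-pr`, `jq -r '.[0].number'` prints the literal `null` when the commit has no associated pull request, and the job has no `if:` guard, so scheduled and release-branch runs will hand `issue-number: null` to find-comment and fail the job. Guard the two comment steps with `if: env.ISSUE_NUMBER != 'null' && env.ISSUE_NUMBER != ''`, or give the job an `if:` that limits it to builds derived from a pull request. The manifest commands hard-code `grafana/grafana:main`, which matches the job's `github.ref_name == 'main'` gate; a one-line comment tying the two together would spare the next reader the check.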
@@ -0,0 +1,148 @@ +name: Publish NPM packages +on: + workflow_call: + inputs: + grafana_commit: + description: 'Grafana commit SHA to build against' + required: true + type: string + version: + description: 'Version to publish as' + required: true + type: string + build_id: + description: 'Run ID from the original release-build workflow' + required: true + type: string + version_type: + description: 'Version type (canary, nightly, stable)' + required: true + type: string + + workflow_dispatch: + inputs: + grafana_commit: + description: 'Grafana commit SHA to build against' + required: true + version: + description: 'Version to publish as' + required: true + build_id: + description: 'Run ID from the original release-build workflow' + required: true + version_type: + description: 'Version type (canary, nightly, stable)' + required: true + +permissions: {} + +jobs: + # If called with version_type 'canary' or 'stable', build + publish to NPM + # If called with version_type 'nightly', just tag the given version with nightly tag. It was already published by the canary build. + + publish: + name: Publish NPM packages + runs-on: github-hosted-ubuntu-x64-small + if: inputs.version_type == 'canary' || inputs.version_type == 'stable' + permissions: + contents: read + id-token: write + steps: + - name: Info + env: + GITHUB_REF: ${{ github.ref }} + GRAFANA_COMMIT: ${{ inputs.grafana_commit }} + run: | + echo "GRAFANA_COMMIT: $GRAFANA_COMMIT" + echo "github.ref: $GITHUB_REF" + + - name: Checkout workflow ref + uses: actions/checkout@v4 + with: + persist-credentials: false + fetch-depth: 100 + fetch-tags: false + + # this will fail with "{commit} is not a valid commit" if the commit is valid but + # not in the last 100 commits. 
+ - name: Verify commit is in workflow HEAD + env: + GIT_COMMIT: ${{ inputs.grafana_commit }} + run: ./.github/workflows/scripts/validate-commit-in-head.sh + shell: bash + + - name: Map version type to NPM tag + id: npm-tag + env: + VERSION: ${{ inputs.version }} + VERSION_TYPE: ${{ inputs.version_type }} + REFERENCE_PKG: "@grafana/runtime" + run: | + TAG=$(./.github/workflows/scripts/determine-npm-tag.sh) + echo "NPM_TAG=$TAG" >> "$GITHUB_OUTPUT" + shell: bash + + - name: Checkout build commit + uses: actions/checkout@v4 + with: + persist-credentials: false + ref: ${{ inputs.grafana_commit }} + + - name: Setup Node + uses: ./.github/actions/setup-node + + # Trusted Publishing is only available in npm v11.5.1 and later + - name: Update npm + run: npm install -g npm@^11.5.1 + + - name: Install dependencies + run: yarn install --immutable + + - name: Typecheck packages + run: yarn run packages:typecheck + + - name: Version, build, and pack packages + env: + VERSION: ${{ inputs.version }} + run: | + yarn run packages:build + yarn lerna version "$VERSION" \ + --exact \ + --no-git-tag-version \ + --no-push \ + --force-publish \ + --yes + yarn run packages:pack + + - name: Debug packed files + run: tree -a ./npm-artifacts + + - name: Validate packages + run: ./scripts/validate-npm-packages.sh + + - name: Debug OIDC Claims + uses: github/actions-oidc-debugger@2e9ba5d3f4bebaad1f91a2cede055115738b7ae8 + with: + audience: '${{ github.server_url }}/${{ github.repository_owner }}' + + - name: Publish packages + env: + NPM_TAG: ${{ steps.npm-tag.outputs.NPM_TAG }} + run: ./scripts/publish-npm-packages.sh --dist-tag "$NPM_TAG" --registry 'https://registry.npmjs.org/' + + # TODO: finish this step + tag-nightly: + name: Tag nightly release + runs-on: github-hosted-ubuntu-x64-small + needs: publish + if: inputs.version_type == 'nightly' + + steps: + - name: Checkout workflow ref + uses: actions/checkout@v4 + with: + persist-credentials: false + + # TODO: tag the given release with 
nightly + +
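Review bot: `tag-nightly` can never run as written: it declares `needs: publish`, but `publish` is skipped whenever `inputs.version_type == 'nightly'`, and a job whose needed job was skipped is itself skipped unless its `if:` includes `always()` or `!cancelled()`; since the two jobs are mutually exclusive, drop the `needs: publish` line (or add the `!cancelled()` guard). The header comment above `publish` says a nightly call only re-tags a version the canary build already published, which supports removing the dependency rather than guarding it. Separately, the new file uses `actions/checkout@v4` in all three checkout steps while the other files in this backport move to `@v5`, and `npm install -g npm@^11.5.1` installs whatever the newest matching npm is at publish time; pinning an exact version keeps the trusted-publishing toolchain reproducible.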