name: Run commands when issues are labeled or comments added # important: this workflow uses a github app that is strictly limited # to issues. If you want to change the triggers for this workflow, # please review if the permissions are still sufficient. on: issues: types: [labeled, unlabeled] issue_comment: types: [created] concurrency: group: issue-commands-${{ github.event.issue.number }} permissions: {} jobs: config: runs-on: "ubuntu-latest" outputs: has-secrets: ${{ steps.check.outputs.has-secrets }} steps: - name: "Check for secrets" id: check shell: bash run: | if [ "${{ github.repository }}" == "grafana/grafana" ]; then echo "has-secrets=1" >> "$GITHUB_OUTPUT" fi main: needs: config if: needs.config.outputs.has-secrets runs-on: ubuntu-latest permissions: contents: read id-token: write steps: - name: "Get vault secrets" id: vault-secrets uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses] with: # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault repo_secrets: | GITHUB_APP_ID=grafana_pr_automation_app:app_id GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem - name: Generate token id: generate_token uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2 with: app-id: ${{ env.GITHUB_APP_ID }} private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }} - name: Checkout Actions uses: actions/checkout@v4 # v4.2.2 with: repository: "grafana/grafana-github-actions" path: ./actions ref: main persist-credentials: false - name: Install Actions run: npm install --production --prefix ./actions - name: Run Commands uses: ./actions/commands with: metricsWriteAPIKey: "" token: ${{ steps.generate_token.outputs.token }} configPath: commands