# Owned by grafana-delivery-squad # Intended to be dropped into the base repo, Ex: grafana/grafana name: Dispatch sync to mirror run-name: dispatch-sync-to-mirror-${{ github.ref_name }} on: workflow_dispatch: push: branches: - "main" - "v*.*.*" - "release-*" permissions: {} # This is run after the pull request has been merged, so we'll run against the target branch jobs: dispatch-job: runs-on: ubuntu-latest permissions: id-token: write contents: read actions: write env: REF_NAME: ${{ github.ref_name }} REPO: ${{ github.repository }} SHA: ${{ github.sha }} steps: - name: "Get vault secrets" id: vault-secrets uses: grafana/shared-workflows/actions/get-vault-secrets@main with: # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault repo_secrets: | GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY - name: "Generate token" id: generate_token uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a with: # App needs Actions: Read/Write for the grafana/security-patch-actions repo app_id: ${{ vars.DELIVERY_BOT_APP_ID }} private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }} - uses: actions/github-script@v7 if: github.repository == 'grafana/grafana' with: github-token: ${{ steps.generate_token.outputs.token }} script: | const {REF_NAME, REPO, SHA} = process.env; await github.rest.actions.createWorkflowDispatch({ owner: 'grafana', repo: 'security-patch-actions', workflow_id: 'mirror-branch-and-apply-patches-event.yml', ref: 'main', inputs: { src_ref: REF_NAME, src_repo: REPO, src_sha: SHA, dest_repo: REPO + "-security-mirror", patch_repo: REPO + "-security-patches" } })