grafana/.github/workflows/ephemeral-instances-pr-comment.yml

name: "Ephemeral instances"

on:
  issue_comment:
    types: [created]
  pull_request:
    types: [closed]

permissions: {}

jobs:
  handle-ephemeral-instances:
    if: ${{ github.event.issue.pull_request && (startsWith(github.event.comment.body, '/deploy-to-hg') || github.event.action == 'closed') && github.repository_owner == 'grafana' }}
    runs-on:
      labels: ubuntu-latest-8-cores
    continue-on-error: true
    permissions:
      # For commenting.
      pull-requests: write
      # No contents permission is needed because we will impersonate an app to create the PR instead.
      id-token: write # required for vault access

    steps:
      - name: Get vault secrets
        id: vault-secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@main
        with:
          # Secrets placed in ci/repo/grafana/grafana/
          repo_secrets: |
            APP_ID=ephemeral-instances-bot:app-id
            APP_PEM=ephemeral-instances-bot:app-private-key
            GCOM_HOST=ephemeral-instances-bot:gcom-host
            GCOM_TOKEN=ephemeral-instances-bot:gcom-token
            REGISTRY=ephemeral-instances-bot:registry
            GCP_SA_ACCOUNT_KEY_BASE64=ephemeral-instances-bot:sa-key

      - name: Generate a GitHub app installation token
        id: generate_token
        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
        with:
          app_id: ${{ env.APP_ID }}
          private_key: ${{ env.APP_PEM }}

      - name: Checkout ephemeral instances repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          repository: grafana/ephemeral-grafana-instances-github-action
          token: ${{ steps.generate_token.outputs.token }}
          ref: main
          path: ephemeral
          persist-credentials: false

      - name: build and deploy ephemeral instance
        uses: ./ephemeral
        with:
          github-token: ${{ steps.generate_token.outputs.token }}
          gcom-host: ${{ env.GCOM_HOST }}
          gcom-token: ${{ env.GCOM_TOKEN }}
          registry: "${{ env.REGISTRY }}"
          gcp-service-account-key: ${{ env.GCP_SA_ACCOUNT_KEY_BASE64 }}
          ephemeral-org-id: ephemeral
          oss-or-enterprise: oss
          verbose: true