Cleanup github actions files (#367)

kevinwcyu · web-flow · commit 6fcc9248a69e · 2025-05-05T11:45:04.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -23,6 +23,8 @@ jobs:
       GRAFANA_ACCESS_POLICY_TOKEN: ${{ secrets.GRAFANA_ACCESS_POLICY_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js environment
         uses: actions/setup-node@v4
@@ -52,13 +54,13 @@ jobs:
           cache-dependency-path: "**/*.sum"
 
       - name: Test backend
-        uses: magefile/mage-action@v3
+        uses: magefile/mage-action@6f50bbb8ea47d56e62dee92392788acbc8192d0b # v3.1.0
         with:
           version: latest
           args: coverage
 
       - name: Build backend
-        uses: magefile/mage-action@v3
+        uses: magefile/mage-action@6f50bbb8ea47d56e62dee92392788acbc8192d0b # v3.1.0
         with:
           version: latest
           args: build:linux
@@ -82,9 +84,12 @@ jobs:
 
       - name: Package plugin
         id: package-plugin
+        env:
+          PLUGIN_ID: ${{ steps.metadata.outputs.plugin-id }}
+          ARCHIVE: ${{ steps.metadata.outputs.archive }}
         run: |
-          mv dist ${{ steps.metadata.outputs.plugin-id }}
-          zip ${{ steps.metadata.outputs.archive }} ${{ steps.metadata.outputs.plugin-id }} -r
+          mv dist "$PLUGIN_ID"
+          zip "$ARCHIVE" "$PLUGIN_ID" -r
 
       - name: Archive Build
         uses: actions/upload-artifact@v4
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -4,7 +4,6 @@ on:
 
 permissions:
   contents: read
-  id-token: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -20,6 +19,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - name: Resolve Grafana E2E versions
         id: resolve-versions
         uses: grafana/plugin-actions/e2e-version@main
@@ -28,6 +30,8 @@ jobs:
 
   playwright-tests:
     needs: resolve-versions
+    permissions:
+      id-token: write
     timeout-minutes: 60
     strategy:
       fail-fast: false
@@ -42,6 +46,8 @@ jobs:
         run: echo "Running for ${{ matrix.GRAFANA_IMAGE.name }}@${{ matrix.GRAFANA_IMAGE.VERSION }}"
 
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js environment
         uses: actions/setup-node@v4
@@ -53,7 +59,7 @@ jobs:
         run: yarn install
 
       - name: Install Mage
-        uses: magefile/mage-action@v3
+        uses: magefile/mage-action@6f50bbb8ea47d56e62dee92392788acbc8192d0b # v3.1.0
         with:
           install-only: true
 
@@ -72,12 +78,7 @@ jobs:
           GRAFANA_VERSION=${{ matrix.GRAFANA_IMAGE.VERSION }} GRAFANA_IMAGE=${{ matrix.GRAFANA_IMAGE.NAME }} docker compose up -d
 
       - name: Wait for Grafana to start
-        uses: nev7n/wait_for_response@v1
-        with:
-          url: 'http://localhost:3000/'
-          responseCode: 200
-          timeout: 60000
-          interval: 500
+        uses: grafana/plugin-actions/wait-for-grafana@main
 
       - name: Run Playwright tests
         id: run-tests
diff --git a/.github/workflows/is-compatible.yml b/.github/workflows/is-compatible.yml
@@ -1,11 +1,16 @@
 name: Latest Grafana API compatibility check
 on: [pull_request]
+permissions: {}
 
 jobs:
   compatibilitycheck:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Node.js environment
         uses: actions/setup-node@v4
         with:
diff --git a/.github/workflows/issue_commands.yml b/.github/workflows/issue_commands.yml
@@ -2,8 +2,12 @@ name: Run commands when issues are labeled
 on:
   issues:
     types: [labeled, unlabeled]
+permissions: {}
 jobs:
   main:
+    permissions:
+      contents: read
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions
@@ -12,14 +16,22 @@ jobs:
           repository: 'grafana/grafana-github-actions'
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
+      - name: Get secrets from vault
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            AWS_DS_TOKEN_CREATOR_ID=aws-ds-token-creator:app_id
+            AWS_DS_TOKEN_CREATOR_PEM=aws-ds-token-creator:pem
       - name: 'Generate token'
         id: generate_token
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
         with:
-          app_id: ${{ secrets.AWS_DS_TOKEN_CREATOR_ID }}
-          private_key: ${{ secrets.AWS_DS_TOKEN_CREATOR_PEM }}
+          app_id: ${{ env.AWS_DS_TOKEN_CREATOR_ID }}
+          private_key: ${{ env.AWS_DS_TOKEN_CREATOR_PEM }}
       - name: Run Commands
         uses: ./actions/commands
         with:
diff --git a/.github/workflows/pr-commands.yml b/.github/workflows/pr-commands.yml
@@ -6,24 +6,36 @@ on:
       - opened
 concurrency:
   group: pr-commands-${{ github.event.number }}
+permissions: {}
 jobs:
   main:
     runs-on: ubuntu-latest
+    permissions: 
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout Actions
         uses: actions/checkout@v4
         with:
           repository: 'grafana/grafana-github-actions'
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
+      - name: Get secrets from vault
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            AWS_DS_TOKEN_CREATOR_ID=aws-ds-token-creator:app_id
+            AWS_DS_TOKEN_CREATOR_PEM=aws-ds-token-creator:pem        
       - name: 'Generate token'
         id: generate_token
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
         with:
-          app_id: ${{ secrets.AWS_DS_TOKEN_CREATOR_ID }}
-          private_key: ${{ secrets.AWS_DS_TOKEN_CREATOR_PEM }}
+          app_id: ${{ env.AWS_DS_TOKEN_CREATOR_ID }}
+          private_key: ${{ env.AWS_DS_TOKEN_CREATOR_PEM }}
       - name: Run Commands
         uses: ./actions/commands
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,8 +7,7 @@ on:
     tags:
       - 'v*' # Run workflow on version tags, e.g. v1.0.0.
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   release:
@@ -17,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: grafana/plugin-actions/build-plugin@release
         with:
           policy_token: ${{ secrets.GRAFANA_ACCESS_POLICY_TOKEN }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: any
+        github/*: any
+        grafana/*: any
