diff --git a/.github/workflows/deploy-release.yml b/.github/workflows/deploy-release.yml new file mode 100644 index 0000000..f9b5da4 --- /dev/null +++ b/.github/workflows/deploy-release.yml @@ -0,0 +1,23 @@ +name: deploy tagged release to prod + +on: + workflow_dispatch: + push: + branches: + - main + tags: + - 'v*' # Run workflow on version tags, e.g. v1.0.0. + +permissions: + contents: 'write' + id-token: 'write' + attestations: 'write' + +jobs: + CD: + name: Deploy to dev, ops, and prod + uses: grafana/plugin-ci-workflows/.github/workflows/cd.yml@main + with: + environment: 'prod' + upload-playwright-artifacts: true # IMPORTANT: we must ensure there are no unmasked secrets in the E2E tests + attestation: true # this guarantees that the plugin was built from the source code provided in the release diff --git a/.github/workflows/plugin-artifact.yml b/.github/workflows/plugin-artifact.yml deleted file mode 100644 index 8623262..0000000 --- a/.github/workflows/plugin-artifact.yml +++ /dev/null @@ -1,104 +0,0 @@ -name: build & upload plugin artifact to GCS - -on: - workflow_dispatch: - push: - branches: - - main - tags: - - 'v*' # Run workflow on version tags, e.g. v1.0.0. - -permissions: - contents: 'read' - id-token: 'write' - -jobs: - build: - name: Build, lint and unit tests - runs-on: ubuntu-latest - outputs: - archive: ${{ steps.build.outputs.archive }} - plugin-id: ${{ steps.build.outputs.plugin-id }} - plugin-version: ${{ steps.build.outputs.plugin-version }} - - steps: - - uses: actions/checkout@v4 - # Only build and release if the repository is grafana/metrics-drilldown (not a fork) - if: github.repository == 'grafana/metrics-drilldown' - - - name: Setup Node.js environment - uses: actions/setup-node@v4 - with: - node-version: '22' - cache: 'npm' - - - name: Install dependencies - run: npm ci - - - name: Check types - run: npm run typecheck - - - name: Lint - run: npm run lint - - - name: Unit tests - run: npm run test:ci - - - id: get-secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main - with: - common_secrets: | - GRAFANA_ACCESS_POLICY_TOKEN=plugins/sign-plugin-access-policy-token:token - - - name: Call shared build action - id: build - uses: ./.github/actions/build - with: - policy_token: ${{ env.GRAFANA_ACCESS_POLICY_TOKEN }} - - upload-to-gcs: - runs-on: ubuntu-latest - needs: [build] - - steps: - - uses: actions/checkout@v4 - - - name: Set filename suffix - id: set-suffix - run: | - if [[ $GITHUB_REF == refs/tags/v* ]]; then - # For tags, use the version number without the 'v' prefix - echo "suffix=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT - else - # For main branch pushes, use 'latest' - echo "suffix=latest" >> $GITHUB_OUTPUT - fi - - - name: Download zip - uses: actions/download-artifact@v4 - with: - name: ${{ needs.build.outputs.archive }} - - - id: get-secrets - uses: grafana/shared-workflows/actions/get-vault-secrets@main - with: - common_secrets: | - GCP_UPLOAD_ARTIFACTS_KEY=grafana/integration-artifacts-uploader-service-account:'credentials.json' - - - id: 'auth' - uses: 'google-github-actions/auth@v2' - with: - credentials_json: '${{ env.GCP_UPLOAD_ARTIFACTS_KEY }}' - - - name: Rename zip file if tagged version - if: ${{ steps.set-suffix.outputs.suffix != 'latest' }} - run: | - mv ${{ needs.build.outputs.archive }} ${{ needs.build.outputs.plugin-id }}-${{ steps.set-suffix.outputs.suffix }}.zip - - - id: 'upload-to-gcs' - name: 'Upload assets to main' - uses: 'google-github-actions/upload-cloud-storage@v1' - with: - path: ./${{ needs.build.outputs.plugin-id }}-${{ steps.set-suffix.outputs.suffix }}.zip - destination: 'integration-artifacts/${{ needs.build.outputs.plugin-id }}/' - parent: false