-
Notifications
You must be signed in to change notification settings - Fork 514
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[release-2.13] Update workflows to use actions that don't need organi…
…zation secrets (#9336) Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
- Loading branch information
1 parent
aa9f965
commit 44a32da
Showing
3 changed files
with
66 additions
and
176 deletions.
There are no files selected for viewing
64 changes: 19 additions & 45 deletions
64
.github/workflows/publish-technical-documentation-next.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,57 +1,31 @@ | ||
| name: "publish-technical-documentation-next" | ||
| name: publish-technical-documentation-next | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - "main" | ||
| - main | ||
| paths: | ||
| - "docs/sources/helm-charts/**" | ||
| - "docs/sources/mimir/**" | ||
| - "docs/sources/helm-charts/**" | ||
| - "docs/sources/mimir/**" | ||
| workflow_dispatch: | ||
| jobs: | ||
| test: | ||
| uses: ./.github/workflows/test-docs.yml | ||
|
|
||
| sync: | ||
| runs-on: "ubuntu-latest" | ||
| needs: "test" | ||
| if: github.repository == 'grafana/mimir' | ||
| needs: test | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: "Check out code" | ||
| uses: "actions/checkout@v4" | ||
|
|
||
| - name: "Clone website-sync Action" | ||
| # WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires. | ||
| # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization | ||
| # GitHub administrator to update the organization secret. | ||
| # The IT helpdesk can update the organization secret. | ||
| run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync" | ||
|
|
||
| - name: "Publish to website repository mimir (next)" | ||
| uses: "./.github/actions/website-sync" | ||
| id: "publish-next-mimir" | ||
| with: | ||
| repository: "grafana/website" | ||
| branch: "master" | ||
| host: "github.com" | ||
| # PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires. | ||
| # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization | ||
| # GitHub administrator to update the organization secret. | ||
| # The IT helpdesk can update the organization secret. | ||
| github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" | ||
| source_folder: "docs/sources/mimir" | ||
| target_folder: "content/docs/mimir/next" | ||
| allow_no_changes: true | ||
|
|
||
| - name: "Publish to website repository helm-charts/mimir-distributed (next)" | ||
| uses: "./.github/actions/website-sync" | ||
| id: "publish-next-mimir-distributed" | ||
| with: | ||
| repository: "grafana/website" | ||
| branch: "master" | ||
| host: "github.com" | ||
| # PUBLISH_TO_WEBSITE_MIMIR is a fine-grained GitHub Personal Access Token that expires. | ||
| # It must be updated in the grafanabot GitHub account. | ||
| github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" | ||
| source_folder: "docs/sources/helm-charts/mimir-distributed" | ||
| target_folder: "content/docs/helm-charts/mimir-distributed/next" | ||
| allow_no_changes: true | ||
| - uses: actions/checkout@v4 | ||
| - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 | ||
| with: | ||
| source_directory: docs/sources/mimir | ||
| website_directory: content/docs/mimir/next | ||
| - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 | ||
| with: | ||
| source_directory: docs/sources/helm-charts/mimir-distributed | ||
| website_directory: content/docs/helm-charts/mimir-distributed/next |
89 changes: 24 additions & 65 deletions
89
.github/workflows/publish-technical-documentation-release-helm-charts.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,76 +1,35 @@ | ||
| name: "publish-technical-documentation-release-helm-charts" | ||
| name: publish-technical-documentation-release-helm-charts | ||
|
|
||
| on: | ||
| push: | ||
| tags: # this excludes pre-releases, e.g. mimir-distributed-2.2.0-weekly.192 | ||
| - "mimir-distributed-[0-9]+.[0-9]+.[0-9]+" | ||
| - "mimir-distributed-[0-9]+.[0-9]+.[0-9]+" | ||
| branches: # this excludes pre-releases, e.g. mimir-distributed-2.2.0-weekly.192 | ||
| - "mimir-distributed-release-[0-9]+.[0-9]+" | ||
| - "mimir-distributed-release-[0-9]+.[0-9]+" | ||
| paths: | ||
| - "docs/sources/helm-charts/**" | ||
| - "operations/helm/charts/mimir-distributed/Chart.yaml" | ||
|
|
||
| workflow_dispatch: # for manual testing | ||
|
|
||
| - "docs/sources/helm-charts/**" | ||
| - "operations/helm/charts/mimir-distributed/Chart.yaml" | ||
| workflow_dispatch: | ||
| jobs: | ||
| test: | ||
| uses: ./.github/workflows/test-docs.yml | ||
|
|
||
| sync: | ||
| runs-on: "ubuntu-latest" | ||
| needs: "test" | ||
| if: github.repository == 'grafana/mimir' | ||
| needs: test | ||
| # The following permissions are required to to assume roles from GitHub's OIDC which is used to fetch secrets from Vault. | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
|
|
||
| - name: "Checkout Mimir repo" | ||
| uses: "actions/checkout@v4" | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: "Checkout Actions library" | ||
| uses: "actions/checkout@v4" | ||
| with: | ||
| repository: "grafana/grafana-github-actions" | ||
| path: "./actions" | ||
|
|
||
| - name: "Install Actions from library" | ||
| run: "npm install --production --prefix ./actions" | ||
|
|
||
| - name: "Determine if there is a matching release tag" | ||
| id: "has-matching-release-tag" | ||
| uses: "./actions/has-matching-release-tag" | ||
| with: | ||
| ref_name: "${{ github.ref_name }}" | ||
| release_tag_regexp: "^mimir-distributed-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
| release_branch_regexp: "^mimir-distributed-release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
|
|
||
| - name: "Determine technical documentation version" | ||
| if: "steps.has-matching-release-tag.outputs.bool == 'true'" | ||
| uses: "./actions/docs-target" | ||
| id: "target" | ||
| with: | ||
| ref_name: "${{ github.ref_name }}" | ||
|
|
||
| - name: "Clone website-sync Action" | ||
| if: "steps.has-matching-release-tag.outputs.bool == 'true'" | ||
| # WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires. | ||
| # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization | ||
| # GitHub administrator to update the organization secret. | ||
| # The IT helpdesk can update the organization secret. | ||
| run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync" | ||
|
|
||
| - name: "Publish to website repository (release)" | ||
| if: "steps.has-matching-release-tag.outputs.bool == 'true'" | ||
| uses: "./.github/actions/website-sync" | ||
| id: "publish-release" | ||
| with: | ||
| repository: "grafana/website" | ||
| branch: "master" | ||
| host: "github.com" | ||
| # PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires. | ||
| # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization | ||
| # GitHub administrator to update the organization secret. | ||
| # The IT helpdesk can update the organization secret. | ||
| github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" | ||
| source_folder: "docs/sources/helm-charts/mimir-distributed" | ||
| # Append ".x" to target to produce a v<major>.<minor>.x directory. | ||
| target_folder: "content/docs/helm-charts/mimir-distributed/${{ steps.target.outputs.target }}.x" | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| # Full fetch depth is required to fetch tags. The publishing workflow uses tags to prevent publishing a release branch before it has been formally released, as determined by the presence of a matching tag for the release branch. | ||
| fetch-depth: 0 | ||
| - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v1 | ||
| with: | ||
| release_tag_regexp: "^mimir-distributed-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
| release_branch_regexp: "^mimir-distributed-release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
| release_branch_with_patch_regexp: "^mimir-distributed-release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
| source_directory: docs/sources/helm-charts/mimir-distributed | ||
| website_directory: content/docs/helm-charts/mimir-distributed |
89 changes: 23 additions & 66 deletions
89
.github/workflows/publish-technical-documentation-release-mimir.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,77 +1,34 @@ | ||
| name: "publish-technical-documentation-release-mimir" | ||
| name: publish-technical-documentation-release-mimir | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - "release-*" | ||
| - "release-*" | ||
| tags: | ||
| - "mimir-[0-9]+.[0-9]+.[0-9]+" | ||
| - "mimir-[0-9]+.[0-9]+.[0-9]+" | ||
| paths: | ||
| - "docs/sources/mimir/**" | ||
|
|
||
| workflow_dispatch: # for manual testing | ||
|
|
||
| - "docs/sources/mimir/**" | ||
| workflow_dispatch: | ||
| jobs: | ||
| test: | ||
| uses: ./.github/workflows/test-docs.yml | ||
|
|
||
| sync: | ||
| runs-on: "ubuntu-latest" | ||
| needs: "test" | ||
| if: github.repository == 'grafana/mimir' | ||
| needs: test | ||
| # The following permissions are required to to assume roles from GitHub's OIDC which is used to fetch secrets from Vault. | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
|
|
||
| - name: "Checkout Mimir repo" | ||
| uses: "actions/checkout@v4" | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: "Checkout Actions library" | ||
| uses: "actions/checkout@v4" | ||
| with: | ||
| repository: "grafana/grafana-github-actions" | ||
| path: "./actions" | ||
|
|
||
| - name: "Install Actions from library" | ||
| run: "npm install --production --prefix ./actions" | ||
|
|
||
| - name: "Determine if there is a matching release tag" | ||
| id: "has-matching-release-tag" | ||
| uses: "./actions/has-matching-release-tag" | ||
| with: | ||
| ref_name: "${{ github.ref_name }}" | ||
| release_tag_regexp: "^mimir-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
| release_branch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
|
|
||
| - name: "Determine technical documentation version" | ||
| if: "steps.has-matching-release-tag.outputs.bool == 'true'" | ||
| uses: "./actions/docs-target" | ||
| id: "target" | ||
| with: | ||
| ref_name: "${{ github.ref_name }}" | ||
|
|
||
| - name: "Clone website-sync Action" | ||
| if: "steps.has-matching-release-tag.outputs.bool == 'true'" | ||
| # WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires. | ||
| # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization | ||
| # GitHub administrator to update the organization secret. | ||
| # The IT helpdesk can update the organization secret. | ||
| run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync" | ||
|
|
||
| - name: "Publish to website repository (release)" | ||
| if: "steps.has-matching-release-tag.outputs.bool == 'true'" | ||
| uses: "./.github/actions/website-sync" | ||
| id: "publish-release" | ||
| with: | ||
| repository: "grafana/website" | ||
| branch: "master" | ||
| host: "github.com" | ||
| # PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires. | ||
| # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization | ||
| # GitHub administrator to update the organization secret. | ||
| # The IT helpdesk can update the organization secret. | ||
| github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" | ||
| source_folder: "docs/sources/mimir" | ||
| # Append ".x" to target to produce a v<major>.<minor>.x directory. | ||
| target_folder: "content/docs/mimir/${{ steps.target.outputs.target }}.x" | ||
| # Patch releases may not have any new technical documentation. | ||
| allow_no_changes: true | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| # Full fetch depth is required to fetch tags. The publishing workflow uses tags to prevent publishing a release branch before it has been formally released, as determined by the presence of a matching tag for the release branch. | ||
| fetch-depth: 0 | ||
| - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v1 | ||
| with: | ||
| release_tag_regexp: "^mimir-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
| release_branch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
| release_branch_with_patch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" | ||
| source_directory: docs/sources/mimir | ||
| website_directory: content/docs/mimir |