From 44a32da3482249f2e3d56440df04b11e68dd2c78 Mon Sep 17 00:00:00 2001
From: "Grot (@grafanabot)" <43478413+grafanabot@users.noreply.github.com>
Date: Fri, 20 Sep 2024 15:21:51 +0100
Subject: [PATCH] [release-2.13] Update workflows to use actions that don't need organization secrets (#9336)

Co-authored-by: Jack Baldry
---
.../publish-technical-documentation-next.yml | 64 ++++---------
...ical-documentation-release-helm-charts.yml | 89 +++++--------------
...-technical-documentation-release-mimir.yml | 89 +++++--------------
3 files changed, 66 insertions(+), 176 deletions(-)

diff --git a/.github/workflows/publish-technical-documentation-next.yml b/.github/workflows/publish-technical-documentation-next.yml
index 27c5fd35e7b..76b82029a68 100644
--- a/.github/workflows/publish-technical-documentation-next.yml
+++ b/.github/workflows/publish-technical-documentation-next.yml
@@ -1,57 +1,31 @@ -name: "publish-technical-documentation-next" +name: publish-technical-documentation-next on: push: branches: - - "main" + - main paths: - - "docs/sources/helm-charts/**" - - "docs/sources/mimir/**" + - "docs/sources/helm-charts/**" + - "docs/sources/mimir/**" workflow_dispatch: jobs: test: uses: ./.github/workflows/test-docs.yml sync: - runs-on: "ubuntu-latest" - needs: "test" + if: github.repository == 'grafana/mimir' + needs: test + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest steps: - - name: "Check out code" - uses: "actions/checkout@v4" - - - name: "Clone website-sync Action" - # WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires. - # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. - # The IT helpdesk can update the organization secret. - run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync" - - - name: "Publish to website repository mimir (next)" - uses: "./.github/actions/website-sync" - id: "publish-next-mimir" - with: - repository: "grafana/website" - branch: "master" - host: "github.com" - # PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires. - # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. - # The IT helpdesk can update the organization secret. 
- github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" - source_folder: "docs/sources/mimir" - target_folder: "content/docs/mimir/next" - allow_no_changes: true - - - name: "Publish to website repository helm-charts/mimir-distributed (next)" - uses: "./.github/actions/website-sync" - id: "publish-next-mimir-distributed" - with: - repository: "grafana/website" - branch: "master" - host: "github.com" - # PUBLISH_TO_WEBSITE_MIMIR is a fine-grained GitHub Personal Access Token that expires. - # It must be updated in the grafanabot GitHub account. - github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" - source_folder: "docs/sources/helm-charts/mimir-distributed" - target_folder: "content/docs/helm-charts/mimir-distributed/next" - allow_no_changes: true + - uses: actions/checkout@v4 + - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 + with: + source_directory: docs/sources/mimir + website_directory: content/docs/mimir/next + - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 + with: + source_directory: docs/sources/helm-charts/mimir-distributed + website_directory: content/docs/helm-charts/mimir-distributed/next diff --git a/.github/workflows/publish-technical-documentation-release-helm-charts.yml b/.github/workflows/publish-technical-documentation-release-helm-charts.yml index fcd93cce4bf..5cd1cfa61ca 100644 --- a/.github/workflows/publish-technical-documentation-release-helm-charts.yml +++ b/.github/workflows/publish-technical-documentation-release-helm-charts.yml 
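Review bot: Both new `uses:` steps in the `sync` job point at `grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1`, a movable ref (tag or branch), and that job is granted `id-token: write`. Whoever can move that ref changes the code that runs with this repository's OIDC identity, so I would pin both steps to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: grafana/writers-toolkit/publish-technical-documentation@<FULL_COMMIT_SHA>  # publish-technical-documentation/v1` (the SHA is a placeholder, not a real hash). The same applies to the `publish-technical-documentation-release@publish-technical-documentation-release/v1` steps in the helm-charts and mimir release workflows. The `permissions:` block in this file also lacks the explanatory comment that those two workflows carry above it.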
@@ -1,76 +1,35 @@ -name: "publish-technical-documentation-release-helm-charts" +name: publish-technical-documentation-release-helm-charts on: push: tags: # this excludes pre-releases, e.g. mimir-distributed-2.2.0-weekly.192 - - "mimir-distributed-[0-9]+.[0-9]+.[0-9]+" + - "mimir-distributed-[0-9]+.[0-9]+.[0-9]+" branches: # this excludes pre-releases, e.g. mimir-distributed-2.2.0-weekly.192 - - "mimir-distributed-release-[0-9]+.[0-9]+" + - "mimir-distributed-release-[0-9]+.[0-9]+" paths: - - "docs/sources/helm-charts/**" - - "operations/helm/charts/mimir-distributed/Chart.yaml" - - workflow_dispatch: # for manual testing - + - "docs/sources/helm-charts/**" + - "operations/helm/charts/mimir-distributed/Chart.yaml" + workflow_dispatch: jobs: test: uses: ./.github/workflows/test-docs.yml - sync: - runs-on: "ubuntu-latest" - needs: "test" + if: github.repository == 'grafana/mimir' + needs: test + # The following permissions are required to to assume roles from GitHub's OIDC which is used to fetch secrets from Vault. 
+ permissions: + contents: read + id-token: write + runs-on: ubuntu-latest steps: - - - name: "Checkout Mimir repo" - uses: "actions/checkout@v4" - with: - fetch-depth: 0 - - - name: "Checkout Actions library" - uses: "actions/checkout@v4" - with: - repository: "grafana/grafana-github-actions" - path: "./actions" - - - name: "Install Actions from library" - run: "npm install --production --prefix ./actions" - - - name: "Determine if there is a matching release tag" - id: "has-matching-release-tag" - uses: "./actions/has-matching-release-tag" - with: - ref_name: "${{ github.ref_name }}" - release_tag_regexp: "^mimir-distributed-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" - release_branch_regexp: "^mimir-distributed-release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" - - - name: "Determine technical documentation version" - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - uses: "./actions/docs-target" - id: "target" - with: - ref_name: "${{ github.ref_name }}" - - - name: "Clone website-sync Action" - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - # WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires. - # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. - # The IT helpdesk can update the organization secret. - run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync" - - - name: "Publish to website repository (release)" - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - uses: "./.github/actions/website-sync" - id: "publish-release" - with: - repository: "grafana/website" - branch: "master" - host: "github.com" - # PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires. 
- # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. - # The IT helpdesk can update the organization secret. - github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" - source_folder: "docs/sources/helm-charts/mimir-distributed" - # Append ".x" to target to produce a v..x directory. - target_folder: "content/docs/helm-charts/mimir-distributed/${{ steps.target.outputs.target }}.x" + - uses: actions/checkout@v4 + with: + # Full fetch depth is required to fetch tags. The publishing workflow uses tags to prevent publishing a release branch before it has been formally released, as determined by the presence of a matching tag for the release branch. + fetch-depth: 0 + - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v1 + with: + release_tag_regexp: "^mimir-distributed-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" + release_branch_regexp: "^mimir-distributed-release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" + release_branch_with_patch_regexp: "^mimir-distributed-release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" + source_directory: docs/sources/helm-charts/mimir-distributed + website_directory: content/docs/helm-charts/mimir-distributed diff --git a/.github/workflows/publish-technical-documentation-release-mimir.yml b/.github/workflows/publish-technical-documentation-release-mimir.yml index c064cca1300..c91b7b7d069 100644 --- a/.github/workflows/publish-technical-documentation-release-mimir.yml +++ b/.github/workflows/publish-technical-documentation-release-mimir.yml 
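Review bot: The new `release_branch_with_patch_regexp` input matches branch names with three numeric components (for example `mimir-distributed-release-2.13.1`, a constructed name), but the `branches` filter under `on.push` is still `"mimir-distributed-release-[0-9]+.[0-9]+"`, which as a GitHub filter pattern does not match such a name. As written, a push to a patch-level release branch never starts this workflow, so the new input can only take effect on a `workflow_dispatch` run. If patch-level branches are meant to publish, add `- "mimir-distributed-release-[0-9]+.[0-9]+.[0-9]+"` under `branches`; if not, a one-line comment on the input saying it only matters for manual runs would save the next reader the same question. How the action uses the three regexps is not visible in this hunk, so this is inferred from their names.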
@@ -1,77 +1,34 @@ -name: "publish-technical-documentation-release-mimir" +name: publish-technical-documentation-release-mimir on: push: branches: - - "release-*" + - "release-*" tags: - - "mimir-[0-9]+.[0-9]+.[0-9]+" + - "mimir-[0-9]+.[0-9]+.[0-9]+" paths: - - "docs/sources/mimir/**" - - workflow_dispatch: # for manual testing - + - "docs/sources/mimir/**" + workflow_dispatch: jobs: test: uses: ./.github/workflows/test-docs.yml - sync: - runs-on: "ubuntu-latest" - needs: "test" + if: github.repository == 'grafana/mimir' + needs: test + # The following permissions are required to to assume roles from GitHub's OIDC which is used to fetch secrets from Vault. + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest steps: - - - name: "Checkout Mimir repo" - uses: "actions/checkout@v4" - with: - fetch-depth: 0 - - - name: "Checkout Actions library" - uses: "actions/checkout@v4" - with: - repository: "grafana/grafana-github-actions" - path: "./actions" - - - name: "Install Actions from library" - run: "npm install --production --prefix ./actions" - - - name: "Determine if there is a matching release tag" - id: "has-matching-release-tag" - uses: "./actions/has-matching-release-tag" - with: - ref_name: "${{ github.ref_name }}" - release_tag_regexp: "^mimir-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" - release_branch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" - - - name: "Determine technical documentation version" - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - uses: "./actions/docs-target" - id: "target" - with: - ref_name: "${{ github.ref_name }}" - - - name: "Clone website-sync Action" - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - # WEBSITE_SYNC_TOKEN is a fine-grained GitHub Personal Access Token that expires. - # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. 
- # The IT helpdesk can update the organization secret. - run: "git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.WEBSITE_SYNC_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync" - - - name: "Publish to website repository (release)" - if: "steps.has-matching-release-tag.outputs.bool == 'true'" - uses: "./.github/actions/website-sync" - id: "publish-release" - with: - repository: "grafana/website" - branch: "master" - host: "github.com" - # PUBLISH_TO_WEBSITE_TOKEN is a fine-grained GitHub Personal Access Token that expires. - # It must be regenerated in the grafanabot GitHub account and requires a Grafana organization - # GitHub administrator to update the organization secret. - # The IT helpdesk can update the organization secret. - github_pat: "grafanabot:${{ secrets.PUBLISH_TO_WEBSITE_TOKEN }}" - source_folder: "docs/sources/mimir" - # Append ".x" to target to produce a v..x directory. - target_folder: "content/docs/mimir/${{ steps.target.outputs.target }}.x" - # Patch releases may not have any new technical documentation. - allow_no_changes: true + - uses: actions/checkout@v4 + with: + # Full fetch depth is required to fetch tags. The publishing workflow uses tags to prevent publishing a release branch before it has been formally released, as determined by the presence of a matching tag for the release branch. + fetch-depth: 0 + - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v1 + with: + release_tag_regexp: "^mimir-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" + release_branch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" + release_branch_with_patch_regexp: "^release-(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$" + source_directory: docs/sources/mimir + website_directory: content/docs/mimir
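Review bot: The comment added above `permissions:` has a doubled word ("required to to assume roles"), and the identical text is in the helm-charts release workflow. It is the only place that records why this job holds `id-token: write`, so it is worth getting right: `# These permissions are required to assume roles through GitHub's OIDC provider, which is used to fetch secrets from Vault.` The single-line comment above `fetch-depth: 0` is also very long and would read better wrapped over two or three `#` lines, with the wording unchanged.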