Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,9 @@ jobs:
- name: '@grafana/sign-plugin - use GRAFANA_ACCESS_POLICY_TOKEN to sign generate-panel plugin'
if: ${{ github.event.pull_request.head.repo.fork != true }}
env:
GRAFANA_ACCESS_POLICY_TOKEN: ${{ fromJSON(steps.get-secrets.outputs.secrets).GRAFANA_ACCESS_POLICY_TOKEN }}
# Step env is evaluated even when the step is skipped, so fall back to '{}'
# to keep fromJSON from failing the job on fork PRs where get-secrets is skipped.
GRAFANA_ACCESS_POLICY_TOKEN: ${{ fromJSON(steps.get-secrets.outputs.secrets || '{}').GRAFANA_ACCESS_POLICY_TOKEN }}
run: sign-plugin --rootUrls http://www.example.com --signatureType private
working-directory: ./${{ env.WORKING_DIR }}
test-updates:
Expand Down Expand Up @@ -477,7 +479,9 @@ jobs:
- name: '@grafana/sign-plugin - use GRAFANA_ACCESS_POLICY_TOKEN to sign generate-panel plugin'
if: ${{ matrix.workingDir == 'myorg-nobackend-panel' && github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.fork != true }}
env:
GRAFANA_ACCESS_POLICY_TOKEN: ${{ fromJSON(steps.get-secrets.outputs.secrets).GRAFANA_ACCESS_POLICY_TOKEN }}
# Step env is evaluated even when the step is skipped, so fall back to '{}'
# to keep fromJSON from failing the job on fork PRs where get-secrets is skipped.
GRAFANA_ACCESS_POLICY_TOKEN: ${{ fromJSON(steps.get-secrets.outputs.secrets || '{}').GRAFANA_ACCESS_POLICY_TOKEN }}
run: sign-plugin --rootUrls http://www.example.com --signatureType private
working-directory: ./${{ matrix.workingDir }}

Expand Down
8 changes: 6 additions & 2 deletions .github/workflows/playwright.yml
Original file line number Diff line number Diff line change
Expand Up @@ -62,8 +62,11 @@ jobs:
- name: Install Playwright Browsers
run: npx playwright install --with-deps chromium

# Fork PRs never get an OIDC id-token, so Vault secrets are unavailable there.
# Skipping the Docker Hub login falls back to anonymous image pulls (rate-limit risk only).
- name: Get secrets for DockerHub login
id: get-secrets
if: ${{ github.event.pull_request.head.repo.fork != true }}
uses: grafana/shared-workflows/actions/get-vault-secrets@9f37f656e063f0ad0b0bfc38d49894b57d363936 # v1.2.1
with:
common_secrets: |
Expand All @@ -72,10 +75,11 @@ jobs:
export_env: false

- name: Log in to Docker Hub
if: ${{ github.event.pull_request.head.repo.fork != true }}
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with:
username: ${{ fromJSON(steps.get-secrets.outputs.secrets).DOCKERHUB_USERNAME }}
password: ${{ fromJSON(steps.get-secrets.outputs.secrets).DOCKERHUB_PASSWORD }}
username: ${{ fromJSON(steps.get-secrets.outputs.secrets || '{}').DOCKERHUB_USERNAME }}
password: ${{ fromJSON(steps.get-secrets.outputs.secrets || '{}').DOCKERHUB_PASSWORD }}

- name: Start Grafana
working-directory: ./packages/plugin-e2e
Expand Down
Loading