ci: hackathon release improvements

.gitattributes

@@ -4,4 +4,4 @@ pkg/operator/crds/*.yaml linguist-generated=true
 Makefile text eol=lf
 tools/make/*.mk text eol=lf
 tools/image-tag text eol=lf
-tools/release text eol=lf
+tools/publish-release-assets.sh text eol=lf

.github/pull_request_template.md

@@ -1,10 +1,9 @@
 <!--
 
-CONTRIBUTORS GUIDE: https://github.com/grafana/alloy/blob/main/docs/developer/contributing.md#updating-the-changelog
+CONTRIBUTORS GUIDE: https://github.com/grafana/alloy/blob/main/docs/developer/contributing.md
 
 If this is your first PR or you have not contributed in a while, we recommend
-taking the time to review the guide. It gives helpful instructions for
-contributors around things like how to update the changelog.
+taking the time to review the guide.
 
 -->
 
@@ -21,7 +20,6 @@ contributors around things like how to update the changelog.
 
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
 
-- [ ] CHANGELOG.md updated
 - [ ] Documentation added
 - [ ] Tests updated
 - [ ] Config converters updated

.github/workflows/autolock.yml

@@ -1,25 +1,35 @@
-name: Lock closed issues and PRs
+name: Auto-lock conversations
+
 on:
-  workflow_dispatch: {}
+  pull_request_target: # zizmor: ignore[dangerous-triggers] Only used to lock PRs from forks
+    types: [closed]
   schedule:
     - cron: '0 0 * * *'
-
-permissions:
-  issues: write
-  pull-requests: write
-  discussions: write
-
-concurrency:
-  group: lock-threads
+  workflow_dispatch:
 
 jobs:
-  action:
+  lock-pr-on-close:
+    if: github.event_name == 'pull_request_target'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Lock PR conversation 🔏
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr lock "$PR_URL"
+    permissions:
+      pull-requests: write
+
+  lock-stale-issues:
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
+      - name: Lock stale issue conversations 🔏
+        uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
-          pr-inactive-days: 30
-          issue-inactive-days: 30
+          issue-inactive-days: 14
           add-issue-labels: 'frozen-due-to-age'
-          add-pr-labels: 'frozen-due-to-age'
-          process-only: 'issues, prs'
+          process-only: 'issues'
+    permissions:
+      issues: write

.github/workflows/check-sync-module-dependencies.yml

@@ -12,6 +12,7 @@ jobs:
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5

.github/workflows/check-windows-container.yml

@@ -9,15 +9,15 @@ on:
       - '.github/workflows/check-windows-container.yml'
       - '.github/workflows/publish-alloy.yml'
       - '.github/workflows/publish-alloy-devel.yml'
-      - '.github/workflows/publish-alloy-release.yml'
+      - '.github/workflows/release-publish-alloy-artifacts.yml'
   pull_request:
     paths:
       - 'Dockerfile.windows'
       - 'tools/ci/docker-containers-windows'
       - '.github/workflows/check-windows-container.yml'
       - '.github/workflows/publish-alloy.yml'
       - '.github/workflows/publish-alloy-devel.yml'
-      - '.github/workflows/publish-alloy-release.yml'
+      - '.github/workflows/release-publish-alloy-artifacts.yml'
 
 permissions:
   contents: read

.github/workflows/integration-tests-k8s.yml

@@ -15,6 +15,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
     - name: Setup Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
       with:

.github/workflows/lint-pr-title.yml

@@ -0,0 +1,61 @@
+name: PR Title Lint
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  pull-requests: read
+  id-token: write
+
+jobs:
+  lint-pr-title:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get GitHub app secrets 🔐
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0
+        with:
+          export_env: false
+          repo_secrets: |
+            ALLOYBOT_APP_ID=alloybot:app_id
+            ALLOYBOT_PRIVATE_KEY=alloybot:private_key
+
+      - name: Generate token 🔐
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
+        id: app-token
+        with:
+          app-id: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_APP_ID }}
+          private-key: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_PRIVATE_KEY }}
+          owner: grafana
+          repositories: alloy
+
+      - name: Validate PR title 🔎
+        uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        with:
+          # Require conventional commit types
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+          # Scope is optional
+          requireScope: false
+          # Disallow uppercase first letter in subject
+          subjectPattern: ^[a-z].+$
+          subjectPatternError: |
+            The subject "{subject}" must start with a lowercase letter.
+            Example: "feat: add new component" not "feat: Add new component"

.github/workflows/lint.yml

@@ -55,7 +55,7 @@ jobs:
           packaging,\
           production,\
           tools/ci,\
-          tools/release,\
+          tools/publish-release-assets.sh,\
           docs/sources/tutorials/assets\
           "
 

.github/workflows/release-backport.yml

@@ -0,0 +1,94 @@
+name: Backport PR
+
+on:
+  pull_request:
+    types: [labeled, closed]
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
+jobs:
+  backport:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if PR is merged and find backport labels 🏷️
+        id: check
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+
+            if (!pr.merged_at) {
+              console.log('PR is not merged, skipping');
+              core.setOutput('should_backport', 'false');
+              return;
+            }
+
+            const labels = pr.labels || [];
+            const backportLabels = labels
+              .map(l => l.name)
+              .filter(name => name.startsWith('backport/'));
+
+            if (backportLabels.length === 0) {
+              console.log('No backport labels found, skipping');
+              core.setOutput('should_backport', 'false');
+              return;
+            }
+
+            console.log(`PR is merged and has backport labels: ${backportLabels.join(', ')}`);
+            core.setOutput('labels', JSON.stringify(backportLabels));
+            core.setOutput('should_backport', 'true');
+
+      - name: Get GitHub app secrets 🔐
+        if: steps.check.outputs.should_backport == 'true'
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0
+        with:
+          export_env: false
+          repo_secrets: |
+            ALLOYBOT_APP_ID=alloybot:app_id
+            ALLOYBOT_PRIVATE_KEY=alloybot:private_key
+
+      - name: Generate token 🔐
+        if: steps.check.outputs.should_backport == 'true'
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
+        id: app-token
+        with:
+          app-id: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_APP_ID }}
+          private-key: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_PRIVATE_KEY }}
+          owner: grafana
+          repositories: alloy
+
+      - name: Checkout repository 🛎️
+        if: steps.check.outputs.should_backport == 'true'
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Go 🏗️
+        if: steps.check.outputs.should_backport == 'true'
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: tools/go.mod
+          cache-dependency-path: tools/go.sum
+
+      - name: Run backport tool 🍒
+        if: steps.check.outputs.should_backport == 'true'
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+          LABELS: ${{ steps.check.outputs.labels }}
+        run: |
+          cd tools
+          labels="${LABELS}"
+
+          for label in $(echo "$labels" | jq -r '.[]'); do
+            echo "🍒 Processing backport for label: $label"
+            go run ./release/backport \
+              --pr "${{ github.event.pull_request.number }}" \
+              --label "$label"
+          done