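name: Plugins - CI

on:
  # Run CI on all PRs
  pull_request:
  # Also run on pushes to main (used for publish + downstream automation)
  push:
    branches: [main]
  # Allow manual re-runs from the Actions UI (useful for debugging failures)
  workflow_dispatch:

# Least-privilege default for any job that does not declare its own
# `permissions:` block. OIDC token minting (id-token: write) is deliberately
# not granted here: every job in this workflow already requests it explicitly,
# and job-level permissions replace this default. Keeping it out of the default
# means a job added later without a `permissions:` block cannot mint OIDC tokens.
permissions:
  contents: read

# Prevent duplicate runs on the same ref.
# For PRs: cancel older in-progress runs when new commits are pushed.
# For main: do NOT cancel (publishing should complete once started).
concurrency:
  group: plugins-ci-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}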
jobs:
  # Validation for PRs and any other non-main ref, delegated to the shared
  # plugin CI workflow.
  ci:
    name: CI
    # Skipped on main; publishing from main is handled by the CD job below.
    if: github.ref != 'refs/heads/main'
    # NOTE(review): this reusable workflow is referenced by tag, which is a
    # mutable ref, while the trigger-argo-workflow action further down is
    # pinned to a full commit SHA. Consider pinning this reference the same way
    # and keeping the tag as a trailing comment.
    uses: grafana/plugin-ci-workflows/.github/workflows/ci.yml@ci-cd-workflows/v7.1.0
    # Checkout + OIDC for the shared workflow.
    # NOTE(review): runs for PRs opened from branches of this repository also
    # receive id-token: write. Confirm the OIDC trust policy on the consuming
    # side restricts by ref / event claims, so a PR-issued token cannot be
    # exchanged for publishing credentials.
    permissions:
      contents: read
      id-token: write
    with:
      # Keeps PR build versions unique: the head SHA is appended for
      # pull_request events, and nothing is appended for other events.
      plugin-version-suffix: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}

  # Publishes the latest main build to the internal Plugin Catalog (dev);
  # used by nightly / scheduled Cloud E2E.
  publish-latest-to-catalog:
    name: Publish main to Dev Catalog
    # True for pushes to main and also for a workflow_dispatch run started
    # against main, so a manual run on main publishes as well.
    if: github.ref == 'refs/heads/main'
    # NOTE(review): referenced by mutable tag while this job holds
    # contents: write, attestations: write and id-token: write. Consider
    # pinning to a full commit SHA.
    uses: grafana/plugin-ci-workflows/.github/workflows/cd.yml@ci-cd-workflows/v7.1.0
    # Write access plus OIDC are needed for publishing.
    permissions:
      attestations: write
      contents: write  # Required to publish artifacts
      id-token: write  # OIDC for Vault / signing
    with:
      # "Publish latest" flow rather than a full release.
      disable-docs-publishing: true
      disable-github-release: true
      # Dev catalog environment (used by Cloud E2E).
      environment: 'dev'
      # Toolchain versions for the CD run.
      # NOTE(review): the ci job above passes neither of these inputs, so it
      # uses whatever the shared workflow defaults to. Confirm the two match.
      go-version: '1.26.0'
      golangci-lint-version: '2.10.1'
      # Commit SHA suffix for traceability and uniqueness.
      plugin-version-suffix: ${{ github.sha }}
      # Playwright is not re-run here (the CI job already covers E2E).
      run-playwright: false
      # Publishing scope limited to the Cloud E2E instance.
      scopes: grafana_cloud_instance_datasourcese2e

  # Starts the downstream Argo workflow once the dev-catalog publish succeeded.
  trigger-argo-workflow:
    name: Trigger Argo Workflow
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    needs: publish-latest-to-catalog
    # Same main-only gate as the publish job; a workflow_dispatch run against
    # main satisfies it too.
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: read
      id-token: write  # Required if trigger action relies on OIDC
    steps:
      # NOTE(review): actions/checkout is referenced by major-version tag.
      # Consider pinning it to a full commit SHA like the trigger action below.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Do not leave the token in the workspace git config.
          persist-credentials: false

      # NOTE(review): the two read steps below write values from repository
      # files to $GITHUB_OUTPUT as-is, and those values later feed the
      # WorkflowTemplate name and the Argo parameters. `jq -e` only fails on
      # null/false. Consider validating the expected format, and rejecting
      # embedded newlines, before emitting the outputs.
      - name: Read plugin ID
        id: plugin
        shell: bash
        run: |
          set -euo pipefail
          # Extract plugin ID (used as workflow template name in Argo)
          echo "id=$(jq -er .id ./src/plugin.json)" >> "$GITHUB_OUTPUT"

      - name: Read package version
        id: pkg
        shell: bash
        run: |
          set -euo pipefail
          # Extract npm package version to construct Docker tag
          echo "version=$(jq -er .version ./package.json)" >> "$GITHUB_OUTPUT"

      - name: Trigger workflow
        uses: grafana/shared-workflows/actions/trigger-argo-workflow@b513eb1dfd9becfa671a41e55063cdd5c0a08031 # trigger-argo-workflow/v1.2.2
        with:
          # Argo instance and namespace to target.
          instance: ops
          namespace: grafana-datasources-cd
          # WorkflowTemplate name is the plugin ID plus "-dev".
          workflow_template: ${{ steps.plugin.outputs.id }}-dev
          # Parameters handed to the Argo workflow.
          # NOTE(review): the second line of the block holds both
          # `prCommentContext=` and `datasource=`. Confirm this is intended and
          # that `datasource` was not meant to be on its own line.
          parameters: |
            dockertag=${{ steps.pkg.outputs.version }}+${{ github.sha }}
            prCommentContext=triggered-by-push-to-main datasource=${{ steps.plugin.outputs.id }}
            commit_author=grafana-delivery-bot