Merge branch 'main' into deprecate/loki-canary

Author: jkroepke

.github/CODEOWNERS

@@ -6,15 +6,18 @@
 # Unless a later match takes precedence, they will be requested for review when someone opens a pull request.
 * @grafana/helm-charts-admins
 
-/charts/grafana/ @jkroepke @maorfr @torstenwalter @Xtigyro @zanhsieh
+/charts/grafana/ @jkroepke @maorfr @torstenwalter @Xtigyro @zanhsieh @QuentinBisson
 /charts/loki-distributed/ @grafana/loki-squad @unguiculus @Whyeasy
 /charts/loki-canary/ @grafana/loki-squad @unguiculus @Whyeasy
 /charts/promtail/ @grafana/loki-squad @unguiculus @Whyeasy
 /charts/tempo/ @grafana/tempo @Sheikh-Abubaker @dgzlopes @swartz-k @BitProcessor @faustodavid
-/charts/tempo-distributed/ @grafana/tempo @Sheikh-Abubaker @mapno @swartz-k @BitProcessor @faustodavid
+/charts/tempo-distributed/ @grafana/tempo @Sheikh-Abubaker @swartz-k @BitProcessor @faustodavid @QuentinBisson
 /charts/enterprise-metrics/ @grafana/mimir-maintainers
 /charts/rollout-operator/ @grafana/mimir-maintainers
 /charts/enterprise-logs/ @grafana/loki-squad
 /charts/tempo-vulture/ @grafana/tempo @Whyeasy @dgzlopes
 /charts/synthetic-monitoring-agent/ @torstenwalter @zanhsieh
 /charts/agent-operator/ @grafana/grafana-agent-maintainers
+/charts/cloudcost-exporter/ @grafana/platform-monitoring
+/charts/grafana-mcp/ @jkroepke @Sheikh-Abubaker @KyriosGN0 @QuentinBisson
+/charts/pdc-agent/ @grafana/grafana-datasources-core-services

.github/workflows/check-codeowners.yaml

@@ -4,9 +4,11 @@ on: workflow_call
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: install yq
         run: |
           sudo snap install yq

.github/workflows/ci.yml

@@ -2,6 +2,8 @@ name: CI
 
 on: pull_request
 
+permissions: {}
+
 jobs:
   call-check-codeowners:
     uses: ./.github/workflows/check-codeowners.yaml

.github/workflows/lint-test.yaml

@@ -29,6 +29,7 @@ on:
 
 env:
   CT_CONFIGFILE: ${{ inputs.ct_configfile }}
+  CT_CHECK_VERSION_INCREMENT: ${{ inputs.ct_check_version_increment }}
 
 jobs:
   lint-test:
@@ -38,9 +39,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: ${{ inputs.helm_version }}
 
@@ -52,7 +54,7 @@ jobs:
           python-version: 3.12
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.1.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -63,10 +65,10 @@ jobs:
           fi
 
       - name: Run chart-testing (lint)
-        run: ct lint --config "${CT_CONFIGFILE}" --check-version-increment=${{ inputs.ct_check_version_increment }}
+        run: ct lint --config "${CT_CONFIGFILE}" --check-version-increment="${CT_CHECK_VERSION_INCREMENT}"
 
       - name: Create kind cluster
-        uses: helm/[email protected]
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         if: steps.list-changed.outputs.changed == 'true'
         with:
           kubectl_version: ${{ inputs.kind_kubectl_version }}
@@ -98,5 +100,8 @@ jobs:
           elif [[ "$changed" == "charts/snyk-exporter" ]]; then
             # Do not run `ct install` for snyk-exporter as it requires Snyk API token
             exit 0
+          elif [[ "$changed" == "charts/cloudcost-exporter" ]]; then
+            # Do not run `ct install` for cloudcost-exporter as it requires IRSA
+            exit 0
           fi
           ct install --config "${CT_CONFIGFILE}"

.github/workflows/linter.yml

@@ -19,6 +19,8 @@ jobs:
     steps:
       - name: Checkout Code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Check Docs
         run: |

.github/workflows/release.yaml

@@ -18,14 +18,15 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "[email protected]"
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: v3.12.0
 
@@ -39,7 +40,7 @@ jobs:
           helm repo add minio-new https://charts.min.io
 
       - name: Run chart-releaser
-        uses: helm/[email protected]
+        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
         with:
           charts_dir: charts
           config: cr.yaml
@@ -48,7 +49,7 @@ jobs:
           CR_SKIP_EXISTING: "true"
 
       - name: Login to GHCR
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/sync-readme.yaml

@@ -13,11 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - run: |
           cp -f README.md ${{ runner.temp }}/README.md
       - uses: actions/checkout@v4
         with:
           ref: gh-pages
+          persist-credentials: false
       - run: |
           cp -f ${{ runner.temp }}/README.md .
           git config user.name "$GITHUB_ACTOR"

.github/workflows/update-helm-repo.yaml

@@ -30,6 +30,9 @@ on:
       github_app_pem:
         description: GitHub APP pem to authenticate with
         required: false
+      vault_repo_secret_name:
+        description: Vault secret name that holds repository's GitHub App credentials to authenticate with
+        required: false
       helm_repo_token:
         description: GitHub api token to use against the helm-charts repository
         required: false
@@ -41,6 +44,7 @@ env:
   CR_PACKAGE_PATH: "${{ github.workspace }}/.cr-release-packages"
   CR_TOOL_PATH: "${{ github.workspace }}/.cr-tool"
   HELM_TAG_PREFIX: "${{ inputs.helm_tag_prefix }}"
+  REF_NAME: "${{ github.ref_name }}"
 
 jobs:
   setup:
@@ -54,9 +58,10 @@ jobs:
         with:
           fetch-depth: 0
           path: source
+          persist-credentials: false
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.1.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
 
       - name: List changed charts
         id: list-changed
@@ -65,8 +70,8 @@ jobs:
 
           latest_tag=$( if ! git describe --tags --abbrev=0 2> /dev/null ; then git rev-list --max-parents=0 --first-parent HEAD ; fi )
 
-          echo "Running: ct list-changed --config ${CT_CONFIGFILE} --since ${latest_tag} --target-branch ${{ github.ref_name }}"
-          changed=$(ct list-changed --config "${CT_CONFIGFILE}" --since "${latest_tag}" --target-branch "${{ github.ref_name }}")
+          echo "Running: ct list-changed --config ${CT_CONFIGFILE} --since ${latest_tag} --target-branch ${REF_NAME}"
+          changed=$(ct list-changed --config "${CT_CONFIGFILE}" --since "${latest_tag}" --target-branch "${REF_NAME}")
           echo "${changed}"
           num_changed=$(wc -l <<< ${changed})
           if [[ "${num_changed}" -gt "1" ]] ; then
@@ -94,30 +99,48 @@ jobs:
     needs: [setup]
     runs-on: ubuntu-latest
     permissions:
+      id-token: write # allows GitHub App to generate id-token from Github's OIDC
       contents: write # allows GITHUB_TOKEN to push chart release, create release, and push tags to github
       packages: write # allows GITHUB_TOKEN to push package to ghcr
     env:
-      github_app_id: ${{ secrets.github_app_id }}
+      # APP_ID and PRIVATE_KEY are overwritten by credentials from vault, if configured
+      GITHUB_APP_ID: ${{ secrets.github_app_id }}
+      PRIVATE_KEY: ${{ secrets.github_app_pem }}
+      VAULT_REPO_SECRET_NAME: ${{ secrets.vault_repo_secret_name }}
     if: needs.setup.outputs.changed == 'true'
     steps:
-      - name: Create a GitHub App installation access token
-        if: env.github_app_id != ''
-        uses: tibdex/github-app-token@v2
+      - name: Retrieve GitHub App credentials from Vault
+        if: env.VAULT_REPO_SECRET_NAME != ''
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # v1.1.0
+        with:
+          repo_secrets: |
+            GITHUB_APP_ID=${{ env.VAULT_REPO_SECRET_NAME }}:app-id
+            PRIVATE_KEY=${{ env.VAULT_REPO_SECRET_NAME }}:private-key
+
+      - name: Generate GitHub App Token
+        if: env.GITHUB_APP_ID != ''
         id: app-token
+        uses: actions/create-github-app-token@v1
         with:
-          app_id: ${{ secrets.github_app_id }}
-          private_key: ${{ secrets.github_app_pem }}
+          # Variables generated by the previous step get-secrets
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
 
       - name: Set the correct token (Github App or PAT)
+        env:
+          HELM_REPO_TOKEN: ${{ secrets.helm_repo_token }}
+          APP_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
-          if [[ "${{ env.github_app_id }}" == '' ]]; then
-            echo "AUTHTOKEN=${{ secrets.helm_repo_token }}" >> $GITHUB_ENV
+          if [[ "${GITHUB_APP_ID}" == '' ]]; then
+            echo "AUTHTOKEN=${HELM_REPO_TOKEN}" >> $GITHUB_ENV
           else
-            echo "AUTHTOKEN=${{ steps.app-token.outputs.token }}" >> $GITHUB_ENV
+            echo "AUTHTOKEN=${APP_TOKEN}" >> $GITHUB_ENV
           fi
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # zizmor: ignore[artipacked] without this ignore comment, zizmor would complain that persist-credentials is not explicitly set to false. We need it set to true (default) to be able to push the release tags later on in this workflow
         with:
           fetch-depth: 0
           path: source
@@ -130,12 +153,12 @@ jobs:
 
       - name: Checkout helm-charts
         # The cr tool only works if the target repository is already checked out
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # zizmor: ignore[artipacked] without this ignore comment, zizmor would complain that persist-credentials is not explicitly set to false. We need it set to true (default) to be able to push the release tags later on in this workflow
         with:
           fetch-depth: 0
           repository: grafana/helm-charts
           path: helm-charts
-          token: ${{ env.AUTHTOKEN  }}
+          token: ${{ env.AUTHTOKEN }}
 
       - name: Configure Git for helm-charts
         run: |
@@ -144,15 +167,17 @@ jobs:
           git config user.email "[email protected]"
 
       - name: Install Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: v3.16.2
 
       - name: Parse Chart.yaml
         id: parse-chart
+        env:
+          CHARTPATH: ${{ needs.setup.outputs.chartpath }}
         run: |
           cd source
-          changed="${{ needs.setup.outputs.chartpath }}"
+          changed="${CHARTPATH}"
           description=$(yq ".description" < ${changed}/Chart.yaml)
           name=$(yq ".name" < ${changed}/Chart.yaml)
           version=$(yq ".version" < ${changed}/Chart.yaml)
@@ -166,10 +191,12 @@ jobs:
           echo "packagename=${name}-${version}" >> $GITHUB_OUTPUT
 
       - name: Add dependency chart repos
+        env:
+          CHARTPATH: ${{ steps.parse-chart.outputs.chartpath }}
         run: |
           cd source
           # Skip the header line and make sure that tabs are expanded into spaces
-          deps=$(helm dependency list "${{ steps.parse-chart.outputs.chartpath }}" | tail +2 | expand)
+          deps=$(helm dependency list "${CHARTPATH}" | tail +2 | expand)
           while read -r row; do
             IFS=' ' read -ra parts <<< "$row"
             name="${parts[0]}"
@@ -190,20 +217,24 @@ jobs:
           rm -f cr.tar.gz
 
       - name: Create helm package
+        env:
+          CHARTPATH: ${{ steps.parse-chart.outputs.chartpath }}
         run: |
           cd source
-          "${CR_TOOL_PATH}/cr" package "${{ steps.parse-chart.outputs.chartpath }}" --config "${CR_CONFIGFILE}" --package-path "${CR_PACKAGE_PATH}"
+          "${CR_TOOL_PATH}/cr" package "${CHARTPATH}" --config "${CR_CONFIGFILE}" --package-path "${CR_PACKAGE_PATH}"
           echo "Result of chart package:"
           ls -l "${CR_PACKAGE_PATH}"
 
       - name: Create tag and check if exists on origin
+        env:
+          TAGNAME: ${{ steps.parse-chart.outputs.tagname }}
         run: |
           cd source
-          echo "Making tag ${{ steps.parse-chart.outputs.tagname }}"
-          git tag "${{ steps.parse-chart.outputs.tagname }}"
+          echo "Making tag ${TAGNAME}"
+          git tag "${TAGNAME}"
 
       - name: Make github release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tags/v1
         with:
           body: |
             ${{ steps.parse-chart.outputs.desc }}
@@ -219,18 +250,20 @@ jobs:
           token: ${{ env.AUTHTOKEN }}
 
       - name: Push release tag on origin
+        env:
+          TAGNAME: ${{ steps.parse-chart.outputs.tagname }}
         run: |
           cd source
-          echo "Pushing tag ${{ steps.parse-chart.outputs.tagname }}"
-          git push origin "${{ steps.parse-chart.outputs.tagname }}"
+          echo "Pushing tag ${TAGNAME}"
+          git push origin "${TAGNAME}"
 
       - name: Update helm repo index.yaml
         run: |
           cd helm-charts
           "${CR_TOOL_PATH}/cr" index --config "${CR_CONFIGFILE}" --token "${{ env.AUTHTOKEN }}" --index-path "${CR_INDEX_PATH}" --package-path "${CR_PACKAGE_PATH}" --push
 
       - name: Login to GHCR
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -239,5 +272,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push charts to GHCR
+        env:
+          PACKAGENAME: ${{ steps.parse-chart.outputs.packagename }}
         run: |
-          helm push "${{ env.CR_PACKAGE_PATH }}/${{ steps.parse-chart.outputs.packagename }}.tgz" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts"
+          helm push "${CR_PACKAGE_PATH}/${PACKAGENAME}.tgz" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts"

.github/workflows/validate-pr.yaml

@@ -8,6 +8,10 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  pull-requests: read
+  contents: read
+
 jobs:
   validate:
     runs-on: ubuntu-latest
@@ -16,10 +20,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up chart-testing
-        uses: helm/[email protected]
-
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
       - name: Validate PR
         run: scripts/validate-pr.sh
         env: