name: Run commands when issues are labeled or comments added # important: this workflow uses a github app that is strictly limited # to issues. If you want to change the triggers for this workflow, # please review if the permissions are still sufficient. on: issues: types: [labeled, unlabeled] issue_comment: types: [created] concurrency: group: issue-commands-${{ github.event.issue.number }} permissions: contents: read id-token: write jobs: config: runs-on: "ubuntu-latest" outputs: has-secrets: ${{ steps.check.outputs.has-secrets }} steps: - name: "Check for secrets" id: check shell: bash run: | if [ "${{ github.repository }}" == "grafana/grafana" ] && [ -n "${{ secrets.GRAFANA_MISC_STATS_API_KEY }}" ]; then echo "has-secrets=1" >> "$GITHUB_OUTPUT" fi main: needs: config if: needs.config.outputs.has-secrets runs-on: ubuntu-latest steps: - name: "Get vault secrets" id: vault-secrets uses: grafana/shared-workflows/actions/get-vault-secrets@main with: # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault repo_secrets: | GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem - name: "Generate token" id: generate_token uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 with: app_id: ${{ env.GH_APP_ID }} private_key: ${{ env.GH_APP_PEM }} - name: Checkout Actions uses: actions/checkout@v4 with: repository: "grafana/grafana-github-actions" path: ./actions ref: main - name: Install Actions run: npm install --production --prefix ./actions - name: Run Commands uses: ./actions/commands with: metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}} token: ${{ steps.generate_token.outputs.token }} configPath: commands