[release-11.3.9] Actions: Backport actions #106985

Proximyst · 2025-06-19T11:43:45Z

This backports the actions from main, along with necessary scripts and other moves.

This probably won't work for a while. Sorry.

.github/workflows/e2e-dashboard-new-layouts.yml

+    runs-on: ubuntu-latest
+    continue-on-error: true
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Pin Go version to mod file
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - run: go version
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'yarn'
+      - name: Install dependencies
+        run: yarn install --immutable
+      - name: Build grafana
+        run: make build
+      - name: Install Cypress dependencies
+        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
+        with:
+          runTests: false
+      - name: Run dashboardNewLayouts e2e
+        run: yarn e2e:dashboard-new-layouts


To fix the issue, add a permissions block to the root of the workflow file. This block will explicitly define the least privileges required for the workflow to function correctly. Based on the actions performed in the workflow, the contents: read permission is sufficient. This ensures that the workflow cannot perform write operations unless explicitly allowed.

The permissions block should be added at the top level of the workflow file, immediately after the name field. This will apply the permissions to all jobs in the workflow unless overridden by job-specific permissions blocks.

.github/workflows/i18n-crowdin-create-tasks.yml

+    uses: grafana/grafana-github-actions/.github/workflows/crowdin-create-tasks.yml@main
+    with:
+      crowdin_project_id: 5


To fix the issue, add a permissions block at the root of the workflow file. This block will define the least privileges required for the workflow to function correctly. Based on the context, the workflow likely needs read access to repository contents and possibly write access to specific resources (e.g., pull requests or issues). As a starting point, we will set contents: read and adjust further if additional permissions are required.

.github/workflows/i18n-crowdin-download.yml

+    uses: grafana/grafana-github-actions/.github/workflows/crowdin-download.yml@main
+    with:
+      crowdin_project_id: 5
+      pr_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
+      github_board_id: 78 # Frontend Platform project
+      en_paths: public/locales/en-US/grafana.json, public/app/plugins/datasource/azuremonitor/locales/en-US/grafana-azure-monitor-datasource.json, public/app/plugins/datasource/mssql/locales/en-US/mssql.json, packages/grafana-prometheus/src/locales/en-US/grafana-prometheus.json, packages/grafana-sql/src/locales/en-US/grafana-sql.json


To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for the workflow to function correctly. Based on the context, the workflow likely needs read access to repository contents and possibly write access to pull requests (if it creates or updates pull requests).

The permissions block can be added at the root level of the workflow to apply to all jobs or within the specific job (download-sources-from-crowdin) to limit permissions to that job only. Since the workflow uses a third-party action, we should consult its documentation to confirm the exact permissions required. For now, we will assume the minimal permissions needed are contents: read and pull-requests: write.

.github/workflows/i18n-crowdin-upload.yml

+    uses: grafana/grafana-github-actions/.github/workflows/crowdin-upload.yml@main
+    with:
+      crowdin_project_id: 5


To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for the workflow to function correctly. Since the workflow uploads sources to Crowdin, it likely only needs read access to the repository contents.

The permissions block should be added at the root level of the workflow to apply to all jobs, as there is only one job in this workflow. Alternatively, it can be added specifically to the upload-sources-to-crowdin job.

.github/workflows/release-build.yml

.github/workflows/pr-e2e-tests.yml

.github/workflows/release-comms.yml

.github/workflows/swagger-gen.yml

pkg/build/daggerbuild/gcom/publish.go

+
+	return d.Container().From("alpine/curl").
+		WithSecretVariable("GCOM_API_KEY", apiKeySecret).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, string(jsonVersionPayload), versionApiUrl.String())}).


To fix the issue, the JSON payload should be sanitized to escape single quotes before embedding it into the shell command. Alternatively, a safer approach is to avoid manual string construction and use an API that supports structured command execution. In this case, escaping single quotes using strings.ReplaceAll is a straightforward solution. This ensures that any single quotes in the JSON payload are properly escaped, preventing premature termination of the quoted string.

Steps to fix:

Use strings.ReplaceAll to escape single quotes in the JSON payload.

Ensure that backslashes are also escaped to avoid interference with the escaping mechanism.

Replace the vulnerable fmt.Sprintf construction with the sanitized payload.

pkg/build/daggerbuild/gcom/publish.go

+
+	return d.Container().From("alpine/curl").
+		WithSecretVariable("GCOM_API_KEY", apiKeySecret).
+		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, string(jsonPackagePayload), packagesApiUrl.String())}).


To fix the issue, the JSON payload (jsonPackagePayload) should be sanitized to escape single quotes before embedding it into the shell command. Alternatively, a safer approach is to avoid manual string construction and use structured APIs or placeholders for the command arguments. In this case, the best solution is to escape single quotes using strings.ReplaceAll to ensure the payload does not break the quoted string in the shell command.

Changes to make:

Sanitize jsonPackagePayload by escaping single quotes and backslashes before embedding it into the curl command.

Apply the same fix to jsonVersionPayload in the PublishGCOMVersion function to ensure consistency and security.

grafana-delivery-bot · 2025-07-23T20:07:53Z

Hello @Proximyst, we've noticed that the original base branch release-11.3.9 for this PR is no longer a release candidate. We've automatically updated your PR's base branch to the current release target: release-11.3.10. Please review and resolve any potential merge conflicts. If this PR is not merged it will NOT be included in the next release. Thanks!

Proximyst added 4 commits June 19, 2025 13:37

Actions: Remove old actions

b8bff89

Actions: Checkout actions from main

0b297ae

Actions: Checkout scripts from main

1001717

Actions: Backport more necessities

f3628ef

github-advanced-security bot found potential problems Jun 19, 2025

View reviewed changes

.github/workflows/release-build.yml Fixed Show fixed Hide fixed

.github/workflows/release-build.yml Fixed Show fixed Hide fixed

github-advanced-security bot found potential problems Jun 19, 2025

View reviewed changes

This comment has been minimized.

Sign in to view

Proximyst added 2 commits June 19, 2025 13:52

Script: Add scripts for CI

f576592

Build: Vendor pkg/build from main

32d0477

This comment has been minimized.

Sign in to view

Proximyst added 2 commits June 19, 2025 13:55

Actions: Backport config files

211badd

Script: Don't gen for dashboard CUE

1fea32a

github-advanced-security bot found potential problems Jun 19, 2025

View reviewed changes

Proximyst added 3 commits June 24, 2025 13:46

Actions: Backport removal of A11y test

b3c8710

Chore: go work use

0129eb8

Backport: Configs to build

2fef3e3

grafana-delivery-bot bot changed the base branch from release-11.3.9 to release-11.3.10 July 23, 2025 20:07

@@ -1,2 +1,4 @@
             name: Run e2e for dashboardNewLayouts
+            permissions:
+              contents: read

@@ -35,2 +35,5 @@
             	}
+            	// Escape single quotes and backslashes in the JSON payload
+            	sanitizedPayload := strings.ReplaceAll(string(jsonVersionPayload), `\`, `\\`)
+            	sanitizedPayload = strings.ReplaceAll(sanitizedPayload, "'", "\\'")
@@ -40,3 +43,3 @@
             		WithSecretVariable("GCOM_API_KEY", apiKeySecret).
-            		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, string(jsonVersionPayload), versionApiUrl.String())}).
+            		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, sanitizedPayload, versionApiUrl.String())}).
             		Stdout(ctx)
@@ -52,2 +55,5 @@
             	}
+            	// Escape single quotes and backslashes in the JSON payload
+            	sanitizedPayload := strings.ReplaceAll(string(jsonPackagePayload), `\`, `\\`)
+            	sanitizedPayload = strings.ReplaceAll(sanitizedPayload, "'", "\\'")
@@ -57,3 +63,3 @@
             		WithSecretVariable("GCOM_API_KEY", apiKeySecret).
-            		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, string(jsonPackagePayload), packagesApiUrl.String())}).
+            		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, sanitizedPayload, packagesApiUrl.String())}).
             		Stdout(ctx)

@@ -35,2 +35,5 @@
             	}
+            	// Escape single quotes and backslashes in the JSON payload
+            	sanitizedPayload := strings.ReplaceAll(string(jsonVersionPayload), `\`, `\\`)
+            	sanitizedPayload = strings.ReplaceAll(sanitizedPayload, "'", "\\'")
@@ -40,3 +43,3 @@
             		WithSecretVariable("GCOM_API_KEY", apiKeySecret).
-            		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, string(jsonVersionPayload), versionApiUrl.String())}).
+            		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, sanitizedPayload, versionApiUrl.String())}).
             		Stdout(ctx)
@@ -52,2 +55,5 @@
             	}
+            	// Escape single quotes and backslashes in the JSON payload
+            	sanitizedPayload := strings.ReplaceAll(string(jsonPackagePayload), `\`, `\\`)
+            	sanitizedPayload = strings.ReplaceAll(sanitizedPayload, "'", "\\'")
@@ -57,3 +63,3 @@
             		WithSecretVariable("GCOM_API_KEY", apiKeySecret).
-            		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, string(jsonPackagePayload), packagesApiUrl.String())}).
+            		WithExec([]string{"/bin/sh", "-c", fmt.Sprintf(`curl -H "Content-Type: application/json" -H "Authorization: Bearer $GCOM_API_KEY" -d '%s' %s`, sanitizedPayload, packagesApiUrl.String())}).
             		Stdout(ctx)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[release-11.3.9] Actions: Backport actions #106985

[release-11.3.9] Actions: Backport actions #106985

Proximyst commented Jun 19, 2025

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

Check failure

Copilot Autofix

Check failure

Copilot Autofix

grafana-delivery-bot bot commented Jul 23, 2025

Uh oh!

Uh oh!

@@ -2,2 +2,6 @@
+            permissions:
+              contents: read
+              pull-requests: write
             on:
@@ -9,3 +13,3 @@
               download-sources-from-crowdin:
-                uses: grafana/grafana-github-actions/.github/workflows/crowdin-download.yml@main
+                uses: grafana/grafana-grafana-github-actions/.github/workflows/crowdin-download.yml@main
                 with:

[release-11.3.9] Actions: Backport actions #106985

Are you sure you want to change the base?

[release-11.3.9] Actions: Backport actions #106985

Conversation

Proximyst commented Jun 19, 2025

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

grafana-delivery-bot bot commented Jul 23, 2025

Uh oh!

Uh oh!