Bug: Tools generate default github actions which fail zizmor checks & can't be used for internal plugins
Which package(s) does this bug affect?
- [x] Create Plugin
- [ ] Sign Plugin
- [ ] Plugin E2E
- [ ] Plugin Meta Extractor
- [ ] Plugin ESLint Rules
Package versions
we're working on a plugin over here, and took the default GitHub actions; as a consequence (because they fail zizmor scanning) we can't enable GitHub actions on the plugin repo. We have proposed fixes though.
What happened?
Existing workflows block the use of GitHub Actions for internal Grafana plugins
What you expected to happen
Clean zizmor scan on auto-generated GitHub actions, suitable to run GitHub actions safely on plugin creation & contribution.
How to reproduce it (as minimally and precisely as possible)
- In this environment...
- With this config...
- Run '...'
- See error...
Environment
github
Additional context
See this PR for our proposed fixes to our local plugin, to show what kind of changes need to be made to the workflow to make them pass with no errors/warnings
https://github.com/grafana/docs-plugin/pull/24
It's a combination of excess privileges, lack of SHA hash pinning on actions, and other things.
@moxious thanks for raising this issue. From looking at the code base it seems the issue was resolved in this PR. However, because our tooling doesn't currently update the workflows (as we can't guarantee we own them) when doing @grafana/create-plugin@latest update, the only way to really do this with an existing plugin is to scaffold another "dummy" plugin and copy the workflows across.