fix synk security scan on CI (#4875)

# Which issue(s) this PR closes

Closes #4503
Closes grafana/oncall-private#2876

## Checklist

- [ ] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
    show up in the autogenerated release notes.

.github/workflows/on-pull-requests.yml

@@ -22,3 +22,4 @@ jobs:
   snyk-security-scan:
     name: Snyk security scan
     uses: ./.github/workflows/snyk-security-scan.yml
+    secrets: inherit

.github/workflows/on-release-published.yml

@@ -13,6 +13,7 @@ jobs:
   snyk-security-scan:
     name: Snyk security scan
     uses: ./.github/workflows/snyk-security-scan.yml
+    secrets: inherit
 
   build-sign-and-publish-plugin-to-gcom:
     name: Build, sign, and publish frontend plugin to grafana.com

.github/workflows/snyk-security-scan.yml

@@ -23,8 +23,20 @@ jobs:
         uses: ./.github/actions/install-frontend-dependencies
       - name: Install Snyk
         uses: snyk/actions/setup@master
-      - name: Run Snyk
-        continue-on-error: true
-        run: snyk monitor --all-projects --severity-threshold=high
+      # NOTE: on the snyk monitor and snyk test commands, we are excluding the dev and tools directories
+      # because we can't install the requirements.txt files of these directories alongside the main engine
+      # requirements.txt (some conflicting dep versions). If we realllly wanted to test these, we should do it
+      # as a seperate job and setup a separate Python env w/ just the deps of those projects. Since these projects
+      # are really just dev/internal scripts we don't really need to worry about them for now
+      - name: snyk monitor
+        # https://docs.snyk.io/snyk-cli/commands/monitor
+        run: snyk monitor --all-projects --severity-threshold=high --exclude=dev,tools
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - name: snyk test
+        # https://docs.snyk.io/snyk-cli/commands/test
+        # yamllint disable rule:line-length
+        run: snyk test --all-projects --severity-threshold=high --exclude=dev,tools --fail-on=all --show-vulnerable-paths=all
+        # yamllint enable rule:line-length
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

engine/requirements.in

@@ -36,13 +36,13 @@ humanize==4.10.0
 icalendar==5.0.10
 lxml==5.2.2
 markdown2==2.4.10
-opentelemetry-sdk==1.25.0
-opentelemetry-api==1.25.0
-opentelemetry-exporter-otlp-proto-grpc==1.25.0
-opentelemetry-instrumentation-logging==0.46b0
-opentelemetry-instrumentation-wsgi==0.46b0
-opentelemetry-instrumentation-requests==0.46b0
-opentelemetry-instrumentation-django==0.46b0
+opentelemetry-sdk==1.26.0
+opentelemetry-api==1.26.0
+opentelemetry-exporter-otlp-proto-grpc==1.26.0
+opentelemetry-instrumentation-logging==0.47b0
+opentelemetry-instrumentation-wsgi==0.47b0
+opentelemetry-instrumentation-requests==0.47b0
+opentelemetry-instrumentation-django==0.47b0
 phonenumbers==8.10.0
 prometheus_client==0.16.0
 psutil==5.9.4

engine/requirements.txt

@@ -74,6 +74,7 @@ deprecated==1.2.14
     # via
     #   opentelemetry-api
     #   opentelemetry-exporter-otlp-proto-grpc
+    #   opentelemetry-semantic-conventions
 django==4.2.15
     # via
     #   -r requirements.in
@@ -264,7 +265,7 @@ oauthlib==3.2.2
     # via
     #   requests-oauthlib
     #   social-auth-core
-opentelemetry-api==1.25.0
+opentelemetry-api==1.26.0
     # via
     #   -r requirements.in
     #   opentelemetry-exporter-otlp-proto-grpc
@@ -275,41 +276,41 @@ opentelemetry-api==1.25.0
     #   opentelemetry-instrumentation-wsgi
     #   opentelemetry-sdk
     #   opentelemetry-semantic-conventions
-opentelemetry-exporter-otlp-proto-common==1.25.0
+opentelemetry-exporter-otlp-proto-common==1.26.0
     # via opentelemetry-exporter-otlp-proto-grpc
-opentelemetry-exporter-otlp-proto-grpc==1.25.0
+opentelemetry-exporter-otlp-proto-grpc==1.26.0
     # via -r requirements.in
-opentelemetry-instrumentation==0.46b0
+opentelemetry-instrumentation==0.47b0
     # via
     #   opentelemetry-instrumentation-django
     #   opentelemetry-instrumentation-logging
     #   opentelemetry-instrumentation-requests
     #   opentelemetry-instrumentation-wsgi
-opentelemetry-instrumentation-django==0.46b0
+opentelemetry-instrumentation-django==0.47b0
     # via -r requirements.in
-opentelemetry-instrumentation-logging==0.46b0
+opentelemetry-instrumentation-logging==0.47b0
     # via -r requirements.in
-opentelemetry-instrumentation-requests==0.46b0
+opentelemetry-instrumentation-requests==0.47b0
     # via -r requirements.in
-opentelemetry-instrumentation-wsgi==0.46b0
+opentelemetry-instrumentation-wsgi==0.47b0
     # via
     #   -r requirements.in
     #   opentelemetry-instrumentation-django
-opentelemetry-proto==1.25.0
+opentelemetry-proto==1.26.0
     # via
     #   opentelemetry-exporter-otlp-proto-common
     #   opentelemetry-exporter-otlp-proto-grpc
-opentelemetry-sdk==1.25.0
+opentelemetry-sdk==1.26.0
     # via
     #   -r requirements.in
     #   opentelemetry-exporter-otlp-proto-grpc
-opentelemetry-semantic-conventions==0.46b0
+opentelemetry-semantic-conventions==0.47b0
     # via
     #   opentelemetry-instrumentation-django
     #   opentelemetry-instrumentation-requests
     #   opentelemetry-instrumentation-wsgi
     #   opentelemetry-sdk
-opentelemetry-util-http==0.46b0
+opentelemetry-util-http==0.47b0
     # via
     #   opentelemetry-instrumentation-django
     #   opentelemetry-instrumentation-requests

grafana-plugin/package.json

@@ -170,13 +170,14 @@
     "react-string-replace": "^0.4.4",
     "react-transition-group": "^4.4.5",
     "react-use": "^17.4.0",
-    "stylelint": "^13.13.1",
+    "stylelint": "^14.0.0",
     "stylelint-config-standard": "^22.0.0",
     "throttle-debounce": "^2.1.0",
     "tinycolor2": "^1.6.0",
     "tslib": "2.5.3"
   },
   "resolutions": {
-    "braces": "3.0.3"
+    "braces": "3.0.3",
+    "micromatch": "4.0.6"
   }
 }