Github Actions: Migrate Cloud pipelines

.drone/drone.jsonnet

@@ -31,16 +31,6 @@ local fromSecret(secret) = {
 };
 
 local secrets = {
-  // Grafana Cloud API test secrets
-  cloudOrg: secret('grafana-cloud-org', 'infra/data/ci/terraform-provider-grafana/cloud', 'cloud-org'),
-  cloudApiKey: secret('grafana-cloud-api-key', 'infra/data/ci/terraform-provider-grafana/cloud', 'cloud-api-key'),
-
-  // Grafana Cloud Instance test secrets
-  cloudInstanceUrl: secret('grafana-cloud-instance-url', 'infra/data/ci/terraform-provider-grafana/cloud', 'cloud-instance-url'),
-  apiToken: secret('grafana-api-token', 'infra/data/ci/terraform-provider-grafana/cloud', 'api-key'),
-  smToken: secret('grafana-sm-token', 'infra/data/ci/terraform-provider-grafana/cloud', 'sm-access-token'),
-  onCallToken: secret('grafana-oncall-token', 'infra/data/ci/terraform-provider-grafana/cloud', 'oncall-access-token'),
-
   // Grafana Enterprise
   enterpriseLicense: secret('grafana-enterprise-license', 'infra/data/ci/terraform-provider-grafana/enterprise', 'license.jwt'),
 };
@@ -115,55 +105,6 @@ local localTestPipeline(
   );
 
 [
-  pipeline(
-    'cloud api tests',
-    steps=[
-      installTerraformStep,
-      {
-        name: 'tests',
-        image: images.go,
-        commands: [
-          'make testacc-cloud-api',
-        ],
-        environment: {
-          GRAFANA_CLOUD_API_KEY: fromSecret(secrets.cloudApiKey),
-          GRAFANA_CLOUD_ORG: fromSecret(secrets.cloudOrg),
-          TF_ACC_TERRAFORM_PATH: terraformPath,
-        },
-      },
-    ]
-  )
-  + withConcurrencyLimit(1)
-  + onPromoteTrigger,
-
-  pipeline(
-    'cloud instance tests',
-    steps=[
-      installTerraformStep,
-      {
-        name: 'wait for instance',
-        image: images.go,
-        commands: ['.drone/wait-for-instance.sh $${GRAFANA_URL}'],
-        environment: {
-          GRAFANA_URL: fromSecret(secrets.cloudInstanceUrl),
-        },
-      },
-      {
-        name: 'tests',
-        image: images.go,
-        commands: ['make testacc-cloud-instance'],
-        environment: {
-          GRAFANA_URL: fromSecret(secrets.cloudInstanceUrl),
-          GRAFANA_AUTH: fromSecret(secrets.apiToken),
-          GRAFANA_SM_ACCESS_TOKEN: fromSecret(secrets.smToken),
-          GRAFANA_ONCALL_ACCESS_TOKEN: fromSecret(secrets.onCallToken),
-          TF_ACC_TERRAFORM_PATH: terraformPath,
-        },
-      },
-    ]
-  )
-  + withConcurrencyLimit(1),
-
   // Grafana Enterprise tests
   localTestPipeline(
     grafanaVersions[0],

.drone/drone.yml

@@ -1,80 +1,4 @@
 ---
-concurrency:
-  limit: 1
-kind: pipeline
-name: cloud api tests
-platform:
-  arch: amd64
-  os: linux
-services: []
-steps:
-- commands:
-  - cp /bin/terraform /drone/terraform-provider-grafana/terraform
-  - chmod a+x /drone/terraform-provider-grafana/terraform
-  image: hashicorp/terraform
-  name: download-terraform
-- commands:
-  - make testacc-cloud-api
-  environment:
-    GRAFANA_CLOUD_API_KEY:
-      from_secret: grafana-cloud-api-key
-    GRAFANA_CLOUD_ORG:
-      from_secret: grafana-cloud-org
-    TF_ACC_TERRAFORM_PATH: /drone/terraform-provider-grafana/terraform
-  image: golang:1.21
-  name: tests
-trigger:
-  event:
-  - promote
-type: docker
-workspace:
-  path: /drone/terraform-provider-grafana
----
-concurrency:
-  limit: 1
-kind: pipeline
-name: cloud instance tests
-platform:
-  arch: amd64
-  os: linux
-services: []
-steps:
-- commands:
-  - cp /bin/terraform /drone/terraform-provider-grafana/terraform
-  - chmod a+x /drone/terraform-provider-grafana/terraform
-  image: hashicorp/terraform
-  name: download-terraform
-- commands:
-  - .drone/wait-for-instance.sh $${GRAFANA_URL}
-  environment:
-    GRAFANA_URL:
-      from_secret: grafana-cloud-instance-url
-  image: golang:1.21
-  name: wait for instance
-- commands:
-  - make testacc-cloud-instance
-  environment:
-    GRAFANA_AUTH:
-      from_secret: grafana-api-token
-    GRAFANA_ONCALL_ACCESS_TOKEN:
-      from_secret: grafana-oncall-token
-    GRAFANA_SM_ACCESS_TOKEN:
-      from_secret: grafana-sm-token
-    GRAFANA_URL:
-      from_secret: grafana-cloud-instance-url
-    TF_ACC_TERRAFORM_PATH: /drone/terraform-provider-grafana/terraform
-  image: golang:1.21
-  name: tests
-trigger:
-  branch:
-  - master
-  event:
-  - pull_request
-  - push
-type: docker
-workspace:
-  path: /drone/terraform-provider-grafana
----
 kind: pipeline
 name: enterprise tests
 platform:
@@ -327,49 +251,13 @@ type: docker
 workspace:
   path: /drone/terraform-provider-grafana
 ---
-get:
-  name: api-key
-  path: infra/data/ci/terraform-provider-grafana/cloud
-kind: secret
-name: grafana-api-token
----
-get:
-  name: cloud-api-key
-  path: infra/data/ci/terraform-provider-grafana/cloud
-kind: secret
-name: grafana-cloud-api-key
----
-get:
-  name: cloud-instance-url
-  path: infra/data/ci/terraform-provider-grafana/cloud
-kind: secret
-name: grafana-cloud-instance-url
----
-get:
-  name: cloud-org
-  path: infra/data/ci/terraform-provider-grafana/cloud
-kind: secret
-name: grafana-cloud-org
----
 get:
   name: license.jwt
   path: infra/data/ci/terraform-provider-grafana/enterprise
 kind: secret
 name: grafana-enterprise-license
 ---
-get:
-  name: oncall-access-token
-  path: infra/data/ci/terraform-provider-grafana/cloud
-kind: secret
-name: grafana-oncall-token
----
-get:
-  name: sm-access-token
-  path: infra/data/ci/terraform-provider-grafana/cloud
-kind: secret
-name: grafana-sm-token
----
 kind: signature
-hmac: 061cdfaa7468af8377979354d7c30181a55d80187451663d4859d0354b5eea0c
+hmac: b2a4d2fd6fbb38a3ea38005a45cfd6db865fb1e0997e5084e00261d05553a240
 
 ...

.github/workflows/acc-tests.yml

@@ -0,0 +1,39 @@
+name: acceptance tests
+on:
+  pull_request: {}
+  push:
+    branches:
+      - main
+      - master
+
+# These permissions are needed to assume roles from Github's OIDC.
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  cloudinstance:
+    concurrency: cloud-instance
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with: 
+          go-version: '1.21'
+      - uses: hashicorp/setup-terraform@v3
+      - name: Get Secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            GRAFANA_AUTH=cloud-instance-tests:auth
+            GRAFANA_ONCALL_ACCESS_TOKEN=cloud-instance-tests:oncall-token
+            GRAFANA_SM_ACCESS_TOKEN=cloud-instance-tests:sm-token
+            GRAFANA_URL=cloud-instance-tests:url
+      - uses: iFaxity/wait-on-action@v1.1.0
+        with:
+          resource: ${{ env.GRAFANA_URL }}
+          interval: 2000 # 2s
+          timeout: 30000 # 30s
+      - run: make testacc-cloud-instance
+
+  # TODO: Enterprise + OSS tests

.github/workflows/cloud-acc-tests.yml

@@ -0,0 +1,34 @@
+name: cloud acceptance tests
+on:
+  workflow_dispatch:
+    inputs:
+      tests:
+        description: 'Tests to run (regex passed to -run)'
+        default: '.*'
+
+# These permissions are needed to assume roles from Github's OIDC.
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  cloud:
+    concurrency: cloud-api
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with: 
+          go-version: '1.21'
+      - uses: hashicorp/setup-terraform@v3
+      - name: Get Secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            GRAFANA_CLOUD_API_KEY=cloud-tests:api-key
+            GRAFANA_CLOUD_ORG=cloud-tests:org
+      - run: make testacc-cloud-api
+        env:
+          TESTARGS: -run='${{ github.event.inputs.tests }}'
+
+

.github/workflows/comment-on-pr.yml

@@ -1,3 +1,5 @@
+name: pr comment
+
 on:
   pull_request_target:
 
@@ -10,8 +12,5 @@ jobs:
       - uses: mshick/add-pr-comment@v2
         with:
           message: |
-            In order to lower resource usage and have a faster runtime, PRs will not run Cloud tests automatically. To do so, a Grafana Labs employee must promote the Drone build.
-
-            _For maintainers_, it's better to run only the Cloud tests you need, rather than all of them. You can do so by setting the following parameter when promoting:
-
-            `TESTARGS='-run=<testname>'`
+            In order to lower resource usage and have a faster runtime, PRs will not run Cloud tests automatically.
+            To do so, a Grafana Labs employee must trigger the `cloud acceptance tests` workflow manually.

.github/workflows/tests.yml → .github/workflows/unit-tests.yml

@@ -1,4 +1,4 @@
-name: tests
+name: unit tests
 on:
   pull_request: {}
   push: