@grafana-delivery-bot
Contributor

Backport 073338e from #111762


What is this feature?

Fixes a bug where if you try to preinstall via URL a plugin which contains dependencies, it will result in an invalid install.

i.e.

grafana-foobar-app plugin.json:

"dependencies": {
  "grafanaDependency": ">=12.0.0",
  "plugins": [
    {
      "id": "yesoreyeram-infinity-datasource"
    }
  ]
}

Grafana config.ini:

[plugins]
preinstall=grafana-foobar-app@1.0.0@https://storage.googleapis.com/grafana-plugins/grafana-foobar-app.zip

Who is this feature for?

Grafana operators

Which issue(s) does this PR fix?:

Fixes #111738

dependencies don't inherit parent url for preinstall

(cherry picked from commit 073338e)
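As an added illustration (not the PR's own code nor Grafana's implementation): a small Go model of how a preinstall entry of the form id@version@url is split and how the install list for the parent and its plugin.json dependencies is planned so that the parent's URL is not carried over. The PreinstallEntry type, ParsePreinstall and PlanInstalls are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// PreinstallEntry models one "[plugins] preinstall" item (constructed type for this example).
type PreinstallEntry struct {
	ID, Version, URL string
}

// ParsePreinstall splits "id[@version[@url]]". Only the first two "@" are
// separators, so a URL that itself contains "@" survives intact.
func ParsePreinstall(s string) (PreinstallEntry, error) {
	parts := strings.SplitN(s, "@", 3)
	if parts[0] == "" {
		return PreinstallEntry{}, fmt.Errorf("preinstall entry %q has an empty plugin id", s)
	}
	e := PreinstallEntry{ID: parts[0]}
	if len(parts) > 1 {
		e.Version = parts[1]
	}
	if len(parts) > 2 {
		e.URL = parts[2]
	}
	return e, nil
}

// PlanInstalls lists the parent and its declared dependencies as separate installs.
// Dependencies get neither the parent's Version nor its URL: that URL points at the
// parent's archive, so reusing it would fetch the wrong plugin (the invalid install
// described above). With an empty URL a dependency is resolved by id from the catalog.
func PlanInstalls(parent PreinstallEntry, dependencyIDs []string) []PreinstallEntry {
	plan := []PreinstallEntry{parent}
	for _, id := range dependencyIDs {
		plan = append(plan, PreinstallEntry{ID: id})
	}
	return plan
}

func main() {
	// Constructed input mirroring the config.ini and plugin.json example above.
	e, err := ParsePreinstall("grafana-foobar-app@1.0.0@https://storage.googleapis.com/grafana-plugins/grafana-foobar-app.zip")
	if err != nil {
		panic(err)
	}
	for _, p := range PlanInstalls(e, []string{"yesoreyeram-infinity-datasource"}) {
		fmt.Printf("install %s version=%q url=%q\n", p.ID, p.Version, p.URL)
	}
}
```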
@github-actions
Contributor

😢 zizmor failed with exit code 14.

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/backend-code-checks.yml:3:1
   |
 3 | / on:
 4 | |   pull_request:
...  |
15 | |       - 'docs/**'
16 | |       - 'latest.json'
   | |_____________________^ generally used when publishing artifacts generated at runtime
17 |
...
31 |           uses: actions/setup-go@v5
32 | /         with:
33 | |           # Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
...  |
36 | |           go-version: 1.24.1
37 | |           cache: true
   | |_____________________^ opt-in for caching here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/go-lint.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
10 | |       - release-*.*.*
11 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
12 |
...
22 |             persist-credentials: false
23 |         - uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[bot-conditions]: spoofable bot actor check
  --> ./.github/workflows/pr-dependabot-update-go-workspace.yml:18:3
   |
18 | /   update:
19 | |     runs-on: "ubuntu-latest"
20 | |     if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
   | |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
21 | |     continue-on-error: true
...  |
68 | |           git push origin "$BRANCH_NAME"
69 | |         fi
   | |___________^ this job
   |
   = note: audit confidence → Medium
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:3:1
   |
 3 | / on:
 4 | |   push:
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________^ generally used when publishing artifacts generated at runtime
11 |
...
25 |         - name: Pin Go version to mod file
26 |           uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:3:1
   |
 3 | / on:
 4 | |   push:
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________^ generally used when publishing artifacts generated at runtime
11 |
...
30 |         - uses: actions/setup-node@v4
31 | /         with:
32 | |           node-version-file: '.nvmrc'
33 | |           cache: 'yarn'
   | |_______________________^ opt-in for caching here
   |
   = note: audit confidence → Low

203 findings (65 ignored, 133 suppressed, 1 fixable): 0 unknown, 0 informational, 0 low, 0 medium, 5 high

@wbrowne wbrowne merged commit cfd4902 into release-12.0.6 Sep 30, 2025
107 of 112 checks passed
@wbrowne wbrowne deleted the backport-111762-to-release-12.0.6 branch September 30, 2025 14:04
@github-project-automation github-project-automation bot moved this from 🔬 In review to 🚀 Shipped in Plugins Platform / Grafana Community Sep 30, 2025
@grafana-delivery-bot
Contributor Author

🚀 Your submission is now being built and packaged.
