
@wbrowne
Contributor

@wbrowne wbrowne commented Sep 30, 2025

Backport 073338e from #111762


What is this feature?

Fixes a bug where if you try to preinstall via URL a plugin which contains dependencies, it will result in an invalid install.

I.e.

grafana-foobar-app plugin.json:

"dependencies": {
  "grafanaDependency": ">=12.0.0",
  "plugins": [
    {
      "id": "yesoreyeram-infinity-datasource"
    }
  ]
}

Grafana config.ini:

[plugins]
preinstall=grafana-foobar-app@1.0.0@https://storage.googleapis.com/grafana-plugins/grafana-foobar-app.zip

Who is this feature for?

Grafana operators

Which issue(s) does this PR fix?:

Fixes #111738
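As an added illustration (not Grafana's own code) of the preinstall entry format shown above and of the rule the fix establishes, that a dependency does not inherit its parent's URL, in Go. The type and function names, and the reading of the middle field as a version, are assumptions made for this example.

```go
package main

import (
	"errors"
	"strings"
)

// PreinstallPlugin holds one entry of the [plugins] preinstall setting in the
// form shown in the PR: "<id>", "<id>@<version>" or "<id>@<version>@<url>".
// (Field names and the reading of the middle field as a version are assumptions.)
type PreinstallPlugin struct {
	ID      string
	Version string
	URL     string
}

// parsePreinstallEntry splits an entry on at most two '@' separators, so a
// URL that itself contains '@' (for example userinfo) is kept intact.
func parsePreinstallEntry(entry string) (PreinstallPlugin, error) {
	parts := strings.SplitN(strings.TrimSpace(entry), "@", 3)
	if parts[0] == "" {
		return PreinstallPlugin{}, errors.New("preinstall entry has an empty plugin id")
	}
	p := PreinstallPlugin{ID: parts[0]}
	if len(parts) > 1 {
		p.Version = parts[1]
	}
	if len(parts) > 2 {
		p.URL = parts[2]
	}
	return p, nil
}

// installPlan lists what one preinstall entry pulls in: the entry itself plus
// the ids under dependencies.plugins of its plugin.json (deps is constructed
// input). The parent keeps its explicit version and URL; the dependencies get
// neither, because the URL points at the parent's archive and reusing it for
// a different plugin id is exactly the invalid install the PR fixes.
func installPlan(parent PreinstallPlugin, deps []string) []PreinstallPlugin {
	plan := []PreinstallPlugin{parent}
	for _, id := range deps {
		plan = append(plan, PreinstallPlugin{ID: id})
	}
	return plan
}
```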

wbrowne and others added 2 commits September 30, 2025 10:39
dependencies don't inherit parent url for preinstall

(cherry picked from commit 073338e)
@github-actions
Contributor

😢 zizmor failed with exit code 14.

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/backend-code-checks.yml:3:1
   |
 3 | / on:
 4 | |   pull_request:
...  |
15 | |       - 'docs/**'
16 | |       - 'latest.json'
   | |_____________________^ generally used when publishing artifacts generated at runtime
17 |
...
31 |           uses: actions/setup-go@v5
32 | /         with:
33 | |           # Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
...  |
36 | |           go-version: 1.24.1
37 | |           cache: true
   | |_____________________^ opt-in for caching here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/go-lint.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
10 | |       - release-*.*.*
11 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
12 |
...
22 |             persist-credentials: false
23 |         - uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[bot-conditions]: spoofable bot actor check
  --> ./.github/workflows/pr-dependabot-update-go-workspace.yml:18:3
   |
18 | /   update:
19 | |     runs-on: "ubuntu-latest"
20 | |     if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
   | |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
21 | |     continue-on-error: true
...  |
68 | |           git push origin "$BRANCH_NAME"
69 | |         fi
   | |___________^ this job
   |
   = note: audit confidence → Medium
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:3:1
   |
 3 | / on:
 4 | |   push:
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________^ generally used when publishing artifacts generated at runtime
11 |
...
25 |         - name: Pin Go version to mod file
26 |           uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:3:1
   |
 3 | / on:
 4 | |   push:
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________^ generally used when publishing artifacts generated at runtime
11 |
...
30 |         - uses: actions/setup-node@v4
31 | /         with:
32 | |           node-version-file: '.nvmrc'
33 | |           cache: 'yarn'
   | |_______________________^ opt-in for caching here
   |
   = note: audit confidence → Low

214 findings (66 ignored, 143 suppressed, 1 fixable): 0 unknown, 0 informational, 0 low, 0 medium, 5 high

@wbrowne wbrowne merged commit 3149669 into release-11.5.10 Sep 30, 2025
104 of 107 checks passed
@wbrowne wbrowne deleted the backport-111762-to-release-11.5.10 branch September 30, 2025 14:09
@github-project-automation github-project-automation bot moved this from 🔬 In review to 🚀 Shipped in Plugins Platform / Grafana Community Sep 30, 2025
@grafana-delivery-bot
Contributor

🚀 Your submission is now being built and packaged.
