From bab65989bcdb9fc18a277555e19d64651f31308d Mon Sep 17 00:00:00 2001
From: Andreas Christou
Date: Tue, 29 Apr 2025 16:39:35 +0100
Subject: [PATCH 1/3] Harden workflows (#237)

---
 .github/workflows/ci.yml | 3 ++-
 .github/workflows/issue_commands.yml | 7 ++++---
 .github/workflows/publish-npm.yml | 8 ++++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d56e23d..56a3a07 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,7 +13,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
-
+ with:
+ persist-credentials: false
 - name: Setup Node.js environment
 uses: actions/setup-node@v4
 with:
diff --git a/.github/workflows/issue_commands.yml b/.github/workflows/issue_commands.yml
index 7fb60fb..7fb22ae 100644
--- a/.github/workflows/issue_commands.yml
+++ b/.github/workflows/issue_commands.yml
@@ -9,13 +9,14 @@ jobs:
 - name: Checkout Actions
 uses: actions/checkout@v4
 with:
- repository: "grafana/grafana-github-actions"
+ repository: 'grafana/grafana-github-actions'
 path: ./actions
 ref: main
+ persist-credentials: false
 - name: Install Actions
 run: npm install --production --prefix ./actions
 - name: Run Commands
 uses: ./actions/commands
- with:
+ with:
 token: ${{secrets.GH_BOT_ACCESS_TOKEN}}
- configPath: issue_commands
\ No newline at end of file
+ configPath: issue_commands
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 3030bc0..7bee336 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -14,9 +14,10 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: main
+ persist-credentials: false
 # limit releases to version changes - https://github.com/EndBug/version-check
 - name: Check version changes
- uses: EndBug/version-check@v2
+ uses: EndBug/version-check@36ff30f37c7deabe56a30caa043d127be658c425
 id: version_check
 with:
 file-url: https://unpkg.com/@grafana/azure-sdk@latest/package.json
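Review bot: The ci.yml job in this hunk still shows no `permissions:` block, so unless one is set at the workflow level (outside the hunk) the checkout and the steps after it run with the repository's default `GITHUB_TOKEN` scopes; `persist-credentials: false` keeps that token out of `.git/config` but does not narrow it. Consider adding `permissions: contents: read` at the job level, as the third patch in this series does for publish-npm.yml. The job header and any workflow-level `permissions:` are outside the hunk, so this may already be covered.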
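Review bot: `ref: main` on the `Checkout Actions` step still pulls a mutable branch of `grafana/grafana-github-actions`, and what is fetched there is `npm install`ed and then executed by the `Run Commands` step with `secrets.GH_BOT_ACCESS_TOKEN`, so the quoting change and `persist-credentials: false` leave the main exposure in this hunk untouched: anyone who can push to that branch runs code with the bot token. Pin `ref:` to a commit SHA with a comment naming the branch it tracks, the way this same patch pins `EndBug/version-check` in publish-npm.yml, and if the checked-out repository ships a lockfile (not visible here) prefer `npm ci --ignore-scripts` over `npm install --production` so install-time scripts from its dependency tree do not run in the privileged job. `persist-credentials: false` is still worth keeping for this same-org checkout, since the default token would otherwise remain in `./actions/.git/config` for the rest of the job.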
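Review bot: The pinned `uses: EndBug/version-check@36ff30f37c7deabe56a30caa043d127be658c425` carries no human-readable version, so a reader can no longer tell which release it corresponds to and update tooling cannot annotate future bumps; add the tag it replaces as a trailing comment, `uses: EndBug/version-check@36ff30f37c7deabe56a30caa043d127be658c425 # v2`. The same convention should apply to any other SHA-pinned action in this workflow, though none is visible in this hunk.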
@@ -24,7 +25,10 @@ jobs:
 - name: Version update detected
 if: steps.version_check.outputs.changed == 'true'
- run: 'echo "Version change found! New version: ${{ steps.version_check.outputs.version }} (${{ steps.version_check.outputs.type }})"'
+ env:
+ VERSION: ${{ steps.version_check.outputs.version }}
+ TYPE: ${{ steps.version_check.outputs.type }}
+ run: 'echo "Version change found! New version: ${VERSION} (${TYPE})"'
 - name: Setup .npmrc file for NPM registry
 if: steps.version_check.outputs.changed == 'true'

From e031a5cc095337180fa92409ed1e3e92eb263b6a Mon Sep 17 00:00:00 2001
From: Andreas Christou
Date: Thu, 29 May 2025 01:02:13 +0100
Subject: [PATCH 2/3] Update workflow trigger (#238)

---
 .github/workflows/dependabot-reviewer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependabot-reviewer.yml b/.github/workflows/dependabot-reviewer.yml
index 992fe3d..2c71c98 100644
--- a/.github/workflows/dependabot-reviewer.yml
+++ b/.github/workflows/dependabot-reviewer.yml
@@ -1,6 +1,6 @@
 name: Dependabot reviewer
-on: pull_request_target
+on: pull_request
 permissions:
 pull-requests: write

From 582c46b4c3eb7c4a40ab188d505753673e49330d Mon Sep 17 00:00:00 2001
From: Andreas Christou
Date: Fri, 13 Jun 2025 19:47:07 +0200
Subject: [PATCH 3/3] Update publish workflow (#239)

* Update workflow trigger
* Update publish workflow
---
 .github/workflows/publish-npm.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 7bee336..b1f1838 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -9,6 +9,10 @@ jobs:
 publish:
 name: Publish to NPM & GitHub Package Registry
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
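Review bot: Moving from `pull_request_target` to `on: pull_request` removes the privileged-token-on-untrusted-code hazard, but the unchanged `permissions: pull-requests: write` now applies to a run whose `GITHUB_TOKEN` is tied to the PR event; for pull requests from forks that token is read-only regardless of this key, so any approve or merge step in the job (its steps are outside the hunk) will fail on fork PRs, and for every non-fork PR the run is granted write access it does not need. Dependabot's own branches are same-repo, so the elevation should still take effect there, but if the job relies on a repository secret rather than `GITHUB_TOKEN`, Dependabot-triggered runs only see Dependabot secrets — verify against the remaining steps. Consider narrowing the trigger with `types:` and guarding the job with `if: github.actor == 'dependabot[bot]'` so the write permission is only granted to the runs that need it.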
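Review bot: The new job-level `permissions:` grants `id-token: write` and `packages: write` without a comment saying which step needs each; nothing in this hunk uses OIDC, and the consumer is presumably the vault-secrets step added in the following hunk, so a maintainer trimming permissions later cannot tell what would break. Document each grant inline, e.g. `id-token: write # OIDC token for get-vault-secrets` and `packages: write # publish to GitHub Packages`. Setting the block at job level also overrides any workflow-level `permissions:` (outside the hunk), which is the right direction here since `contents: read` is the minimum `actions/checkout@v4` needs.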
@@ -45,11 +49,18 @@ jobs:
 if: steps.version_check.outputs.changed == 'true'
 run: yarn build
+ - name: Get vault secrets
+ if: steps.version_check.outputs.changed == 'true'
+ id: vault-secrets
+ uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+ with:
+ repo_secrets: |
+ NPM_TOKEN=npm-publish:token
 - name: Publish package to NPM
 if: steps.version_check.outputs.changed == 'true'
 run: npm publish --access public --scope grafana
 env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
 - name: Setup .npmrc file for GitHub Packages
 if: steps.version_check.outputs.changed == 'true'
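Review bot: `uses: grafana/shared-workflows/actions/get-vault-secrets@main` resolves a mutable branch on every run, and this is exactly the step that materializes the npm publish token, so whoever can push to that branch controls what happens to `NPM_TOKEN`; the `# zizmor: ignore[unpinned-uses]` marker suppresses the scanner's finding rather than addressing it. Pin the action to a commit SHA with a version comment, consistent with the `EndBug/version-check` pin made earlier in this series. Routing the token through `${{ env.NPM_TOKEN }}` also makes it readable by every later step in the job, including the GitHub Packages steps that follow, whereas the removed `${{ secrets.NPM_TOKEN }}` was scoped to the publish step's `env:`; if the action can return secrets as step outputs instead of exporting them into the job environment, prefer that and reference `steps.vault-secrets.outputs.<name>` (placeholder — check the action's documented outputs), which would also give the currently unreferenced `id: vault-secrets` a purpose. The `Setup .npmrc file for GitHub Packages` step continues outside the hunk.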