build: Don't expose drone secrets on PR builds (#431)

Drone runs for PRs don't have access to secrets anymore, so skip these steps for PR builds and keep it for releases and merges to main.
grafana · Apr 19, 2023 · 06a9cb7 · 06a9cb7
1 parent 89233e6
commit 06a9cb7
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/.drone/drone.jsonnet b/.drone/drone.jsonnet
@@ -263,13 +263,13 @@ local docker_publish(repo, auth, tag, os, arch, version='') =
           NFPM_SIGNING_KEY_FILE: '/drone/src/release-private-key.key',
         },
       },
-      step('test release', ['make release-snapshot']) {
+      step('test release', ['make release-snapshot']) + devAndRelease + {
         environment: {
           NFPM_DEFAULT_PASSPHRASE: { from_secret: 'gpg_passphrase' },
           NFPM_SIGNING_KEY_FILE: '/drone/src/release-private-key.key',
         },
       },
-      step('test deb package', ['./scripts/package/verify-deb-install.sh'], image='docker') {
+      step('test deb package', ['./scripts/package/verify-deb-install.sh'], image='docker') + devAndRelease + {
         volumes: [
           {
             name: 'docker',
@@ -278,7 +278,7 @@ local docker_publish(repo, auth, tag, os, arch, version='') =
         ],
         privileged: true,
       },
-      step('test rpm package', ['./scripts/package/verify-rpm-install.sh'], image='docker') {
+      step('test rpm package', ['./scripts/package/verify-rpm-install.sh'], image='docker') + devAndRelease + {
         volumes: [
           {
             name: 'docker',

diff --git a/.drone/drone.yml b/.drone/drone.yml
@@ -228,6 +228,10 @@ steps:
     NFPM_SIGNING_KEY_FILE: /drone/src/release-private-key.key
   image: golang:1.18
   name: test release
+  when:
+    ref:
+    - refs/heads/main
+    - refs/tags/v*.*.*
 - commands:
   - ./scripts/package/verify-deb-install.sh
   image: docker
@@ -236,6 +240,10 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  when:
+    ref:
+    - refs/heads/main
+    - refs/tags/v*.*.*
 - commands:
   - ./scripts/package/verify-rpm-install.sh
   image: docker
@@ -244,6 +252,10 @@ steps:
   volumes:
   - name: docker
     path: /var/run/docker.sock
+  when:
+    ref:
+    - refs/heads/main
+    - refs/tags/v*.*.*
 - commands:
   - make release
   environment:
@@ -315,6 +327,6 @@ kind: secret
 name: gpg_private_key
 ---
 kind: signature
-hmac: aefbf1c6a02e7bc3976ee73ad5a35538f50f55b0360f7726ef8bb5957daf040e
+hmac: 751d5fb2434e22d46fb36e2132c32bcb404e799e3f96517f13a719865accdc9b
 
 ...