Chore: Migrate workflows to use create-github-app-token (#2142)

- Removes dependabot.yml as renovate will update grafana-sdk for us
- Migrates to `create-github-app-token`
- Pin workflows
- Removes is-compatible.yml I found that workflow not helping much but
creating an annoyingly long comment

Fixes https://github.com/grafana/oss-big-tent-squad/issues/144

.github/dependabot.yml

@@ -1,13 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    allow:
-      # Keep the sdk modules up-to-date
-      - dependency-name: "github.com/grafana/grafana-plugin-sdk-go"
-        dependency-type: "all"
-    commit-message:
-      prefix: "Upgrade grafana-plugin-sdk-go "
-      include: "scope"

.github/workflows/add-to-project.yml

@@ -16,20 +16,12 @@ jobs:
     name: Add issue to project
     runs-on: ubuntu-latest
     steps:
-      - id: get-secrets
+      - id: get-github-token
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/shared-workflows/actions/create-github-app-token@ae92934a14a48b94494dbc06d74a81d47fe08a40 # create-github-app-token/v0.2.2
         with:
-          repo_secrets: |
+          github_app: grafana-oss-big-tent
-            GITHUB_APP_ID=grafana-oss-big-tent:app-id
+      - name: Add to project
-            GITHUB_APP_PRIVATE_KEY=grafana-oss-big-tent:private-key
+        uses: actions/add-to-project@main
-      - name: Generate a token
-        id: generate-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-      - uses: actions/add-to-project@main
         with:
           project-url: https://github.com/orgs/grafana/projects/457
-          github-token: ${{ steps.generate-token.outputs.token }}
+          github-token: ${{ steps.get-github-token.outputs.token }}

.github/workflows/compatibility-50.yml

@@ -14,11 +14,11 @@ jobs:
   compatibility-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
       
-      - uses: actions/setup-go@v5.3.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
 
       - name: Start Zabbix environment
         run: |

.github/workflows/compatibility-60.yml

@@ -14,11 +14,11 @@ jobs:
   compatibility-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
 
-      - uses: actions/setup-go@v5.3.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
 
       - name: Start Zabbix environment
         run: |

.github/workflows/compatibility-70.yml

@@ -14,11 +14,11 @@ jobs:
   compatibility-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
 
-      - uses: actions/setup-go@v5.3.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
 
       - name: Start Zabbix environment
         run: |

.github/workflows/compatibility-72.yml

@@ -14,11 +14,11 @@ jobs:
   compatibility-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
 
-      - uses: actions/setup-go@v5.3.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
 
       - name: Start Zabbix environment
         run: |

.github/workflows/compatibility-74.yml

@@ -14,11 +14,11 @@ jobs:
   compatibility-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
 
-      - uses: actions/setup-go@v5.3.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
 
       - name: Start Zabbix environment
         run: |

.github/workflows/is-compatible.yml

@@ -1,28 +0,0 @@
-name: Compatibility check
-on: [push]
-
-jobs:
-  compatibilitycheck:
-    permissions:
-      # Required permissions when comment-pr is set to 'yes': pull-requests: write, contents: read
-      pull-requests: write
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'yarn'
-      - name: Install dependencies
-        run: yarn install
-      - name: Build plugin
-        run: yarn build
-      - name: Compatibility check
-        uses: grafana/plugin-actions/is-compatible@main
-        with:
-          module: './src/module.ts'
-          comment-pr: 'yes'
-          fail-if-incompatible: 'no'

.github/workflows/publish.yaml

@@ -27,12 +27,12 @@ on:
 jobs:
   cd:
     name: CD
-    uses: grafana/plugin-ci-workflows/.github/workflows/cd.yml@main
+    uses: grafana/plugin-ci-workflows/.github/workflows/cd.yml@ci-cd-workflows/v4.3.0
     with:
-      go-version: '1.25'
+      golangci-lint-version: '2.7.2'
-      golangci-lint-version: '2.4.0'
+      go-version: '1.25.5'
       branch: ${{ github.event.inputs.branch }}
       environment: ${{ github.event.inputs.environment }}
       docs-only: ${{ fromJSON(github.event.inputs.docs-only) }}
-      github-draft-release: false
       run-playwright: true
+      github-draft-release: false

.github/workflows/push.yaml

@@ -12,9 +12,9 @@ on:
 jobs:
   ci:
     name: CI
-    uses: grafana/plugin-ci-workflows/.github/workflows/ci.yml@main
+    uses: grafana/plugin-ci-workflows/.github/workflows/ci.yml@ci-cd-workflows/v4.3.0
     with:
-      go-version: '1.25'
+      go-version: '1.25.5'
-      golangci-lint-version: '2.4.0'
+      golangci-lint-version: '2.7.2'
       plugin-version-suffix: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
       run-playwright: true

.github/workflows/stale.yml

@@ -11,7 +11,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           operations-per-run: 750

.github/workflows/update-create-plugin.yml

@@ -7,10 +7,17 @@ on:
 
 permissions:
   contents: write
+  id-token: write # Needed for create-github-app-token
   pull-requests: write
 
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: grafana/plugin-actions/create-plugin-update@main
+      - id: get-github-token
+        uses: grafana/shared-workflows/actions/create-github-app-token@ae92934a14a48b94494dbc06d74a81d47fe08a40 # create-github-app-token/v0.2.2
+        with:
+          github_app: grafana-oss-big-tent
+      - uses: grafana/plugin-actions/create-plugin-update@244c3bc9c6eb94bc1dd6458ade2462499bbf0f5b #create-plugin-update/v2.0.1
+        with:
+          token: ${{ steps.get-github-token.outputs.token }}