Commit e35f27ea by Stephanie Closson Committed by GitHub

Toolkit: fixes for security and publishing (#23749)

* Fixes and security patches:
1. Always keep the source directory, just don't package the source
2. Do not publish the SSH key for common plugin tasks.
Changed to environment variable

* env variable renamed.

* Re-added the src remove

* touch config.yml for rebuild
parent 170a0df1
...@@ -3,7 +3,7 @@ version: 2.1 ...@@ -3,7 +3,7 @@ version: 2.1
parameters: parameters:
ssh-fingerprint: ssh-fingerprint:
type: string type: string
default: "dc:60:ab:c7:2d:8c:82:50:2a:2a:97:1a:c0:66:83:14" default: ${GITHUB_SSH_FINGERPRINT}
aliases: aliases:
# Workflow filters # Workflow filters
...@@ -177,6 +177,10 @@ jobs: ...@@ -177,6 +177,10 @@ jobs:
provisioning: provisioning:
executor: default_exec executor: default_exec
steps: steps:
- run:
name: Continue if this plugin has a provisioning path
command: |
[ -z "${PROVISIONING_REPO_PATH}" ] && circleci-agent step halt
- checkout - checkout
- add_ssh_keys: - add_ssh_keys:
fingerprints: fingerprints:
...@@ -189,8 +193,8 @@ jobs: ...@@ -189,8 +193,8 @@ jobs:
command: | command: |
mkdir ci # Avoid error if not exists mkdir ci # Avoid error if not exists
mkdir ci/jobs # Avoid error if not exists mkdir ci/jobs # Avoid error if not exists
mkdir ci/jobs/provisioning mkdir ci/jobs/provisioning
mv plugin-provisioning/plugins/google-sheets/provisioning/* ci/jobs/provisioning mv plugin-provisioning/${PROVISIONING_REPO_PATH}/* ci/jobs/provisioning
- persist_to_workspace: - persist_to_workspace:
root: . root: .
paths: paths:
...@@ -199,6 +203,10 @@ jobs: ...@@ -199,6 +203,10 @@ jobs:
e2e_canary: e2e_canary:
executor: e2e_exec executor: e2e_exec
steps: steps:
- run:
name: Continue if this plugin has a provisioning path
command: |
[ -z "${PROVISIONING_REPO_PATH}" ] && circleci-agent step halt
- checkout - checkout
- attach_workspace: - attach_workspace:
at: . at: .
...@@ -222,7 +230,6 @@ jobs: ...@@ -222,7 +230,6 @@ jobs:
## To make sure grafana has started up ## To make sure grafana has started up
while ! $(netstat -tulpn | grep 3000 >/dev/null 2>&1); do sleep 1; done while ! $(netstat -tulpn | grep 3000 >/dev/null 2>&1); do sleep 1; done
/opt/grafana/bin/grafana-cli --version /opt/grafana/bin/grafana-cli --version
- run: - run:
name: Copy provisioning files name: Copy provisioning files
command: cp -r ci/jobs/provisioning provisioning/ command: cp -r ci/jobs/provisioning provisioning/
...@@ -286,4 +293,3 @@ jobs: ...@@ -286,4 +293,3 @@ jobs:
name: "Publish Release on GitHub" name: "Publish Release on GitHub"
command: | command: |
./node_modules/.bin/grafana-toolkit plugin:github-publish ./node_modules/.bin/grafana-toolkit plugin:github-publish
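Review bot: The guard `[ -z "${PROVISIONING_REPO_PATH}" ] && circleci-agent step halt`, added as the first step of both `provisioning` and `e2e_canary`, returns a non-zero status exactly when the variable is set. The test fails, the `&&` list evaluates to 1, and because it is the last command in the step, that status fails the job that was supposed to continue. An explicit conditional avoids this: `if [ -z "${PROVISIONING_REPO_PATH}" ]; then circleci-agent step halt; fi`. Separately, `default: ${GITHUB_SSH_FINGERPRINT}` is a parameter default, and as far as I know CircleCI does not expand environment variables there or in the `fingerprints` list of `add_ssh_keys` (where this parameter is presumably consumed), so the literal string may be what reaches the step; this should be confirmed on a real run. The `mv plugin-provisioning/${PROVISIONING_REPO_PATH}/*` line would also be safer with the expansion quoted, `mv "plugin-provisioning/${PROVISIONING_REPO_PATH}"/* ci/jobs/provisioning`, so a value containing spaces or glob characters cannot change what gets moved.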
...@@ -102,6 +102,7 @@ const prepareRelease = useSpinner<any>('Preparing release', async ({ dryrun, ver ...@@ -102,6 +102,7 @@ const prepareRelease = useSpinner<any>('Preparing release', async ({ dryrun, ver
line[1].push('--dry-run'); line[1].push('--dry-run');
} }
// Exit if the plugin is NOT an enterprise plugin
if (pluginJson.enterprise && !opts['enterprise']) { if (pluginJson.enterprise && !opts['enterprise']) {
continue; continue;
} }
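Review bot: The added comment `// Exit if the plugin is NOT an enterprise plugin` says the opposite of what the condition beneath it does. `pluginJson.enterprise && !opts['enterprise']` is true when the plugin is marked enterprise and the enterprise option was not passed, and the branch runs `continue`, which skips the current iteration rather than exiting. Something like `// Skip this step for enterprise plugins unless the enterprise option is set` would match the code. The enclosing loop and the rest of `prepareRelease` start and end outside this hunk, so what exactly is skipped cannot be confirmed from here. An accurate comment matters because this branch appears to gate which release commands run for enterprise plugins.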
......